iOS: Data Protection

iOS is based on the same core technologies as OS X, and benefits from years of hardening and security development. According to Apple’s iOS Security Guide, iOS security can be viewed in four layers:
  • System architecture: The secure platform and hardware foundations of iPhone, iPad, and iPod touch.
  • Encryption and Data Protection: The architecture and design that protects the user’s data when the device is lost or stolen, or when an unauthorized person attempts to use or modify it.
  • Network security: Industry-standard networking protocols that provide secure authentication and encryption of data in transmission.
  • Device access: Methods that prevent unauthorized use of the device and enable it to be remotely wiped if lost or stolen.

iOS devices encrypt the whole file system in hardware. The system architecture combines hardware (the dedicated AES engine and the per-device UID key fused into the processor) and software to protect files on every iOS device; even so, despite the available documentation, many developers still skip the work of securing their app's data. Since Xcode 5 the project settings have a Capabilities pane that makes this easier: data protection is switched on or off with a single toggle.
Xcode Capabilities

Adding Capabilities

Apple implements an underlying security model to protect both user data and your app from being modified and distributed without your knowledge. Hence, your app is code signed and provisioned to use only the key Apple technologies and services that you specify. When you add capabilities to your app using Xcode, Xcode automatically configures your project to use them; it edits the entitlements and information property list files for you and adds technology-specific frameworks as needed.

About Entitlements

An entitlement is a single right granted to a particular app, tool, or other executable that gives it additional permissions above and beyond what it would ordinarily have. The term entitlement is most commonly used in the context of a sandbox, and to a lesser degree for an App ID.
Regardless of the location, an entitlement is a piece of configuration information included in your app’s code signature, telling the system to allow your app to access certain resources or perform certain operations. In effect, an entitlement extends the sandbox and capabilities of your app to allow a particular operation to occur.
It is up to the developer to enforce the correct level of encryption

Enabling Data Protection for iOS Apps

Data protection adds a level of security to files stored on disk by your app. Data protection uses the built-in encryption hardware present on specific devices to store files in an encrypted format on disk. Your app needs to be provisioned to use data protection.
  1. In the project navigator, select the project and your target to display the project editor.
  2. Click Capabilities.
  3. If Data Protection isn’t enabled, select the switch in the Data Protection row.
  4. If a dialog appears asking whether Xcode should request a development certificate on your behalf, click Request.
Turning the switch on adds the com.apple.developer.default-data-protection entitlement, and its default value is “complete protection” (NSFileProtectionComplete): files the app creates are encrypted and become inaccessible as soon as the device is locked. This, in my opinion, is close to OS X’s FileVault, with one important difference: FileVault unlocks the whole volume at login and keeps it unlocked until shutdown, whereas complete protection evicts the class key from memory every time the device locks, so a file can become unreadable while your app is still running in the background.
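What the toggle actually writes is an entitlement in the target's .entitlements file. The fragment below is an added illustration, not taken from the original page or from any particular project; the file name MyApp.entitlements is assumed.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <!-- MyApp.entitlements (assumed file name): written by Xcode when the
         Data Protection capability is switched on. The value is the class
         applied to every file the app creates without an explicit
         NSFileProtectionKey; Xcode's default is NSFileProtectionComplete.
         Weaker choices are NSFileProtectionCompleteUnlessOpen and
         NSFileProtectionCompleteUntilFirstUserAuthentication. -->
    <key>com.apple.developer.default-data-protection</key>
    <string>NSFileProtectionComplete</string>
</dict>
</plist>
```

The entitlement only takes effect if it survives into the signed binary, so check the shipped build rather than the project file: `codesign -d --entitlements :- path/to/MyApp.app` prints the entitlements embedded in the code signature, and the key above should appear there with the value you expect.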

Data Protection

Data Protection lets applications declare whether items in the keychain and files stored on the file system should be encrypted with a key that depends on the user’s passcode. When a developer marks a file with the attribute NSFileProtectionNone, which the page treats as the default Data Protection class, the file is still encrypted, but only with a class key wrapped by the device’s hardware UID key, not by the passcode. As such, the default setting leaves the data effectively unprotected against anyone holding the device: it is readable whenever the device is powered on, from boot onwards, whether or not the device is locked. (Since iOS 7, files created by third-party apps without an explicit class default to NSFileProtectionCompleteUntilFirstUserAuthentication rather than NSFileProtectionNone; the conclusion is the same, because that class is also readable while the device is locked after the first unlock.)

Data Protection Options

It is a developer’s responsibility to protect sensitive data.
There are two ways to request a protection class. NSFileManager defines the data protection constants used as the value of the NSFileProtectionKey key in the attributes dictionary you pass to - createFileAtPath:contents:attributes: or - setAttributes:ofItemAtPath:error:, and - attributesOfItemAtPath:error: returns the same key so you can read the class back. NSData defines matching values in NSDataWritingOptions, passed in the options: parameter of - writeToFile:options:error: and - writeToURL:options:error:, which sets the class at the moment the file is written.
NSFileProtectionKey values (NSFileManager attributes)
  NSFileProtectionNone (iOS 4.0): The file has no special protections associated with it. It can be read from or written to at any time.
  NSFileProtectionComplete (iOS 4.0): The file is stored in an encrypted format on disk and cannot be read from or written to while the device is locked or booting.
  NSFileProtectionCompleteUnlessOpen (iOS 5.0): The file is stored in an encrypted format on disk. Files can be created while the device is locked, but once closed, cannot be opened again until the device is unlocked. If the file is opened when unlocked, you may continue to access the file normally, even if the user locks the device. There is a small performance penalty when the file is created and opened, though not when being written to or read from. This can be mitigated by changing the file protection to NSFileProtectionComplete when the device is unlocked.
  NSFileProtectionCompleteUntilFirstUserAuthentication (iOS 5.0): The file is stored in an encrypted format on disk and cannot be accessed until after the device has booted. After the user unlocks the device for the first time, your app can access the file and continue to access it even if the user subsequently locks the device.
NSDataWritingOptions values (NSData)
  NSDataWritingFileProtectionNone (iOS 4.0): A hint to set the content protection attribute of the file when writing it out. In this case, the file is not stored in a passcode-protected format and may be accessed at any time the device is powered on, locked or unlocked.
  NSDataWritingFileProtectionComplete (iOS 4.0): A hint to set the content protection attribute of the file when writing it out. In this case, the file is stored in an encrypted format and may be read from or written to only while the device is unlocked. At all other times, attempts to read and write the file result in failure.
  NSDataWritingFileProtectionCompleteUnlessOpen (iOS 5.0): A hint to set the content protection attribute of the file when writing it out. In this case, the file cannot be opened for reading or writing when the device is locked, although new files can be created with this class. If one of these files is open when the device is locked, reading and writing are still allowed.
  NSDataWritingFileProtectionCompleteUntilFirstUserAuthentication (iOS 5.0): A hint to set the content protection attribute of the file when writing it out. In this case, the file can be read or written to while the device is locked, but until the user has unlocked the device once after boot it has protection equivalent to NSDataWritingFileProtectionComplete.

NSFileManager & NSData Class API

NSFileProtectionKey is a file attribute key understood by NSFileManager; setting it on an existing file or directory changes the protection class of that item (files created later inside a directory inherit the directory’s class).
  NSError *errorFolderProtect = nil;
  // Apply complete protection to the app's data folder (applicationFolderPath is the page's own helper).
  [[NSFileManager defaultManager] setAttributes:@{ NSFileProtectionKey: NSFileProtectionComplete }
                                   ofItemAtPath:[PGPasswordSync applicationFolderPath]
                                          error:&errorFolderProtect];
NSDataWritingOptions is an enumeration of options used when writing an NSData object out to disk; the protection values can be combined with the other flags such as NSDataWritingAtomic.
  NSError *errorWriteProtect = nil;
  // Write the bytes and set the protection class in the same call, so the file is never on disk unprotected.
  [data writeToFile:path options:NSDataWritingFileProtectionComplete error:&errorWriteProtect];
When a developer marks a file with NSFileProtectionNone, or writes it with NSDataWritingFileProtectionNone, the file is only protected by encryption rooted in the device’s hardware UID key, so it is readable whenever the device is powered on. With NSFileProtectionComplete or NSDataWritingFileProtectionComplete, the file is encrypted under a key derived from the user’s passcode and may only be read from or written to while the device is unlocked; after a lock, even your own app’s reads fail with an error until the user unlocks again, so code that touches such files from the background must be written to expect that.
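The following Objective-C example is added here to tie the tables and the two one-line calls above into one routine; it is not code from the original post. It creates a directory with NSFileProtectionComplete so new files inherit the class, writes a secret with NSDataWritingFileProtectionComplete (combined with NSDataWritingAtomic so a crash cannot leave a partial file), reads the attribute back with attributesOfItemAtPath:error: instead of trusting the write, and checks UIApplication’s protectedDataAvailable before reading so a locked device produces a clean failure rather than an unexplained nil. The directory name "Protected" and file name are assumptions for the illustration.

```objective-c
#import <Foundation/Foundation.h>
#import <UIKit/UIKit.h>

// Assumed location: a "Protected" folder under the app's Documents directory.
static NSString *ProtectedDirectoryPath(void) {
    NSURL *docs = [[[NSFileManager defaultManager] URLsForDirectory:NSDocumentDirectory
                                                          inDomains:NSUserDomainMask] firstObject];
    return [docs.path stringByAppendingPathComponent:@"Protected"];
}

// Returns the protection class recorded on disk for path (nil on error).
// This is the value the kernel enforces, so it is what a check should look at.
static NSString *ProtectionClassAtPath(NSString *path, NSError **error) {
    NSDictionary *attrs = [[NSFileManager defaultManager] attributesOfItemAtPath:path error:error];
    return attrs[NSFileProtectionKey];
}

// Writes secret to <Protected>/<fileName> with NSFileProtectionComplete and verifies the class.
BOOL WriteSecretWithCompleteProtection(NSData *secret, NSString *fileName, NSError **error) {
    NSFileManager *fm = [NSFileManager defaultManager];
    NSString *dir = ProtectedDirectoryPath();

    // Files created later inside this directory inherit its protection class.
    if (![fm createDirectoryAtPath:dir
       withIntermediateDirectories:YES
                        attributes:@{ NSFileProtectionKey: NSFileProtectionComplete }
                             error:error]) {
        return NO;
    }

    NSString *path = [dir stringByAppendingPathComponent:fileName];
    // Set the class in the same call that writes the bytes; atomic write means the
    // file is renamed into place complete, never observable half-written.
    if (![secret writeToFile:path
                     options:NSDataWritingAtomic | NSDataWritingFileProtectionComplete
                       error:error]) {
        return NO;
    }

    // Verify rather than assume: read the attribute back from the file system.
    NSString *actual = ProtectionClassAtPath(path, error);
    if (![actual isEqualToString:NSFileProtectionComplete]) {
        if (error) {
            NSString *msg = [NSString stringWithFormat:
                @"expected NSFileProtectionComplete on %@, found %@", path, actual];
            *error = [NSError errorWithDomain:NSCocoaErrorDomain
                                         code:NSFileWriteUnknownError
                                     userInfo:@{ NSLocalizedDescriptionKey: msg }];
        }
        [fm removeItemAtPath:path error:NULL]; // do not leave a weaker-class copy behind
        return NO;
    }
    return YES;
}

// Reads the secret only while the Complete class key is available (device unlocked).
// Returns nil with an error otherwise; callers can retry on
// UIApplicationProtectedDataDidBecomeAvailable.
NSData *ReadSecretIfAvailable(NSString *fileName, NSError **error) {
    if (![UIApplication sharedApplication].protectedDataAvailable) {
        if (error) {
            *error = [NSError errorWithDomain:NSCocoaErrorDomain
                                         code:NSFileReadNoPermissionError
                                     userInfo:@{ NSLocalizedDescriptionKey:
                                                 @"device is locked; protected data unavailable" }];
        }
        return nil;
    }
    NSString *path = [ProtectedDirectoryPath() stringByAppendingPathComponent:fileName];
    return [NSData dataWithContentsOfFile:path options:0 error:error];
}

// Example use from an app delegate or view controller (constructed sample secret).
void DataProtectionExample(void) {
    NSData *secret = [@"sample-api-token-constructed-for-demo" dataUsingEncoding:NSUTF8StringEncoding];
    NSError *err = nil;
    if (!WriteSecretWithCompleteProtection(secret, @"token.bin", &err)) {
        NSLog(@"write failed: %@", err);
        return;
    }
    NSData *back = ReadSecretIfAvailable(@"token.bin", &err);
    NSLog(@"read %@", back ? @"ok" : err);
}
```

Register for UIApplicationProtectedDataWillBecomeUnavailable to flush and close Complete-protected files before the lock, and for UIApplicationProtectedDataDidBecomeAvailable to resume; a background task that must keep writing after the lock should use NSFileProtectionCompleteUnlessOpen for that file instead, not downgrade the whole directory to None.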