NSFileProtectionComplete doesn't encrypt the core data file
I am using Xcode 7.3 for iOS 9.3 to try and encrypt a Core Data file. I am trying to use NSPersistentStoreFileProtectionKey and set it to NSFileProtectionComplete to enable
-
Rather than encrypt a file at the local level I set NSFileProtectionComplete for the app as a whole.
Create the file 'entitlements.plist' in your apps root folder with the following content.
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>DataProtectionClass</key> <string>NSFileProtectionComplete</string> </dict> </plist>Then if you haven't already done so already (this could be the problem with your file level encryption) enable Data Protection in your apps capabilities.
讨论(0) -
Swift 5.0 & Xcode 11:
- Enable "Data Protection" in "Capabilities".
Use the following code to protect a file or folder at a specific path:
// Protects a file or folder + excludes it from backup. // - parameter path: Path component of the file. // - parameter fileProtectionType: `FileProtectionType`. // - returns: True, when protected successful. static func protectFileOrFolderAtPath(_ path: String, fileProtectionType: FileProtectionType) -> Bool { guard FileManager.default.fileExists(atPath: path) else { return false } let fileProtectionAttrs = [FileAttributeKey.protectionKey: fileProtectionType] do { try FileManager.default.setAttributes(fileProtectionAttrs, ofItemAtPath: path) return true } catch { assertionFailure("Failed protecting path with error: \(error).") return false } }(Optional) Use the following code to check whether the file or folder at the specific path is protected (note: This only works on physical devices):
/// Returns true, when the file at the provided path is protected. /// - parameter path: Path of the file to check. /// - note: Returns true, for simulators. Simulators do not have hardware file encryption. This feature is only available for real devices. static func isFileProtectedAtPath(_ path: String) -> Bool { guard !Environment.isSimulator else { return true } // file protection does not work on simulator! do { let attributes = try FileManager.default.attributesOfItem(atPath: path) if attributes.contains(where: { $0.key == .protectionKey }) { return true } else { return false } } catch { assertionFailure(String(describing: error)) return false } }
讨论(0) -
We need to understand how Data Protection works. Actually, you don't even need to enable it. Starting with iOS7, the default protection level is “File Protection Complete until first user authentication.”
This means that the files are not accessible until the user unlocks the device for the first time. After that, the files remain accessible even when the device is locked and until it shuts down or reboots.
The other thing is that you're going to see the app's data on a trusted computer always - regardless of the Data Protection level setting.
However, the data can’t be accessed if somebody tries to read them from the flash drive directly. The purpose of Data Protection is to ensure that sensitive data can’t be extracted from a password-protected device’s storage.
After running this code, I could still access and read the contents written to protectedFileURL, even after locking the device.
do { try data.write(to: protectedFileURL, options: .completeFileProtectionUnlessOpen) } catch { print(error) }But that's normal since I ran iExplorer on a trusted computer. And for the same reason, it's fine if you see your sqlite file.
The situation is different if your device gets lost or stolen. A hacker won't be able to read the sqlite file since it's encrypted. Well, unless he guesses your passcode somehow.
讨论(0) -
Ok, I finally understand this.
Using Xcode 7.3.1
Enabling File Protection
- Enable File Protection using the Capabilities tab on your app target
- If you do not want the default NSFileProtectionComplete, change this setting in the developer portal under your app id
- Make sure Xcode has the new provisioning profile this creates.
- For protecting files your app creates, that's it.
- To protect Core Data, you need to add the NSPersistentStoreFileProtectionKey: NSFileProtectionComplete option to your persistent store.
Example:
var options: [NSObject : AnyObject] = [NSMigratePersistentStoresAutomaticallyOption: true, NSPersistentStoreFileProtectionKey: NSFileProtectionComplete, NSInferMappingModelAutomaticallyOption: true] do { try coordinator!.addPersistentStoreWithType(NSSQLiteStoreType, configuration: nil, URL: url, options: options)Testing File Protection
I am not able to test this using a non-jailbroken device connected to a computer. Every attempt to access the device this way requires that I "trust" the computer and I believe that trusted computers are always able to read the phone's data ("Trusted computers can sync with your iOS device, create backups, and access your device's photos, videos, contacts, and other content" - https://support.apple.com/en-us/HT202778). I think the other answers on SO referencing this technique are no longer valid with more recent versions of iOS. Indeed, I am always able to download the container using XCode and view the app's data using iPhone Explorer. So how to test...
1 - Create an archive and ensure that it is has the proper entitlements by running the following on the .app file from the command line:
codesign -d --entitlements :- <path_to_app_binary>You should see a key/value pair that represents your Data Protection level. In this example, NSFileProtectionComplete:
<key>com.apple.developer.default-data-protection</key> <string>NSFileProtectionComplete</string>In addition, I used the following two techniques to satisfy myself that the data protection is indeed working. They both require code changes.
2 - Add some code to verify that the proper NSFileProtectionKey is being set on your files and/or core data store:
NSFileManager.defaultManager().attributesOfItemAtPath(dbPath.path!)If I print this out on one of my files I get:
["NSFileCreationDate": 2016-10-14 02:06:39 +0000, "NSFileGroupOwnerAccountName": mobile, "NSFileType": NSFileTypeRegular, "NSFileSystemNumber": 16777218, "NSFileOwnerAccountName": mobile, "NSFileReferenceCount": 1, "NSFileModificationDate": 2016-10-14 02:06:39 +0000, "NSFileExtensionHidden": 0, "NSFileSize": 81920, "NSFileGroupOwnerAccountID": 501, "NSFileOwnerAccountID": 501, "NSFilePosixPermissions": 420, "NSFileProtectionKey": NSFileProtectionComplete, "NSFileSystemFileNumber": 270902]
Note the
"NSFileProtectionKey": "NSFileProtectionComplete"pair.3 - Modify the following code and hook it up to some button in your app.
@IBAction func settingButtonTouch(sender: AnyObject) { updateTimer = NSTimer.scheduledTimerWithTimeInterval(0.5, target: self, selector: #selector(TabbedOverviewViewController.runTest), userInfo: nil, repeats: true) registerBackgroundTask() } var backgroundTask: UIBackgroundTaskIdentifier = UIBackgroundTaskInvalid var updateTimer: NSTimer? func registerBackgroundTask() { backgroundTask = UIApplication.sharedApplication().beginBackgroundTaskWithExpirationHandler { [unowned self] in self.endBackgroundTask() } assert(backgroundTask != UIBackgroundTaskInvalid) } func endBackgroundTask() { NSLog("Background task ended.") UIApplication.sharedApplication().endBackgroundTask(backgroundTask) backgroundTask = UIBackgroundTaskInvalid } func runTest() { switch UIApplication.sharedApplication().applicationState { case .Active: NSLog("App is active.") checkFiles() case .Background: NSLog("App is backgrounded.") checkFiles() case .Inactive: break } } func checkFiles() { // attempt to access a protected resource, i.e. a core data store or file }When you tap the button this code begins executing the
checkFilesmethod every .5 seconds. This should run indefinitely with the app in the foreground or background - until you lock your phone. At that point it should reliably fail after roughly 10 seconds - exactly as described in the description ofNSFileProtectionComplete.讨论(0)
加载中...
- 热议问题