For my iOS 6+-only app, I would like to enable the On-Disk Encryption offered from iOS.
I read this guide and I saw the "Protecting the User's Data" video of the WWDC 2012 (Session 714). However, I could not make it work.
Here are the steps I followed:
1- In the iOS Dev Center, I created a new App ID with:
2- In Xcode, I added an Entitlements file with the key:
3- On the device, I activated a passcode lock.
If I'm not wrong, this should be all. I now expect that while the device (in my case: an iPhone 5) is locked, protected files are inaccessible. But... if I use iExplorer, I can easily access the files created by my app, even when the device is locked. But this is exactly what I want to avoid. Did I forget something?
The reason you can access files without unlocking your device is that an escrow keybag has been created. This is explained in Apple's iOS Security Guide (pdf):
Escrow keybag is used for iTunes syncing and Mobile Device Management (MDM). This keybag allows iTunes to back up and sync without requiring the user to enter a passcode, and it allows an MDM server to remotely clear a user’s passcode. It is stored on the computer that’s used to sync with iTunes, or on the MDM server that manages the device.
The Escrow keybag improves the user experience during device synchronization, which potentially requires access to all classes of data. When a passcode-locked device is first connected to iTunes, the user is prompted to enter a passcode. The device then creates an Escrow keybag and passes it to the host. The Escrow keybag contains exactly the same class keys used on the device, protected by a newly generated key. This key is needed to unlock the Escrow keybag, and is stored on the device in the Protected Until First User Authentication class. This is why the device passcode must be entered before backing up with iTunes for the first time after a reboot.
If you reboot your phone, you will not be able to access files without unlocking it once.
If you want files to be available only when the device is unlocked (plus about 10 seconds of grace period), set file protection to NSFileProtectionComplete. Be sure to implement delegate methods to know when data will become [un]available.
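The two things the answer recommends, writing a file under NSFileProtectionComplete and implementing the UIApplicationDelegate callbacks for protected-data availability, as an added Objective-C example (not code from the original question or answer). It assumes an iOS 6+ app whose delegate class is called AppDelegate (a hypothetical name); the file name is whatever the caller passes in.

```objc
// Added example; assumes an app delegate class named AppDelegate (hypothetical name).
#import <UIKit/UIKit.h>

// Writes `data` into the app's Documents directory under NSFileProtectionComplete and reads the
// attribute back to confirm the class took effect. Returns NO (with *error set) on any failure.
BOOL WriteFileWithCompleteProtection(NSData *data, NSString *fileName, NSError **error) {
    NSString *documentsDirectory = [NSSearchPathForDirectoriesInDomains(NSDocumentDirectory,
                                                                        NSUserDomainMask, YES) lastObject];
    NSString *path = [documentsDirectory stringByAppendingPathComponent:fileName];

    // Setting the class at creation time avoids a window in which the file exists on disk
    // with the default (weaker) class before the attribute is applied afterwards.
    if (![data writeToFile:path options:NSDataWritingFileProtectionComplete error:error]) {
        return NO;
    }

    // Verify: a file that landed with any other class should be treated as a bug, not ignored.
    NSDictionary *attributes = [[NSFileManager defaultManager] attributesOfItemAtPath:path error:error];
    NSString *protection = attributes[NSFileProtectionKey];
    if (![protection isEqualToString:NSFileProtectionComplete]) {
        if (error) {
            NSString *message = [NSString stringWithFormat:@"unexpected protection class: %@", protection];
            *error = [NSError errorWithDomain:@"FileProtectionCheck" code:1
                                     userInfo:@{ NSLocalizedDescriptionKey : message }];
        }
        return NO;
    }
    return YES;
}

@interface AppDelegate : UIResponder <UIApplicationDelegate>
@property (nonatomic, strong) UIWindow *window;
@end

@implementation AppDelegate

// Called shortly after the device locks (after the grace period): NSFileProtectionComplete
// files are about to become unreadable, so flush and close them here instead of failing later.
- (void)applicationProtectedDataWillBecomeUnavailable:(UIApplication *)application {
    NSLog(@"Protected data is about to become unavailable; close protected files now");
}

// Called once the user has entered the passcode: protected files can be reopened.
// Code that may run while locked can also check [UIApplication sharedApplication].protectedDataAvailable.
- (void)applicationProtectedDataDidBecomeAvailable:(UIApplication *)application {
    NSLog(@"Protected data is available again");
}

@end
```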
Source: https://stackoverflow.com/questions/15139305/enable-ios-on-disk-encryption