Enable iOS On-Disk Encryption

血红的双手。 Submitted on 2019-12-01 03:23:25
jatoben

The reason you can access files without unlocking your device is that an escrow keybag has been created. This is explained in Apple's iOS Security Guide (pdf):

Escrow keybag is used for iTunes syncing and Mobile Device Management (MDM). This keybag allows iTunes to back up and sync without requiring the user to enter a passcode, and it allows an MDM server to remotely clear a user’s passcode. It is stored on the computer that’s used to sync with iTunes, or on the MDM server that manages the device.

The Escrow keybag improves the user experience during device synchronization, which potentially requires access to all classes of data. When a passcode-locked device is first connected to iTunes, the user is prompted to enter a passcode. The device then creates an Escrow keybag and passes it to the host. The Escrow keybag contains exactly the same class keys used on the device, protected by a newly generated key. This key is needed to unlock the Escrow keybag, and is stored on the device in the Protected Until First User Authentication class. This is why the device passcode must be entered before backing up with iTunes for the first time after a reboot.

If you reboot your phone, you will not be able to access files without unlocking it once.

If you want files to be available only when the device is unlocked (plus about 10 seconds of grace period), set file protection to NSFileProtectionComplete. Be sure to implement delegate methods to know when data will become [un]available.
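
An added example, not part of the original answer: one way to store a file under NSFileProtectionComplete and react when protected data becomes unavailable. It uses the notification counterparts of the app delegate methods `applicationProtectedDataWillBecomeUnavailable:` and `applicationProtectedDataDidBecomeAvailable:`; the class name `ProtectedStore` and the file name `secrets.dat` are hypothetical.

```objective-c
#import <UIKit/UIKit.h>

// Hypothetical helper: keeps one file under NSFileProtectionComplete and
// drops its in-memory copy when protected data is about to become unavailable.
@interface ProtectedStore : NSObject
@property (nonatomic, strong) NSURL *fileURL;
@property (nonatomic, strong) NSData *cached;   // plaintext held while unlocked
@end

@implementation ProtectedStore
- (instancetype)init {
    if ((self = [super init])) {
        NSURL *docs = [[NSFileManager defaultManager] URLsForDirectory:NSDocumentDirectory
                                                             inDomains:NSUserDomainMask].firstObject;
        _fileURL = [docs URLByAppendingPathComponent:@"secrets.dat"]; // constructed name
        NSNotificationCenter *nc = [NSNotificationCenter defaultCenter];
        [nc addObserver:self selector:@selector(willLock:)
                   name:UIApplicationProtectedDataWillBecomeUnavailable object:nil];
        [nc addObserver:self selector:@selector(didUnlock:)
                   name:UIApplicationProtectedDataDidBecomeAvailable object:nil];
    }
    return self;
}
// Call on the main thread. Writes atomically with the Complete protection class.
- (BOOL)save:(NSData *)data error:(NSError **)error {
    if (![UIApplication sharedApplication].protectedDataAvailable) {
        if (error) *error = [NSError errorWithDomain:NSCocoaErrorDomain
                                                code:NSFileWriteNoPermissionError userInfo:nil];
        return NO;                                // locked: defer until didUnlock:
    }
    self.cached = data;
    return [data writeToURL:self.fileURL
                    options:NSDataWritingAtomic | NSDataWritingFileProtectionComplete
                      error:error];
}
// Confirms the attribute actually set on disk (check on a device with a passcode).
- (BOOL)isCompletelyProtected {
    NSDictionary *attrs = [[NSFileManager defaultManager]
        attributesOfItemAtPath:self.fileURL.path error:NULL];
    return [attrs[NSFileProtectionKey] isEqualToString:NSFileProtectionComplete];
}
- (void)willLock:(NSNotification *)note {
    self.cached = nil;                            // do not keep plaintext across a lock
}
- (void)didUnlock:(NSNotification *)note {
    self.cached = [NSData dataWithContentsOfURL:self.fileURL]; // file is readable again
}
- (void)dealloc { [[NSNotificationCenter defaultCenter] removeObserver:self]; }
@end
```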
