6

I just need a confirmation on this.

Is it correct to say that, with the iPhone 3GS and above, any data written to the filesystem is encrypted using hardware encryption? By simply creating the XXX.sqlite file on the file system, the data stored in it is already encrypted.

Also for further security NSFileProtectionComplete is provided?

Thanks.

Lorenzo B
user1253637
  • AFAIK that is the case only if the phone has a passcode and is in a locked state. – Rog Mar 14 '12 at 00:06
  • Also have a look at this WWDC session https://developer.apple.com/itunes/?destination=adc.apple.com.4088379409.04088379411.4092394151?i=1595505280 – Rog Mar 14 '12 at 00:13

3 Answers

8
// Request the NSFileProtectionComplete class for the store when it is added
NSError *error = nil;
[_persistentStoreCoordinator addPersistentStoreWithType:NSSQLiteStoreType configuration:nil URL:storeURL options:@{ NSPersistentStoreFileProtectionKey : NSFileProtectionComplete } error:&error];
rosem
  • This seems to be working for me- out of curiosity, does anyone think the Apple documentation for this is incorrect? The only mention I see of this option value is at https://developer.apple.com/library/mac/documentation/Cocoa/Reference/CoreDataFramework/Classes/NSPersistentStoreCoordinator_Class/#//apple_ref/doc/constant_group/Spotlight_External_Record_Elements which does not seem correct. – jeffmax Jul 09 '15 at 13:58
7

No, that is not correct. You will need to enable encryption on the sqlite file. Add the following after you create your persistentStoreCoordinator:

// Make sure the database is encrypted when the device is locked
NSError *error = nil;
NSDictionary *fileAttributes = [NSDictionary dictionaryWithObject:NSFileProtectionComplete forKey:NSFileProtectionKey];
if (![[NSFileManager defaultManager] setAttributes:fileAttributes ofItemAtPath:[storeURL path] error:&error]) {
    // Deal with the error
}
edsko
  • 1
    I think this will fail to encrypt the Write-Ahead Log (WAL) file, which contains application data. This has to do with the journal mode used for SQLite, but by default it is now on. See the comment below by Mike Rose and this blog post for more information: http://www.hopelessgeek.com/2014/10/10/core-data-and-data-protection/ – jeffmax Jul 14 '15 at 16:52
  • 2
    @edsko Is it mandatory to turn on Data Protection in capabilities as well in order to complete the core data file encryption ? – RandomGuy Nov 29 '16 at 18:24
3

No, your assumption is not correct.

From the NSPersistentStoreCoordinator class documentation:

The default value is NSFileProtectionCompleteUntilFirstUserAuthentication for all applications built on or after iOS v5.0. The default value for all older applications is NSFileProtectionNone.

To enable NSFileProtectionComplete, one would need to add the NSPersistentStoreFileProtectionKey with NSFileProtectionComplete to the options NSDictionary when calling the addPersistentStoreWithType:configuration:URL:options:error: method.

Keep in mind that this file encryption is only enabled when the user has set a passcode.

Eric
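Added example, not code from any of the answers above, that ties together the two points raised in this thread: pass NSPersistentStoreFileProtectionKey in the options when adding the store (Eric's answer), then confirm that the store file and its SQLite -wal/-shm sidecars, which the comment on edsko's answer warns about, actually report NSFileProtectionComplete. It assumes the caller supplies `model` and `storeURL`, and that the device has a passcode set (without one the protection class is recorded but the data is not protected at rest).

```objectivec
#import <CoreData/CoreData.h>

// Adds the SQLite store with NSFileProtectionComplete requested, then verifies
// the protection class on the store file and its WAL/SHM sidecars.
// Returns YES only when every file that exists carries the expected class.
// `model` and `storeURL` are assumed to be prepared by the caller.
static BOOL AddProtectedStoreAndVerify(NSManagedObjectModel *model, NSURL *storeURL, NSError **outError) {
    NSPersistentStoreCoordinator *psc =
        [[NSPersistentStoreCoordinator alloc] initWithManagedObjectModel:model];

    NSDictionary *options = @{
        NSPersistentStoreFileProtectionKey : NSFileProtectionComplete,
        // Keep WAL journaling explicit; it is what produces the -wal/-shm sidecars checked below.
        NSSQLitePragmasOption : @{ @"journal_mode" : @"WAL" }
    };

    NSPersistentStore *store = [psc addPersistentStoreWithType:NSSQLiteStoreType
                                                 configuration:nil
                                                           URL:storeURL
                                                       options:options
                                                         error:outError];
    if (store == nil) {
        return NO;
    }

    NSFileManager *fm = [NSFileManager defaultManager];
    NSString *base = [storeURL path];
    NSArray<NSString *> *paths = @[ base,
                                    [base stringByAppendingString:@"-wal"],
                                    [base stringByAppendingString:@"-shm"] ];

    for (NSString *path in paths) {
        if (![fm fileExistsAtPath:path]) {
            continue; // sidecars only appear once SQLite has written to the store
        }
        NSError *attrError = nil;
        NSDictionary *attrs = [fm attributesOfItemAtPath:path error:&attrError];
        if (attrs == nil) {
            if (outError) *outError = attrError;
            return NO;
        }
        NSString *protection = attrs[NSFileProtectionKey];
        if (![protection isEqualToString:NSFileProtectionComplete]) {
            NSLog(@"Unexpected protection class %@ on %@", protection, path);
            return NO;
        }
    }
    return YES;
}
```

Run the check after the first save so the sidecars exist; a file reporting NSFileProtectionCompleteUntilFirstUserAuthentication means the store was created without the option and the class must be changed before relying on it.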