7

So I am working on a app which stores user information with CoreData framework locally. The information can be sensitive, so I am thinking how to protect the information stored to the data base. In Xcode dashboard, under the capabilities tab, I found this Data Protection switch:

Anyone knows how this works? If I turn on the switch will Xcode encode my CoreData files automatically? Or how to implement this protection on my CoreData files? Appreciate your time and patient. Thank you!

bfontaine
  • 18,169
  • 13
  • 73
  • 107
Michael Dai
  • 115
  • 1
  • 8
  • Have you tried looking in Apple's documentation at all? Which part(s) do you need help with? – Tom Harrington Dec 21 '16 at 03:08
  • @Tom Harrington – Michael Dai Dec 21 '16 at 04:07
  • @Tom Harrington Yes I went through Apple's documentation about Data Protection, but it is super brief and did not mention any useful methods or how to implement. I am now confused about how to implement iOS's data protection onto my CoreData database~ – Michael Dai Dec 21 '16 at 04:08

2 Answers2

5

As per Apple documentation, the Data protection is enabled automatically when the user sets an active passcode for the device. The system encrypts and decrypts your content behind the scenes. These processes are automatic and hardware accelerated. But still we can set the file protection level options programmatically by using none, complete, completeUnlessOpen and completeUntilFirstUserAuthentication

let options = [NSMigratePersistentStoresAutomaticallyOption:true,
                           NSInferMappingModelAutomaticallyOption:true,
                           NSPersistentStoreFileProtectionKey: FileProtectionType.complete] as [String : Any]
            try persistantStoreCoordinator.addPersistentStore(ofType: NSSQLiteStoreType, configurationName: nil, at: storeURL, options: options)

Refer this link to know more information on different types of options.

Ganesh G
  • 1,991
  • 1
  • 24
  • 37
3

You found the right spot, you have to turn on the Data Protection switch in your target's capabilities pane to signal that you want to use data protection. According to Apple's documentation, this should suffice:

The default level of protection is complete protection, in which files are encrypted and inaccessible when the device is locked. You can programmatically set the level of protection for files created by your app [...]

It states you can set the level of protection programmatically. If you want to do that (I still do that, to be save ;), you should use the appropriate option when creating the persistentStoreCoordinator:

NSDictionary *options = [NSDictionary dictionaryWithObjectsAndKeys:
                         @YES, NSMigratePersistentStoresAutomaticallyOption,
                         @YES, NSInferMappingModelAutomaticallyOption,
                         NSFileProtectionComplete, NSPersistentStoreFileProtectionKey, // <-- HERE
                         nil];
...

__persistentStoreCoordinator = [[NSPersistentStoreCoordinator alloc] initWithManagedObjectModel:[self managedObjectModel]];
if (![__persistentStoreCoordinator addPersistentStoreWithType:NSSQLiteStoreType configuration:nil URL:storeURL options:options error:&error]) {
...
}

NSFileProtectionComplete means

The file is stored in an encrypted format on disk and cannot be read from or written to while the device is locked or booting.

You could also use NSFileProtectionCompleteUnlessOpen, see the Xcode Quick Help for differences.

AverageHelper
  • 2,144
  • 2
  • 22
  • 34
Dirk
  • 2,335
  • 24
  • 36
  • Thank you for your response. So if i understand this right, as long as I turn on the Data Protection switch in my target's capabilities pane, all the files contained in this app are encrypted and inaccessible. – Michael Dai Dec 21 '16 at 10:09
  • But I still have the option to change the protection level programmatically. Sounds like turn on the switch is good enough for me:D – Michael Dai Dec 21 '16 at 10:10
  • Yep. Maybe this is why the documentation is so brief ;) – Dirk Dec 21 '16 at 10:35