I'd like to better understand the behaviour of entitlements, and default data protection specificially. My assumption is that iOS application does not need to specify default data protection explicitly, neither in Provisioning Profiles or app entitlements plist file. In that case, the default value "Complete until first user authentication. (Default)" will be used (https://developer.apple.com/documentation/uikit/protecting_the_user_s_privacy/encrypting_your_app_s_files).
I wonder what happens when the default data protection is specified in PP entitlements with the value "Complete", but the default data protection setting is not present in app entitlements plist at all.
My observation is that app entitlements plist is used as a primary source, and validated against PP entitlements, in that case, the binary (codesign -d --entitlements :- <path_to_app>) will NOT have this setting, and frashly installed app will default to "Complete until first user authentication".
Side note: I've also noticed the codesign will fail if PP and app entitlements plist have different default-data-protection settings i.e. NSFileProtectionComplete in one, and NSFileProtectionCompleteUntilFirstUserAuthentication in the other (error: Provisioning profile "...” doesn’t match the entitlements).
Is it correct to say that if an app does not have default-data-protection setting in its entitlements plist, it's safe assume it will always default to NSFileProtectionCompleteUntilFirstUserAuthentication regardless of the value in Provisioning Profile and App Identifier, i.e. even the Provisioning Profile and App Identifier has Data Protection "Complete", "Protected Unless Open", or "Protected Until First User Authentication", the app will default to NSFileProtectionCompleteUntilFirstUserAuthentication.
Many thanks for any tips!
I wonder what happens when the default data protection is specified in PP entitlements with the value "Complete", but the default data protection setting is not present in app entitlements plist at all.
My observation is that app entitlements plist is used as a primary source, and validated against PP entitlements, in that case, the binary (codesign -d --entitlements :- <path_to_app>) will NOT have this setting, and frashly installed app will default to "Complete until first user authentication".
Side note: I've also noticed the codesign will fail if PP and app entitlements plist have different default-data-protection settings i.e. NSFileProtectionComplete in one, and NSFileProtectionCompleteUntilFirstUserAuthentication in the other (error: Provisioning profile "...” doesn’t match the entitlements).
Is it correct to say that if an app does not have default-data-protection setting in its entitlements plist, it's safe assume it will always default to NSFileProtectionCompleteUntilFirstUserAuthentication regardless of the value in Provisioning Profile and App Identifier, i.e. even the Provisioning Profile and App Identifier has Data Protection "Complete", "Protected Unless Open", or "Protected Until First User Authentication", the app will default to NSFileProtectionCompleteUntilFirstUserAuthentication.
Many thanks for any tips!