File Protection level in iOS

Hi, I wanted to know what level of NSFileProtection is provided by default in iOS in the user's documents directory of the application container. Basically, if I am creating a file in this location:

NSArray *documentPaths = NSSearchPathForDirectoriesInDomains(NSDocumentDirectory, NSUserDomainMask, YES);

What level of protection among NSFileProtectionType is provided?

This is a complicated question. If you install your app from scratch then the value is determined by the Data Protection Entitlement (com.apple.developer.default-data-protection). On modern systems its default is NSURLFileProtectionCompleteUntilFirstUserAuthentication.

WARNING I strongly recommend that you not use the com.apple.developer.default-data-protection entitlement to change this default. Doing so can cause problems if your app ever runs in the background (which is basically unavoidable on modern systems). I recommend that you explicitly set data protection on the files that you manage.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thanks for the reply. I had a few questions. If my app does not have this entitlement, will the default data protection still be present? Secondly, as you mentioned, how can I explicitly add data protection to my files? Can you share an example?

Accepted Answer

if my app does not have this entitlement, will the default data protection still be present?

Yes. The entitlement overrides the default. The default is… well… the default (-:

how can I explicitly add data protection to my files?

Best practice is to apply data protection to a file as you create it so the answer depends on what API you’re using. For example:

  • If you use the write(to:options:) method on Data, the options parameter supports data protection.

  • Core Data has an option to set up data protection.

  • If you’re using Darwin-layer APIs, there’s open_dprotected_np [1].

If the API you’re using doesn’t have an option for this, you have two choices:

  • Modify the protection after writing the file by setting the URL’s .fileProtectionKey.

  • Create a temporary directory, set the data protection on that, and then create your file within that directory. Files written to a directory default to that directory’s data protection.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Annoyingly, this has no man page (r. 93562342).
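
The options listed in the accepted answer (write(to:options:), setting .fileProtectionKey afterwards, and a protected directory), as an added Swift example that is not from the original posts. The ProtectedStore type, its method names, the file names and the chosen protection levels are assumptions made for illustration.

```swift
import Foundation

// Added example; ProtectedStore and its method names are hypothetical.
enum ProtectedStore {
    /// Apply protection as the file is created, via Data.write(to:options:).
    static func write(_ data: Data, to url: URL, protection: Data.WritingOptions) throws {
        try data.write(to: url, options: [.atomic, protection])
    }

    /// Change protection on an existing file by setting the URL's .fileProtectionKey.
    static func setProtection(_ level: URLFileProtection, on url: URL) throws {
        try (url as NSURL).setResourceValue(level, forKey: .fileProtectionKey)
    }

    /// Create a directory with an explicit protection level; files created
    /// inside it default to the directory's level.
    static func makeDirectory(named name: String, in parent: URL,
                              protection: FileProtectionType) throws -> URL {
        let dir = parent.appendingPathComponent(name, isDirectory: true)
        try FileManager.default.createDirectory(at: dir, withIntermediateDirectories: true,
                                                attributes: [.protectionKey: protection])
        return dir
    }

    /// Read back the level actually applied, to verify rather than assume.
    static func protection(of url: URL) throws -> URLFileProtection? {
        try url.resourceValues(forKeys: [.fileProtectionKey]).fileProtection
    }
}

func demo() throws {
    let docs = try FileManager.default.url(for: .documentDirectory, in: .userDomainMask,
                                           appropriateFor: nil, create: true)
    let payload = Data("constructed sample payload".utf8)

    // .complete makes the file unreadable while the device is locked, so only
    // use it for data that background code never needs to touch.
    let a = docs.appendingPathComponent("a.bin")          // placeholder name
    try ProtectedStore.write(payload, to: a, protection: .completeFileProtection)

    let b = docs.appendingPathComponent("b.bin")          // placeholder name
    try payload.write(to: b)                              // created with the default level
    try ProtectedStore.setProtection(.completeUnlessOpen, on: b)

    let dir = try ProtectedStore.makeDirectory(named: "Protected", in: docs, protection: .complete)
    let c = dir.appendingPathComponent("c.bin")           // placeholder name
    try payload.write(to: c)                              // inherits the directory's level

    for url in [a, b, c] {
        let level = try ProtectedStore.protection(of: url)
        print(url.lastPathComponent, level?.rawValue ?? "none reported")
    }
}
```

Data protection is enforced only on a device with a passcode set, so check the reported values there rather than in the Simulator.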
