Data protection encryption in iOS 7 / iPhone 4s

Hi,

I have a question regarding data protection in iOS 7. Question 1: if the passcode is turned off, and data protection is disabled, in this case, will the files in NAND flash still be encrypted? Or will it just disable all hardware encryption and all the files in NAND flash will be decrypted and stored in plain text? The security paper says even the NSFileProtectionNone class has some level of hardware encryption, but my question is if someone disables the passcode and disables data protection, will the newly created file still be encrypted using the UID key so that chipping off the NAND flash and reading off the NAND directly does not work due to encryption even though the passcode is disabled and data protection is not active? Question 2: if they are still encrypted, do the files in the storage have the data protection NSFileProtectionNone class if the passcode is disabled and data protection is inactive?

Answered by DTS Engineer in 805025022

Please reply in a reply; if you reply in the comments, I may not see it. For this and other titbits, see Quinn’s Top Ten DevForums Tips.

It does not have to be iOS 7 specific.

OK.

I am asking about how data protection api would generally work if the passcode is disabled.

I see two questions in your original post:

if the passcode is turned off, and data protection is disabled, in this case, will the files in nand flash still be encrypted?

That’s a question about the implementation, not the APIs. My focus is on APIs, so I’m not going to tackle questions about the implementation. I generally point folks at Apple Platform Security.

if they are still encrypted, do the files in the storage have the data protection NSFileProtectionNone class if the passcode is disabled and data protection is inactive?

Now that’s an API question, one that I don’t know off the bat. However, I ran a quick test and the results are clear: The data protection attribute on a file is independent of the availability of data protection as a whole. For example:

  • You can create a file with .complete when there’s no passcode set. If the user sets a passcode at some point in the future, the file will then receive that protection.

  • If you set .complete on a file while there’s a passcode set, and then the user disables their passcode, the file continues to report having .complete protection.

At least, that’s how it worked on iOS 16 (-: I’m not able to test this on more modern systems because I can’t disable the passcode on my more modern devices [1]. However, I very much doubt that this has changed.

This all gels with my understanding of how things are implemented, based on my reading of Apple Platform Security.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Because they all contain data that I need to keep protected.
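
A way to repeat the test described in the answer above, as an added example that is not part of the original post and not Apple's code: it creates a file in each protection class and reads back the attribute the file reports, alongside whether a passcode is currently set. The file names, the `ProtectionReport` type and the function names are assumptions made for this sketch; it is meant to run inside an iOS app.

```swift
import Foundation
import LocalAuthentication

/// What was requested for a file, what the file reports, and the passcode state.
struct ProtectionReport {
    let passcodeSet: Bool
    let requested: FileProtectionType
    let reported: FileProtectionType?
}

/// False only when LocalAuthentication reports that no passcode is set.
func devicePasscodeIsSet() -> Bool {
    var error: NSError?
    if LAContext().canEvaluatePolicy(.deviceOwnerAuthentication, error: &error) {
        return true
    }
    return error?.code != LAError.Code.passcodeNotSet.rawValue
}

/// Creates a file with the given protection class, then reads the attribute back.
func writeAndReport(_ payload: Data, named name: String,
                    protection: FileProtectionType) throws -> ProtectionReport {
    let fm = FileManager.default
    let dir = try fm.url(for: .applicationSupportDirectory, in: .userDomainMask,
                         appropriateFor: nil, create: true)
    let url = dir.appendingPathComponent(name)  // constructed sample file name
    guard fm.createFile(atPath: url.path, contents: payload,
                        attributes: [.protectionKey: protection]) else {
        throw CocoaError(.fileWriteUnknown)
    }
    let attrs = try fm.attributesOfItem(atPath: url.path)
    return ProtectionReport(passcodeSet: devicePasscodeIsSet(),
                            requested: protection,
                            reported: attrs[.protectionKey] as? FileProtectionType)
}

/// Logs the reported class for each requested class; run once with a passcode
/// set and once without, and compare the "reported" column.
func logProtectionClasses() {
    let classes: [FileProtectionType] =
        [.complete, .completeUntilFirstUserAuthentication, .none]
    for (index, cls) in classes.enumerated() {
        do {
            let r = try writeAndReport(Data("sample".utf8),
                                       named: "dp-test-\(index).bin", protection: cls)
            print("passcode=\(r.passcodeSet) requested=\(r.requested.rawValue) "
                  + "reported=\(r.reported?.rawValue ?? "nil")")
        } catch {
            print("failed for \(cls.rawValue): \(error)")
        }
    }
}
```

The reported attribute describes the class assigned to the file, not whether a passcode-derived key is protecting it at that moment, so the passcode state has to be checked separately as done here.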

I have a question regarding data protection in ios 7.

About iOS 7 itself? Or about some API that we introduced in iOS 7?

Because if this is about iOS 7 specifically, that’s not something I can help you with. DTS tries to support old releases as much as we can, but iOS 7 is way too old.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
