Data Protections / Entitlements

iOS leverages an API called "Data Protection" to assign a protection class to each file the application creates. The assigned class is one of the four listed below. These classes determine how each individual file of the app is encrypted and protected. The encryption keys associated with Data Protection are stored in the Secure Enclave Processor (SEP) with all other encryption keys.

Data Protection Classes

Class                                                 API Name
Class A: Complete Protection                          NSFileProtectionComplete
Class B: Protected Unless Open                        NSFileProtectionCompleteUnlessOpen
Class C: Protected Until First User Authentication    NSFileProtectionCompleteUntilFirstUserAuthentication
Class D: No Protection                                NSFileProtectionNone

For detailed information on each of these classes, see Apple's Security Guide:

https://support.apple.com/guide/security/data-protection-classes-secb010e978a/web

The app's default Data Protection class is defined by an application entitlement called com.apple.developer.default-data-protection.

To obtain the entitlements from a binary there are a couple of different tools that you can choose from:

codesign -d --entitlements - binaryName
jtool2 --ent binaryName

Keep in mind that this entitlement is read from the code signature, so it applies to Mach-O files that carry a valid code signature. In the Dynamic Analysis section we will demonstrate how to pull the data protection class of each file directly from the device using Frida.

Once the entitlements are dumped from the binary, you can review them for the data protection class.

There will be other entitlements not associated with data protection, so be sure to look for the com.apple.developer.default-data-protection key.

Below is an example using both tools.

Codesign

% codesign -d --entitlements - BufferOverflow
Executable=/Users/steve/Downloads/Projects/AIG-Mobile-Device-Testing-Guide/Lab-Files/BufferOverflow
[Dict]
	[Key] application-identifier
	[Value]
		[String] 5Z53J9VNR6.io.stinger.BufferOverflow
	[Key] com.apple.developer.default-data-protection
	[Value]
		[String] NSFileProtectionComplete
	[Key] com.apple.developer.team-identifier
	[Value]
		[String] 5Z53J9VNR6
	[Key] com.apple.security.application-groups
	[Value]
		[Array]
			[String] group.io.stinger
	[Key] get-task-allow
	[Value]
		[Bool] true
	[Key] keychain-access-groups
	[Value]
		[Array]
			[String] 5Z53J9VNR6.io.stinger.BufferOverflow

jtool

% jtool2 --ent BufferOverflow
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>application-identifier</key>
	<string>5Z53J9VNR6.io.stinger.BufferOverflow</string>
	<key>com.apple.developer.default-data-protection</key>
	<string>NSFileProtectionComplete</string>
	<key>com.apple.developer.team-identifier</key>
	<string>5Z53J9VNR6</string>
	<key>com.apple.security.application-groups</key>
	<array>
		<string>group.io.stinger</string>
	</array>
	<key>get-task-allow</key>
	<true/>
	<key>keychain-access-groups</key>
	<array>
		<string>5Z53J9VNR6.io.stinger.BufferOverflow</string>
	</array>
</dict>
</plist>
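As an added example (not part of the original guide or of the BufferOverflow lab project), the following Python script automates the review step described above: it parses an entitlements XML plist of the form that jtool2 --ent prints, looks up the com.apple.developer.default-data-protection key, maps the value to the class table on this page, and flags the result for review when it is Class C or D. The embedded input is the jtool2 output shown above, copied here as a constructed sample so the script runs offline. Treating a missing entitlement as Class C follows Apple's documented default for that entitlement; the flagging threshold (C or D) and the function names are this example's own choices.

```python
import plistlib
import sys

# Entitlement key that sets the default Data Protection class for files the app creates.
DEFAULT_DATA_PROTECTION_KEY = "com.apple.developer.default-data-protection"

# Data Protection classes from the table above, keyed by API name: (class letter, description).
PROTECTION_CLASSES = {
    "NSFileProtectionComplete": ("A", "Complete Protection"),
    "NSFileProtectionCompleteUnlessOpen": ("B", "Protected Unless Open"),
    "NSFileProtectionCompleteUntilFirstUserAuthentication": (
        "C", "Protected Until First User Authentication"),
    "NSFileProtectionNone": ("D", "No Protection"),
}

# Apple's documented default when an app does not set the entitlement at all.
DEFAULT_WHEN_ABSENT = "NSFileProtectionCompleteUntilFirstUserAuthentication"

# Constructed sample input: the jtool2 --ent output shown above, embedded so the
# example runs without a device, a binary or jtool2 installed.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>application-identifier</key>
	<string>5Z53J9VNR6.io.stinger.BufferOverflow</string>
	<key>com.apple.developer.default-data-protection</key>
	<string>NSFileProtectionComplete</string>
	<key>com.apple.developer.team-identifier</key>
	<string>5Z53J9VNR6</string>
	<key>com.apple.security.application-groups</key>
	<array>
		<string>group.io.stinger</string>
	</array>
	<key>get-task-allow</key>
	<true/>
	<key>keychain-access-groups</key>
	<array>
		<string>5Z53J9VNR6.io.stinger.BufferOverflow</string>
	</array>
</dict>
</plist>
"""


def parse_entitlements(plist_xml: bytes) -> dict:
    """Parse an entitlements XML plist (the form jtool2 --ent prints) into a dict."""
    entitlements = plistlib.loads(plist_xml)
    if not isinstance(entitlements, dict):
        raise ValueError("entitlements plist root is not a dict")
    return entitlements


def assess_data_protection(entitlements: dict) -> dict:
    """Resolve the app's default Data Protection class and decide whether to flag it.

    Classes A and B keep file contents unreadable while the device is locked;
    C and D do not, so this example's review policy flags them (and any value it
    does not recognise) for follow-up.
    """
    value = entitlements.get(DEFAULT_DATA_PROTECTION_KEY)
    if value is None:
        letter, label = PROTECTION_CLASSES[DEFAULT_WHEN_ABSENT]
        note = "entitlement absent; iOS applies the default class"
    elif value in PROTECTION_CLASSES:
        letter, label = PROTECTION_CLASSES[value]
        note = "entitlement present"
    else:
        return {"value": value, "class": None, "label": None,
                "flag": True, "note": "unrecognised value, inspect manually"}
    return {"value": value, "class": letter, "label": label,
            "flag": letter in ("C", "D"), "note": note}


def report(entitlements: dict) -> str:
    """One-line summary suitable for pasting into a test report."""
    r = assess_data_protection(entitlements)
    status = "FLAG" if r["flag"] else "ok"
    return (f"[{status}] default-data-protection = {r['value']!r} "
            f"-> Class {r['class']} ({r['label']}); {r['note']}")


if __name__ == "__main__":
    # Usage: python3 check_dp.py [entitlements.plist]; falls back to the embedded sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_ENTITLEMENTS
    print(report(parse_entitlements(data)))
```

Run it against a saved copy of the jtool2 output (redirect the command's stdout to a file) to get a one-line verdict per binary; the sample above yields an "[ok]" line because the lab app requests NSFileProtectionComplete.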