
Data Protection

iOS and iPadOS provide an API called "Data Protection" that encrypts and protects each individual file of the app. The encryption keys are stored in the Secure Enclave Processor (SEP).

Data Protection Classes

Class                                               API Name
Class A: Complete Protection                        NSFileProtectionComplete
Class B: Protected Unless Open                      NSFileProtectionCompleteUnlessOpen
Class C: Protected Until First User Authentication  NSFileProtectionCompleteUntilFirstUserAuthentication
Class D: No Protection                              NSFileProtectionNone

For detailed information on each of these classes, see Apple's Security Guide:

https://support.apple.com/guide/security/data-protection-classes-secb010e978a/web

Dynamic Analysis Testing

Using Frida, we can interrogate the running application to determine the Data Protection class of every file in the application's containers. There is a Frida script available on Bitbucket to assist with the evaluation.

  • Run Frida with the "-l" option and pass the ios-data-protection.js script

      frida -U -l ios-data-protection.js -f com.example.app
  • Once Frida is connected to the app, and the script has been injected, run the getDataProtectionKeysForAllPaths() function

    [iPhone::Mobile]-> getDataProtectionKeysForAllPaths()
  • This function will produce a lot of output, as it evaluates every single file associated with the application

    % frida -U -l iosDataProtection.js -F
    ____
    / _ | Frida 12.11.17 - A world-class dynamic instrumentation toolkit
    | (_| |
    > _ | Commands:
    /_/ |_| help -> Displays the help system
    . . . . object? -> Display information about 'object'
    . . . . exit/quit -> Exit
    . . . .
    . . . . More info at https://www.frida.re/docs/home/
    [iPhone::Mobile]-> getDataProtectionKeysForAllPaths()
    [
    {
    "fileProtectionKey": "NSFileProtectionNone",
    "path": "/private/var/mobile/Containers/Data/Application/7A2A3930-A2A4-4F8B-B162-3DC35E5FA59B/StoreKit/receipt"
    },
    {
    "fileProtectionKey": "NSFileProtectionCompleteUntilFirstUserAuthentication",
    "path": "/private/var/mobile/Containers/Data/Application/7A2A3930-A2A4-4F8B-B162-3DC35E5FA59B/Documents/FSCalendar.fid"
    },

    etc…
  • Evaluate the output to determine whether the Data Protection class set on each file is appropriate for the type of file displayed.

    • If the file holds application data, such as plists or SQLite databases, then a protection class should be set.

    • If the files are benign, such as images or the StoreKit receipt, then not having a Data Protection class set is fine.