
Data Protection Classes -- Static Analysis

iOS and iPadOS provide an API called "Data Protection" that encrypts and protects each individual file of the app. The encryption keys are stored in the Secure Enclave Processor (SEP).

Data Protection Classes:

  Class                                                API Name
  Class A: Complete Protection                         NSFileProtectionComplete
  Class B: Protected Unless Open                       NSFileProtectionCompleteUnlessOpen
  Class C: Protected Until First User Authentication   NSFileProtectionCompleteUntilFirstUserAuthentication
  Class D: No Protection                               NSFileProtectionNone

For detailed information on each of these classes, see Apple's Security Guide:

https://support.apple.com/guide/security/data-protection-classes-secb010e978a/web

The app's default Data Protection class is declared through an application entitlement called "com.apple.developer.default-data-protection".

Check Default Data Protection For App

To evaluate the entitlements of an app, use the 'codesign' tool on macOS. It can be run on the ".app" directory or on the executable binary of the app.

  • Unzip the IPA file:

    % unzip -qq filename.ipa

  • Use the codesign command to list the entitlements:

    % codesign -d --entitlements :- "Payload/AppName.app"

  • Look in the output for the com.apple.developer.default-data-protection key. Example output:

    % codesign -d --entitlements :- "Payload/AppName.app"
    Executable=/Users/name/Downloads/Payload/AppName.app/AppName
    <?xml version="1.0" encoding="UTF-8"?>
    <plist version="1.0">
    <dict>
    <key>com.apple.developer.team-identifier</key>
    <string>AS2XXXXX7Q</string>
    <key>application-identifier</key>
    <string>AS2XXXXX7Q.com.company.appname</string>
    <key>aps-environment</key>
    <string>production</string>

    <key>com.apple.developer.default-data-protection</key>
    <string>
    NSFileProtectionCompleteUntilFirstUserAuthentication
    </string>

    <key>com.apple.developer.associated-domains</key>
    <array>
    <string>webcredentials:*.company.com</string>
    <string>applinks:*.company.com</string>
    </array>
    </dict>
    </plist>

  • The same command can be run directly on the executable binary inside the ".app" directory; it presents the same results.

If NSFileProtectionNone is found to be in use, or the app does not set any Data Protection class at all, call this out as a finding for insufficient app protections.
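The check above, automated as an added example that is not part of the original page: it parses the entitlements plist that codesign prints (a constructed sample mirroring the output above is embedded) and flags the two conditions that count as a finding. Function names are this example's own; running codesign itself requires macOS.

```python
"""Added example (not the page's own code): evaluate an iOS app's
com.apple.developer.default-data-protection entitlement from codesign's plist output."""
import plistlib
import subprocess
from typing import Optional, Tuple

ENTITLEMENT = "com.apple.developer.default-data-protection"

# Data Protection classes as listed on the page.
KNOWN_CLASSES = {
    "NSFileProtectionComplete": "Class A: Complete Protection",
    "NSFileProtectionCompleteUnlessOpen": "Class B: Protected Unless Open",
    "NSFileProtectionCompleteUntilFirstUserAuthentication":
        "Class C: Protected Until First User Authentication",
    "NSFileProtectionNone": "Class D: No Protection",
}

# Constructed sample mirroring the page's codesign output (value wrapped across lines).
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>application-identifier</key><string>AS2XXXXX7Q.com.company.appname</string>
<key>com.apple.developer.default-data-protection</key>
<string>
    NSFileProtectionCompleteUntilFirstUserAuthentication
</string>
</dict></plist>"""


def evaluate_entitlements(plist_xml: bytes) -> Tuple[Optional[str], bool, str]:
    """Return (class_name, is_finding, message).

    A finding is raised when the key is absent or set to NSFileProtectionNone,
    the two conditions the page calls out as insufficient app protections.
    """
    raw = plistlib.loads(plist_xml).get(ENTITLEMENT)
    if raw is None:
        return None, True, f"{ENTITLEMENT} missing: no default Data Protection class"
    cls = str(raw).strip()  # codesign may wrap the value across lines
    label = KNOWN_CLASSES.get(cls, "unknown class")
    if cls == "NSFileProtectionNone":
        return cls, True, f"{cls} ({label}): insufficient app protections"
    return cls, False, f"{cls} ({label})"


def codesign_entitlements(app_path: str) -> bytes:
    """macOS only: run codesign on a .app directory or binary; the plist is on stdout."""
    return subprocess.run(["codesign", "-d", "--entitlements", ":-", app_path],
                          capture_output=True, check=True).stdout
```

On a Mac, `evaluate_entitlements(codesign_entitlements("Payload/AppName.app"))` performs the whole check in one call.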