March 31, 2020

Ensuring Data Protection is Properly Enabled in Your iOS App

By Phillip Tennen

Data Theorem

What is Data Protection?

Data Protection is a platform security mechanism provided by Apple. When the capability is enabled, files created by the app default to the NSFileProtectionComplete class: they are encrypted on the iOS filesystem with keys that are only available while the device is unlocked. Without it, app files fall back to the weaker default class, which only protects them until the device is first unlocked after a reboot. The capability is off by default, but it can be enabled with a single click in Xcode's capabilities editor.

Here at Data Theorem, we’ve come across several apps that tried to enable this setting by turning on the Xcode capability, but later discovered their apps were still not receiving the security benefits of Data Protection. This guide will help you ensure that Data Protection has been properly enabled for your app, resulting in boosted security for the data of your users and customers.

First, a bit of background: the Data Protection capability is an entitlement that gets added to your app's list of entitlements. An entitlement is essentially a feature flag which tells iOS to enable a certain piece of functionality when your app is in use, in this case the functionality to auto-encrypt files. Within an app archive there are several of these entitlement lists, and each of them must contain the Data Protection entitlement for the feature to be enabled.

Why are extra checks needed to ensure it's enabled?

For Data Protection to be correctly enabled, the entitlement must be reflected in two places within the app: in a special file placed within the app bundle called `embedded.mobileprovision`, otherwise known as the provisioning profile, and within the code-signing information of the `.app` bundle itself.

Here at Data Theorem, we verified experimentally that the entitlement must be present in both of these locations for iOS to enable the secure behavior. In other words, if only one of the two locations lists the Data Protection entitlement, iOS will not auto-encrypt files created by the app with the stronger class, and the app's data security will be no better off, even though the capability appears to be switched on in Xcode. For this reason, it's crucial to verify on the built artifact that the Data Protection setting is turned on as expected.

How to ensure Data Protection is correctly enabled

Follow these steps to inspect the entitlements of both the app bundle and the embedded provisioning profile:

1. Generate an .ipa archive with Xcode

2. Rename the .ipa to .zip and decompress the archive. Within the resulting folder, there will be an item suffixed .app

3. Run this command to see the entitlements in the app bundle's code signature: `codesign -d --entitlements :- "Payload/YourApp.app"`. The `:` prefix strips the entitlement blob header so that plain plist XML is printed; on newer macOS versions, where that prefix is deprecated, `codesign -d --entitlements - --xml "Payload/YourApp.app"` prints the same plist.

4. Run this command to decode the provisioning profile and see its entitlements: `security cms -D -i "Payload/YourApp.app/embedded.mobileprovision"`. The profile is itself a plist, and the entitlements it grants are listed under its `Entitlements` key.

For Data Protection to be enabled and enforced when the app runs on a device, the output of both of these commands must contain this value: `com.apple.developer.default-data-protection: NSFileProtectionComplete` (in the XML plist output it appears as the key `com.apple.developer.default-data-protection` followed by the string `NSFileProtectionComplete`). If both do, congratulations! Data Protection is turned on and your app is benefiting from this strong platform security feature. Note that this entitlement sets the default protection class; a file the app writes with an explicit, weaker protection option keeps that weaker class, so the check above confirms the default, not every file.
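The four steps above are easy to get wrong by eye, so here is the same check as a script suitable for a CI step. This is an added example, not code from the original post or from Data Theorem: it unzips the `.ipa`, runs the same two Apple tools (`codesign` and `security cms`, so the end-to-end path only works on macOS), parses both outputs with `plistlib`, and fails unless the entitlement reads `NSFileProtectionComplete` in both lists. The `SAMPLE_*` plists are constructed stand-ins for the tool output (the team and bundle identifiers are placeholders), and `SAMPLE_PROFILE_MISSING` models the failure mode described in the text: capability present in the signature, absent from the profile.

```python
#!/usr/bin/env python3
"""Verify that the Data Protection entitlement is present in BOTH places the
article describes: the .app code signature and embedded.mobileprovision.
Usage on macOS:  python3 check_data_protection.py YourApp.ipa
Without an argument it runs the pure check against constructed sample plists."""
import plistlib
import subprocess
import sys
import tempfile
import zipfile
from pathlib import Path

ENTITLEMENT = "com.apple.developer.default-data-protection"
EXPECTED = "NSFileProtectionComplete"


def _plist_body(raw: bytes) -> bytes:
    """Drop anything ahead of the XML declaration. codesign emits the binary
    entitlement blob header unless the ':' prefix is used; tolerating it keeps
    the parser robust across codesign versions."""
    start = raw.find(b"<?xml")
    return raw[start:] if start >= 0 else raw


def parse_signature_entitlements(raw: bytes) -> dict:
    """Parse the output of `codesign -d --entitlements :- App.app` (step 3)."""
    return plistlib.loads(_plist_body(raw))


def parse_profile_entitlements(raw: bytes) -> dict:
    """Parse the output of `security cms -D -i embedded.mobileprovision` (step 4).
    The decoded profile is a plist; the entitlements it grants sit under Entitlements."""
    return plistlib.loads(_plist_body(raw)).get("Entitlements", {})


def data_protection_status(signature: dict, profile: dict) -> dict:
    """The entitlement must read NSFileProtectionComplete in both lists;
    one out of two means iOS will not apply the stronger protection class."""
    sig_ok = signature.get(ENTITLEMENT) == EXPECTED
    prof_ok = profile.get(ENTITLEMENT) == EXPECTED
    return {"signature": sig_ok, "profile": prof_ok, "enabled": sig_ok and prof_ok}


def check_ipa(ipa: Path) -> dict:
    """Steps 1-4 end to end: unzip the .ipa, find Payload/*.app, run both Apple
    tools and compare. Requires macOS for codesign and security."""
    with tempfile.TemporaryDirectory() as tmp:
        with zipfile.ZipFile(ipa) as archive:
            archive.extractall(tmp)
        apps = list((Path(tmp) / "Payload").glob("*.app"))
        if len(apps) != 1:
            raise SystemExit(f"expected exactly one .app under Payload, found {len(apps)}")
        app = apps[0]
        sig_raw = subprocess.run(
            ["codesign", "-d", "--entitlements", ":-", str(app)],
            check=True, capture_output=True).stdout
        prof_raw = subprocess.run(
            ["security", "cms", "-D", "-i", str(app / "embedded.mobileprovision")],
            check=True, capture_output=True).stdout
        return data_protection_status(parse_signature_entitlements(sig_raw),
                                      parse_profile_entitlements(prof_raw))


# Constructed sample tool output (not captured from a real app); TEAMID and
# com.example.app are placeholders.
SAMPLE_SIGNATURE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>application-identifier</key><string>TEAMID.com.example.app</string>
  <key>com.apple.developer.default-data-protection</key><string>NSFileProtectionComplete</string>
</dict></plist>"""

SAMPLE_PROFILE_OK = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Name</key><string>Example Distribution</string>
  <key>Entitlements</key><dict>
    <key>application-identifier</key><string>TEAMID.com.example.app</string>
    <key>com.apple.developer.default-data-protection</key><string>NSFileProtectionComplete</string>
  </dict>
</dict></plist>"""

# Failure mode from the article: the signature carries the entitlement, the profile does not.
SAMPLE_PROFILE_MISSING = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Name</key><string>Example Distribution</string>
  <key>Entitlements</key><dict>
    <key>application-identifier</key><string>TEAMID.com.example.app</string>
  </dict>
</dict></plist>"""


if __name__ == "__main__":
    if len(sys.argv) == 2:
        result = check_ipa(Path(sys.argv[1]))
        print(result)
        sys.exit(0 if result["enabled"] else 1)
    sig = parse_signature_entitlements(SAMPLE_SIGNATURE)
    for label, raw in (("profile with entitlement", SAMPLE_PROFILE_OK),
                       ("profile missing entitlement", SAMPLE_PROFILE_MISSING)):
        print(label, data_protection_status(sig, parse_profile_entitlements(raw)))
```

Wire `check_ipa` into the build so a distribution archive that loses the entitlement in either location fails the pipeline rather than shipping; the per-location flags in the returned dict tell you which of the two lists to go and regenerate.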

More information on verifying the entitlements is available within [Apple’s QA documentation].

Troubleshooting a Missing Capability

If the Data Protection entitlement shows up in one of the two entitlement lists but not the other, there are a few workarounds to try:

Apple provides instructions on how to check and regenerate provisioning profiles on [this page], under the heading "Troubleshooting Entitlement Mismatches".

If that still doesn’t resolve it, we’ve had luck with this method:

1. Remove all local provisioning profiles within the Xcode profile organizer

2. Click “Distribute…” in the Xcode > Organizer > Archives tab. During the archive process, set the archive signing scheme to “manual”

3. Inspect the produced app bundle with the steps above to validate that the Data Protection entitlement has been correctly enabled

If you’re still experiencing issues, we’re here to help. Drop us a line on your support portal and we’ll be happy to provide technical assistance. For more iOS security tips, check out this blog post, webinar, or any of the other Data Theorem resources. As always, you can also reach out on Twitter [@phillipten]
