What is the default file protection on iOS and how to change it
Reading here: (https://developer.apple.com/library/content/documentation/IDEs/Conceptual/AppDistributionGuide/AddingCapabilities/AddingCapabilities.html)

Enabling Data Protection (iOS, WatchKit Extension, tvOS)

Data protection adds a level of security to files stored on disk by your app in the app’s container. Data protection uses the built-in encryption hardware present on specific devices to store files in an encrypted format on disk. Your app needs to be provisioned to use data protection.

To enable data protection

In the Capabilities pane, if Data Protection isn’t enabled, click the switch in the Data Protection section.

The default level of protection is complete protection, in which files are encrypted and inaccessible when the device is locked. You can programmatically set the level of protection for files created by your app, as described in Protecting Data Using On-Disk Encryption in App Programming Guide for iOS. For files stored in shared containers (described in Configuring App Groups), set the level of protection programmatically.

It seems that the default protection is NSFileProtectionComplete; however, I don't think that is true. I think the default is NSFileProtectionCompleteUntilFirstUserAuthentication if you don't enable this.

Question #1: What is the default file protection for files written by the app?

Question #2:
Can I change the default for all files?

Does enabling 'Data Protection' and setting it to NSFileProtectionComplete in the entitlements file mean that all files created/stored in the application are encrypted with the NSFileProtectionComplete rule without doing anything else? I.e., do you need to enable this and also set the file protection for each file you want to be protected programmatically?

I have tried to test this. I have turned on Data Protection (entitlements) and provisioning/app. I deployed the app to a device via Xcode and grabbed the database file to check its NSFileProtectionKey:

    // MR_urlForStoreName: is MagicalRecord's helper for the Core Data store URL
    NSURL *database = [NSPersistentStore MR_urlForStoreName:@"app.sqlite"];
    // Read the file's attributes and pull out the protection class it was created with
    id fileProtectionValue = [[[NSFileManager defaultManager] attributesOfItemAtPath:[database path] error:NULL] valueForKey:NSFileProtectionKey];
    NSLog(@"file protection value: %@", fileProtectionValue);

However, this still spits out 'NSFileProtectionCompleteUntilFirstUserAuthentication'.

I have tried to delete the app and reinstall. Also verified all provisioning profiles were re-downloaded.

Does turning on Data Protection actually change the file protection key on all files within the app? I.e., is this a valid test?

If no, how do I test that the files are encrypted properly?

Hypercatalectic answered 7/12, 2016 at 0:21 Comment(1)

Question #1: What is the default file protection for files written by the app?

Per Apple's docs (page 16), it is NSFileProtectionCompleteUntilFirstUserAuthentication (new docs here)

This is the default class for all third-party app data not otherwise assigned to a Data Protection class.

and

Question #2: Can I change the default for all files?

Yes, in the provisioning profile / app ID's entitlements in the Apple Developer center.

Remember that file protection is inherited at creation time, so if you want an entire file system hierarchy to use this mode you can set it on the root directory of that hierarchy when you create it, and everything inside will pick it up from there.

via https://forums.developer.apple.com/thread/91557#276303

You can then specify file-specific attributes as well if needed.


Additional info on testing: https://mcmap.net/q/536150/-nsfileprotectioncomplete-doesn-39-t-encrypt-the-core-data-file

Lite answered 29/5, 2018 at 22:9 Comment(1)
New link to your first quote: support.apple.com/guide/security/… (Discommode)

If you added it at the app level (i.e. added the Data Protection capability via Signing & Capabilities), you can refer to https://developer.apple.com/library/archive/qa/qa1798/_index.html to see how to verify the entitlements.

Quoting some of it here:

  1. Inspecting distribution build entitlements while submitting an app in Xcode

Xcode shows the distribution build's entitlements in the Summary pane during the submission workflow. This is the last opportunity you have to visually ensure that your app contains the expected entitlements before submitting your app for review.

  2. Creating an .ipa file to check the entitlements of an iOS app store submission

Alternatively to Xcode's entitlements preview, you can check the entitlements of an iOS app store submission by first creating and inspecting an .ipa file. The following steps outline the process to do this.

Making an Inspectable .ipa file

  1. In the Xcode Organizer, instead of Submit to the iOS App Store, do Save for Enterprise or Ad-Hoc Deployment. This will create a local copy of the .ipa file that would be submitted to the App Store.
  2. When asked to choose the provisioning profile to sign with, select the same distribution profile you use when submitting to the App Store. Take a screenshot of your choice (command-shift-3) so you can verify this step later. During submission, this screenshot will be the only record you have identifying which profile was used to sign the app.
  3. When asked to save the package, uncheck Save for Enterprise Distribution, then save the .ipa file.

Checking the Entitlements of an .ipa file

  1. Find the .ipa file and change its extension to .zip.
  2. Expand the .zip file. This will produce a Payload folder containing your .app bundle.
  3. Use the codesign tool to check the entitlements on the .app bundle like this: $ codesign -d --entitlements :- "Payload/YourApp.app" where YourApp.app is the actual name of your .app bundle.
  4. Use the security tool to check the entitlements of the app's embedded provisioning profile: $ security cms -D -i "Payload/YourApp.app/embedded.mobileprovision" where YourApp.app is the actual name of your .app bundle.
Baba answered 3/1, 2022 at 2:5 Comment(0)
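As an added example (not code from any of the answers above), this script wraps the codesign/security steps from the last answer and checks the dumped entitlements for the data-protection class that the first answer says is configured on the App ID. It assumes the entitlement key com.apple.developer.default-data-protection (the key Xcode writes for the Data Protection capability), macOS for the .ipa step, and a constructed sample plist so the parsing part runs anywhere.

```shell
# Print the value of com.apple.developer.default-data-protection from an
# entitlements plist file, or "unset" when the key is absent.
default_protection_from_plist() {
    awk '
        /<key>com\.apple\.developer\.default-data-protection<\/key>/ { want = 1; next }
        want && /<string>/ {
            sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print; found = 1; exit
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# Exit 0 when the entitlement equals the expected class (e.g.
# NSFileProtectionComplete), 1 otherwise.
check_default_protection() {
    [ "$(default_protection_from_plist "$1")" = "$2" ]
}

# Constructed sample (not real tool output) of what
# `codesign -d --entitlements :-` prints for an app whose App ID has
# Data Protection set to Complete; team ID and bundle ID are placeholders.
write_sample_entitlements() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>application-identifier</key>
    <string>ABCDE12345.com.example.app</string>
    <key>com.apple.developer.default-data-protection</key>
    <string>NSFileProtectionComplete</string>
</dict>
</plist>
EOF
}

# Full procedure for an .ipa (macOS only): unzip, dump the app's
# entitlements and its embedded profile, then check the entitlement.
# Usage: check_ipa YourApp.ipa NSFileProtectionComplete
check_ipa() {
    tmp=$(mktemp -d)
    unzip -q "$1" -d "$tmp"
    app=$(ls -d "$tmp"/Payload/*.app | head -n 1)
    codesign -d --entitlements :- "$app" > "$tmp/entitlements.plist"
    security cms -D -i "$app/embedded.mobileprovision" > "$tmp/profile.plist"
    if check_default_protection "$tmp/entitlements.plist" "$2"; then status=0; else status=1; fi
    rm -rf "$tmp"
    return "$status"
}
```

The profile dump is kept alongside the entitlements so you can confirm the provisioning profile carries the same key; if the entitlement reads "unset", the app is running with the platform default the first answer describes.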
