Data Protection / NSFileProtectionComplete - successfully supported through entitlements.plist?
E

4

10

I'm looking to encrypt user data in an app, and the NSFileProtection mechanism looks perfect for this.

This SO Question / Answer thread pointed me at the WWDC 2011 Video Securing iOS Apps which gave the 'too good to be true' tip of setting Data Protection across the app via entitlements (see from 33 minutes in).

So, I tried this for my iOS 5.x+ app, and ran into the problem where it complains about Invalid Entitlements.

I've configured Data Protection for the specific app via the iOS Provisioning Portal, and updated my app Provisioning, so in theory I should be all set, but I still get the error.

If I remove the specific FileProtectionComplete setting from the Entitlement, the app runs without the Invalid Entitlement error.

In investigating this, I also saw that some folk are getting their apps rejected (at the point they upload the binary) as this isn't supported (or deprecated?). Please note that I'm specifically asking about Data Protection, and not Passbook.

At this stage, I'm thinking, maybe it really is, 'too good to be true'. So, I'm about to give up on this magic entitlements flag, and instead use the programmatic method, of adding NSFileProtectionComplete as a write option.

However, before I do that, can anyone confirm they've been able to successfully add Data Protection just by using the Entitlements flag? Thanks.

Eryn answered 6/2, 2013 at 17:6 Comment(0)
R
13

NSFileProtectionComplete isn't supported via entitlements anymore. Instead, it is specified in the provisioning profile.

I had the exact same problem you did. When I tried to build and run on a device, I got the following alert:

The executable was signed with invalid entitlements.

The entitlements specified in your application’s Code Signing Entitlements file do not match those specified in your provisioning profile.

(0xE8008016).

In the console, it manifested itself as this error:

May 6 16:18:13 XXXXX installd[54] : entitlement 'DataProtectionClass' has value not permitted by a provisioning profile

Eventually, I found the proper settings. You must log in to the developer portal and enable data protection on the app id associated with the provisioning profile you're using. See the image below:

enter image description here

Rudie answered 6/5, 2013 at 21:59 Comment(0)
B
1

It wouldn't work for me using the wildcard for the profile id (i.e. my.company.app.*) so had to create a new fully qualified one. It works for me with my Entitlements.plist looking like this:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" 
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.developer.default-data-protection</key>
    <string>NSFileProtectionComplete</string>
    <key>get-task-allow</key>
    <false/>
</dict>
</plist>

and with my profile section for it looking like this: ....

<dict>
    <key>application-identifier</key>
    <string>xxx.my.company.app</string>
    <key>com.apple.developer.default-data-protection</key>
    <string>NSFileProtectionComplete</string>
    <key>get-task-allow</key>
    <false/>
    <key>keychain-access-groups</key>
    <array>
        <string>xxxxxxxx</string>
    </array>
</dict>            

....

Baryton answered 2/4, 2013 at 19:17 Comment(0)
D
0

I have tried data protection using entitlements and it works fine. The trick is to make sure your entitlements file entry in your Xcode project is the same as that of your provisioning profile.

Specifically, the following 2 settings in the entitlements file and the provisioning profile should be the same:

"com.apple.developer.default-data-protection" - I have set this as NSFileProtectionComplete.

"application-identifier" - I am not using wildcards in the identifier, though I think it should work as well.

Disturbed answered 26/2, 2013 at 6:28 Comment(2)
Can you elaborate on what you mean by this? I set up an entitlements file, made sure my AppID was configured for data protection, and issued a provisioning profile, but did not have any success. I found this post at Apple Dev Forums that confirmed this wasn't working (as of March 21, 2012) - Laureate
edelaney05 - I have updated my reply. Does this work for you? - Disturbed
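
The check the answers above describe (every entitlement the app requests must be permitted by the provisioning profile) can be run before building. This is an added example, not code from any of the posters or from Apple. It assumes the profile has already been decoded to a plist (for instance with `security cms -D -i` on macOS), that its permitted values sit under the top-level `Entitlements` key, and that a trailing `*` is a wildcard; the matching rule is a simplification, and the `TEAMID...` identifiers are constructed samples.

```python
import plistlib

DP_KEY = "com.apple.developer.default-data-protection"

def permits(allowed, requested):
    """True if the profile's value covers the value the app requests."""
    if isinstance(requested, list):
        pool = allowed if isinstance(allowed, list) else [allowed]
        return all(any(permits(a, r) for a in pool) for r in requested)
    if isinstance(allowed, str) and isinstance(requested, str):
        if allowed.endswith("*"):              # wildcard App ID / group prefix
            return requested.startswith(allowed[:-1])
        return allowed == requested
    return type(allowed) is type(requested) and allowed == requested

def entitlement_mismatches(app_plist, profile_plist):
    """Return {key: (requested, allowed)} for entitlements the profile does not permit."""
    requested = plistlib.loads(app_plist)
    allowed = plistlib.loads(profile_plist).get("Entitlements", {})
    return {k: (v, allowed.get(k)) for k, v in requested.items()
            if k not in allowed or not permits(allowed[k], v)}

def data_protection_ok(app_plist, profile_plist):
    """True only if the app requests a protection class and the profile permits it."""
    requested = plistlib.loads(app_plist)
    return DP_KEY in requested and DP_KEY not in entitlement_mismatches(app_plist, profile_plist)

# Constructed sample inputs, modelled on the plists quoted in the answers above.
APP = plistlib.dumps({
    "application-identifier": "TEAMID.my.company.app.notes",
    DP_KEY: "NSFileProtectionComplete",
    "get-task-allow": False,
})
# Wildcard App ID with data protection not enabled on it.
WILDCARD_PROFILE = plistlib.dumps({"Entitlements": {
    "application-identifier": "TEAMID.my.company.app.*",
    "get-task-allow": False,
}})
# Fully qualified App ID with data protection enabled.
EXPLICIT_PROFILE = plistlib.dumps({"Entitlements": {
    "application-identifier": "TEAMID.my.company.app.notes",
    DP_KEY: "NSFileProtectionComplete",
    "get-task-allow": False,
    "keychain-access-groups": ["TEAMID.*"],
}})

if __name__ == "__main__":
    for name, profile in (("wildcard", WILDCARD_PROFILE), ("explicit", EXPLICIT_PROFILE)):
        print(name, entitlement_mismatches(APP, profile) or "entitlements match")
```

A non-empty result names the entitlement that would trigger the "value not permitted by a provisioning profile" message; an empty result with `data_protection_ok` returning false means the app never requested a protection class at all.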
M
0

To enable data protection, switch it on in the Capabilities pane of your target in Xcode.

Details: App Distribution Guide: Adding Capabilities

Mercie answered 14/4, 2015 at 9:4 Comment(0)
