How does iOS data protection work

I have a quick question:

I downloaded an iOS application that uses the NSFileProtectionComplete class to protect a sqlite file that contains sensitive information.

According to the iOS security documentation (http://images.apple.com/ipad/business/docs/iOS_Security_May12.pdf), when a device (iPhone/iPad) is paired with the laptop, the laptop obtains the escrow keybag from the mobile device. The keybag contains all the class keys necessary to decrypt information on the device.

However, I noticed that when I pair the device with the laptop and use iExplorer to browse the file system, the sqlite file is only available when the device is unlocked. When the phone is locked (still paired) the file is not readable. Files which are not using NSFileProtectionComplete can be viewed while the device is locked.

If the escrow keybag contains all the class keys to decrypt information, why do I have to unlock the device to access it through iExplorer?

I'm using iOS 6.0 on an iPad3 and used the ios-dataprotection tool (https://github.com/ciso/ios-dataprotection) to determine the data protection class used by the files.

iOS Application: AccountVault
File: PointMinder.sqlite

Any help will be appreciated.

Thanks.

Roxie answered 6/3, 2013 at 10:38 Comment(4)
Forgot to mention that the iPad is password protected. – Roxie
Does iExplorer know where to find the escrow keybag and backup passphrase? – Disentomb
iExplorer can't access the file system if the device is not paired. The only thing that changes after pairing the device is that the keybag gets transferred over. So I'm guessing that it uses the escrow keybag much like iTunes to decrypt and read information. – Roxie
Have you found any additional info on this? – Pileum
P
7

From the documentation file you've linked:

Complete Protection (NSFileProtectionComplete): The class key is protected with a key derived from the user passcode and the device UID. Shortly after the user locks a device (10 seconds, if the Require Password setting is Immediately), the decrypted class key is discarded, rendering all data in this class inaccessible until the user enters the passcode again.

So the device should be unlocked if you want to access those files. That is how Apple made it.

Edit: Found in "Hacking and Securing iOS Applications":

Protection class keys are master encryption keys used to unlock files based on their access policy. Protection classes are the encryption mechanism used to enforce the access policies of files.

Some files are so important that the operating system should be able to decrypt them only when the device’s user interface is unlocked. These files’ encryption keys are wrapped with a class key that is available only after the user has entered his passcode. When the device locks again, the key is wiped from memory, making the files unavailable again.

Protection class master keys are stored in an escrow known as a keybag. The keybag contains the encrypted protection class master keys, as well as other keys to system files on the device. The system keybag is encrypted using another encryption key named BAGI, which is also stored in the effaceable storage of the NAND. Whenever the user authenticates to meet a specific security protection policy, the encrypted keys in the keybag can be decrypted.

So the keys for those files are transferred, but they are encrypted. When you enter your passcode, the OS decrypts that key, and it can then be used to decrypt files protected with it.

Pileum answered 21/3, 2013 at 10:43 Comment(5)
Thanks for responding. I tried another test after your comment: After pairing the device with iTunes and unlocking the device, I opened iExplorer. At this stage, the sqlite file was accessible, as it was originally. Subsequent to performing that, I locked the device and waited for well over 5 minutes, and noticed the sqlite file was still accessible. This experiment didn't go as expected either. I should point out here that the device is set to unlock immediately, and the sqlite file is using NSFileProtectionComplete - I double-checked it. – Roxie
According to the document I referred to: "When a passcode-locked device is first connected to iTunes, the user is prompted to enter a passcode. The device then creates an Escrow keybag and passes it to the host. The Escrow keybag contains exactly the same class keys used on the device." It states that all class keys are present in the escrow keybag. If I already have all the class keys, why would it require the passcode to unlock the class key? In other words, the combination of UID and passcode is required to obtain the class key, but all the class keys already exist in the escrow keybag. – Roxie
Strange that after 5 minutes the file was still accessible. Maybe it was something like a cached version in iExplorer (I've never used it myself)? Also: The per-file key is wrapped with one of several class keys, depending on the circumstances under which the file should be accessible. Which probably means that not all class keys are decrypted on pairing. – Pileum
@John Topley, thanks for your editing. Now I know a bit more formatting. :) – Pileum
Yeah, probably. I'll keep researching. – Roxie
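
The key hierarchy described in the answer above, as an added Python model (not code from the original posts, from Apple, or from iExplorer). `Device`, `derive_kek`, `wrap`, `unwrap`, the PBKDF2 parameters and the HMAC-based toy wrap are assumptions standing in for the device's real passcode/UID derivation and key-wrapping algorithm; the UID and passcode values are constructed.

```python
import hashlib, hmac, os

def derive_kek(passcode: str, uid: bytes) -> bytes:
    # Assumption: PBKDF2 stands in for the passcode + device UID derivation.
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), uid, 10_000)

def _mac(kek: bytes, label: bytes) -> bytes:
    return hmac.new(kek, label, hashlib.sha256).digest()

def wrap(kek: bytes, key: bytes) -> bytes:
    # Toy authenticated wrap for 32-byte keys (not the real algorithm).
    ct = bytes(a ^ b for a, b in zip(key, _mac(kek, b"stream")))
    return ct + _mac(kek, b"tag" + ct)

def unwrap(kek: bytes, blob: bytes) -> bytes:
    ct, tag = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, _mac(kek, b"tag" + ct)):
        raise ValueError("wrong key-encryption key")
    return bytes(a ^ b for a, b in zip(ct, _mac(kek, b"stream")))

class Device:
    def __init__(self, passcode: str, uid: bytes):
        self.uid = uid
        class_key = os.urandom(32)
        self.file_key = os.urandom(32)  # per-file key of the sqlite file
        # The keybag stores the class key only in wrapped form.
        self.keybag = {"Complete": wrap(derive_kek(passcode, uid), class_key)}
        self.wrapped_file_key = wrap(class_key, self.file_key)
        self.in_memory = {}  # decrypted class keys, present while unlocked

    def unlock(self, passcode: str) -> None:
        kek = derive_kek(passcode, self.uid)
        self.in_memory["Complete"] = unwrap(kek, self.keybag["Complete"])

    def lock(self) -> None:
        self.in_memory.pop("Complete", None)  # discard decrypted class key

    def read_file_key(self) -> bytes:
        class_key = self.in_memory.get("Complete")
        if class_key is None:
            raise PermissionError("device locked: class key not in memory")
        return unwrap(class_key, self.wrapped_file_key)

if __name__ == "__main__":
    d = Device("1234", b"constructed-uid")
    d.unlock("1234")
    print("unlocked:", d.read_file_key() == d.file_key)
    d.lock()
```

In this model a copy of `keybag` holds the class key, but only as a wrapped blob, so possessing it does not by itself give access to the file key.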
G
0

This works for me for SQLite databases in my app only, not for my other resources as I was hoping. BUT, I was having the same issues, still being able to access the databases after locking the device and waiting several minutes with iExplorer still open and the device still connected. If I disconnect the iPad and connect right back in, iExplorer is forced to refresh, I guess, and I then could NOT access the databases. So not sure if it just has the old 'unencrypted' database info in memory or what.

Greengrocer answered 2/4, 2013 at 19:0 Comment(0)
