Protecting Data Using On-Disk Encryption
In iOS 4 and later, apps can use the data protection feature to add a level of security to their on-disk data. Data protection uses the built-in encryption hardware present on specific devices (such as the iPhone 3GS and iPhone 4) to store files in an encrypted format on disk. While the user’s device is locked, protected files are inaccessible even to the app that created them. The user must explicitly unlock the device (by entering the appropriate passcode) at least once before your app can access one of its protected files.
Data protection is available on most iOS devices and is subject to the following requirements:
- The file system on the user’s device must support data protection. This is true for newer devices, but for some earlier devices, the user might have to reformat the device’s disk and restore any content from a backup.
- The user must have an active passcode lock set for the device.
To protect a file, your app must add an attribute to the file indicating the desired level of protection. Add this attribute using either the NSData class or the NSFileManager class. When writing new files, you can use the writeToFile:options:error: method of NSData with the appropriate protection value as one of the write options. For existing files, you can use the setAttributes:ofItemAtPath:error: method of NSFileManager to set or change the value of the NSFileProtectionKey attribute. When using these methods, your app can specify one of the following protection levels for the file:
- No protection—The file is not encrypted on disk. You can use this option to remove data protection from an accessible file. Specify the NSDataWritingFileProtectionNone option (NSData) or the NSFileProtectionNone attribute (NSFileManager).
- Complete—The file is encrypted and inaccessible while the device is locked. Specify the NSDataWritingFileProtectionComplete option (NSData) or the NSFileProtectionComplete attribute (NSFileManager).
- Complete unless already open—The file is encrypted. A closed file is inaccessible while the device is locked. After the user unlocks the device, your app can open the file and use it. If the user locks the device while the file is open, though, your app can continue to access it. Specify the NSDataWritingFileProtectionCompleteUnlessOpen option (NSData) or the NSFileProtectionCompleteUnlessOpen attribute (NSFileManager).
- Complete until first login—The file is encrypted and inaccessible until after the device has booted and the user has unlocked it once. Specify the NSDataWritingFileProtectionCompleteUntilFirstUserAuthentication option (NSData) or the NSFileProtectionCompleteUntilFirstUserAuthentication attribute (NSFileManager).
If you protect a file, your app must be prepared to lose access to that file. When complete file protection is enabled, even your app loses the ability to read and write the file’s contents when the user locks the device. Your app has several options for tracking when access to protected files might change, though:
- The app delegate can implement the applicationProtectedDataWillBecomeUnavailable: and applicationProtectedDataDidBecomeAvailable: methods.
- Any object can register for the UIApplicationProtectedDataWillBecomeUnavailable and UIApplicationProtectedDataDidBecomeAvailable notifications.
- Any object can check the value of the protectedDataAvailable property of the shared UIApplication object to determine whether files are currently accessible.
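The following Objective-C class is an added example, not code from the original page: it applies the NSData write option and the NSFileManager attribute described above, and uses the availability notifications and the protectedDataAvailable check to stop reading while the device is locked. The class name ProtectedStore, its method names, and the cached property are hypothetical; the code assumes ARC and that it runs inside the app process.

```objc
#import <UIKit/UIKit.h>

// ProtectedStore is a hypothetical helper for this example; compile with ARC.
@interface ProtectedStore : NSObject
@property (nonatomic, copy) NSString *path;      // file location chosen by the app (assumed)
@property (nonatomic, strong) NSData *cached;    // in-memory plaintext copy
@end

@implementation ProtectedStore
- (instancetype)initWithPath:(NSString *)path {
    if ((self = [super init])) {
        _path = [path copy];
        NSNotificationCenter *nc = [NSNotificationCenter defaultCenter];
        [nc addObserver:self selector:@selector(willLock:)
                   name:UIApplicationProtectedDataWillBecomeUnavailable object:nil];
        [nc addObserver:self selector:@selector(didUnlock:)
                   name:UIApplicationProtectedDataDidBecomeAvailable object:nil];
    }
    return self;
}
- (void)dealloc { [[NSNotificationCenter defaultCenter] removeObserver:self]; }

// New file: request complete protection as one of the write options.
- (BOOL)save:(NSData *)data error:(NSError **)error {
    NSDataWritingOptions opts = NSDataWritingAtomic | NSDataWritingFileProtectionComplete;
    BOOL ok = [data writeToFile:self.path options:opts error:error];
    if (ok) self.cached = data;
    return ok;
}
// Existing file: set or change the NSFileProtectionKey attribute.
- (BOOL)protectExistingFile:(NSError **)error {
    NSDictionary *attrs = @{ NSFileProtectionKey : NSFileProtectionComplete };
    return [[NSFileManager defaultManager] setAttributes:attrs ofItemAtPath:self.path error:error];
}
// Read only while protected data is available; call on the main thread.
- (NSData *)load:(NSError **)error {
    if (![UIApplication sharedApplication].protectedDataAvailable) {
        if (error) *error = [NSError errorWithDomain:NSCocoaErrorDomain
                                                code:NSFileReadNoPermissionError userInfo:nil];
        return nil;
    }
    self.cached = [NSData dataWithContentsOfFile:self.path options:0 error:error];
    return self.cached;
}
// Device is locking: drop the plaintext copy so it does not outlive file access.
- (void)willLock:(NSNotification *)note { self.cached = nil; }
// Device unlocked: the file is readable again, so refresh the cache.
- (void)didUnlock:(NSNotification *)note { [self load:NULL]; }
@end
```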
For new files, it is recommended that you enable data protection before writing any data to them. If you are using the writeToFile:options:error:
NSData