NSFileProtectionComplete doesn't encrypt the core data file

Question

I am using Xcode 7.3 for iOS 9.3 to try and encrypt a Core Data file. I am trying to use NSPersistentStoreFileProtectionKey and set it to NSFileProtectionComplete to enable

Answer 1

We need to understand how Data Protection works. Actually, you don't even need to enable it. Starting with iOS7, the default protection level is “File Protection Complete until first user authentication.”

This means that the files are not accessible until the user unlocks the device for the first time. After that, the files remain accessible even when the device is locked and until it shuts down or reboots.

The other thing is that you're going to see the app's data on a trusted computer always - regardless of the Data Protection level setting.

However, the data can’t be accessed if somebody tries to read them from the flash drive directly. The purpose of Data Protection is to ensure that sensitive data can’t be extracted from a password-protected device’s storage.

After running this code, I could still access and read the contents written to protectedFileURL, even after locking the device.

    do {
        try data.write(to: protectedFileURL, options: .completeFileProtectionUnlessOpen)
    } catch {
        print(error)
    }

But that's normal since I ran iExplorer on a trusted computer. And for the same reason, it's fine if you see your sqlite file.

The situation is different if your device gets lost or stolen. A hacker won't be able to read the sqlite file since it's encrypted. Well, unless he guesses your passcode somehow.