iOS security protection for local files

Start with a few off-topic, many friends asked me how not to write anti-ah, I do have a little hesitation.
Hackers always imagined that if he was a developer, he would be able to write, and then find the starting point. Similarly, developers have to imagine what hackers would do to take defensive measures. Then, it is a recursive game.
Take the jailbreak detection this matter, at first we just have to judge if there is no installation Cydia good, hackers said, then I do not install Cydia can also hands foot. Developers say, then you have to use the Mobilesubstrate,bash,ssh bar, I go to detect whether the phone has installed these tools. But what's the use of it? You judge what I'm going to go around.

When Class-dump is popular and function symbols are exposed, developers try to hide their sensitive function code. Hackers also know where the class-dump of the dead cave, so the new search method arises spontaneously. Also said that when a defensive means become popular, it will no longer be a hackers to scold "akzent laborious" defensive means. For example before the introduction of a small trick: memory data erasure, hackers know that developers are going to wipe the data, then I hook memset before you wipe to read it. Developer said: I write directly on the hard drive and then delete! Hackers said: Haven't you heard of file recovery?

OK, there's a bit of a lot of poverty, this article describes defense-related topics ———— iOS data Protection API.

Data Protection API

Files in the file system, items in the keychain, are stored encrypted. When the user unlocks the device, the system generates a password key for decryption using the Udid key and the user's password, which is stored in memory until the device is locked again, and the developer can use the data Protection API to set the file in the file system, When the items in the keychain should be decrypted.

1) File Protection

2. /* Set protection level for filepath files */
4. Nsdictionary *attributes = [nsdictionary dictionarywithobject:nsfileprotectioncomplete
6. Forkey:nsfileprotectionkey];
8. [[Nsfilemanager Defaultmanager] setattributes:attributes
10. Ofitematpath:filepath
12. error: nil];

2. File Protection level attribute list
4. Nsfileprotectionnone //File not protected, ready to access (Default)
6. Nsfileprotectioncomplete //files are protected and accessible only if the device is not locked
8. Nsfileprotectioncompleteuntilfirstuserauthentication //file is protected until the device boots and the user enters the password for the first time
10. Nsfileprotectioncompleteunlessopen //files are protected and can be opened only if the device is not locked, but even when the device is locked, the files that have been opened can continue to be used and written

2) Keychain Protection

2. /* Set the Keychain protection level */
4. Nsdictionary *query = @{(__bridge ID) Ksecclass: (__bridge ID) ksecclassgenericpassword,
6. (__bridge ID) ksecattrgeneric:@ "myitem",
8. (__bridge ID) ksecattraccount:@ "username",
10. (__bridge ID) ksecvaluedata:@ "Password",
12. (__bridge ID) ksecattrservice:[nsbundle mainbundle]. Bundleidentifier,
14. (__bridge ID) Ksecattrlabel:@ "",
16. (__bridge ID) ksecattrdescription:@ "",
18. (__bridge ID) ksecattraccessible: (__bridge ID) ksecattraccessiblewhenunlocked};
22. Osstatus result = Secitemadd ((__bridge cfdictionaryref) (query), NULL);

2. List of keychain protection levels
4. ksecattraccessiblewhenunlocked //keychain items are protected and can only be accessed if the device is not locked
6. Ksecattraccessibleafterfirstunlock //keychain items are protected until the device boots and the user enters the password for the first time
8. Ksecattraccessiblealways //keychain is unprotected and can be accessed at any time (Default)
10. Ksecattraccessiblewhenunlockedthisdeviceonly //keychain items are protected and can only be accessed if the device is not locked and cannot be transferred to another device
12. Ksecattraccessibleafterfirstunlockthisdeviceonly //keychain items are protected until the device boots and the user enters the password for the first time and cannot be transferred to another device
14. Ksecattraccessiblealwaysthisdeviceonly //keychain is unprotected and can be accessed at any time, but cannot be transferred to other devices

Application examples

Writes a piece of information infostrng a string into the file and then sets the protection through the data Protection API.

2. NSString *documentspath =[nssearchpathfordirectoriesindomains (nsdocumentdirectory, NSUserDomainMask, YES)   Firstobject];
4. NSString *filepath = [Documentspath stringbyappendingpathcomponent:@ "DataProtect"];
6. [Infostring Writetofile:filepath
8. atomically:YES
10. encoding:nsutf8StringEncoding
12. error: nil];
14. Nsdictionary *attributes = [nsdictionary dictionarywithobject:nsfileprotectioncomplete
16. Forkey:nsfileprotectionkey];
18. [[Nsfilemanager Defaultmanager] setattributes:attributes
20. Ofitematpath:filepath
22. error: nil];

After the device lock screen (with password protection), even if the jailbreak machine, under the root permission, cat read the file information will be rejected.

Note: Go from blog http://www.cnblogs.com/ios8/p/ios-data-protect.html.

(go) iOS security protection for local files