Storage Encryption
| Plan | Platforms | MASVS |
|---|---|---|
| Team | iOS | MASVS-STORAGE-1, MASVS-CRYPTO-1, MASVS-CRYPTO-2 |
Overview
Storage Encryption applies iOS Data Protection attributes to supported app files, protecting sensitive user data at rest against device-level attacks. It also provisions a device-bound AES-256 key in the iOS Keychain for supported encryption operations.
Android storage permission hardening is documented separately in Storage Permission Hardening. The Android permission-hardening control does not encrypt app files.
How It Works
The control applies iOS Data Protection classes to files in your app's Documents and temp directories. By default it uses NSFileProtectionCompleteUntilFirstUserAuthentication: the class key is unavailable from boot until the user unlocks the device for the first time, and it stays available afterwards, including while the device is subsequently locked. Files are always stored encrypted on disk; the protection class only determines when the key needed to read them can be used.
The control also provisions an AES-256 key in the Keychain for additional encryption operations, stored with the kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly accessibility attribute. That attribute makes the key readable only after first unlock and prevents it from migrating to another device via iCloud Keychain or a backup restored elsewhere.
What Is Protected
- Documents directory (NSDocumentDirectory)
- Temporary directory (NSTemporaryDirectory)
Excluded for host compatibility:
- Library/Preferences (NSUserDefaults storage)
- Library/Caches (cache data)
- SQLite database files (.sqlite, .sqlite-wal, .sqlite-shm)
- System directories (Library/WebKit, Library/Cookies, etc.)
These exclusions prevent compatibility issues with host SDKs and frameworks that may need to access preferences or cached data before the device is unlocked.
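The following Swift is an added illustration of the iOS APIs behind the How It Works and What Is Protected sections, not MobileDefender's own code: it applies a Data Protection class to the files under Documents and tmp while skipping the excluded SQLite files, audits which files are still unprotected, and provisions a device-bound 256-bit Keychain key. The function names, the ProtectionOption mapping of the page's option strings, the Keychain service and account strings and the excludedExtensions set are assumptions made for this example; the control's real exclusion list also covers Library/Preferences, Library/Caches and system directories, which the example never touches because it only walks the two protected directories.

```swift
import Foundation
import Security

// Added example, not MobileDefender code. Names and constants are illustrative.

/// The page's protectionClass options mapped to the Foundation constants they denote.
enum ProtectionOption: String {
    case `default`, unlessOpen, complete

    var fileProtection: FileProtectionType {
        switch self {
        case .default:    return .completeUntilFirstUserAuthentication
        case .unlessOpen: return .completeUnlessOpen
        case .complete:   return .complete
        }
    }
}

/// SQLite files are left alone so host SDKs can open them before first unlock (assumed list).
let excludedExtensions: Set<String> = ["sqlite", "sqlite-wal", "sqlite-shm"]

/// Regular files below `directory`, minus the excluded SQLite files.
private func candidateFiles(under directory: URL) throws -> [URL] {
    guard let walker = FileManager.default.enumerator(
        at: directory, includingPropertiesForKeys: [.isRegularFileKey],
        options: [.skipsHiddenFiles]) else { return [] }
    var files: [URL] = []
    for case let url as URL in walker {
        guard try url.resourceValues(forKeys: [.isRegularFileKey]).isRegularFile == true,
              !excludedExtensions.contains(url.pathExtension.lowercased()) else { continue }
        files.append(url)
    }
    return files
}

/// Set the Data Protection class on every candidate file; returns the paths changed.
func applyProtection(_ option: ProtectionOption, under directory: URL) throws -> [String] {
    var changed: [String] = []
    for url in try candidateFiles(under: directory) {
        try FileManager.default.setAttributes(
            [.protectionKey: option.fileProtection], ofItemAtPath: url.path)
        changed.append(url.path)
    }
    return changed
}

/// Audit: candidate files whose attribute is missing or NSFileProtectionNone.
func unprotectedFiles(under directory: URL) throws -> [String] {
    var weak: [String] = []
    for url in try candidateFiles(under: directory) {
        let attrs = try FileManager.default.attributesOfItem(atPath: url.path)
        let cls: FileProtectionType?
        if let t = attrs[.protectionKey] as? FileProtectionType { cls = t }
        else if let s = attrs[.protectionKey] as? String { cls = FileProtectionType(rawValue: s) }
        else { cls = nil }
        if cls == nil || cls == FileProtectionType.none { weak.append(url.path) }
    }
    return weak
}

enum KeyError: Error { case randomFailed, keychain(OSStatus), malformed }

private func keyQuery(service: String, account: String) -> [String: Any] {
    [kSecClass as String: kSecClassGenericPassword,
     kSecAttrService as String: service,
     kSecAttrAccount as String: account]
}

/// Fetch the 256-bit key if present, otherwise create it. AfterFirstUnlockThisDeviceOnly
/// makes it readable only after first unlock and keeps it off other devices.
func provisionDeviceBoundKey(service: String = "com.example.storage",   // assumed
                             account: String = "aes256") throws -> Data {
    var load = keyQuery(service: service, account: account)
    load[kSecReturnData as String] = true
    load[kSecMatchLimit as String] = kSecMatchLimitOne
    var item: CFTypeRef?
    let found = SecItemCopyMatching(load as CFDictionary, &item)
    if found == errSecSuccess {
        guard let data = item as? Data, data.count == 32 else { throw KeyError.malformed }
        return data
    }
    guard found == errSecItemNotFound else { throw KeyError.keychain(found) }

    var bytes = [UInt8](repeating: 0, count: 32)
    guard SecRandomCopyBytes(kSecRandomDefault, bytes.count, &bytes) == errSecSuccess else {
        throw KeyError.randomFailed
    }
    var add = keyQuery(service: service, account: account)
    add[kSecAttrAccessible as String] = kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
    add[kSecValueData as String] = Data(bytes)
    let status = SecItemAdd(add as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeyError.keychain(status) }
    return Data(bytes)
}

/// Protect Documents and tmp, verify nothing eligible was missed, and provision the key.
func runExample() throws {
    let fm = FileManager.default
    let docs = fm.urls(for: .documentDirectory, in: .userDomainMask)[0]
    for dir in [docs, fm.temporaryDirectory] {
        _ = try applyProtection(.default, under: dir)
        let leftovers = try unprotectedFiles(under: dir)
        precondition(leftovers.isEmpty, "still unprotected: \(leftovers)")
    }
    precondition(try provisionDeviceBoundKey().count == 32)
}
```

Run this on a physical device: the simulator accepts the protection attributes but does not enforce them, so the audit passes there without proving anything. The audit deliberately applies the same SQLite exclusion as the control, so a database in Documents is not reported as a gap; if your app keeps sensitive data in SQLite, that file is the one this control leaves to you.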
Threats Mitigated
- Physical device theft: Protects data at rest when the device is powered off or has not been unlocked since it booted
- Forensic extraction: Protected files appear in file-system dumps only as ciphertext, which makes such dumps far less useful to an attacker without the device's keys
- Backup exploitation: Files that carry a Data Protection class remain encrypted when they are included in device backups
Caveats
- The default protection class (NSFileProtectionCompleteUntilFirstUserAuthentication) allows file access after first unlock, even when the device is subsequently locked. This balances security with app functionality, allowing background processes to continue working.
- Files protected with Data Protection cannot be accessed by the system or the app when the device is locked and has not yet been unlocked after boot.
- Host SDKs that read state from excluded paths (Preferences, Caches) before first unlock are unaffected.
- Android is not covered by this control. Use Storage Permission Hardening for Android file-mode hardening.
Support Matrix
| Platform | Minimum Version | Notes |
|---|---|---|
| iOS | iOS 10.0+ | Data Protection available on all modern devices |
How to Enable the Control
Navigate to Preventative Controls from the AppTego portal and expand the Data at Rest Protection section. Under this section you will find the Storage Encryption control for iOS apps. Click Enable to apply it to the next build, or to have it applied immediately with a live push if live push is enabled.
API Configuration Example
{
"StorageEncryptionPrevention": {
"protection": true
}
}
| Field | Purpose |
|---|---|
| protection | Enables iOS storage encryption behavior for protected apps. |
Configuration
This control is configured through MobileDefender's standard control configuration:
- protection: Set to true to enable iOS storage encryption enforcement
- detection: Reserved for future detection-mode functionality
Options
The protectionClass parameter allows customization of the NSFileProtection level:
- "default": NSFileProtectionCompleteUntilFirstUserAuthentication (recommended)
- "unlessOpen": NSFileProtectionCompleteUnlessOpen (stronger; files already open stay readable after lock, new opens require unlock)
- "complete": NSFileProtectionComplete (strongest; requires the device to be unlocked for all access)
Caution: Using "complete" may break background functionality and should only be enabled after thorough testing.