Summary
The application was found to apply an improper Data Protection Entitlement to the data it handles. This could expose sensitive information about the device or user to an attacker with access to the device. Apple's Data Protection protects sensitive data in iOS by encrypting files on disk, and the protection class chosen for a file decides when its key, and therefore its contents, are available. Developers can set four different levels of protection: 1) No protection (NSFileProtectionNone; the file is always accessible), 2) Complete protection until first user authentication (NSFileProtectionCompleteUntilFirstUserAuthentication, the default; the file becomes accessible once the user has unlocked the device after boot and stays accessible until the next reboot), 3) Complete unless already open (NSFileProtectionCompleteUnlessOpen; a file opened while the device is unlocked remains usable after it locks) and 4) Complete (NSFileProtectionComplete; the file is accessible only while the device is unlocked). All sensitive user data and device identifiers should be protected at rest on the device.
Recommendation
Data Protection Entitlements set the protection class under which iOS encrypts a file at rest, which determines when the file can be read on the device. The level of protection may vary depending on the information that is being handled by the application. Sensitive user data, files containing personal information about the user, or files created directly by the user always warrant the strongest level of protection (NSFileProtectionComplete), meaning that the file is accessible only when the device is unlocked. Assign the complete protection level to user data files and manage access to those files using the app delegate methods that signal when protected data is about to become unavailable and when it becomes available again.
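Added example, not code from the NowSecure finding or from the assessed application: it shows how the recommended NSFileProtectionComplete class is applied to a user data file in Swift, how the class is read back so the setting can be verified during testing, and how the app delegate callbacks coordinate access. The store name, file name and delegate class are assumptions.

```swift
import Foundation
import UIKit

/// Hypothetical store for a user profile file (names are assumptions).
enum UserDataStore {
    static let fileURL = FileManager.default
        .urls(for: .applicationSupportDirectory, in: .userDomainMask)[0]
        .appendingPathComponent("profile.json")

    /// Write user data with NSFileProtectionComplete: encrypted on disk and
    /// readable only while the device is unlocked.
    static func save(_ data: Data) throws {
        try FileManager.default.createDirectory(
            at: fileURL.deletingLastPathComponent(), withIntermediateDirectories: true)
        try data.write(to: fileURL, options: [.atomic, .completeFileProtection])
    }

    /// Raise the class of a file that already exists (for example one created
    /// earlier under the default CompleteUntilFirstUserAuthentication class).
    static func upgradeProtection(at url: URL) throws {
        try FileManager.default.setAttributes(
            [.protectionKey: FileProtectionType.complete], ofItemAtPath: url.path)
    }

    /// Read the class back so a unit test or security review can verify it.
    static func protectionClass(at url: URL) throws -> FileProtectionType? {
        let attrs = try FileManager.default.attributesOfItem(atPath: url.path)
        return (attrs[.protectionKey] as? String).map(FileProtectionType.init(rawValue:))
    }

    /// Complete-protected files are unreadable while the device is locked:
    /// check first instead of letting the read fail with a permission error.
    static func load() throws -> Data? {
        guard UIApplication.shared.isProtectedDataAvailable else { return nil }
        return try Data(contentsOf: fileURL)
    }
}

/// The app delegate hooks the recommendation refers to: release file handles
/// before the keys are purged and reopen once the device is unlocked again.
class AppDelegate: UIResponder, UIApplicationDelegate {
    func applicationProtectedDataWillBecomeUnavailable(_ application: UIApplication) {
        // Close open handles and drop in-memory copies of user data here.
    }

    func applicationProtectedDataDidBecomeAvailable(_ application: UIApplication) {
        // Safe to call UserDataStore.load() again.
    }
}
```

A test can call `protectionClass(at:)` after `save` and assert the result equals `.complete`; a file still reporting `.completeUntilFirstUserAuthentication` is the condition this finding describes.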
Risk and Regulatory Information
Severity: Low
CVSS: 3.9
Application