Finding Description
The application was found to implement an improper Data Protection Entitlement for the data it handles. This could expose sensitive information about the device or user to an attacker with access to the device. Apple provides Data Protection Entitlements to protect sensitive data in iOS by encrypting it on disk. Developers can set four different levels of protection: 1) No protection (file is always accessible), 2) Complete protection until first user authentication (default), 3) Complete unless already open, and 4) Complete (file is accessible only when the device is unlocked). All sensitive user data and device identifiers should be protected at rest on the device.
Steps to Reproduce
This test audits the file protections set by the app for the data that it stores, and flags any places where data is left improperly protected by Apple's built-in encryption mechanisms.
Business Impact
Sensitive user data on the device may be accessible to an attacker or through forensic analysis.
Remediation Resources
Data Protection Entitlements represent the level of data protection that encrypts sensitive user data when accessed on some devices.
The level of protection may vary depending on the information that is being handled by the application.
Sensitive user data, files containing personal information about the user, or files created directly by the user, always warrant the strongest level of protection (NSFileProtectionComplete), meaning that the file is accessible only when the device is unlocked.
Assign the complete protection level to user data files and manage access to those files using the app delegate methods.
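The remediation above in working form, as an added Swift example that is not part of the NowSecure report: it writes a file with NSFileProtectionComplete, upgrades the protection class of an existing file, audits a directory for files weaker than complete (the check this finding performs), and uses the UIApplicationDelegate protected-data callbacks to close and reopen handles. The `ProtectedFileSession` type and file paths are illustrative assumptions.

```swift
import Foundation
import UIKit

// Write a sensitive file so it is readable only while the device is unlocked.
func writeProtected(_ data: Data, to url: URL) throws {
    try data.write(to: url, options: [.completeFileProtection, .atomic])
}

// Raise the protection class of a file that already exists on disk.
func upgradeToCompleteProtection(at url: URL) throws {
    try FileManager.default.setAttributes(
        [.protectionKey: FileProtectionType.complete], ofItemAtPath: url.path)
}

// Audit: return every regular file under `directory` whose protection class is
// weaker than NSFileProtectionComplete. Mirrors the check behind this finding.
func filesLackingCompleteProtection(in directory: URL) throws -> [URL] {
    let fm = FileManager.default
    var weak: [URL] = []
    guard let walker = fm.enumerator(at: directory, includingPropertiesForKeys: nil) else { return weak }
    for case let file as URL in walker where !file.hasDirectoryPath {
        let raw = try fm.attributesOfItem(atPath: file.path)[.protectionKey]
        // The attribute may surface as FileProtectionType or as its raw NSString.
        let level: FileProtectionType
        if let t = raw as? FileProtectionType { level = t }
        else if let s = raw as? String { level = FileProtectionType(rawValue: s) }
        else { level = .none }   // no attribute means no protection
        if level != .complete { weak.append(file) }
    }
    return weak
}

// Hypothetical holder for an open handle on a complete-protected file.
final class ProtectedFileSession {
    private var handle: FileHandle?
    let url: URL
    init(url: URL) { self.url = url }
    func open() throws { if handle == nil { handle = try FileHandle(forReadingFrom: url) } }
    func close() { try? handle?.close(); handle = nil }
}

// App delegate hooks: release handles before the class key is evicted on lock,
// and reopen only once the system reports protected data is available again.
class AppDelegate: UIResponder, UIApplicationDelegate {
    var session: ProtectedFileSession?
    func applicationProtectedDataWillBecomeUnavailable(_ application: UIApplication) {
        session?.close()   // reads after this point would fail with EPERM
    }
    func applicationProtectedDataDidBecomeAvailable(_ application: UIApplication) {
        if application.isProtectedDataAvailable { try? session?.open() }
    }
}
```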
Risk and Regulatory Information
Severity: low CVSS: 3.9
Application
See more detail in the NowSecure Report