Storing data in the app’s home directory is insecure. If it is necessary to store data in app’s home directory then data should be stored in encrypted form. Besides, use secure encryption settings.

iOS allows developers to specify which data must be encrypted when writing to the file. It uses the Data Protection API. The default mode is NSFileProtectionNone, in which the data is protected only by the basic encryption based on the device UID-key. Thus, by default the data is stored insecurely and is available at boot time or when the device is unlocked.

Possible values of constants that define the level of encryption are set for NSFileManager:

NSFileProtectionComplete
NSDataWritingFileProtectionComplete
NSFileProtectionCompleteUnlessOpen
NSDataWritingFileProtectionCompleteUnlessOpen
NSFileProtectionCompleteUntilFirstUserAuthentication
NSDataWritingFileProtectionCompleteUntilFirstUserAuthentication
NSFileProtectionNone
NSDataWritingFileProtectionNone

Objective-C : Unsafe internal storage

DerScanner Severity Score

Do you want to fix Objective-C : Unsafe internal storage in your application?

See also