Objective-C : Unsafe internal storage
Classification
OWASP Mobile Top 10 2014
OWASP Mobile Top 10 2016
OWASP Top 10 2017
OWASP Top 10 2021
CWE/SANS Top 25 2011
Overview
Storing data in the app's home directory is insecure. If data must be stored there, store it in encrypted form and use secure encryption settings.
iOS lets developers specify, through the Data Protection API, which data must be encrypted when it is written to a file. The default mode is NSFileProtectionNone, in which the data is protected only by the basic encryption based on the device UID key. Thus, by default the data is stored insecurely and is available at boot time or when the device is unlocked.
The following constants define the level of encryption and are set for NSFileManager:
- NSFileProtectionComplete
- NSDataWritingFileProtectionComplete
- NSFileProtectionCompleteUnlessOpen
- NSDataWritingFileProtectionCompleteUnlessOpen
- NSFileProtectionCompleteUntilFirstUserAuthentication
- NSDataWritingFileProtectionCompleteUntilFirstUserAuthentication
- NSFileProtectionNone
- NSDataWritingFileProtectionNone
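The sketch below shows where each family of constants is applied: the NSDataWriting... options are passed when an NSData object is written, and the NSFileProtection... values are set as the NSFileProtectionKey attribute through NSFileManager. It is an added example, not code from DerScanner; the function names and the choice of the Documents directory are assumptions made for illustration.

```objc
#import <Foundation/Foundation.h>

// Hypothetical helper: writes `secret` into the app's Documents directory with
// the strictest protection class and returns the class the system reports.
static NSString *WriteProtected(NSData *secret, NSString *name, NSError **error) {
    NSFileManager *fm = [NSFileManager defaultManager];
    NSURL *dir = [fm URLsForDirectory:NSDocumentDirectory
                            inDomains:NSUserDomainMask].firstObject;
    if (dir == nil) {
        return nil; // no Documents directory in this environment
    }
    NSURL *url = [dir URLByAppendingPathComponent:name];

    // Unsafe form flagged by this rule: no protection option is given, so the
    // file is created with the default protection mode.
    //   [secret writeToURL:url atomically:YES];

    // Hardened form: request the protection class when the file is created,
    // so the data never exists on disk under a weaker class.
    if (![secret writeToURL:url
                    options:NSDataWritingAtomic | NSDataWritingFileProtectionComplete
                      error:error]) {
        return nil;
    }

    // Read the attribute back rather than assuming the request took effect.
    // The value may be nil where Data Protection is not available.
    NSDictionary<NSFileAttributeKey, id> *attrs =
        [fm attributesOfItemAtPath:url.path error:error];
    return attrs[NSFileProtectionKey];
}

// Hypothetical helper: raises the protection class of a file that already
// exists, for example one created by an earlier version of the app.
static BOOL UpgradeProtection(NSString *path, NSError **error) {
    return [[NSFileManager defaultManager]
        setAttributes:@{NSFileProtectionKey : NSFileProtectionComplete}
         ofItemAtPath:path
                error:error];
}
```

A file protected with NSFileProtectionComplete cannot be read while the device is locked, so code that runs in the background must handle the resulting read errors or use one of the less strict classes listed above.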
DerScanner Severity Score: MEDIUM
