Is Core Data BLOB data encrypted when stored in "External Storage"?

3
votes

I'm using Core Data to store some sensitive information. So far, I've applied hardware file encryption to the SQLite file used by the Persistent Store Coordinator. I've done this by setting its file Attributes (NSFileProtectionKey to NSFileProtectionComplete).

I'm storing some image data as Binary Data in the Core Database and I've checked off the "Allows External Storage" and "Store in External Record File" to prevent bloating of my SQLite datastore and to improve performance.

I'm presuming that the data files automatically stored outside of the SQLite database by Core Data will NOT be encrypted and that I need to encrypt these files myself. Does anyone know if this is correct?

Thanks

2
iphoneioscore-dataencryption
While not directly related, you should know the sqlite creates temporary files for transactions that are not encrypted, so if your app crashes while a database read/write is being performed the data will be available. - Hampus Nilsson
@HampusNilsson - hmmmm... something I hadn't considered. Some food for thought. Thanks. - luckman777

2 Answers

0
votes

luckman777,

Every version preinstalled of iOS will hardware encrypt every file when the user uses a screen lock. With respect to your question about external Core Data storage, why don't you just look at the files? It is quite straightforward to move the data from the phone to your dev system. Then try to open one of the external files. I expect that it is encrypted. (If not, that is a rather big and obvious hole in Core Data's encryption policy. I doubt that it exists.)

Andrew

0
votes

Hidden, but not encrypted! The folder it currently (iOS 11.2) holds the data is under Documents/.SingleViewCoreData_SUPPORT/_EXTERNAL_DATA
There, you can see all the files, without their extension in a token-name. However, the data is all there unchanged. You can view any file by simply adding the file extension or using the right App.

Yes, the device data is encrypted when the screen is locked, but connected to Xcode, you can very easily download the container and access all the data. If your app holds sensitive data, the 'device is encrypted' will simply not hold. Only the SingleViewCoreData.sqlite file seems to be encrypted.