Q: How can I use file encryption when calling parent application from Watch app?

I am calling a parent app on my iPhone from an Apple Watch app using openParentApplication and handleWatchKitExtensionRequest. In the main app, I use CoreData with the following options for addPersistentStoreWithType:

NSDictionary *options = @{
        NSMigratePersistentStoresAutomaticallyOption : @YES,    //
        NSInferMappingModelAutomaticallyOption : @YES,          //
        NSSQLitePragmasOption : @{@"journal_mode" : @"DELETE"}, //
        NSPersistentStoreFileProtectionKey : NSFileProtectionCompleteUnlessOpen
    };

This caused an exception:

This NSPersistentStoreCoordinator has no persistent stores (device locked). It cannot perform a save operation.

Does this mean that I can neither use NSFileProtectionCompleteUnlessOpen nor NSFileProtectionComplete?

Do I have to use NSFileProtectionNone or NSFileProtectionCompleteUntilFirstUserAuthentication?

I would like to know a way to protect my data by using NSFileProtectionCompleteUnlessOpen and still be able to access the data when my Watch app uses openParentApplication.

Possible ways to deal with the problem (but not a real solution)

  • Have two files (e.g., SQL databases), where one is encrypted and the other one is not. The latter one would store only the data required by the Watch app.

Answer 1:

NSFileProtectionCompleteUntilFirstUserAuthentication seems to be the recommended way for me. It makes sure the user has to unlock the device at least once since the last boot.

This problem was introduced with iOS 7 and background refresh. It's to prevent physical forensic analysis from reading your unencrypted data.


Additional information from http://security.stackexchange.com/questions/57588/iphone-ios-7-encryption-at-lock-screen:

  • NSFileProtectionNone: file can be accessed any time, even if device is locked;
  • NSFileProtectionComplete: file can be accessed only when device is unlocked (note there's ~10 seconds grace period after device is locked during which files are still accessible);
  • NSFileProtectionCompleteUnlessOpen: file can be created while device is locked, but once closed, can only be accessed when device is unlocked;
  • NSFileProtectionCompleteUntilFirstUserAuthentication: file can be accessed only if device has been unlocked at least once since boot.

The guys from Gilt also explained a lot about this behaviour here: http://tech.gilt.com/post/67708037571/sleuthing-and-solving-the-user-logout-bug-on-ios


Another idea which just came into my mind is to use an app group container. See the question here: WatchKit SDK not retrieving data from NSUserDefaults. This way it should not only share NSUserDefaults but also the same keychain. This should work the same way iOS apps share the same keychain.
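
The following is an added example, not code from the question or the answer: it attaches the store with NSFileProtectionCompleteUntilFirstUserAuthentication and, when the store still cannot be opened, replies to the Watch app instead of saving against a coordinator with no persistent stores. The AppDelegate properties, the attachStore: helper, the reply keys and the "Item" entity are assumptions made for illustration.

```objective-c
#import <UIKit/UIKit.h>
#import <CoreData/CoreData.h>
// Hypothetical delegate; coordinator and storeURL are assumed to be set at launch.
@interface AppDelegate : UIResponder <UIApplicationDelegate>
@property (nonatomic, strong) NSPersistentStoreCoordinator *coordinator;
@property (nonatomic, strong) NSURL *storeURL;
@end

@implementation AppDelegate
// Attaches the SQLite store if needed; NO means the file could not be opened.
- (BOOL)attachStore:(NSError **)error {
    if (self.coordinator.persistentStores.count > 0) return YES;
    NSDictionary *options = @{
        NSMigratePersistentStoresAutomaticallyOption : @YES,
        NSInferMappingModelAutomaticallyOption : @YES,
        NSSQLitePragmasOption : @{@"journal_mode" : @"DELETE"},
        // Stays readable in the background after the first unlock since boot.
        NSPersistentStoreFileProtectionKey : NSFileProtectionCompleteUntilFirstUserAuthentication
    };
    return [self.coordinator addPersistentStoreWithType:NSSQLiteStoreType
                                          configuration:nil
                                                    URL:self.storeURL
                                                options:options
                                                  error:error] != nil;
}

- (void)application:(UIApplication *)application
    handleWatchKitExtensionRequest:(NSDictionary *)userInfo
                             reply:(void (^)(NSDictionary *replyInfo))reply {
    NSError *error = nil;
    if (![self attachStore:&error]) {
        // Answer the watch instead of saving against a coordinator with no stores.
        reply(@{@"status" : @"store-unavailable",
                @"reason" : error.localizedDescription ?: @"unknown"});
        return;
    }
    NSManagedObjectContext *context = [[NSManagedObjectContext alloc]
        initWithConcurrencyType:NSPrivateQueueConcurrencyType];
    context.persistentStoreCoordinator = self.coordinator;
    __block NSUInteger count = 0;
    [context performBlockAndWait:^{
        // "Item" is a hypothetical entity name.
        NSFetchRequest *request = [NSFetchRequest fetchRequestWithEntityName:@"Item"];
        count = [context countForFetchRequest:request error:NULL];
    }];
    reply(count == NSNotFound ? @{@"status" : @"fetch-failed"}
                              : @{@"status" : @"ok", @"itemCount" : @(count)});
}
@end
```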


ios  core-data  watchkit