MASTG-BEST-0024: Store Data Encrypted in App Sandbox Directory
Choose the right location within the app sandbox for the app's and the user's data: use the Documents directory to store user-generated content and the Library directory for the app's internal data.
An app can be configured to make the Documents directory accessible to the user in the Files app by setting UIFileSharingEnabled and LSSupportsOpeningDocumentsInPlace. Therefore, storing databases, config files, or purchase state in this directory is highly dangerous because:
- a user can tamper with internal app files
- an attacker with physical access to the device can copy the content of the Documents directory
- other apps can access the Documents directory of other apps with a document picker interface
Note: Storing data in the correct directory doesn't mean it's secure. For L2 profile apps, it's recommended to encrypt the files before storing them, and put the encryption key into the Keychain.
Tests
- MASTG-TEST-0301: Runtime Use of APIs for Storing Unencrypted Data in Private Storage
- MASTG-TEST-0300: References to APIs for Storing Unencrypted Data in Private Storage
- MASTG-TEST-0303: References to APIs for Storing Unencrypted Data in Shared Storage
- MASTG-TEST-0302: Sensitive Data Unencrypted in Private Storage Files
- MASTG-TEST-0299: Data Protection Classes for Files in Private Storage