Encryption Bug or Leak: iOS Data Protection Class Implementation on DTG for iOS

This post is to highlight a problem I briefly referred to in my thread on the main Devonthink subforum.

According to my research, DTG on iOS makes use of an elevated data protection class API, “NSFileProtectionCompleteUnlessOpen” or “NSFileProtectionComplete”. By default iOS devices, like their MacOS desktop counterparts, make use of Full Disk Encryption (FDE). The way this works is that when your device is powered off the data on the drive is encrypted. After first-boot authentication the data on the disk is completely decrypted. For the majority of users, devices are kept in a post-first-authentication state (i.e. data is decrypted). This is an inherent limitation of FDE and not a problem with Apple’s implementation. Based on the official iOS Security Guide it appears Apple is acutely aware of this shortcoming and attempts to solve it through an API called data protection class. By default, most applications are assigned the “NSFileProtectionCompleteUntilFirstUserAuthentication” class. That is, data is decrypted if the phone is turned on and in a post-first-boot user-authenticated state. If your phone is on but locked the FDE is NOT enforced (i.e. data is decrypted). Only when it is in a pre-first-boot NON-authenticated state is this enforced. Apple gives developers the option to opt into an elevated data protection class API which will encrypt the data as soon as the application is closed or within a few minutes. Apple uses these higher protection classes on some default apps like Mail. It would mean, for example, that if you plug your phone into a malicious public charging station, or if someone uses specialized but commercially available software to perform a logical acquisition of the device, the data exfiltrated from the apps which make use of this elevated API remains protected so long as they are closed. These scenarios are more complicated than I make them out to be but still very real and feasible.

To the best of my understanding this is how DTG approaches security for data at rest on its iOS device. It applies when you activate a pin lock and the “immediate” option in the in-app settings. It’s not true “app-level encryption” but something close to it.

Now on DTG, even if the application is closed and presumably data protection is being enforced, you can still open DTG data without any authentication through the “Files” app. So for example, if you open DTG, authenticate and edit the entry “Strategy Plans 2020”. Close the app. Wait. Then open Apple’s Files app; you can access that same file without any authentication. This is a concern.

My hope is that Devonthink will adopt a similar approach to v3 of the desktop app and offer users the option for true application-level encryption of data. However, in the meantime perhaps this problem should be looked at by the dev team. Also, the option to set custom alphanumeric passcodes on the iOS app would help a great deal. I know the security implementations on the desktop and iOS devices are different, but I would like to have just one “application” password per database across devices. A sync password, desktop password and iOS password, all of which are different, can be confusing.

Thank you
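As an added illustration of the protection classes described in the post above (this is example code, not DEVONthink’s or Apple’s own), the snippet writes a file with the elevated NSFileProtectionComplete class and then reads the attribute back, which is how a developer or reviewer can verify which class a file actually ended up with. The file name and note content are constructed for the example.

```swift
import Foundation

// Added example (not DEVONthink's code). Assumes an iOS app sandbox;
// the file name below is constructed for illustration.

enum ProtectionError: Error { case attributeMissing }

/// Writes `data` to `url` under the requested data protection class.
/// `.complete` maps to NSFileProtectionComplete (readable only while unlocked),
/// `.completeUnlessOpen` to NSFileProtectionCompleteUnlessOpen; the default
/// class an app gets without opting in is `.completeUntilFirstUserAuthentication`.
func writeProtected(_ data: Data, to url: URL,
                    level: FileProtectionType = .complete) throws {
    let option: Data.WritingOptions
    switch level {
    case .complete:
        option = .completeFileProtection
    case .completeUnlessOpen:
        option = .completeFileProtectionUnlessOpen
    case .completeUntilFirstUserAuthentication:
        option = .completeFileProtectionUntilFirstUserAuthentication
    default:
        option = .noFileProtection
    }
    // The class is fixed at write time; a copy made elsewhere (e.g. by a
    // document provider) gets whatever class that code path chooses.
    try data.write(to: url, options: [.atomic, option])
}

/// Reads the protection class currently set on `url`, so a file handed to
/// the Files app can be checked against the class the app intended.
func protectionClass(of url: URL) throws -> FileProtectionType {
    let attrs = try FileManager.default.attributesOfItem(atPath: url.path)
    if let typed = attrs[.protectionKey] as? FileProtectionType { return typed }
    if let raw = attrs[.protectionKey] as? String { return FileProtectionType(rawValue: raw) }
    throw ProtectionError.attributeMissing
}

// Constructed usage: a note written with the elevated class, then verified.
let docs = FileManager.default.urls(for: .documentDirectory, in: .userDomainMask)[0]
let note = docs.appendingPathComponent("Strategy Plans 2020.txt")
try writeProtected(Data("example note body".utf8), to: note, level: .complete)
let cls = try protectionClass(of: note)
print(cls == .complete ? "NSFileProtectionComplete set" : "unexpected class: \(cls.rawValue)")
```

The attribute check is the practical test here: if a file that DTG shows as locked reads back as `.completeUntilFirstUserAuthentication`, it is protected only until the first unlock after boot, which matches the Files-app behaviour reported in the thread.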

I have noticed that DTG (despite my having set a passcode and set the slider to “immediately”; quote: ‘“Immediately” locks this app as soon as you switch to another app but also breaks integration with the Files app’) routinely does not ask me for the password when I start the app.

Stop Press:
I just opened “security” in DTG to be able to write this post quoting the exact settings; from that moment on DTG has just decided to ask for my password every time I open the app; I changed no settings, but only looked at the settings. I have just confirmed the same phenomenon on a second iOS device. @sam68: is DTG reliably asking you for a password or biometric confirmation every time you open the app?

Developing Story:
DTG reliably asked for a password until I locked the iOS device. Now, when I open DTG for the first time after unlocking the device, DTG does not ask for a password; it appears to reliably ask for a password when I reopen the app after having opened any other app, if at least a number of seconds have passed before I attempt to open DTG again. It never asks for a password the first time I open the app after unlocking the device. However: regardless of the point in time, I cannot access any DTG content via the Files app. @sam68: you speak of editing the entry - are you editing the document or the metadata? I altered the metadata but still could not access the document via the Files app; but I don’t have the add-on for DTG to allow me to edit the document; is that an essential part of being able to replicate what you are doing?

@sam68

It’s not true “app-level encryption”

This is correct.

@Blanc

I have noticed that DTG (despite my having set a passcode and set the slider to “immediately”; quote: ‘“Immediately” locks this app as soon as you switch to another app but also breaks integration with the Files app’) routinely does not ask me for the password when I start the app.

If you set it to Immediately then you are removing access to the document provider mechanism, including Files.app.

I’m not seeing any issue with the unlocking when set to Immediately.

Yes, it is set to immediately. Are you checking the “recents” tab in files?

I made a video reproducing the bug, but I am unable to upload it here; it says new users do not have permission.

I uploaded here sendspace dot com/file/uy2veu

Any updates on this? Ideally, Devonthink will implement actual application-level encryption to give parity with the desktop experience, but in the meantime I think this needs to be addressed.

No, there is currently nothing to report on this. Your request is noted but I can’t comment on any development timeframes. Thanks for your patience and understanding.