This post is to highlight a problem I briefly referred to in my thread on the main Devonthink subforum.
According to my research, DTG on iOS makes use of an elevated data protection class API, “NSFileProtectionCompleteUnlessOpen” or “NSFileProtectionComplete”. By default iOS devices, like their macOS desktop counterparts, make use of Full Disk Encryption (FDE). The way this works is that when your device is powered off the data on the drive is encrypted. Post first boot authentication the data on the disk is completely decrypted. For the majority of users, devices are kept in a post-first-authentication state (i.e. data is decrypted). This is an inherent limitation of FDE and not a problem with Apple’s implementation. Based on the official iOS Security Guide it appears Apple is acutely aware of this shortcoming and attempts to solve it through an API called data protection classes. By default, most applications are assigned the “NSFileProtectionCompleteUntilFirstUserAuthentication” class. That is, data is decrypted if the phone is turned on and in a post-first-boot user-authenticated state. If your phone is on but locked the FDE is NOT enforced (i.e. data is decrypted). Only when it is in a pre-first-boot NON-authenticated state is this enforced. Apple gives developers the option to opt into an elevated data protection class API which will encrypt the data as soon as the application is closed or within a few minutes. Apple uses these higher protection classes on some default apps like Mail. It would mean, for example, that if you plug your phone into a malicious public charging station, or if someone uses specialized but commercially available software to perform a logical acquisition of the device, the data exfiltrated from the apps which make use of this elevated API remains protected so long as they are closed. These scenarios are more complicated than I make them out to be but still very real and feasible.
To the best of my understanding this is how DTG approaches security for data at rest on its iOS device. It applies when you activate a PIN lock and the “immediate” option in the in-app settings. It’s not true “app-level encryption” but something close to it.
Now on DTG, even if the application is closed and presumably data protection is being enforced, you can still open DTG data without any authentication through the “Files” app. So for example, if you open DTG, authenticate and edit the entry “Strategy Plans 2020”, close the app, wait, and then open Apple’s Files app, you can access that same file without any authentication. This is a concern.
My hope is that Devonthink will adopt a similar approach to v3 of the desktop app and offer users the option of true application-level encryption of data. However, in the meantime perhaps this problem should be looked at by the dev team. Also the option to set custom alphanumeric passcodes on the iOS app would help a great deal. I know the security implementations on the desktop and iOS devices are different, but I would like to have just one “application” password per database across devices. A sync password, desktop password and iOS password, all of which are different, can be confusing.
Thank you
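As an added illustration of the data protection classes discussed in the post above (this is example code written for this page, not DEVONthink’s own code, and it makes no claim about how DTG sets its attributes), the Swift snippet below writes a file with the elevated `NSFileProtectionComplete` class, writes a second file with the iOS default `NSFileProtectionCompleteUntilFirstUserAuthentication` class, and then reads the protection attribute back from disk so that the class actually applied can be verified. The file names and the `demo` directory are constructed for the example; the `Data.WritingOptions` and `FileAttributeKey.protectionKey` APIs are Apple’s real Foundation APIs. Reading the attribute back is the check a reviewer would want, because a file that was created by another component (or copied in by the system) may silently carry the weaker default class.

```swift
import Foundation

/// Constructed example: write one file with the elevated "Complete" class and one
/// with the platform default, then report the class iOS actually recorded for each.
enum ProtectionDemo {
    /// Writes `contents` to `url` with the requested data protection class.
    /// `.completeFileProtection` maps to NSFileProtectionComplete: the file is
    /// inaccessible whenever the device is locked, not just before first unlock.
    static func write(_ contents: String, to url: URL, elevated: Bool) throws {
        let option: Data.WritingOptions = elevated
            ? .completeFileProtection
            : .completeFileProtectionUntilFirstUserAuthentication
        try Data(contents.utf8).write(to: url, options: [.atomic, option])
    }

    /// Reads the protection class back from the file system attributes.
    /// This is the verification step: do not trust the write option alone.
    static func protectionClass(of url: URL) throws -> FileProtectionType? {
        let attrs = try FileManager.default.attributesOfItem(atPath: url.path)
        return attrs[.protectionKey] as? FileProtectionType
    }

    /// Returns true only if the file is actually marked NSFileProtectionComplete.
    /// A defender-side audit can run this over an app's container to spot files
    /// that fell back to the weaker "UntilFirstUserAuthentication" default.
    static func isFullyProtected(_ url: URL) throws -> Bool {
        return try protectionClass(of: url) == .complete
    }

    static func run() throws {
        let dir = FileManager.default.temporaryDirectory
            .appendingPathComponent("demo", isDirectory: true)   // constructed path
        try FileManager.default.createDirectory(at: dir, withIntermediateDirectories: true)

        let sensitive = dir.appendingPathComponent("strategy-plans.txt")  // constructed name
        let ordinary  = dir.appendingPathComponent("cache.txt")           // constructed name

        try write("sample sensitive note", to: sensitive, elevated: true)
        try write("sample cache entry", to: ordinary, elevated: false)

        for url in [sensitive, ordinary] {
            let cls = try protectionClass(of: url)?.rawValue ?? "unknown"
            print("\(url.lastPathComponent): \(cls)")
        }
        // On a real device the first line should report NSFileProtectionComplete and
        // the second NSFileProtectionCompleteUntilFirstUserAuthentication. On the
        // simulator or macOS the attribute may be absent, which is itself a reason
        // to verify on hardware rather than assume the class was applied.
    }
}

try ProtectionDemo.run()
```

The point for a user or reviewer is the last function: whatever an app documents, the class recorded on each file is what determines whether its contents are readable while the phone is locked. Files that another app (such as Files) can open after the owning app has been closed are worth checking with exactly this kind of attribute inspection, because a weaker class on the file, or a copy of it held elsewhere, would explain the behaviour the post describes without any change to the app’s own settings.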