Rebar iOS Data at Rest

Monkton, Inc.

Part of Rebar's compliance with NIAP Protection Profiles and related security requirements is adherence to an API boundary for Data at Rest (DAR): application code never handles keys or ciphertext directly. An app achieves DAR compliance by routing all persisted data through Rebar's File Manager, Settings Manager, and Database Manager.

Where appropriate, Rebar mirrors the corresponding iOS SDK APIs so that developers have little new to learn.

Rebar generates and manages all File Encryption Keys and Key Encryption Keys itself, layering the appropriate protection for your application. The same applies to database storage, which Rebar also manages.

File Management

Rebar implements RebarFileManager, which mirrors FileManager for reading and writing files on the file system. RebarFileManager performs the AES-256 encryption of every file it saves; the Key Encryption Keys and File Encryption Keys are generated and managed by Rebar and are never exposed to the developer.

RebarFileManager builds on the cryptography that ships with iOS, providing two layers of FIPS-validated encryption. Developers call simple convenience methods to encrypt and decrypt Data values.

RebarFileManager is a drop-in replacement for FileManager: because it subclasses FileManager, existing code that takes a FileManager can be handed a RebarFileManager without changes.

Using the File Manager

Accessing the file manager across your app is simpler with a small convenience accessor. When building code that must work both inside and outside a Rebar app, we suggest a helper property such as the following, which selects the implementation at compile time:

/**
 Returns the default file manager for the app. When running in a
 Rebar app it returns the `RebarFileManager` instance; when running
 in standard app mode it returns the default `FileManager` instance.
 
 Note: the REBAR_APP compilation condition must be defined in the
 project's build settings (Swift Active Compilation Conditions) to
 select the Rebar branch.
 */
lazy var fileManager: FileManager = {
    #if REBAR_APP
    return RebarFileManager.default
    #else
    return FileManager.default
    #endif
}()

Storing Data

Reading and writing Data to and from the file system uses the Data convenience methods that Rebar adds. Each method combines AES-256 encryption with an integrity check on the stored file and with protections that keep the file out of iCloud.

Writing Data

Writing Data to the file system is as simple as calling writeEncrypted on a Data value. The method transparently encrypts the contents before they reach the device's file system.

  • func writeEncrypted(toPath path: String, options: Data.WritingOptions = []) throws
  • func writeEncrypted(to url: URL, options: Data.WritingOptions = []) throws

// Create some data to write to the file system
let someData = "Hello! 👻".toNSData()!

// Writing Data to the file system requires a do/catch block
do {
    
    // Let's create a path. RebarFileManager has helper functions that
    // derive file paths automatically. Using them is optional; the path
    // can also be built by hand.
    if let path = RebarFileManager.default.filePathInDocumentsAsUrl("sample-text-file.txt") {
        // Write the encrypted data to the file system
        try someData.writeEncrypted(to: path)
        
    } // if
    
} // do
catch {
    // Error handling here...
}

Reading Data

Rebar adds several convenience initializers that read encrypted data from the file system and transparently decrypt it.

  • init?(encryptedContentsOfPath path: String, options: Data.ReadingOptions = []) throws
  • init?(encryptedContentsOf url: URL, options: Data.ReadingOptions = []) throws
  • init?(encryptedBase64Encoded base64String: String, options: Data.Base64DecodingOptions = [])
  • init?(encryptedBase64Encoded base64Data: Data, options: Data.Base64DecodingOptions = [])

// Reading Data from the file system requires a do/catch block
do {
    
    // Let's create a path. RebarFileManager has helper functions that
    // derive file paths automatically. Using them is optional; the path
    // can also be built by hand.
    if let path = RebarFileManager.default.filePathInDocumentsAsUrl("sample-text-file.txt") {
        // Pull data from the encrypted file
        if let fromData = try Data(encryptedContentsOf: path) {
            
            // Print it; this should match what was written
            print(fromData.toString() ?? "<not valid UTF-8>")
            
        } // if
        
    } // if
    
} // do
catch {
    // Error handling here...
}

Reading with RebarFileManager

Alternatively, call contents(atPath:) on RebarFileManager (declared as open override func contents(atPath path: String) -> Data?). Because it overrides the FileManager method of the same name, it decrypts the file and returns the plaintext contents, or nil if the file cannot be read.

Settings Management

Rebar provides RebarUserDefaults, an encrypted settings manager for storing settings securely; every setting is stored with AES-256 encryption. One limitation: secure settings can only be accessed after the user has authenticated. For values that must be available before the user authenticates, use the device keychain instead.

RebarUserDefaults is a subclass of UserDefaults (NSUserDefaults in Objective-C) and is used the same way. Retrieve the shared instance with RebarUserDefaults.default.
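The split the two paragraphs above describe, shown as an added example (this is illustrative code, not Rebar's own): post-authentication settings go through RebarUserDefaults using the inherited UserDefaults API, while a value that must be readable before authentication goes to the iOS keychain. The setting keys, the keychain service name, and the "enrollment identifier" are assumptions made for this example; RebarUserDefaults.default is used exactly as the text above shows it.

```swift
import Foundation
import Security

/// Added example, not part of Rebar. Settings needed only after the user has
/// authenticated are stored in RebarUserDefaults; a value needed before
/// authentication (a hypothetical enrollment id) is stored in the keychain.
enum AppSettings {

    // Illustrative key names chosen for this example.
    static let themeKey = "ui.theme"
    static let enrollmentKey = "device.enrollmentId"
    // Assumed service name; use your own bundle-style identifier.
    static let keychainService = "com.example.app"

    // MARK: Post-authentication settings (encrypted by Rebar)

    /// Uses the inherited UserDefaults setter; Rebar encrypts the stored value.
    static func saveTheme(_ theme: String) {
        RebarUserDefaults.default.set(theme, forKey: themeKey)
    }

    /// Inherited accessor; nil when unset (or when no user is authenticated),
    /// so callers always get a usable default back.
    static func loadTheme() -> String {
        return RebarUserDefaults.default.string(forKey: themeKey) ?? "system"
    }

    // MARK: Pre-authentication values (keychain, this device only)

    private static func keychainQuery() -> [String: Any] {
        return [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: keychainService,
            kSecAttrAccount as String: enrollmentKey,
        ]
    }

    /// Stores the id readable after first unlock and never migrated to
    /// another device via backup. Returns false if the keychain rejects it.
    static func saveEnrollmentId(_ id: String) -> Bool {
        var attrs = keychainQuery()
        attrs[kSecValueData as String] = Data(id.utf8)
        attrs[kSecAttrAccessible as String] =
            kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
        // Replace any previous value so SecItemAdd does not fail with a duplicate.
        SecItemDelete(keychainQuery() as CFDictionary)
        return SecItemAdd(attrs as CFDictionary, nil) == errSecSuccess
    }

    /// Reads the id back; nil when absent or when the keychain is not yet
    /// available (for example before first unlock after a reboot).
    static func loadEnrollmentId() -> String? {
        var query = keychainQuery()
        query[kSecReturnData as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne
        var result: CFTypeRef?
        guard SecItemCopyMatching(query as CFDictionary, &result) == errSecSuccess,
              let data = result as? Data else {
            return nil
        }
        return String(decoding: data, as: UTF8.self)
    }
}

// Usage: the enrollment id is written once (before login) and read at launch;
// the theme is only touched after the user has authenticated.
_ = AppSettings.saveEnrollmentId("enroll-0001")          // constructed sample value
print(AppSettings.loadEnrollmentId() ?? "no enrollment id")
AppSettings.saveTheme("dark")
print(AppSettings.loadTheme())
```

The keychain accessibility class is chosen deliberately: AfterFirstUnlockThisDeviceOnly keeps the value out of device-to-device backups while still allowing a background launch to read it, which is the usual requirement for identifiers needed before a user is present.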

Deleting Files

To securely delete a file, call RebarFileManager.default.removeItem. This removes the file in a manner that satisfies the NIAP secure-deletion requirements. As with FileManager, removeItem throws, so wrap the call in a do/catch block.
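The following is an added example, not code from Rebar, that ties the file-manager pieces above together: it generalizes the write and read examples into a small store that compiles both in a Rebar build and in a plain build via the REBAR_APP helper pattern, reads back through the overridden contents(atPath:) described above, and deletes through removeItem as described in this section. The class name, the fallback to Foundation's completeFileProtection in the non-Rebar branch, and the existence checks are choices made for this example; RebarFileManager.default, filePathInDocumentsAsUrl(_:), and writeEncrypted(to:) are used as the page shows them.

```swift
import Foundation

/// Added example (not Rebar's own code): a store that works under both
/// RebarFileManager and plain FileManager. Reads use `contents(atPath:)`,
/// which RebarFileManager overrides to decrypt; deletes use `removeItem(at:)`.
final class SecureDocumentStore {

    /// Environment-aware file manager, as in the helper shown earlier on this page.
    lazy var fileManager: FileManager = {
        #if REBAR_APP
        return RebarFileManager.default
        #else
        return FileManager.default
        #endif
    }()

    /// Resolves a file name inside the app's Documents directory. The Rebar
    /// helper is used when available; otherwise the standard Foundation lookup.
    func documentURL(for name: String) -> URL? {
        #if REBAR_APP
        return RebarFileManager.default.filePathInDocumentsAsUrl(name)
        #else
        return fileManager.urls(for: .documentDirectory, in: .userDomainMask)
            .first?.appendingPathComponent(name)
        #endif
    }

    /// Writes `data` under `name`. In a Rebar build this is the page's
    /// `writeEncrypted(to:)`; the plain-build fallback (an assumption of this
    /// example) still asks iOS for complete file protection rather than
    /// writing an unprotected file.
    func save(_ data: Data, as name: String) throws {
        guard let url = documentURL(for: name) else {
            throw CocoaError(.fileNoSuchFile)
        }
        #if REBAR_APP
        try data.writeEncrypted(to: url)
        #else
        try data.write(to: url, options: .completeFileProtection)
        #endif
    }

    /// Reads the file back. The same `contents(atPath:)` call returns
    /// decrypted bytes under RebarFileManager and raw bytes under FileManager.
    /// It returns nil when the file is missing or cannot be read or decrypted,
    /// which the caller must treat as a failure rather than empty content.
    func load(_ name: String) -> Data? {
        guard let url = documentURL(for: name),
              fileManager.fileExists(atPath: url.path) else {
            return nil
        }
        return fileManager.contents(atPath: url.path)
    }

    /// Removes the file; under RebarFileManager this is the secure-delete path
    /// described above. Removing a nonexistent file throws, so the existence
    /// check makes deletion idempotent for callers that do not care.
    func delete(_ name: String) throws {
        guard let url = documentURL(for: name),
              fileManager.fileExists(atPath: url.path) else {
            return
        }
        try fileManager.removeItem(at: url)
    }
}

// Round trip: write, read back, compare, then securely delete.
let store = SecureDocumentStore()
let original = Data("Hello! 👻".utf8)   // constructed sample input
do {
    try store.save(original, as: "sample-text-file.txt")
    if let restored = store.load("sample-text-file.txt"), restored == original {
        print("round trip OK: \(String(decoding: restored, as: UTF8.self))")
    } else {
        print("read back failed or contents differ")
    }
    try store.delete("sample-text-file.txt")
} catch {
    print("file operation failed: \(error)")
}
```

Keeping the type of fileManager as FileManager is what makes the read and delete paths identical in both builds; only the write needs a compile-time branch, because writeEncrypted is a Data extension that exists only in a Rebar app.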

Database Management

See the App Database page to learn how Rebar manages databases automatically.