Secure Storage
Encrypt your application data in the Secure File System.
-
BlackBerry Secure File System
Overview
This class is a subclass of the native
FileManager
class, for access to the BlackBerry secure file system.For applications, the BlackBerry secure file system behaves like the default file system, with the following differences.
- All data within the secure file system is stored on the device in an encrypted form.
- Directory and file names are also encrypted.
- The secure file system cannot be accessed until runtime
is in an active or tokenExpired
InitializationState
.
Every operating system has a maximum supported length for the names of files and directories. For example, iOS 11 supports a maximum length of 255 bytes, given by the
NAME_MAX
constant. The encrypted form of the name of a directory or file will typically be longer than the plaintext, and it is the encrypted form that must be within the limits supported by the operating system. This means that names in the secure file system have a shorter effective maximum supported length. It isn’t possible to give a simple maximum but the following should be expected.- Names that are 16 bytes or longer will be increased by a factor of 4:3 approximately.
- Shorter names will be increased to a length of 20 bytes approximately.
Encryption and decryption is transparent to the application code:
- The application passes its data to a file writing interface. The runtime encrypts the data and stores it on the device.
- When a file-reading interface is utilized, the runtime decrypts and returns the data.
- Path access interfaces accept plaintext parameters for directory and file names. The runtime encrypts the parameter values in order to create paths in the secure store.
- Directory and file names provided as return values are plaintext. The runtime decrypts paths in the secure store in order to generate the return values.
Usage
This class is a subclass of the native
FileManager
class. It should be easy to replace references toFileManager
with references toBBSFileManager
, in order to convert application code that utilizes the native file system into code that utilizes the secure file system.The differences between this class and
FileManager
are:- Write access is limited to the secure store.
- There is no access to “Ubiquitous” files and directories, i.e. no access to items in “cloud” storage.
- There is no access to native application group containers, which aren’t
secured by BlackBerry Security. The
containerURL(forSecurityApplicationGroupIdentifier:)
returns the same value as the base class would for an invalid group identifier. - The secure file system doesn’t have a designated temporary directory. The
temporaryDirectory
property mustn’t be used to create paths. - File Provider extensions aren’t supported. The
getFileProviderServicesForItem(at:completionHandler:)
interface always fails. - Returned URL values for locations within the secure file system can only be utilized by BlackBerry Security programming interfaces, see below.
- Returned String values for paths within the secure file system can only be utilized by BlackBerry Security programming interfaces, see below.
- Error codes could be in the specific
BBSFileManager
error domain or could be generalError
codes.
The
URL
values returned by functions in this class can only be used to access files and directories by SecureEdge programming interfaces. They cannot be used by native interfaces, such asInputStream
norstring(withContentsOf:)
for example.The String values for paths returned by functions in this class can only be used to access files and directories by BlackBerry Security programming interfaces. They cannot be used by native interfaces, such as
stringByResolvingSymlinksInPath
for example.To read and write files in the secure store, use functions in this class or in one of the other BlackBerry Security programming interfaces. For example:
Use
createFile(atPath:contents:attributes:)
to write a fileUse
contents(atPath:)
to read a fileDon’t use file-reading and -writing functions in the native Foundation classes to access files in the secure store
Best practice for building paths for use with this class is as follows. First use an
SearchPathDirectory
value to generate a path prefix, for example by calling theNSSearchPathForDirectoriesInDomains(_:_:_:)
. Then append to the prefix, for example:
See morelet paths = NSSearchPathForDirectoriesInDomains(FileManager.SearchPathDirectory.applicationDirectory, FileManager.SearchPathDomainMask.userDomainMask, true) let filePath = paths[0].appending("testFile")
Declaration
Swift
public class BBSFileManager : NSObject, FileManagerDelegate, InitializationStateProvider
-
Enumeration for error codes of the
See moreBBSFileManager
Declaration
Swift
public enum BBSFileManagerErrorCode : Int, CaseIterable
-
Overview
InputStream
subclass for reading files that are in the secure store. This class is a subclass of the nativeInputStream
class, for access to the BlackBerrySecurity secure file system.Usage
This class supports the
read
andhasBytesAvailable
member functions ofInputStream
. This class doesn’t supportgetBuffer
, which will always return false. This class also doesn’t supportscheduleInRunLoop
norremoveFromRunLoop
. Support for run loops isn’t required because the file data can be read immediately.Notes on use of the read function
The
read
function in this class will work best when the supplied buffer is a multiple of 16 bytes in length. ThemaxLength
parameter should reflect the size of the buffer, and not the amount of data remaining to be read from the file. To read a particular number of bytes, B, supply a buffer whose size is B rounded up to the next multiple of 16.The return value of the
See moreread
function must always be checked by the application. It mustn’t be assumed that a file has been completely read into a buffer, even if the buffer is large enough to accomodate the whole file.Declaration
Swift
public class BBSReadStream : InputStream, InitializationStateProvider
-
Overview
OutputStream
subclass for writing files in the secure store.This class is a subclass of the native OutputStream class, for access to the BlackBerrySecurity secure file system.
Usage
The class supports the
See morewrite
andhasSpaceAvailable
member functions ofOutputStream
. The subclass doesn’t supportscheduleInRunLoop
norremoveFromRunLoop
. Support for run loops isn’t required because the file data can be written immediately.Declaration
Swift
public class BBSWriteStream : OutputStream, InitializationStateProvider