Data at rest (DAR) encryption protects each piece of app data before saving it on the mobile device, shielding it from malware, rogue apps, and hackers who attack the device storage. When the app needs an encrypted piece of data, the DAR policy decrypts it.
Although you apply the DAR policy to the app, the policy does not encrypt the entire secured app. (Otherwise, it would not be able to run on the device.) The DAR policy encrypts the data that the secured app generates. For example, if you apply DAR to a browser app, the data downloaded by the browser would be encrypted.
The DAR profile is a collection of settings to apply with the DAR policy.
For maximum security, apply the Local App Authentication policy along with the Data at Rest Encryption policy. DAR Encryption uses Local App Authentication if it is enabled, but does not require it.
(Secure Microtunnel is not required.)
App updates and installations
When using the Encrypted Data at Rest policy, data can be lost on the mobile user’s device in these cases. This data loss may create unexpected app behavior.
- If the user uninstalls the app:
All data associated with the app is deleted.
- If the user installs an unprotected version of the app after using a protected version of the app:
Replacing an app that has been secured with the DAR policy with a version that does not use the DAR policy leaves the encrypted data on the device but deletes the encryption key, so the encrypted files on the user's device can no longer be decrypted. There is no way to recover this data once the secured app has been replaced.
To remove the DAR policy from an app that you’ve deployed to users’ mobile devices, your users need a way to sync their encrypted app data before upgrading the app.
- If the user installs a protected version of the app after using an unprotected version of the app:
If you upgrade an app from a version that has not been protected with the DAR policy to a version that is protected with the DAR policy, the existing data remains unencrypted. Any new data generated by the secured app is encrypted.
When switching in either direction between a version of an app secured with DAR and a version not secured with DAR, Blue Cedar recommends asking your users to delete the old version and install the new version rather than updating in place.
- There should be a way to back up or sync the users' data before switching between DAR-protected and unprotected versions of the app.
- A fresh app install avoids data loss caused by a mix of encrypted and unencrypted data files.
If a user upgrades from a DAR-secured version of an app to a new version of the app, secured with the same DAR policy, the existing data is preserved.
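The upgrade cases above come down to one fact: the DAR key lives only as long as a DAR-secured build is installed, while the files it encrypted outlive it. The following Python model is an added illustration, not Blue Cedar code; the `Device` class, its `DAR1` file marker, and the HMAC-based toy cipher are all assumptions made here so that "encrypted data with no key" is concrete and testable. It walks through each case in the list (protected to unprotected, unprotected to protected, same-policy upgrade) and the recommended mitigation of exporting the data while the key still exists, then doing a fresh install.

```python
"""Model of how DAR-encrypted app data survives (or does not) across app upgrades.

Added example, not Blue Cedar's implementation. A per-install key sits in the
app's private storage and disappears when a build without the DAR layer is
installed; files written under DAR are encrypted with that key. The cipher
below (HMAC-SHA256 keystream plus HMAC tag) is a toy stand-in used only to
show the key-lifecycle problem; a real DAR policy uses its own cryptography.
"""
import hashlib
import hmac
import os

MAGIC = b"DAR1"  # constructed marker: "this file was written by the DAR layer"


class DataLoss(Exception):
    """Stored data can no longer be read (the page's 'cannot be decrypted')."""


def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _seal(key, plaintext):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return MAGIC + nonce + tag + ct


def _open(key, blob):
    nonce, tag, ct = blob[4:20], blob[20:52], blob[52:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise DataLoss("authentication tag mismatch")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class Device:
    """The app's private storage on one device: its files plus the per-install DAR key."""

    def __init__(self):
        self.files = {}    # file name -> bytes as stored on disk
        self.key = None    # exists only while a DAR-secured build is installed
        self.dar = False

    def install(self, dar):
        """In-place install or upgrade: files survive, the key survives only under DAR."""
        self.dar = dar
        self.key = (self.key or os.urandom(32)) if dar else None

    def uninstall(self):
        """Uninstall removes everything associated with the app, key included."""
        self.files.clear()
        self.key, self.dar = None, False

    def write(self, name, data):
        self.files[name] = _seal(self.key, data) if self.dar else data

    def read(self, name):
        blob = self.files[name]
        if not blob.startswith(MAGIC):
            return blob  # file written by an unprotected build: plain, still readable
        if self.key is None:
            raise DataLoss(f"{name}: encrypted, but the key left with the protected build")
        return _open(self.key, blob)

    def export_for_sync(self):
        """Pre-switch backup: decrypt every file while the key still exists."""
        return {name: self.read(name) for name in self.files}


def protected_to_unprotected():
    d = Device(); d.install(dar=True); d.write("notes", b"secret")
    d.install(dar=False)  # in-place update to a build without DAR
    try:
        d.read("notes"); return "readable"
    except DataLoss:
        return "lost"


def unprotected_to_protected():
    d = Device(); d.install(dar=False); d.write("old", b"plain")
    d.install(dar=True); d.write("new", b"fresh")
    return (d.files["old"].startswith(MAGIC), d.files["new"].startswith(MAGIC),
            d.read("old"), d.read("new"))  # old stays plaintext, new is encrypted


def same_policy_upgrade():
    d = Device(); d.install(dar=True); d.write("notes", b"secret")
    d.install(dar=True)
    return d.read("notes")


def sync_then_fresh_install():
    d = Device(); d.install(dar=True); d.write("notes", b"secret")
    backup = d.export_for_sync()  # must happen before the key is gone
    d.uninstall(); d.install(dar=False)
    for name, data in backup.items():
        d.write(name, data)
    return d.read("notes")


if __name__ == "__main__":
    print(protected_to_unprotected(), unprotected_to_protected()[:2],
          same_policy_upgrade(), sync_then_fresh_install())
```

The model's `export_for_sync` is the "way to sync" the text asks for: it only works while the protected build and its key are still present, which is why the export has to run before the switch rather than after the user notices unreadable files.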
Android apps and the SD card
If an Android app has saved files to the device's SD card and the app uses the Encrypted Data at Rest policy, these files will be unreadable after an update.