Thursday, February 21, 2019

Popular Note-taking Apps Share These Security Flaws

vixentael:

Of course, all apps now use TLS to send network requests to the backend server. However, TLS is not enough if someone wants to read your notes. In my talks, I describe in more detail why sometimes, and in some countries, we can’t rely on TLS itself.

During my testing, I could easily intercept and change network requests — which allowed me not only to read note contents, investigate the API, and send not-allowed network requests, but also to unlock some app features available only after subscription.

[…]

One application that I tried encrypted my notes, but at the same time it generated a preview image with the note content, which was stored as a file next to the encrypted note. Totally visible, a picture, in plaintext.

[…]

It’s better to separate the user password from the encryption key: the app should generate a long random encryption key and store it in the Keychain (or iCloud Keychain). Before encryption/decryption, the app asks for the user password / Touch ID / Face ID to make sure that the user is really the note owner, unlocks the Keychain, reads the encryption key and decrypts the note.
