Wednesday, March 4, 2020

Apple’s (Not Quite) Secure Notes

Sarah Edwards:

However, the ZSNIPPET column show the partial unencrypted content of this note. This is where potentially sensitive information from the note could be extracted. While I cannot see the full contents of the secure note, I can see the snippet or the first line of the note! I am unable see “The ocean is wet.” in this field.


I mentioned previously about the ZMARKEDFORDELETION column. When do these entries get deleted? Turns out, a few different ways!

  • Upon exiting Notes on macOS
  • Upon closing the Notes window on macOS
  • Upon swiping up (to go to the home screen) on iOS. Switching to another app does not necessarily delete the entries.


Due to the nature of how Apple Secure Notes work, it is possible for forensic analysts to acquire information, even if it is currently encrypted.

Besides this, it’s not clear to me that the old unencrypted data will actually be wiped from the SQLite database page when the row is logically deleted. And even then it may persist on disk, in previous blocks for both the database and for Spotlight. All of these problems stem from converting an unencrypted note to be encrypted. It’s better to start out with an empty encrypted note and then add content to it.

In EagleFiler I try to avoid this by encrypting the entire library from the start. The files and database, as well as search indexes, temporary files, Spotlight, and the versions database are only ever written in encrypted form.


2 Comments RSS · Twitter


Maybe that why FileVault exists in the first place ?

@Jean-Daniel Yeah, FileVault is a good backstop. But Apple heavily pushes you to store the key on their servers, so for most people the data is accessible both to Apple and to anyone who can get into your Apple ID account.

Leave a Comment