{"id":24383,"date":"2019-02-21T16:28:09","date_gmt":"2019-02-21T21:28:09","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=24383"},"modified":"2019-02-21T16:28:09","modified_gmt":"2019-02-21T21:28:09","slug":"popular-note-taking-apps-share-these-security-flaws","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2019\/02\/21\/popular-note-taking-apps-share-these-security-flaws\/","title":{"rendered":"Popular Note-taking Apps Share These Security Flaws"},"content":{"rendered":"<p><a href=\"https:\/\/medium.com\/@vixentael\/popular-note-taking-apps-share-these-security-flaws-security-tips-for-developers-326180e41329\">vixentael<\/a>:<\/p>\n<blockquote cite=\"https:\/\/medium.com\/@vixentael\/popular-note-taking-apps-share-these-security-flaws-security-tips-for-developers-326180e41329\"><p>Of course, all apps now use TLS to send network requests to the backend server. However, <a href=\"https:\/\/www.cossacklabs.com\/avoid-ssl-for-your-next-app.html\">TLS is not enough if someone wants to read your notes<\/a>. <a href=\"https:\/\/github.com\/vixentael\/my-talks#x-things-you-need-to-know-before-implementing-cryptography\">In my talks<\/a>, I describe in more detail why sometimes, and in some countries, we can&rsquo;t rely on TLS itself.<\/p><p>During my testing, I could easily intercept and change network requests&#x200A;&mdash;&#x200A;which allows me not only to read note content, investigate the API and send not-allowed network requests, but also to unlock some app features that are available only after subscription.<\/p><p>[&#8230;]<\/p><p>One application that I tried encrypted my notes, but at the same time it generated a preview image with the note content, which was stored as a file next to the encrypted note. Totally visible, a picture, in plaintext.<\/p>\n<p>[&#8230;]<\/p>\n<p>It&rsquo;s better to separate the user password from the encryption key: the app should generate a long random encryption key and store it in the Keychain (or iCloud Keychain). Before encryption\/decryption, the app asks for the user password \/ Touch ID \/ Face ID to make sure that the user is really the note owner, unlocks the Keychain, reads the encryption key and decrypts the note.<\/p><\/blockquote>","protected":false},"excerpt":{"rendered":"<p>vixentael: Of course, all apps now use TLS to send network requests to the backend server. However, TLS is not enough if someone wants to read your notes. In my talks, I describe in more detail why sometimes, and in some countries, we can&rsquo;t rely on TLS itself.During my testing, I could easily intercept and [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"2019-02-21T21:28:13Z","apple_news_api_id":"805dd9e2-6126-4f63-99be-c161fe118576","apple_news_api_modified_at":"2019-02-21T21:28:15Z","apple_news_api_revision":"AAAAAAAAAAD\/\/\/\/\/\/\/\/\/\/w==","apple_news_api_share_url":"https:\/\/apple.news\/AgF3Z4mEmT2OZvsFh_hGFdg","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[2],"tags":[31,1610,26,355,71,48,581],"class_list":["post-24383","post","type-post","status-publish","format-standard","hentry","category-technology","tag-ios","tag-ios-12","tag-iosapp","tag-privacy","tag-programming","tag-security","tag-ssltls"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/24383","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=24383"}],"version-history":[{"count":1,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/24383\/revisions"}],"predecessor-version":[{"id":24384,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/24383\/revisions\/24384"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=24383"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=24383"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=24383"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}