
(Archived) Hi. I am bothered by the lack of security on Android. Help?


BumbleBeeTuna


I just signed up to inquire about the security flaw on Evernote for Android. The email welcoming me to the Evernote forums has sent my password to me in plain text. I know this doesn't automatically mean Evernote is storing my password in plain text but how do I know? And isn't this considered an unacceptable practice now? I am further bothered by the security Evernote has in place, especially since notes can be sensitive information.

Now for Android: I was going through my SD card using a file explorer looking for a screenshot I made on another program and came across an Evernote folder on my SD card. I plugged my phone in via USB and saw that the contents inside this SD card are my notes! And other apps can have access to this sensitive information. It was extremely troubling that I had some of my notes in a location that can easily be accessed by other applications. I had to uninstall Evernote.

Is this going to change? Either way, I've come to the decision that Evernote really doesn't care about my privacy/security much so I'm going to have to look into other note-taking options. I just wanted to have some clarification on this matter because it is a highly irresponsible thing to do when handling people's information.

Thank you.

Link to comment
I just signed up to inquire about the security flaw on Evernote for Android. The email welcoming me to the Evernote forums has sent my password to me in plain text. I know this doesn't automatically mean Evernote is storing my password in plain text but how do I know? And isn't this considered an unacceptable practice now?

I've joined countless message boards over the years & I'm pretty sure each one has sent me my password via email in plain text. OR...if you click the "forgot my password", it will be sent by email in plain text. So nothing different with respect to EN's message board system.

I am further bothered by the security Evernote has in place, especially since notes can be sensitive information.

You should take some time & read through this thread. You may also want to search on the word security to find other discussions.

viewtopic.php?f=30&t=9583&hilit=onenote

Now for Android: I was going through my SD card using a file explorer looking for a screenshot I made on another program and came across an Evernote folder on my SD card. I plugged my phone in via USB and saw that the contents inside this SD card are my notes! And other apps can have access to this sensitive information. It was extremely troubling that I had some of my notes in a location that can easily be accessed by other applications. I had to uninstall Evernote.

Is this going to change? Either way, I've come to the decision that Evernote really doesn't care about my privacy/security much so I'm going to have to look into other note-taking options. I just wanted to have some clarification on this matter because it is a highly irresponsible thing to do when handling people's information.

Most applications leave the security up to the user. It's especially important when you have a small, portable device, like a PDA or smartphone. When I used a Palm TX, unless you specifically encrypted the SD card, anyone could look at any of the data on it. Security wasn't done automatically. Same thing with the two Palm Treos my husband had. Same thing if you use a thumb drive. You load a sensitive Word document onto that puppy & lose it, anyone can view your Word document, unless the thumb drive is encrypted. Passwords give you a false sense of security. You can password protect Word documents but anyone with a bit of skill can hack it in seconds. They even sell programs to break Word document passwords. Quicken uses a password but any images you scan into it are quickly viewed with any image viewer. Same thing with NeatReceipts. It's a MySQL (IIRC) database & unless you have that database on an encrypted drive, anyone who knows how to access MySQL databases can get in there.

So most programs leave the security up to the user.

Link to comment

BumbleBeeTuna wrote:

Now for Android: I was going through my SD card using a file explorer looking for a screenshot I made on another program and came across an Evernote folder on my SD card. I plugged my phone in via USB and saw that the contents inside this SD card are my notes! And other apps can have access to this sensitive information. It was extremely troubling that I had some of my notes in a location that can easily be accessed by other applications. I had to uninstall Evernote.

Is this going to change? Either way, I've come to the decision that Evernote really doesn't care about my privacy/security much so I'm going to have to look into other note-taking options. I just wanted to have some clarification on this matter because it is a highly irresponsible thing to do when handling people's information.

Most applications leave the security up to the user. It's especially important when you have a small, portable device, like a PDA or smartphone. When I used a Palm TX, unless you specifically encrypted the SD card, anyone could look at any of the data on it. Security wasn't done automatically. Same thing with the two Palm Treos my husband had. Same thing if you use a thumb drive. You load a sensitive Word document onto that puppy & lose it, anyone can view your Word document, unless the thumb drive is encrypted. Passwords give you a false sense of security. You can password protect Word documents but anyone with a bit of skill can hack it in seconds. They even sell programs to break Word document passwords. Quicken uses a password but any images you scan into it are quickly viewed with any image viewer. Same thing with NeatReceipts. It's a MySQL (IIRC) database & unless you have that database on an encrypted drive, anyone who knows how to access MySQL databases can get in there.

So most programs leave the security up to the user.

Android certainly provides ways to store stuff locally (in the phone's built-in FLASH, as opposed to the SD card) which is protected and private to the specific application. An application will only have permission to access that data because it will be stored in that app's directory (unless a phone is rooted). Also, the notes cannot be removed from the phone if stored in flash but can certainly be synced to an even more private service like on the web (And I have already discovered an app that does this).

I understand the "false sense of security" with passwords but my Android question had nothing to do with passwords. It is about WHO and WHAT can access my notes that are on my SDcard, that any app can have access to.

Link to comment

but my Android question had nothing to do with passwords. It is about WHO and WHAT can access my notes that are on my SDcard, that any app can have access to.

When I used a Palm TX, unless you specifically encrypted the SD card, anyone could look at any of the data on it. Security wasn't done automatically. Same thing with the two Palm Treos my husband had. Same thing if you use a thumb drive. You load a sensitive Word document onto that puppy & lose it, anyone can view your Word document, unless the thumb drive is encrypted.

So if you want to be annoyed at anyone, perhaps it should be at Android. Because it's not just Evernote files but ANY file you'd store on the SD card that is vulnerable, unless the SD card is encrypted. But I'm guessing they have a way for you to encrypt the SD card. Or at least they should. I know there was a way for me to encrypt the data on the SD card I used on my Palm TX. Didn't worry about my husband's since all he stored on it was movies.

Link to comment

LOL, annoyed with Android?

Evernote is one of the only applications that does this. THAT is why it concerns me and THAT is why I bring it up, that's all. Other applications that use your SDcard for storing data actually use it to export your data onto (so you can make a back-up on your computer and then delete), or hold big files such as images.

Maybe the problem is that Evernote doesn't understand Android. It's okay. Plenty of fish in the sea. Good luck to them.

Link to comment

Evernote's service doesn't ever email your password at all.

Our forums are run on completely separate servers, running off-the-shelf forum software (phpBB3). These forums predate the service by several years, which is why you need to register for them independent of your Evernote account.

Link to comment
LOL, annoyed with Android?

Evernote is one of the only applications that does this. THAT is why it concerns me and THAT is why I bring it up, that's all. Other applications that use your SDcard for storing data actually use it to export your data onto (so you can make a back-up on your computer and then delete), or hold big files such as images.

Maybe the problem is that Evernote doesn't understand Android. It's okay. Plenty of fish in the sea. Good luck to them.

Um... you know that camera app on your phone? Photos get saved to the SD. Same with Video. They are not hidden or encrypted.

The adobe PS app... saved to SD. Not hidden or encrypted.

Twidroid... SD.

GDocs... SD.

That's just a cursory glance at my HTC Magic SD card using the Astro file manager. This is not just an Evernote thing.

By the way... you do realize that one of the big features of Android phones (being made by Google) is about living "in the cloud"? Your contacts, calendar, and email (Gmail) all being synced to your Google account (unless you turn it off)? Maybe Android isn't really the platform for you. ;-)

Link to comment
LOL, annoyed with Android?

Evernote is one of the only applications that does this. THAT is why it concerns me and THAT is why I bring it up, that's all. Other applications that use your SDcard for storing data actually use it to export your data onto (so you can make a back-up on your computer and then delete), or hold big files such as images.

Maybe the problem is that Evernote doesn't understand Android. It's okay. Plenty of fish in the sea. Good luck to them.

Um... you know that camera app on your phone? Photos get saved to the SD. Same with Video. They are not hidden or encrypted.

The adobe PS app... saved to SD. Not hidden or encrypted.

Twidroid... SD.

GDocs... SD.

That's just a cursory glance at my HTC Magic SD card using the Astro file manager. This is not just an Evernote thing.

By the way... you do realize that one of the big features of Android phones (being made by Google) is about living "in the cloud"? Your contacts, calendar, and email (Gmail) all being synced to your Google account (unless you turn it off)? Maybe Android isn't really the platform for you. ;-)

First of all, photos are totally different than notes. I do not take photos that hold sensitive information, or ideas, or even potentially embarrassing personal information. Same with video.

2nd of all, just because PS app (which is not sensitive info in my opinion), Twidroid (again, not sensitive), and GDocs (Which I don't use because it does store info on the SD card) store all their data on the SD card doesn't mean that this is OK. Your justification of Evernote handling data by storing them on the SD card is that it's OK because other apps do? That is laughable.

And yes I understand Android is about the cloud. Duh. Saying Google is about living in the cloud is like saying the sun is really hot. I am not really sure what the cloud and Google has anything to do with this conversation (they do not store on sdcard). There are other note-taking apps that sync your notes and files WHILE not sharing its data to any other app that can easily access the SD card. They store the information locally and minimize the size of the data by changing the way the data is sized until it's accessed. For instance, if you are storing a photo, the photo is at a very low resolution until you make a call for it (clicking on it).

When it comes to notes they should probably handle the data in a way that makes more sense for the security of their users, rather than just because "everybody else does it that way."

Link to comment

When it comes to notes they should probably handle the data in a way that makes more sense for the security of their users, rather than just because "everybody else does it that way."

I don't think it is so much a matter of saying "everybody does it that way," as it is more a way of saying Android is not designed as a secure solution. If you are this worried about security you should really set up your own Exchange Server, your own BlackBerry Enterprise Server (or get a hosted plan at a company you are sure you can trust) and then use nothing but BlackBerry Enterprise applications that take advantage of the hardware device encryption and secure encrypted communication directly to the server. Android is really more designed for people who have no problem having their phone broadcast their current position to their friends, who put everything about themselves on Facebook, and who put their every moment's thought on Twitter. I'm not saying this to excuse Evernote, or to put down Android, but the reality is that Android is designed from the ground up for people who lead a very web-friendly life. The BlackBerry, and to a lesser extent Windows Mobile, are designed for professionals dealing with sensitive information who are seriously concerned with any possible security leaks. If you keep anything on your phone that you aren't comfortable with trusting a 3rd party vendor to know, then Android really isn't the OS you are looking for, and a web notepad really isn't where you should be keeping your notes.

Link to comment

Regarding Evernote's use of the SD card, it may be useful to look at the App Storage section of this:

http://www.mobilecrunch.com/2009/11/05/ ... d-round-2/

for some more info.

The internal memory on the Android is very limited. We initially used it but found that it was quickly consumed.

With future versions of Evernote we hope to use more device memory making more of your notes available offline. We'll almost certainly need to use the SD card and we don't want to consume internal memory since it puts pretty big limitations on other uses of the device.

Based on your post we'll review how Evernote stores data on the SD card and see if we can do more to restrict access using the security framework that comes with Android.

Link to comment
Regarding Evernote's use of the SD card, it may be useful to look at the App Storage section of this:

http://www.mobilecrunch.com/2009/11/05/ ... d-round-2/

for some more info.

The internal memory on the Android is very limited. We initially used it but found that it was quickly consumed.

With future versions of Evernote we hope to use more device memory making more of your notes available offline. We'll almost certainly need to use the SD card and we don't want to consume internal memory since it puts pretty big limitations on other uses of the device.

Based on your post we'll review how Evernote stores data on the SD card and see if we can do more to restrict access using the security framework that comes with Android.

Thank you.

Link to comment
  • 1 year later...
Based on your post we'll review how Evernote stores data on the SD card and see if we can do more to restrict access using the security framework that comes with Android.

Is there any update on this? I browsed the Evernote folder on my SD card today and noticed that it's still possible to view just about everything in plain text. To clarify, I realize that the SD card needs to be used due to the large amount of storage space required to provide a speedy offline user experience. I'd just prefer that Evernote encrypted the data before placing it on SD. As things stand right now, the PIN lock feature is pointless--someone with the phone in hand can simply pop the SD card out and put it in a PC, gaining access to all your cached Evernote data. For those of us who store confidential information in Evernote, this is rather alarming.

Link to comment
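
Added example (not part of the thread and not Evernote's code): a sketch in plain Java of the split discussed in the posts above, with bulky note data on the SD card but encrypted, and the key kept only in app-private storage. The class name `SdNoteCache`, the file names and both directory parameters are assumptions; on Android the private directory would be something like `Context.getFilesDir()`, and `noteId` is assumed to be a safe file name.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.SecureRandom;
import javax.crypto.*;
import javax.crypto.spec.*;

public class SdNoteCache {
    private final Path keyFile;   // app-private storage (assumed: Context.getFilesDir() on Android)
    private final Path sharedDir; // SD card: readable by other apps and by any PC

    public SdNoteCache(Path privateDir, Path sharedDir) {
        this.keyFile = privateDir.resolve("cache.key");
        this.sharedDir = sharedDir;
    }
    // Create the AES key once; it never leaves app-private storage.
    private SecretKeySpec key() throws Exception {
        if (!Files.exists(keyFile)) {
            KeyGenerator kg = KeyGenerator.getInstance("AES");
            kg.init(256);
            Files.write(keyFile, kg.generateKey().getEncoded());
        }
        return new SecretKeySpec(Files.readAllBytes(keyFile), "AES");
    }
    private Cipher cipher(int mode, byte[] iv, String noteId) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(mode, key(), new GCMParameterSpec(128, iv));
        c.updateAAD(noteId.getBytes(StandardCharsets.UTF_8)); // bind each blob to its note id
        return c;
    }
    public void put(String noteId, String text) throws Exception {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv); // fresh nonce for every write
        byte[] ct = cipher(Cipher.ENCRYPT_MODE, iv, noteId).doFinal(text.getBytes(StandardCharsets.UTF_8));
        Files.write(sharedDir.resolve(noteId + ".enc"), ByteBuffer.allocate(12 + ct.length).put(iv).put(ct).array());
    }
    // Throws AEADBadTagException if the blob was altered or swapped for another note's on the card.
    public String get(String noteId) throws Exception {
        byte[] blob = Files.readAllBytes(sharedDir.resolve(noteId + ".enc"));
        byte[] iv = java.util.Arrays.copyOf(blob, 12);
        byte[] pt = cipher(Cipher.DECRYPT_MODE, iv, noteId).doFinal(blob, 12, blob.length - 12);
        return new String(pt, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception { // constructed demo using temp dirs
        SdNoteCache c = new SdNoteCache(Files.createTempDirectory("private"), Files.createTempDirectory("sdcard"));
        c.put("note-1", "constructed sample note");
        System.out.println(c.get("note-1"));
    }
}
```

With this layout a card moved to a PC yields only ciphertext; the key file is still exposed on a rooted phone, which is the same limit the thread notes for app-private storage.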

Archived

This topic is now archived and is closed to further replies.
