Jump to content
ZZever

Is your evernote database really fully accessible even when logged out of the App?

Recommended Posts

I noticed today that when I LOG out of the evernote Mac app, I'm using Mojave version 10.14.6, and then quit the evernote app as well...I'm still able to access the local database folder that contains all my notes, attachments, photos, and such. I wasn't sure if it was normal for you to be able to access/view and open all that info EVEN WHEN LOGGED OUT? Yes, it is burred in the normally hidden "library" folder in finder, but all the info is very easy to find and see. I can even access, and view pretty much everything, of any other evernote accounts that have used my computer(assuming we share a user login.)

Is this normal, or is that information suppose to be encrypted or unaccessible when you are both logged out and the app is closed? If it is normal, is there a simple way to protect it? I have had some issues with very skilled hackers, so Id like to not make it THAT easy for them. lol  I have always assumed that when you login to the app, even when offline, you are unlocking your database files.  

Can anyone shed some light on this for me?  Thanks guys. 

Share this post


Link to post

This is the way it has always been.  The only app I know of the encrypts the data stored on your Mac is 1Password.

The key to Mac security is NOT sharing your Mac login credentials with anyone.  Period.  In addition, you can have the macOS encrypt everything, so that it is not readable unless you are logged in.

  • Like 1

Share this post


Link to post
12 hours ago, ZZever said:

Is this normal, or is that information suppose to be encrypted or unaccessible when you are both logged out and the app is closed? If it is normal, is there a simple way to protect it?

Yes, a full copy of Evernote data is stored on the Mac, and is accessible without the application.
I ofen access this directly

Our Macs have protection at the OS level
- User password is required to access the computer
- The data is stored in your user folders; not accessible by other users.
- You can use FileVault to encrypt your disk.1759403030_ScreenShot2019-09-10at07_59_53.png.95f18893f8292f7f630947b0209f6070.png

  • Like 1

Share this post


Link to post

... and it is basically not different if you go to a Windows PC. 

It is just that the EN database there has another format, but is is legible on the computers drive even when the EN app is not active. And compared to a Mac (at least when File Vault is up) file level security on a PC sucks.

  • Like 1

Share this post


Link to post

Thanks for the quick reply guys.  I really appreciate it. I had always stupidly assumed the data was locked in a container until you logged into the app. 🤦‍♂️  I currently follow all the great information/tips from all your comments as well, and I suggest that anyone in the future that happens upon this post do the same..  A quick story about an unlikely encounter I had recently with a group of talented hackers. If your interested read on.  

 

I travel often and usually setup several of my own dedicated mobile hotspots in hotels, from different carriers so my devices aren't using the same network, and I have more cell coverage options.  Public wifi for me is unfortunately always a no-go, even with a good VPN.  Last year, while staying in a hotel, with many other hotels in close proximity,  I was having a connection issue.  I decided to troubleshoot by running Wireshark, a very thorough packet capturing application for those of you maybe not familiar with it. When I was going through the data I noticed that luckily, and unfortunately, I happen to catch a group of hackers silently attacking everyone in the hotel. These guys were smooth and dead silent.  I believe that because I was applying some fairly high security measures, for a hotel guest anyway, they decided to take a closer look into my devices..which were all locked down pretty solidly...so I thought. 

Just in case you are interested...I was using creditable VPN's while on my own networks, use strong password techniques, use a password manager, of course have file vault turned on, use the strictest of firewall settings, normally use virtual machines to browse the web, and try my best to follow basic security measures (scanning links before clicking anything, checking the websites for https, clearing cached data, and such). I even log out of icloud on my devices when doing work in hotels.  Since I was staying in a nice hotel, and not working with any overly sensitive data, I didn't think it necessary to use any hardened operating systems like Tails or Whonix.

I did happen to grab some of their chats out of the air with Wireshark, and judging by the conversations between them I could tell they were EXTREMELY well educated and very organized.  When they became aware I had captured data about their attack they started targeting me with a vengeance.  Later I realized they just wanted to see what all I knew, and erase their tracks. Thankfully they didn't have intentions to cause any damage...besides trying to erase my laptop through my iCloud which they accessed. I barely escaped that mess.  But during the attack I was scared to death. I couldn't use any device without them moving laterally through it.  I didn't know their intentions, and I didn't want to pass them on to any of my personal or business contacts.   They even changed the wifi and bluetooth icons on my Macs  GUI to just appear off when I tried to toggle them off. The computer also only appeared to power off when I shut it down.  Luckily I could fumble around at the command prompt enough to shut settings off there, and later follow pieces of the damage. I spent the next two days with not a single electrical device, not even a cell phone.  I felt I made a wrong turn and ended up in a Tom Cruz spy movie. The story gets a little more wild but the point of all this is now I know why my evernote info seemed to be the most exposed.  I had originally thought that maybe they just stole an active browser cookie and then downloaded the info that way.  Anyway, if you have read this far thanks for letting me share. Most people I work with roll their eyes when I mention anything at all about the security of a project we are working on. I do use encrypted folders on my Mac for sensitive data, but I guess I'll just have to be more cautious about what I store in evernote.   I can almost guarantee not a soul in that hotel knew their devices were exposed.   Love evernote...wish it had more security features.  But as my grandma use to say..."wish in one hand and ***** in the other." Be careful out there! ...and thanks again.

 

Share this post


Link to post

Thanks for sharing.

Who is staying in nice hotels ? People who can pay, mostly on business, tired from Jetlag, meetings and the other glas of wine. With other words: Targets - worth it and usually not well protected. I know few on top management level that are in deep enough to protect against an attack. So they have a good IT department PLUS the discipline to follow their advise, or they are exposed.

The best protection is always a cord you can pull. So it is no bad idea to have sensitive stuff on an external drive, fully encrypted. If you take hardware encoded drives, they even protect content against a brute force attack. 10 times the wrong PW, and all that is left is data dust. However they protect only as long as they stay encrypted.

The other measure is to use dedicated devices, and build your own network based on a mobile connection you control. And inside of this (!) a VPN tunnel. Why ? Because GSM encryption is a joke, and even LTE/4G can be broken with some resources.

WiFi is to be regarded as unsafe - always ! First anybody can set up a Hotspot, call it „Splendid Hotel Free WiFi“ and just wait for people to connect. Second usually Hotel WiFi is „protected“ by no encryption (Open WiFi) or by super-safe passwords like „Aloha2019“. Very funny ... and known to anybody who is at that place.

So if I’m forced to use a WiFi out of my house (protected or not), VPN is a must. Sometimes connection is not possible ! Why ? Because a port needed to make it work may be closed. Or the provider may be blacklisted. Some countries enforce this, some Admins may have closed out traffic for security (their own, not that of the guest) etc.

It is a good idea to have more than one VPN ready to go on your device. There are many providers that offer a free membership with restricted data volume. This may not serve for everything, but is a good fallback option. If possible use different VPN types (IPSec and OpenVPN are common), because they use different ports to communicate.

For EN things are a bit difficult. Because it is a cloud-based service, and it offers strong server-based OCR and search capabilities, it can not do an end-to-end-encryption of what you file away there. As long as your device stays safe, the EN data is safe as well. When the device gets corrupted, EN is compromised as well as nearly all other data on the device.

For the logon into EN I would always recommend to use a strong password from a password manager plus 2FA. 2FA does make is much harder to get into the account for others, plus you get a notification when it is tried.

And then - don’t worry, be happy !

Share this post


Link to post

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×
×
  • Create New...