(Archived) Major Security Upgrade for Evernote Third Party Trunk Apps

[JMichaelTX 4,117]

Many, many thanks to Evernote for upgrading the security of third party Trunk apps.

In an Evernote Tech Blog released today (Apr 24, 2012), Evernote announced:

We are now requiring all new applications to authenticate to the Evernote service using OAuth, a standard authorization protocol used by Google, Twitter, Dropbox and most other major web service providers. We will no longer activate applications on the production Evernote service if they use username and password for authentication. The Evernote service has long supported OAuth, and now we’re making it mandatory.

Developers with have until November 1, 2012 to modify existing applications that authenticate using username and password. At that time, we will cut off third party access to the UserStore.authenticate function. We will email developers who hold “client” API keys (those that authenticate via username and password) this week to let them know about this change, and again in September if they have not converted their application to OAuth.

This is huge!!!! This fills what was, IMO, a big security hole in using Trunk apps.

Previously Trunk Apps had full permissions to your Evernote account to read, create, edit ALL your Notes, when maybe the app only needed "Create" permission (like adding a new text Note, or a new snapshot).

Now (as of Nov 1, 2012) Trunk Apps will have to meet much stricter security process, and can be limited to only the permissions the app actually needs to do its job.

Many thanks to Evernote for listening to our security concerns and requests, and making this major step forward to providing an even more secure environment for our Evernote Notes.