August 1, 2017•428 words
A few months ago, we hired an independent security research firm to conduct an audit on the encryption specification used by Standard Notes. In building out our product, we spent a lot of time making sure our encryption is as strong and fool-proof as possible. While it's easy for one to feel confident of their own work, a security audit is a must for any privacy-focused project to assure the developers and customers alike that data being encrypted and transferred is done safely and securely.
We're happy to announce the results of our first third-party security audit, and share in this milestone with you while we continue on our journey to build the most private notes app in the world.
The full report is attached below for the crypto-minded. Security is a moving target, but we're happy to report that this report does not find any major weaknesses in our data encryption flow, which is the largest part of our crypto implementation. Instead, it identified two main places in which security could be improved:
1. Verifying login parameters from the server. It's standard practice for a modern web app to trust that what the server has sent for a particular user is associated with that user. For Standard Notes, we distrust the server a little more, and instead place trust on the applications that are running on the machines our users control. We were happy to learn about this as it has allowed us to add an additional layer of protection from the out-of-sight server.
2. Ensuring that the ID of the data item is not exchanged with another item. This is an issue with little practical exploitability. But it is important to protect against nonetheless. Now, when your app decrypts an item, it makes sure that the data contents of the item match the ID of the item it was originally created with.
Both of these improvements, along with others, are now live in the latest versions of Standard Notes on all platforms. With this launch, we also release the latest version of our encryption specification. Any new data you create is automatically secured with the most powerful version of our encryption spec. For data created before this launch, read here for instructions on re-syncing.
We're proud to say that we're amongst the only private notes apps to have completed a third-party security audit. With our applications built for maximum longevity, we're confident we can continue protecting your data now and long into the future.
As always, thanks for your support. Please don't hesitate to reach out with any questions.