
    at any point in time, user and only
    the user has access to their notes
I don't think that is true.

When I use your app, you can do anything you want to my data. You might promise me that the Javascript you delivered to my browser is treating my data in a certain way. Storing it in encrypted form or whatnot. But that is just a promise. Reality is: you can ship me code that does whatever you like.




This seems concerning: "The Service should not be used to store sensitive information such as bank account numbers, credit card information, or passwords."

Why would a notes app dictate what content can be stored in it?

From: https://simplenote.com/terms/


It's.. a.. note-taking app? I'm not trying to convince you to use it, especially if security of your notes is a concern, but the data being asked of you is pretty much the bare minimum required to provide the described service. It's just weird to take exception to the rare service that authentically obeys a least access model.

Well, you don't have to trust me or some privacy policy.

On Android you can see for yourself whether an app tries to access data such as text messages, emails or calendar.

My app doesn't ask for those permissions, therefore it can't access that data.


> All data resides solely on your mobile device unless you need to send it to authorities.

Network chatter can be viewed without source code access. If what they’re saying is true, this app should not make network requests unless initiated by the user.


It doesn't look like there's a mode where the app would not get any access to private data.

Why would users trust an app that has access to their direct messages?


  > That's completely separate from ownership of the data
No, it isn't. Under the app-controlled model, my access to my data is limited to what the app offers.

  > […] it's what prevents a malicious app from hoovering up all
  > of your Tinder messages, or your financial data from Mint.
That's an implementation of access control using the app-owned-data model. It's not the only possible implementation of access control.

Is this rhetorical?

How can you trust any app that has access to your data?


> What about every other app that requests permission to see that data?

Of course they'll collect and save it somewhere as well.


I disagree. The difference being:

locally installed non-free web app

app: not yours (BUT: communication between author and app is impossible if you want it to be)

data: yours (meaning you can delete it)

remotely installed non-free app

app: not yours, and you can't prevent the author from updating their app under your feet. And the author can do nearly anything, meaning any encryption on your data is useless.

data: not yours (meaning the author can read, change, delete, and you CANNOT unless the author, and anyone with a global root certificate (like Saudi Arabia, dozens of companies that have committed breaches of trust, ...) can mitm you, and gain the author's access to your data)


Out of principle, an app must not collect what it doesn't need. If the programmer thinks nothing sensitive should be in there, it's still not ok. Unrelated example because you mention the contact list - people who put passwords in there as phone numbers.

What really got to me though are notes. Notes! Of course no user should write "make that fat ass invest in us" in their appointment notes, but that is not how privacy works.


This is a very shallow (and questionable) intro to a paper about apps using things like string obfuscation to hide API keys and similar “secret” app data.

I’m not sure how we get from that to “threatening your privacy”. Unless you have personal data on the app’s server, and that data is unprotected by any access controls.

Honestly this post seems clickbaity to me.


“if anyone else can get hold of your phone, he can access to files of those apps where data is not protected.”

As always, if someone has physical access and unlimited time, no device or computer is safe.

Also, Mailbox.app only supports Gmail. Security-minded people are obviously not the target market.


I think the point of the PandoDaily post was that you're already trusting apps with access to your data. You've granted permission for the app to access it any time. When I grant permissions for an app to access my data, this doesn't mean I am allowing my data to be published for the world to see. That's what privacy policies are for.

My presumption is that apps will not be able to access this data, at least without some sort of permission gate.

They can pretty much pick and choose unless the data is encrypted --- and most of it is not.

https://www.xda-developers.com/android-permissions-bypass-pl...


It may seem negative, but it is also true.

You cannot have privacy with web apps. At all. Ever.


And only their data in the app in question or any data that the user allowed the app to have would be vulnerable. If not, that’s an issue with the sandbox on the mobile OS.

I hate this concept - the app doesn't own the data.

Apps that assume they do are rapidly removed from any system I use.

There are some single purpose apps that have data directly tied to them, but everything else is not like that.


"Accessing data on their own terms"?

Like in terms "I created a silo of valuable data with some obscure app and now stuck with this app"?
