Bear app is a popular note-taking application for iOS/macOS platforms. It is featured by Apple as one of the competitors to Apple’s native Notes app. The Shiny Frog team behind Bear values users’ privacy: by design they don’t have access to users’ notes and don’t transmit them via their own backend servers. At some point, Bear app users started asking for specific features (encryption and locking) to protect their notes.
There were several business-sensitive aspects to be kept in mind. First, adding reliable note encryption into the application flow should preserve smooth user experience. Next, the huge user base (500K monthly active devices!) leads to numerous possible corner-cases, which we should foresee and prevent.
Products and services involved
We've designed the end-to-end encryption protocol, assisted with implementation and verification.
We've recommended platform-specific security controls for data protection outside of end-to-end encryption scope.
Themis is a cross-platform high-level open-source cryptographic library. We used Themis as a building block for cryptographic protocol, focusing on the data flow and user experience while having cryptography covered.
End-to-end encryption of user notes should be based on solutions compatible with Apple platform, but at the same time, it should be easy to migrate to Web/Electron platform that Bear team has in the roadmap.
Support of multi-device synchronisation for encrypted notes and notes’ passwords since a typical Bear user uses the app on several Apple devices (iPhone, iPad, MacBook).
Encryption engine should be easy to maintain, support, and update by non-cryptographers, giving the Bear dev team the necessary flexibility for introducing changes.
Bear app doesn’t have externally enforced strict security requirements (unlike, for instance, fintech/banking-related apps) so cannot force users to create strong and unique passwords.
Losing or not being able to decrypt user notes is a significant threat and reputational risk.
Smooth user experience is a part of UVP, so the encryption scheme should not complicate the UX, but rather overcome the limitations.
Mobile users have multiple devices, some of them online and some of them offline, which requires careful synchronisation of encrypted data and keys.
The Bear team can’t access iCloud database of their users, meaning there’s no “admin way” to help users if they forget or lose their passwords.
We have designed secure data flow architecture based on our open-source cryptographic library Themis, applicable usability and security considerations, and industry standards (Apple security guidelines, iOS Data Storage guidelines and OWASP MASVS).
We designed end-to-end encryption engine with the following properties:
Each protected note is stored and transferred in encrypted form throughout the whole system, decrypted only on a user’s device after successful authentication.
Each note of each user is encrypted by a unique encryption key using Themis library (AES-GCM-256 with KDF).
According to the threat model, no data is stored in Keychain in plaintext; notes’ encryption keys are not stored at all.
The security system is flawlessly integrated into the UX: instead of asking user’s password often, the application implements proper key management procedures (key generation, key stretching and caching).
The designed protocol supports changing users’ password and synchronisation of notes when some of the users’ devices are online or offline.
The built-in biometrics engine is used for restoring access to the encrypted notes if a user forgets the password.
The encryption engine is designed to be easily updated in case of discovered vulnerabilities or bugs.
Besides the cryptographic core, we’ve also provided a number of security recommendations for development aligned with “defense in depth” approach:
Usage of platform-specific security controls to provide maximum security guarantees (biometrics authentication, integration with SecureEnclave and iCloudKeychain).
Application auto-locking in case of user inactivity for a set amount of time (maybe they’ve left their phone on a table?); locking time calculations are based on a monotonic timer.
Data minimisation and clean-up – removing notes’ content from memory as soon as the user closed the note (or due to app locking).
Protecting the password hint because users often put their password as a hint, so it wouldn’t make much sense to protect the password and leave the hint in plaintext.
Prevention of manual passphrase brute forcing by using a counter of failed attempts and throttling user input.
Multi-level test suite based on unit/integration tests to cover as many corner cases as possible.
Our solution provides strong security guarantees, uses platform-specific security controls, and is fully integrated into the Bear application flow without ruining the user experience.
The new secured Bear app had a very successful release after a short beta-testing phase. End-to-end encryption was one of the release’s main highlights. Our engineers worked closely with Bear app’s team, designing cryptographic protocol, helping with implementation, suggesting security improvements, and verifying the results. The resulting solution attracted security-aware users, potentially allowing Bear app to increase and consolidate their user base and provided a clear competitive advantage over their competitors.