January 27, 2016
Recently I looked into various task-management apps that will work across my Mac and mobiles (iPhone and iPad). Of course, that means I also need to synchronize data across those platforms, so that tasks created or completed on one device reflect as such on all the other devices. While that’s not generally an issue for most of the major software vendors, it does bring up some important concerns that most of those same developers have completely ignored.
Syncing data between devices requires sending that information outside of your network to a server, where it can then be accessed by the other devices and compared/added/removed. All the major vendors of task software encrypt the transmission to and from those servers with SSL, a reasonable security practice. But almost none encrypt the data at rest. This means they have ensured that no one (or nearly no one, at any rate) can view the data in flight, but anyone who compromises the server can read all of the data in plaintext.
As we’ve seen from the recent spate of attacks and hacks against a large number of companies, servers are compromised on an unfortunately regular basis. Having the data rest unencrypted on those servers means that your info (which might include personally identifiable information) will eventually be stolen whenever an attacker decides to focus their attention on the software vendor in question. Let me repeat: this is not a matter of “if,” it is a matter of “when” this is going to occur.
Luckily, a few of the vendors – such as Appigo and their ToDo app – do allow you to set up your own sync using services such as Dropbox or your own WebDAV server, which can be encrypted at rest. Using Dropbox isn’t perfect by any stretch; they’ve shown that their security can be compromised, typically via attack through third-party connectivity. However, they do at least attempt to keep your data safe, and it’s a far cry better than no encryption at all. Setting up your own secure WebDAV server is tricky, and not for the technological newbie, but it is another option to keep your data safe.
So, when syncing your data with any app, make sure the data is encrypted both in flight and at rest. “Secure Sync” may simply mean the data is transmitted securely, and it’s up to you to find out if the data is also stored securely. You may find, and in many cases will find, that the data is stored in a format that leaves you wide open.