Security in Notes2Mobile



This page concerns storage and security in the Notes2Mobile mobile app, browser app, as well as the cloud service. Our mantra is to not store more information than needed,as well as limiting the worst-case-scenario for a security breach. We don't just think "how can we prevent attackers from gaining access to our system", we think "how can we limit the damage done when someone has gained access to our system".

1 § Storage

In this section we present what information we collect when using Notes2Mobile as well as how it is stored.

1.1 § Mobile app

When you log in to Notes2Mobile using the mobile app, your credentials are stored on the device to enableautomatic login between sessions. The password is not stored in plain text; it is encrypted using AES-256 with a randomly generated key. This key is stored together with an identifier for your device on our servers. In order for your device to automatically authenticate, it provides this identifier which is then linked to the encryption key on our servers and used to decrypt the password. This means that even if we have a breach in our database, no passwords will be exposed. In such an event, we will contact you and ask you to force your users to change their passwords, just in case an employee has also lost their device. When you uninstall Notes2Mobile from your device, these credentials will be removed. Your can also manually delete them by logging out from inside the app.

Apart from your encrypted credentials, we use an in-memory cache in the app to temporarily store your notes documents and application structureas you navigate through the app. This cache is reset when you close the app.

Lastly, if enabled in the web configuration (on notes2mobile.com), attachments and pictures can be saved on your mobile device. These attachments will be storedin the app storage, and will thus be deleted if you remove the app from your device. You can also delete these attachments manually from inside the app. When exporting attachments from the app, you can send them to external applications like your mail app, pdf-reader etc. This will not remove an attachment from Notes2Mobile if you have already stored it on your device.

Note:  For android, a copy is saved outside the app on the disk when exporting an attachment to another app. This copy is removedevery time you export a new attachment, but will however not be removed when uninstalling the app. This will have to be done manually.

1.2 § Browser client

When you log in to Notes2Mobile using a browser, your credentials are stored on the device to enableautomatic login between sessions. The credentials are not stored in plain text; they are encrypted using AES-256 with a randomly generated key. This key is stored together with an identifier for your device on our servers. This means that even if we have a breach in our database, no passwords will be exposed. In such an event, we will contact you and ask you to force your users to change their passwords. In order to manually remove these credentials, you will need to manually logout in the web interface.

Apart from your encrypted credentials, we use an in-memory cache in the browser to temporarily store your notes documents and application structureas you navigate through the page. This cache is reset if you close your browser window or tab.

When reading pdfs in the browser, the data is temporarily stored in the browser memory and removed when you close the browser window.When downloading non-pdf attachments or images from the browser client, nothing is stored in the browser.

1.3 § Cloud storage

When registering an account, you are required to enter a valid email address, your company name, VAT-number (if applicable), country name as well as credit cardinformation. Your credit card information is stored at our payment service provider, adyen (https://adyen.com), and the rest of the information is stored at our servers. When you configure applications and forms, we also store form structure, domain name for your server, application names and paths in our system.We do not store any accounts from your notes server in our cloud service.This also holds true for documents and attachments, with one exception: when downloading an attachment in the mobile app, it is cached on our server for faster downloads in the future. However, this cache is encrypted and invalidated regularily. If you do not wish to have your attachments cached, please contact us. In future versions, there might be a possibility to manually toggle this caching mechanism from the admin console in notes2mobile.com.

The username your users use to log in is saved in our systems as well as their unique device token. This is done to allow us to provide you with a simple appSessionsto send push notifications to your users.

2 § Traffic

All traffic in Notes2Mobile done with HTTPS using up-to-date, CA-signed certificates. This includes the browser client, mobile app and our webpage (where you manage your account).By all means, have a look at ourQualys reportfor the certificate. While we guarantee the quality of the HTTPS traffic between our products, the same cannot be said once our central system starts communicating with your domino server. It is your responsibility to secure the traffic for your domino server. If you do not employ HTTPS for your web server, there is no way for us to ensure the overall security of the communication. When setting up your first application, you will be warned if you use HTTPS but have a self-signed certificate. Of course, you have to possibility to run either HTTP and HTTPS with a self-signed certificate, though we strongly recommend that you use a CA-signed certificate and employ HTTPS. Although a self-signed certificate isn't necessarily insecure, it is more vulnerable to some attacks, like for example DNS poisoning.

3 § Authentication

When we authenticate against your domino server, both session based and basic authentication are supported. Depending what you have enabled on your server, you might need to choose basic authentication when setting upyour first application. The default is session authentication, and you will be prompted when configuring if you have chosen a different method than what's enabled on your server. While both are supported, we recommend session based authentication. Even if all data is transported using HTTPS, sending the credentials in every request poses an unecessary risk since it would compromise your account if it were to be exposed. For the admin console, session authentication is used.

4 § Policies

Notes2Mobile has several security policies in place. These can be enabled or disabled as you please, with no update required for the app. You simply select which ones you want in our admin interface. Policies are setfor your entire company, not per application you add. These policies are at the time of writing:

  • Require an iOS passcode to save attachments
    This policy prevents users from saving attachments from notes documents to their devices if they do not have an iOS passcode set. This policy only applies to iOS devices, and not android or the browser client

  • Users are prevented from saving attachments to their device
    This policy completely prevents users from saving attachments for offline usage to their devices.

  • Allow users to export attachments to external apps
    By default, Notes2Mobile does not allow users to export attachments to for example their mail, pdf-reader or other app on the device. By choosing this policy, you allow your users to open attachments in different appsthrough Notes2Mobile.

  • Require a secondary, separate password to save attachments to the device

    This policy requires a user to enter a passcode everytime they want to save or read an attachment. This passcode is unique per document, and is also used to encrypt the attachment on the device.

5 § Push Notifications

Notes2Mobile have capabilities to send push notifications to your users by using our very simple API. These notifications can be sent from any server or device capable of communicating through HTTPS, and can be a powerful addition to yourexisting Notes applications. You can send notifications to single users, or your entire company (every registered user). When you log in to using the Notes2Mobile app, your device is registered to your company if your login attempt is successful. Note that we make use of your session data when registering your device. That is, we use the session token/basic authentication credentials retrieved when successfully log in to the app to make sure that the user in question actually has access to your company server before being registered as a user in your company. This prevents unauthorized users from snooping your push notifications.

6 § ACL

Access control lists are inherited from your domino server. This means that a user will not be able to access any information through Notes2Mobile that she wouldn't be able to access using the notes client. For example, if a user tries to edita document in Notes2Mobile without the correct permissions, an error will be shown in the UI. To make it more convenient for your users, we check whether they have access to a certain application before showing it in the UI. Of course, even if we were to show it, the would not be able to view any data without the correct access rights: it is simply done for convenience.

7 § Contact us

Still have questions regarding security? Please contact us with any concerns atsecurity@notes2mobile.com.