Is my Joplin master password being exposed to Google?

I'm worried about security of data backed up by Android's automated backups in general... And I came across a post on reddit where a joplin user was complaining about the fact that, when he user restored an android backup, his joplin master key came with the backup (hence the masterkey was being exposed to / stored by google).

I'm not sure if this is still the behavior, even though I searched github and these forums couldn't be sure.

So my questions are:

Is any of my Joplin data currently being backed by Android automated cloud backups? Is the master key part of that backup? I can only assume that the unencrpyted notes database which is stored locally in the phone itself would by no means be part of that backup, correct?

Please clarify.

I saw some discussions on Github, some users asking to re-enable android backups. So even if currently our data isn't backed up to Google Cloud, in a future scenario where it would be enabled, the developers must really carefully consider how that feature would be implemented.

A potential best practice here would be similar to that of Aegis 2FA app. In the config screen, it asks users whether to participate in Android's backup system or not (and also gives option for local backups).

Personally I would not desire neither my encryption key nor my notes to be backed up to Google servers. I moved from Evernote because of my mistrust in cloud based data storage.

FYI, currently it isn't really clear if Google is implementing zero knowledge encryption for the automated Android backups. And even if they said they actually do so, I wouldn't trust them.

And so, a privacy focused notes taking app like Joplin should make it a priority not to expose any user data to Google Cloud.

I believe the Joplin profile is excluded from Android backups. And anyway if the backups are not encrypted with E2EE and content is sent in plain text to Google, then they are being done wrong.

The backups have been disabled for some time now.

I wonder if there's a similar issue on iOS. As far as I know iCloud handles E2EE even worse than Google/GDrive (restricting it to what they term "sensitive data"). When iCloud backup is enabled, every installed app is enabled per default as well, although it's easy to disable it manually. As Joplin doesn't provide for encryption at rest (on the client itself), is it the case that the whole unencrypted database (and ressources folder) is backed up to iCloud in plain text?
I'm not as "techy" as the majority of users on this forum, but offline access and local search (great advantages in Joplin) seem to have created a security loophole here (mainly due to Apple's policies and Apple users' behaviour, I must admit).

I'm surprised. Isn't Apple supposed to be all about data privacy and so on? If so I'd expect they encrypt the data on the device before sending it to iCloud.

Both Apple and Google encrypt data before sending the cloud. But they have the encryption key, and so potentially law enforcement or a hacker who manages to steal the encryption key would have access to data (you can google this: Apple dropped plan for encrypting backups after FBI complained).

Even joplin dropped android backups, after careful consideration I've just decided to opt-out of Google One android backups... I will do my manual backups and store them on my own hard drives...

That’s correct: Apple states that device backups on iCloud are encrypted “at least” with 128-Bit-AES. Some parts of this backup (what Apple deems to be sensitive data) are secured with E2EE, so that the keys should be in users’ hands only (theoretically). I’m afraid that many Joplin users are not even aware that ALL of their profile directory is automatically transferred to Apple servers when iCloud backup is turned on and they forgot to deactivate it manually for the Joplin app (or aren’t aware about it).
The fact that iCloud backs up ALL Joplin data can easily be experienced by anyone with a free iCloud storage plan (5 GB only) and a Joplin database large enough: If the profile directory on desktop is 1.5 GB, for example, Joplin’s part of the cloud backup will take up 1.5 GB. This thread was started for Android users, but maybe we should change it into a helpline for iOS users how to wipe out backups containing sensitive Joplin data…

I don't use either backup mechanism, because I don't trust GDrive nor iCloud (or better said the companies behind them).

But I can see that this is a problem. iOS should not backup any Joplin data.

It's true we don't save the password to the keychain on mobile, because the data is already on a secure location. Someone stealing your device can't access it, nor any other app running on the device, so it's quite safe.

Android Backup is not an issue because it's not enabled, and probably won't. Apple Backup I don't know - can we specify that the app data should not be backed up by default? (and is that something that most users really want?)

I would hope that there's something similar to the Android manifest. Usually such info shuold be able to be set in the Info.plist. (Maybe it's an entitlement.)

The problem is that many people have a backup setup without even knowing it. Since I never activated iCloud I don't have to worry (and the backend servers are blocked in my network), but Apple and Google start syncing device data indiscriminately at the click of the wrong button.

I haven't done any Apple coding in a while since I can't deal with Apple's BS anymore. Perfectly fine code just stops working without runtime or compile errors. I'm sick and tired of all that. Especially since Apple doesn't even reply when you send them a detailed and valid bug report.

iOS has 4 different ways to move data to the apple cloud.

  1. directly by and through the app (a permission setting), not an issue as this is only available to system apps
  2. through system settings (e.g. for keychain, siri, etc.) could be problematic, but can be turned off by the user
  3. when an app uses the icloud drive as a external drive (but here I do not see Joplin listed)), and it can be turned off by the user
  4. and using "icloud backup", I cannot tell if this might cause a problem since it is off on my device, it cannot be turned on while offline, and I do not see a backup being started in the background while I turn it on for testing while online.

All settings can be found under settings -> user -> apple ID -> iCloud.
Hope this helps a little bit.

I'd suppose that most of users who care for turning on E2EE within Joplin (one of its greatest features!) would feel quite awkward about all of their Joplin data being transferred to iCloud unless they actively restrict it. So I would suppose that many aren't even aware of it.
I switched from Android to iOS not so long ago, and I find it terribly intransparent what "app data" is actually backed up in the cloud, especially when it comes to third-party apps. From what the cloud storage statistics show, it seems to be rather unique that the WHOLE data directory of Joplin is sent to the cloud (and not only a few settings, as is the case for many other apps). So maybe there's a way to stop this behaviour and not leave it over to the individual user's awareness.
The good news is that manually turning off iCloud backup for individual apps wipes out their storage quota when running the next backup. At least that's what Apple's saying, but the storage usage statistics seem to suggest that it's true.
However, it's a great relief to hear that passwords are transmitted neither to GDrive nor to iCloud (the issue the original post in this thread was concerned with).

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.