Hi. Posting this because I am concerned I might have uncovered a security flaw with the encrypted feature of the app.
First, I elected to have my content encrypted according to the app’s settings. I thought I was golden until I ran across a hack. I am running the latest version of Joplin and macOS 10.15 Catalina.
In macOS, if you open the .config file via Terminal, inside is a folder called “resources.” If you open the resources folder you will see a listing of your content but NOT all of it is encrypted as I thought. The text notes part is encrypted but NONE of the PDFs, JPGs, or anything else is encrypted. This is bad because, for example, what if I took a screenshot of backup security codes? That file would be fully viewable.
Did I uncover a security hole? Are the developers aware of this? If so, I urge them to look at it and see if they can also get that content encrypted.