Security improvements necessary

  • Unknown's avatar

    DayOne always says how important privacy and security are for them.

    For a journaling app, this is one of the most important features for me. If you look at the hacking attacks even on big players and how dangerous such an attack could be for the very sensitive information in DayOne, I wonder why:

    1. There is no 2-factor authentication.
    2. There is no possibility to change the encryption key without creating a new account (https://dayoneapp.com/guides/troubleshooting/getting-a-new-encryption-key/).
    3. There is no auto-logoff feature in the Web app. The logout button is very hidden and when you forget to log out, everybody visiting the Web app is able to read the journal.
    4. You can save the encryption key when logged in to the Web app (view n°3) without entering your password.
    5. It’s very good to have passed a security audit, but it’s already very old, dated 2017 (https://dayoneapp.com/guides/day-one-sync/end-to-end-encryption-faq/).
    6. The entries are not encrypted on the device.

    I really like DayOne because of its functions and the user experience and because it is one of the rare apps that offer e2e-encryption at all, but I am worried about whether the data is very secure in DayOne and whether they really implement privacy by design at an actual security level.

    Are there any improvements planned?

    Best, Elysee

  • Unknown's avatar

    Hi Elysee 👋

    Thank you so much for this feedback! We are working on some improvements with the encryption process for Day One Sync and we hope to have a new audit after those changes are added.

    "The entries are not encrypted on the device."

    If you are using Day One on iOS or Mac, everything is encrypted on disk by the operating system, and is only available when you are signed in to the device.

    We are happy to share your feedback with the team for future consideration on making Day One even more secure!

  • Unknown's avatar

    "We are working on some improvements with the encryption process for Day One Sync and we hope to have a new audit after those changes are added."

    Thanks, that is good news.

  • Unknown's avatar

    You’re welcome! We’re dedicated to making Day One even better, so stay tuned for more updates.
