The Omni Group Forums


whpalmer4 2012-02-22 12:01 PM

[QUOTE]As OF files are zipped, how complex would it be to encrypt prior to sync?

That said, there are some issues with encryption with zip files.[/QUOTE]
The issue is with the built-in encryption in the old standard, not putting encrypted contents in Zip files. Omni just uses Zip to make the files smaller, and there's nothing really stopping them (except convenience and a SMOP) from putting encrypted files in the Zip files.
[QUOTE]If the Omni server got hacked and everybody's files copied - any criminal is likely to go through the plain text ones first leaving encrypted ones to the end. Assuming no security flaws that entirely defeat the key (Think WPA) if I have a very long and complex encryption key my data will be at the end of the list.[/QUOTE]
The bad guys don't know in advance that you have a long and complex key, do they?

I agree that encryption of the data before zipping could be useful, as it protects against a compromised server and makes eavesdropping on sync traffic (normally encrypted in transit) more difficult. With the current sync implementation, there's no need for the server to have your encryption credentials if the data is encrypted before zipping, so you don't have the Dropbox situation where your data is encrypted but the people running the server can decrypt easily. It also protects against someone swiping the database off the client, which putting a password on the app does not (unless it is used to encrypt the data).
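
The design described in the post above, as an added example that is not part of the thread or of Omni's code: the client encrypts with a passphrase-derived key, so the blob the server stores is opaque to it. It assumes Node.js's built-in `crypto` and `zlib` modules; the blob layout, function names and sample data are constructed here, and the last two values show why compression has to happen before encryption rather than after.

```javascript
const crypto = require('crypto');
const zlib = require('zlib');

// AES-256-GCM under a key derived from the passphrase with scrypt.
// Blob layout (constructed for this example): salt(16) | iv(12) | tag(16) | ciphertext
function seal(data, passphrase) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const key = crypto.scryptSync(passphrase, salt, 32);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(data), cipher.final()]);
  return Buffer.concat([salt, iv, cipher.getAuthTag(), body]);
}

// Returns the plaintext, or null if the passphrase is wrong or the blob was altered.
function unseal(blob, passphrase) {
  const key = crypto.scryptSync(passphrase, blob.subarray(0, 16), 32);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(16, 28));
  decipher.setAuthTag(blob.subarray(28, 44));
  try {
    return Buffer.concat([decipher.update(blob.subarray(44)), decipher.final()]);
  } catch {
    return null; // GCM tag check failed
  }
}

// Client side: compress first, then encrypt; this blob is all the server stores.
const sealForSync = (plain, passphrase) => seal(zlib.deflateSync(plain), passphrase);
function openFromSync(blob, passphrase) {
  const packed = unseal(blob, passphrase);
  return packed === null ? null : zlib.inflateSync(packed);
}

// Constructed sample standing in for a task database.
const sample = Buffer.from('<task><name>Renew passport</name></task>\n'.repeat(200));

function demo() {
  const passphrase = 'constructed example passphrase';
  const blob = sealForSync(sample, passphrase);
  const tampered = Buffer.from(blob);
  tampered[tampered.length - 1] ^= 1; // flip one ciphertext bit
  return {
    roundTrip: openFromSync(blob, passphrase).equals(sample),
    wrongPassphrase: openFromSync(blob, 'guess'),
    tampered: openFromSync(tampered, passphrase),
    compressThenEncrypt: blob.length,
    encryptThenCompress: zlib.deflateSync(seal(sample, passphrase)).length,
  };
}
console.log(demo());
```
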

Brian 2012-02-24 04:19 PM

Catching up on the forums after a pretty busy week; sorry I didn't see this until now.

Data encryption is absolutely something we're interested in providing, but in general - and in particular when it comes to adding new features - we feel that we're best off working on the ones that the greatest number of customers have expressed interest in.

For every request we've gotten for this, we have 4 requests for "Bring Forecast to the Mac" and we have 7 for "Make a web-based version of OmniFocus". Development work is a zero-sum game; time spent working on A takes time away from working on B. Adding encryption now means that many more folks have to wait longer for the things they want.

That isn't intended to dismiss the importance of the request, or the passion of the folks that do want this. We think this is a great idea, and we want to add it at some point. We just can't do it right now.

GeoffAirey 2012-03-01 03:30 AM

[QUOTE=Amilius;107630]Thanks for your reply CatOne, but not constructive. I asked for co-signs on those that were interested in it and not in shooting holes in the idea. (I'm trying to get something positive done).

The functionality you mention is a pacifier. Those mechanisms can be broken and OF is a database, which can be hacked. Just having the password on the device is not enough. [/QUOTE]

I'm sorry, but I agree. If you want to protect the database, you need to lock your devices. Yes, security should always be layered as much as possible, but you're talking about password encryption on the database and that severely slows things down.

It's not something that I've felt the need to request and even now you mention it, it's not even in my top ten things I'd improve within OmniFocus.

I suggest you contact the ninjas to log your interest in the feature.

SpiralOcean 2012-03-01 09:21 AM

Interesting article about Federal governments moving away from Blackberry to iOS / Android.


For Government agencies to use OmniFocus, I wonder how important encryption would be?

SpiralOcean 2012-03-01 09:26 AM

Two iPhone apps that use encryption because they store sensitive data on Dropbox are MoneyWell & 1Password.

CatOne 2012-03-01 10:41 AM

[QUOTE=SpiralOcean;107964]Interesting article about Federal governments moving away from Blackberry to iOS / Android.


For Government agencies to use OmniFocus, I wonder how important encryption would be?[/QUOTE]

Not very important. The iPhone itself is encrypted.

Note, it wouldn't be all that difficult for the Omni Group to secure OmniFocus for iOS further; all they have to do is implement data protection, and then the data in the OF library would be further encrypted when the device is locked.

But, really, per-app lock screens are a bad precedent. Having 27 different lock screens with 27 PINs on iOS is a bad idea because people are going to be forgetting their PIN codes. iOS provides a very secure option with data protection, which leverages the device password. Implementing data protection in an app has little or no performance impact. And then you just put a secure password on the device and set it to lock quickly.

And… don't share your iOS device with others. They're really intended to be single-user devices.

Venture 2012-03-06 04:27 PM

There's this interesting phenomenon on the Internet where people have a hard time seeing beyond their way of doing things. It often goes one step further, and you see people telling other people that they're using their devices the wrong way. This same discussion happened in the Evernote forums, too, when a segment of that community asked that the app be password-protected.

Personally, this feature isn't a big deal to me, but I can see how someone might want/need it. I'm assuming the "don't share your iOS device" comment was a joke, but, if not, it's pretty myopic to tell someone that his use of his iPad is "wrong," because he shares the device with a family member. I know plenty of people who share their iPads in the family.

One of the Android ROMs has an interesting feature where you can restrict access on an app-by-app basis. Perhaps overkill, but helpful in some ways.

whpalmer4 2012-03-06 04:59 PM

[QUOTE=Venture;108110]I'm assuming the "don't share your iOS device" comment was a joke, but, if not, it's pretty myopic to tell someone that his use of his iPad is "wrong," because he shares the device with a family member. I know plenty of people who share their iPads in the family.[/QUOTE]
I know plenty of people who do stupid things. I do some myself. It doesn't make those things be any less stupid, just because they are more convenient than the less stupid alternative.

I don't know if CatOne was joking or not (I think not). I know I'm not joking. If you don't trust someone with your data, don't give them unsupervised access to a device that contains it. If you can't control the device because it belongs to your employer, don't put your private data on it. I agree it's a bit myopic, though; I wouldn't lend my laptop to someone I don't trust with my data, either!

CatOne 2012-03-06 05:07 PM

[QUOTE=Venture;108110]I'm assuming the "don't share your iOS device" comment was a joke, but, if not, it's pretty myopic to tell someone that his use of his iPad is "wrong," because he shares the device with a family member. I know plenty of people who share their iPads in the family.[/QUOTE]

I'm not joking. iOS devices are really designed as "personal" devices. They're not intended to be multi-user, shared devices, where you have lots of people who don't trust each other using them.

Seriously, putting a passcode on each and every app individually that has private data is a horrible hack.

CatOne 2012-03-08 08:42 AM

[QUOTE=tippf2011;108134] <spam removed>[/QUOTE]

Brian did answer it pretty clearly above.

All times are GMT -8.