With Advanced Data Protection, Apple will offer users to get end-to-end, zero knowledge encryption on almost all their iCloud data, which is awesome.
I was wondering if it will include Bear’s database as well? This support document reads:
When you turn on Advanced Data Protection, third-party app data stored in iCloud Backup and CloudKit encrypted fields and assets are end-to-end encrypted.
If our beloved developers could make it so that our data is end-to-end encrypted when we switch on Advanced Data Protection, it would be wonderful! And it seems like it would not be too much work (design the data as encrypted, I guess?)
I have not installed iOS 16.2 yet but my understanding is the new Advanced Data Protection is not open to third-party developers. If this will be at some point made available to devs (or even better, it just works) we’ll be glad to integrate it.
Mind CloudKit already provides non-e2e encryption as some services un ADP but we do provide our own.
Thanks for your answer! CloudKit is concerned as well by the blanket E2EE, is my understanding. In the same way that your files are encrypted but still available to your apps locally. I might be very mistaken on that front, but if not, it would be great if Bear could be made compatible
It seems that developers must take some kind of step so it falls under ADP.
“Advanced Data Protection also automatically protects CloudKit fields that third-party developers choose to mark as encrypted, and all CloudKit assets.”
And: " iCloud stores some data without the protection of user-specific CloudKit service keys, even when Advanced Data Protection is turned on. CloudKit Record fields must be explicitly declared as “encrypted” in the container’s schema to be protected, and reading and writing encrypted fields requires the use of dedicated APIs."
Can there be clarification whether Bear uses or will use this requirement?
“CloudKit Record fields must be explicitly declared as “encrypted” in the container’s schema to be protected, and reading and writing encrypted fields requires the use of dedicated APIs .”
If so, I hope there’s some kind of update to Bear’s faq as well.
Yes, as you can see on the API page you linked encryptedValues is available only on macOS 12+ and iOS 15+. This is a huge problem for us because B2 actually supports macOS 10.15+ and iOS 14+ so we can’t support this API without dropping a considerable portion of users currently using B1.
Usually, we can check inside the code the OS version the user is running and eventually enable a version-specific API but this is different because we are not aware of the other user devices and which OS they are running. Otherwise, we can find ourselves in situations where some user devices can’t sync.
Yeah, so you have “Enable E2E sync” checkbox in preferences of both macOS & iOS apps, then you enable it everywhere you have Bear installed and Bear uses E2E API instead. Seems feasible.
Of course user can mess it up, but Bear may warn with red big warning when you enable it.
I would love to see E2E Encryption through iCloud ADP to come as an option, as it was one of reasons which brought me to use Bear in the first place (privacy first).
Reasoning: I don’t see myself encrypting every note individually, but I don’t want Apple to be able to read my notes in clear either.