Data Theorem's App Secure product has identified and fixed (with secure code in Objective-C, Swift, Java, and Kotlin) a variety of vulnerabilities in Evernote's apps before their release to the public app stores, including:
Remote Code Execution Flaws
Since Evernote provides a way to share content among users, this collaboration feature could be abused by a malicious user who shares crafted content in an attempt to run code as the recipient. Data Theorem has helped the Evernote security team identify vectors that would allow an attacker to attempt this. As a result, Evernote fixed the security flaw and released a more secure version that mitigated this risk.
App/Play Store Blockers
Apple and Google review each app submission and reject releases that don't meet their platform requirements. Data Theorem has helped Evernote identify blockers before submitting for release, making the approval process faster and allowing Evernote to ship new versions with bug fixes and features without unnecessary delay.
Vulnerabilities in Open Source Libraries
Most software engineers don't write all code from scratch; they include open source libraries and build upon them. Tracking vulnerabilities in these external libraries can be tedious. Data Theorem identifies third-party libraries and notifies the Evernote security team when it discovers a vulnerability in one of them.
Unexpected commercial SDKs
Data Theorem also makes the Evernote team aware of newly added SDKs that may send data to a new service provider. Data Theorem helped the Evernote security team identify an analytics tracker that one of their product teams had added to the code before it had been reviewed and approved. This helped the company continue its best practices in privacy and security.
Proactive Security Features
As part of the App Secure product, Data Theorem provides an app protection service that extends beyond finding security bugs: it gives developers secure code snippets that help prevent security problems from ever reaching production. Evernote has implemented many of these proactive application security features to make its apps more resilient to app-layer attacks.
Data Theorem provides 100% security coverage of Evernote's entire mobile application portfolio and its backend API services. Through the hosted portal, Evernote's developers and security team can log in at any time for status updates and to review flaws, alerts, and secure code recommendations, saving time by reducing the burden on IT security staff.