Evernote

The Company

Evernote is a fast-growing global software provider of mobile applications for individuals and teams. Evernote users leverage their apps for capturing, finding, and sharing information and for collaborating in real time. Evernote's apps allow users to stay on top of projects individually or in a team environment. Users can manage projects, activities, and workflow easily and quickly without losing information. Evernote reduces the administrative burden and allows employees to communicate more efficiently from anywhere in the world.

The Challenge

Evernote has millions of active users and protecting their data is an important foundational principle for the company. Evernote talks about these foundational principles in its Three Laws of Data Protection (https://evernote.com/privacy). Their customers trust them with their most important thoughts and ideas, so the Evernote security team’s primary charter is to protect customer data. That starts with a secure product.

Evernote has built multiple apps that run on a variety of mobile platforms including Android, iOS, Windows Mobile, and Blackberry. Their flagship application is updated frequently and therefore needs a security scanning solution that can match the pace of each release. Ideally, the would like a scanning solution that can not only find traditional security defects but also identify mobile-specific privacy and security issues that developers may not be aware they need to address.

Past Alternatives

Before Data Theorem, Evernote relied solely on their internal security team, which didn't have enough staff to manage the company’s rapidly increasing scale and application growth. They tested numerous tools and found that none of them addressed the threat models that were most relevant to mobile apps. Instead of hiring security specialists for each mobile platform, the company connected with Data Theorem. Data Theorem’s approach expands on traditional bug-hunting techniques to also identify issues related to privacy, app-to-app attacks, and how data is protected at rest and in transit.

The Solution

Evernote evaluated several different solutions and as part of that process, engaged with Data Theorem to perform an evaluation scan on their Android and iOS flagship apps. The results were concise, relevant, and actionable. The company decided they wanted Data Theorem’s Scan & Secure solution in place for every future release of their apps.

The Data Theorem App Secure product performs dynamic run-time analysis on any iOS or Android application in search of security vulnerabilities and privacy gaps. It helps detect injection issues, session management issues, dynamic run-time flaws, vulnerable third-party SDKs, insecure Open Source Libraries, and compliance gaps for PCI, GDPR, HIPAA, and FTC. Most importantly, it provides Objective-C, Swift, and/or Java code to solve each identified issue.

Data Theorem's solution continuously monitors and scans every Evernote application available in the Apple App and Google Play Stores, alerting Evernote's team when it discovers a security or privacy issue. The Evernote security team also integrated the Data Theorem Analyzer Engine to scan every pre-production release as part of their continuous integration pipeline. This allows them to identify vulnerable code before it makes it into a production release, and into the hands of millions of users.

The Results

Data Theorem's App Secure product has identified and fixed (with Objective-C, Swift, Java, & Kotlin secure code) a variety of vulnerability issues in Evernote's apps before releasing them to the public app stores including:

Remote Code Execution Flaws

Since Evernote provides a way to share content among users, this collaboration feature could be exploited in a way for a malicious user to share malicious content in an attempt to run code as if they were the recipient. Data Theorem has helped the Evernote security team identify vectors that would allow an attacker to attempt this. This resulted in Evernote fixing the security flaw and releasing a more secure version that mitigated this risk.

App/Play Store Blockers

Apple and Google review each app submission and reject releases if they don’t meet their platform requirements. Data Theorem has helped Evernote identify blockers before they submit for release, making the approval process faster, and allowing Evernote to release new versions with bug fixes and features, without unnecessary delay.

Vulnerabilities in Open Source Libraries

Most software engineers don’t write all code from scratch; they include open source libraries and build upon them. Tracking vulnerabilities in these external libraries can be tedious. Data Theorem identifies third-party libraries and notifies the Evernote security team when they discover a vulnerability in one of them.

Unexpected commercial SDKs

Data Theorem also makes the Evernote team aware of new SDKs that have been added that may send data to a new service provider. Data Theorem helped the Evernote security team identify an analytics tracker that one of their product teams added to the code before it had been reviewed and approved. This helped the company continue its best practices in privacy and security.

Proactive Security Features

As part of the App Secure product, Data Theorem provides an app protection service that extends beyond just finding security bugs by giving developers secure code snippets that help prevent security problems from ever being published into production. Evernote has implemented many of these proactive application security features to make their apps more resilient to app-layer security hacks.

Data Theorem provides 100% security coverage of Evernote's entire mobile application portfolio with backend API services. Through the hosted portal, Evernote's developers and security team can log in at any time for status updates, to review flaws and alerts and make secure code recommendations, thus saving time by reducing the burden on IT security staff.