OmniFocus Now Supports End-to-End Encryption

by Derek Reiff on August 1, 2016

“Is my data safe on the server?”

That’s a question we get occasionally from customers, and the answer has always been this:

“Communication to and from the server is encrypted using a secure HTTPS connection, just like the traffic between your computer and your online banking website. We take measures to protect our servers from outside intrusion, as we do with our own online store.” (via Omni Sync Server’s About Page)

And then we add:

“But you can also set up your own server if you’d like more control.”

There are quite a few people that do set up their own server for end-to-end control, but it takes a bit of work. Plus, anyone with access to the server would, potentially, be able to read your data.

But, with our latest updates today (OmniFocus 2.6 for Mac and OmniFocus 2.15 for iOS), your data will be completely encrypted before it leaves your device so that it’s encrypted on the server itself. We’re using your sync password to generate a key that encrypts everything as it leaves your device. All encryption and decryption happens locally, so your data is always encrypted end-to-end and our server never has access to your encryption key. (OmniFocus doesn’t encrypt the data stored on your local devices: you can use the built-in device encryption features in iOS (enabled by default) and OS X (FileVault) to encrypt your local data at rest.)

OmniFocus is the first of our apps to get this sort of encryption treatment, but it won’t be the last. We hope to get it into document-based apps quickly!

Upgrading your database

To make this level of encryption work—and for other features down the road—we needed to make some adjustments to our database format.

The releases of OmniFocus out today will periodically check to see if all of your devices are using the latest version. Once they are, you’ll be prompted to migrate to the new database format. If you’re pretty sure all devices are updated but still haven’t received a prompt, choose Migrate from the File menu on Mac or Settings on iOS to see a list of out-of-date devices.

We’re confident that we’ve thoroughly tested the process, but if you get stuck at any point in the process, feel free to email or call: 800-315-6664.

A Bit More

The guiding principle of today’s updates is that the only things which should ever have access to your OmniFocus tasks are devices you own and control: your phone, your Mac, your tablet.

There are a few other things worth remembering: no one at Omni will have the ability to look at or restore your data. Further, if you lose every single device OmniFocus is installed on and you forget your password, you should consider your OmniFocus database lost and unrecoverable.

There are more technical details for the curious: find out more on Discourse or dig into the code on github.

The technical tl;dr?

PBKDF2-SHA256, AESWRAP, AES128-CTR, HMAC-SHA256.

Finally, we didn’t just assume the design we came up with was perfect. We asked Leviathan Security, a firm that specializes in this sort of thing, to take an additional look. Here’s a link to Leviathan’s design review.

Anything else?

For iOS, the /add URL action now supports an autosave=true parameter which saves the added task without prompting. You can now restore backups  in the new Backup section of Settings. And, if you restore a new iPhone from an iCloud backup, we behave much more sensibly during your first sync.

On Mac, we’ve updated our localizations and squashed a whole lot of bugs!

As always, you can read release notes from both Mac and iOS releases.