Security Updates

Evernote makes products that are the go-to apps for millions of people worldwide accomplishing their most important work. It's important to us that your experience be both private and secure. We proactively test our products for security issues and regularly squash bugs that could create vulnerabilities in our apps.

Here you'll find a list of the most recent security bugs that we've fixed. We'll update this page anytime we release an app that has a security update. (Note: Reporting began on March 1st, 2015. Fixes released prior to this date do not appear.)

To stay up-to-date with security patches, check back here or in our app release notes.

Security Overview Updates

Date Update
April 2017

April 2017 updates to the October 2014 version:

We’ve made updates to reflect our move of the Evernote service to Google Cloud Platform (“GCP”). This included updates to our Network Security, Media Disposal and Destruction, Transport Encryption, Resiliency / Availability, and Physical Security sections.

We updated the Account Security section to reflect that both free and paid users can use SMS delivery for two-step verification codes.

We updated the Email Security section with additional domains that we may email you from.

We removed the Customer Account Access section because that information is better described in our Privacy Policy.

We updated the Media Disposal and Destruction section to reflect the standard that we use for secure erasing and destruction for all types of storage media, not just hard drives.

We updated the Activity Logging section to reflect that we collect event data from our clients.

We added the Encryption At Rest section to explain how we now encrypt data at rest in GCP.

We moved the Encrypted Text Within a Note section to the Customer Security Tips page and renamed it End-to-End Encryption to better reflect the modern name for this feature. We also clarified some of the language in that section.

Security Tips Updates

Date Update
April 2017

April 2017 updates to the October 2014 version:

We moved the Encrypted Text Within a Note section from the Security Overview into this page and renamed it End-to-End Encryption to better reflect the modern name for this feature. We also clarified some of the language in that section.

We renamed the “Phishing” section to “How to Know an Email is From Evernote.” We also updated the list of email domains from which we may email you.

We updated the Malware Protection section to reflect changes in configuring Chrome and Firefox. We removed recommendations for Safari since the maintainer of ClickToPlugin has stopped supporting it.

Evernote for Mac

Ticket Id Description Fixed Release
MACOSNOTE-12400 Added a prompt before opening any file:// URIs. Evernote for Mac 6.6
MACOSNOTE-18729 Improved NSConnection usage with NSProtocolChecker to protect the cross application IPC channel. Evernote for Mac 6.3

Evernote for Windows

Ticket Id Description Fixed Release
WINNOTE-15870 Fixed a potential stored cross-site scripting (XSS) issue in the Google Drive integration. Evernote for Windows 6.4
WINNOTE-15637, WINNOTE-8970 Fixed DLL hijacking/preloading vulnerabilities in the installer and other binaries. Evernote for Windows 6.3
WINNOTE-14610 Delete the local data in the original folder when the local folder configuration is changed. Evernote for Windows 6.1.2
WINNOTE-13340, WINNOTE-13475, WINNOTE-13472 Fixed several stored XSS (cross-site scripting) issues in activity view and other web views. Evernote for Windows 5.9.5
WINNOTE-8997 Added a warning to users before opening local files. Evernote for Windows 5.8.11
CE-735 Fixed a stored XSS (cross-site scripting) issue in Related Context by properly rendering the context note snippet. Evernote for Windows 5.8.4

Evernote for iOS

Ticket Id Description Fixed Release
IOSNOTE-28074 Fixed a PIN lock bypass issue. Evernote for iOS 8.2
IOSNOTE-22342 Updated the keychain items accessibility attribute in iTunes/iCloud backups. Evernote for iOS 7.14
IOSNOTE-19688, CP-3280 Fixed WebViews that disabled the same-origin policy when using file:// URLs. Evernote for iOS 7.7.7
IOSNOTE-19338 Upgraded vulnerable SDWebImage library to 3.7.2. Evernote for iOS 7.7.2

Evernote for Android

Ticket Id Description Fixed Release
DRDNOTE-24142 Fixed a PIN lock brute-forcing issue. Evernote for Android 7.9.9
DRDNOTE-23054 Fixed a potential stored cross-site scripting (XSS) issue in the Google Drive integration. Evernote for Android 7.9.5
DRDNOTE-20794, DRDNOTE-22660 Fixed a PIN lock bypass issue. Evernote for Android 7.9.4
DRDNOTE-20842 Fixed an issue where some WebViews could ignore SSL certificate errors in debug/internal builds. Evernote for Android 7.6
DRDNOTE-9500, DRDNOTE-11183 Move notes stored on the SD card to internal memory. Evernote for Android 7.0.7

Evernote for BlackBerry

Ticket Id Description Fixed Release
EFB-1836 Fixed an issue where the PIN lock could be bypassed. Evernote for BlackBerry 5.6.2

Web Clipper 6 for Chrome

Ticket Id Description Fixed Release
CC-2561 Fixed a potential cross-site scripting (XSS) issue while clipping from a malicious site. Web Clipper 6 for Chrome 6.9.2
CC-1729 Fixed a potential HTML injection issue through the extension's login page. Web Clipper 6 for Chrome 6.7
CC-1693 Fixed a potential stored cross-site scripting (XSS) issue in related search results. Web Clipper 6 for Chrome 6.6

Web Clipper 6 for Safari

Ticket Id Description Fixed Release
SAFARICLIP-992 Fixed a potential stored cross-site scripting (XSS) issue in related search results. Web Clipper 6 for Safari 6.7

Penultimate for iOS

Ticket Id Description Fixed Release
IOSPENULT-4056 Updated the Adonit SDK to fetch all web content through HTTPS. Penultimate for iPad 6.2

Evernote Food for iOS

Ticket Id Description Fixed Release
IOSFOOD-4320 Upgraded vulnerable SDWebImage library to 3.7.2. Evernote Food for iOS 2.5.1
  We have ended support for this product and will not be providing any future security updates. September 30, 2015

Skitch for iOS

Ticket Id Description Fixed Release
  We have ended support for this product and will not be providing any future security updates. January 22, 2016

Skitch for Android

Ticket Id Description Fixed Release
  We have ended support for this product and will not be providing any future security updates. January 22, 2016

Skitch for Windows Touch

Ticket Id Description Fixed Release
  We have ended support for this product and will not be providing any future security updates. January 22, 2016

Skitch for Windows

Ticket Id Description Fixed Release
  We have ended support for this product and will not be providing any future security updates. January 22, 2016

Evernote Clearly

Ticket Id Description Fixed Release
  We have ended support for this product and will not be providing any future security updates. January 22, 2016

Evernote for Pebble

Ticket Id Description Fixed Release
  We have ended support for this product and will not be providing any future security updates. January 22, 2016