
Discussion about sync & omninotesweb

Open thewhitetulip opened this issue 10 years ago • 27 comments

I am still working on the backend, and I believe we would need to work together when doing the sync with website thing.

What do you plan to do with sync? Complete sync with unlimited storage for all photos and videos?

I would like to have the db schema that is being used in the android app.

Thanks.

thewhitetulip avatar Feb 06 '15 04:02 thewhitetulip

The class that manages DB interaction is this: https://github.com/federicoiosue/Omni-Notes/blob/develop/omniNotes/src/main/java/it/feio/android/omninotes/db/DbHelper.java

You could find it useful to take a look at this dependency project that contains the POJOs that will be used for synchronization: https://github.com/federicoiosue/Omni-Notes-Commons/tree/master/src/main/java/it/feio/android/omninotes/commons/models

federicoiosue avatar Feb 06 '15 22:02 federicoiosue

Well, to be honest, I don't have experience in Java and/or Android. I have created only a few apps in Android till now, and even now I don't understand how to use Android Studio. I was hoping I could code the webapp and we would collaborate on the sync part.

thewhitetulip avatar Feb 08 '15 17:02 thewhitetulip

I'll prepare the full JSON schema as soon as possible to eventually build your Angular services.

federicoiosue avatar Feb 08 '15 18:02 federicoiosue

okay, take your time actually, because the app is going to take time, I just have started learning django, it might take one more month to get the basic things fully functioning :)

thewhitetulip avatar Feb 09 '15 03:02 thewhitetulip

Hey, I wanted to ask if I should give the ability to mask the notes in the web application (or should I keep it optional?), because it doesn't make sense to me to mask the notes in a webapp

Of course, for sync purposes the password will be stored in the db.

thewhitetulip avatar Mar 23 '15 04:03 thewhitetulip

Will the sync/web version feature client-side encryption?

Mosrite avatar Jun 06 '15 10:06 Mosrite

I am sorry for sounding naive, what do you mean by client side encryption?

thewhitetulip avatar Jun 06 '15 15:06 thewhitetulip

It's roughly the equivalent of end-to-end encryption in communication. I'm neither a programmer nor a cryptography expert, but I think the basic principle is that everything will be encrypted locally before being uploaded to the server. If the user wants to access data via a web interface the encrypted content is usually downloaded again and decrypted locally in the browser's local storage. If done right, it means that the provider of a service doesn't have any access to the actual data that is handled. For example, Spideroak or MEGA are client-side-encrypted, while Dropbox or OwnCloud are not.

Mosrite avatar Jun 06 '15 16:06 Mosrite

Okay, I don't think I would code the end to end encryption into onweb, since it is open source someone else can take up that matter. Also even if we decide to do so, I would rather focus on building a working version, I was not finding the time since a few months, I hope to find time this month. Let's see.

Also I don't get the end to end encryption logic, there is this hacking 101 principle, if it is accessible online one can break into it.

thewhitetulip avatar Jun 08 '15 04:06 thewhitetulip

Again, I'm not a crypto expert, but I think it works like this: The key is generated by a client or within the browser's local storage. It is used to encrypt all data. The key itself then gets encrypted by the user's password. This still all happens locally. The encrypted key and data get uploaded. If the user wants to access it again, everything will be loaded in the browser's local storage again, the key is decrypted by typing in the password and can now decrypt the data.

Mosrite avatar Jun 08 '15 06:06 Mosrite

Yes, I can understand how it works, I don't understand why anyone would want to encrypt everything for an open source application, it is unlikely that a project that will run on donations will use the user data for malicious purposes, also encrypting everything seems to be a big deal for me.

thewhitetulip avatar Jun 12 '15 18:06 thewhitetulip

Yes, I understand that it is very difficult. That's why only a few services (mostly cloud storages) offer it.

But, at the moment OmniNotes isn't 100% FOSS (see https://github.com/federicoiosue/Omni-Notes/issues/177). And even if it was I had to completely trust it that it won't use my data which can be very sensitive as it is a note taking app. Of course, this would be different if I'd host it myself.

I really don't assume OmniNotes would use my data in any way I don't want it to. Still I would like the idea of having everything completely encrypted, just so that I don't have to trust anyone, but would know that OmniNotes had zero knowledge about my data.

But as I said, I understand that this is too complicated at the moment.

Mosrite avatar Jun 14 '15 17:06 Mosrite

Dude, I think you don't know this, http://github.com/thewhitetulip/onweb I am building the webapp and it is 100% FOSS, you can host it anywhere you want, but the omninotes android app needs to be changed after the webapp is made to accept the custom IP address that you will give of the server! So no client side encryption needed eh?

also even if you host it yourself, what if someone breaks into your server and steals all your sensitive notes, I would suggest that if you are really really crazy about security then you should use ON as it is, because it doesn't store your data anywhere except your android phone, it doesn't have cloud sync nor the webapp ready at the moment!

The only reason I use Omni notes & contribute to it by raising issues and stuff is that it doesn't have the annoying sync feature, plus I use CM12 and it doesn't have a single google app installed, and ON seems to run fine on it ;) I think we can remove the play store dependencies and upload this app on Fdroid, let's see.

Anyway, if you know Django/Python let me know, you can also help me build the webapp.

thewhitetulip avatar Jun 21 '15 06:06 thewhitetulip

I really didn't intend to attack you on this! And I really trust ON and ONweb with my data. It's more a general thing: I'd just like the internet to feature as much end-to-end or respectively client-side encryption as possible. But I understand that this is complicated to implement and therefore not a feature that will be built in ONweb. I still appreciate very much that you are working on ONweb. I'm really looking forward to having an actual Evernote alternative! As I'm not a coder I'm afraid I'm not able to help you build it!

Mosrite avatar Jun 21 '15 12:06 Mosrite

Hahaha You didn't attack me in any way :smile: But I have heard this argument before "data needs to be protected", and my suggestion always has been that if you feel your data needs to be protected then don't put it online!

There is a rule in hacking, if it is available online, then given enough time and resources one can break into it

thewhitetulip avatar Jun 21 '15 14:06 thewhitetulip

Hi there! Here you have my two cents.

ON actually is capable of partial encryption by storing locked notes' content in the database as DES-encrypted text.

To obtain E2EE from this point we should:

  • Fully encrypt notes' attachments
  • Transmit data in this protected and unreadable (man-in-the-middle could be the real problem here, without E2EE) format to the server
  • Store data as it is
  • Perform client-side data decryption (https://code.google.com/p/crypto-js/#DES,_Triple_DES)
  • Vice versa for online edited notes

This could be performed even on a preferable 3-tier architecture (Android app <-> DB (ex. cloudant) <-> frontend).

For sure all this will need a deeper analysis but it's obviously possible.

federicoiosue avatar Jun 22 '15 16:06 federicoiosue
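
The flow described in the comments above (a random data key encrypts the note, a key derived from the password encrypts the data key, and only ciphertext reaches the server), as an added example that is not part of the thread and is not Omni-Notes or onweb code. It runs under Node.js; as assumptions of this example it uses AES-256-GCM and scrypt rather than the DES mentioned above, and every function and field name is hypothetical.

```javascript
// Added example: client-side envelope encryption for one note (hypothetical names).
const nodeCrypto = require('node:crypto');

// AES-256-GCM encrypt; output layout is iv (12) || auth tag (16) || ciphertext.
function seal(key, plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}

// Inverse of seal; throws if the key is wrong or the blob was modified.
function unseal(key, blob) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// Password -> key-encryption key. The salt is not secret and is stored with the record.
function deriveKek(password, salt) {
  return nodeCrypto.scryptSync(password, salt, 32);
}

// Client side, before upload: the returned record is all the server ever sees.
function encryptNote(password, noteText) {
  const dataKey = nodeCrypto.randomBytes(32); // random per-note data key
  const salt = nodeCrypto.randomBytes(16);
  return {
    salt: salt.toString('base64'),
    wrappedKey: seal(deriveKek(password, salt), dataKey).toString('base64'),
    body: seal(dataKey, Buffer.from(noteText, 'utf8')).toString('base64'),
  };
}

// Client side, after download: unwrap the data key, then decrypt the note.
function decryptNote(password, rec) {
  const kek = deriveKek(password, Buffer.from(rec.salt, 'base64'));
  const dataKey = unseal(kek, Buffer.from(rec.wrappedKey, 'base64'));
  return unseal(dataKey, Buffer.from(rec.body, 'base64')).toString('utf8');
}

// Constructed sample note and password, for illustration only.
const record = encryptNote('constructed-passphrase', 'constructed sample note');
console.log(Object.keys(record), decryptNote('constructed-passphrase', record));
```

Because GCM authenticates the ciphertext, a wrong password or a record altered on the server or in transit fails at decryption instead of yielding garbage.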

Okay, if you really want to include this feature, then we can do an analysis, but as of now I would not be implementing this, let's see once I get time to resume and finish the development, then maybe in a month or so I can add this client side encryption too.

thewhitetulip avatar Jun 23 '15 16:06 thewhitetulip

It would be quite cool to simply offer sync with a WebDAV server. That way many servers (such as ownCloud) will automatically be supported.

jancborchardt avatar Aug 12 '15 20:08 jancborchardt

Yes, I agree to that, actually ON is best used on a mobile phone, it won't have much use on a webapp. I haven't got time to work on the webapp since few months.

thewhitetulip avatar Aug 13 '15 04:08 thewhitetulip

Yup, and still having it backed up / synced is important for lots of people. Using WebDAV for that is simplest then since you don’t need to care about the server and it will support a lot of solutions.

ownCloud for example has a library for Android: https://github.com/owncloud/android-library – maybe that is useful, especially the WebDAV parts. And in addition there’s also sharing and stuff like that, should it be needed.

jancborchardt avatar Aug 13 '15 07:08 jancborchardt

@federicoiosue can you please comment on this?

thewhitetulip avatar Aug 13 '15 12:08 thewhitetulip

Hi, sorry for the delay but I'm currently on holiday with my family (playing all day with children is actually harder than a decathlon!).

The next step from now will be to improve the underlying models library (https://github.com/federicoiosue/Omni-Notes-Commons) to make it an API for third-party sync services. In this way anyone will be able to implement his/her favorite way to sync notes by creating a specific apk that will be connected to ON.

I'm personally interested in a Google Drive synchronization most, so I'll start with that. This is also because I have very little free time to spend on the project so I'll have to focus it.

federicoiosue avatar Aug 19 '15 09:08 federicoiosue

@stevenroose how about Paperworks implements WebDAV, the common standard for this kind of stuff? ownCloud and many other servers & clients already support that.

jancborchardt avatar Aug 19 '15 10:08 jancborchardt

It seems like they considered it, but lost track of it quickly. I'll bump it ;)

stevenroose avatar Aug 19 '15 11:08 stevenroose

@federicoiosue Take a look at this https://github.com/thewhitetulip/Tasks

I have been building this for a long time now; if this can be modified and used for ON it'd be great. As of now it lacks a few things though.

thewhitetulip avatar Jan 31 '16 07:01 thewhitetulip

For the most part https://github.com/thewhitetulip/Tasks is done :) only sessions and user accounts are remaining, functionality is ready as you want it to be for ON, just minor tweaking is necessary. @federicoiosue do let me know.

thewhitetulip avatar Feb 20 '16 08:02 thewhitetulip

I've opened an issue #534 about using Sandstorm.io as a platform for developing an Omni-Notes web service.

x11x avatar Jul 12 '18 04:07 x11x