Hello everyone,
With recent global discussions about privacy and encryption gaining momentum, we want to take a moment to reaffirm Bear’s commitment to keeping your data private and secure. Here’s what we’re currently doing and what we’re planning to improve.
How Bear Protects Your Data Today
Bear syncs your notes using iCloud, specifically Apple’s CloudKit framework. This means your data is protected by the same security measures as iCloud itself—encrypted both in transit and at rest on Apple’s servers. While we do not have access to your data, Apple retains the decryption keys, which means they could access it if legally required.
Apple has a strong track record when it comes to privacy and security, and for most users, this level of protection is sufficient. However, we understand that some users require even stronger security, which is why Bear also offers end-to-end encryption (E2EE) for individual notes.
With E2EE, your notes are safeguarded by robust encryption, developed in collaboration with an external security firm to ensure its strength and reliability. Only you hold the decryption keys, meaning neither we, Apple, nor any government agency can access your encrypted notes. Furthermore, your encrypted notes remain securely encrypted on your device, ensuring that even if your device is lost or compromised, they stay completely inaccessible.
Upcoming Enhancements to Encryption
While our current system provides strong security, we recognize certain limitations:
- Notes must be encrypted one by one.
- Attachments in encrypted notes are not yet supported.
- Encrypted notes currently don’t support in-text search.
We’re actively working to improve these areas, and some enhancements are already on the way. Encrypted attachments are complete and currently in internal testing. We’re also exploring ways to streamline encryption, such as allowing users to automatically encrypt multiple notes (e.g., all notes with a specific tag).
Encryption is always a balance between security, app features, and performance, and we’re committed to finding the best possible approach.
A Note on Apple’s Advanced Data Protection (ADP)
Apple offers an optional setting called Advanced Data Protection (ADP), which enhances iCloud security. At this time, Bear does not support ADP, and we are carefully evaluating whether it can be integrated. However, there are key challenges preventing full adoption:
- Apple can still revoke ADP and provide data to authorities (as seen in the UK).
- Enabling ADP would prevent access to Bear’s upcoming web app, since encrypted data stored on Apple’s servers cannot be decrypted in a browser.
- ADP does not encrypt notes stored on your device, which could create a false sense of security.
We take security seriously and are committed to providing transparent, effective, and practical solutions to protect your data.
Stay tuned for updates, and as always, thank you for trusting Bear with your notes.