How does the new iOS app read encrypted files?

KT

28 Jun, 2012 12:58 PM

Like most other iOS users, I eagerly installed the new Moneydance app on my iPad as soon as it came out. Everything worked just fine.

After a while, I realized something. My Moneydance file is encrypted and the desktop version asks for the password every time I open the file. Although I entered a separate password for the iOS/Dropbox synchronization, the iOS app never asks me for the encryption password that I enter into the desktop system.

This worries me a little. How is the iOS app reading my encrypted file if it never asks for the password? Is my password being stored somewhere on Dropbox? That would seem insecure, as both the encrypted file and the password would be available to anyone who hacks my Dropbox account.

Also, the iOS app doesn't ask for a password when I start it up. I know I can set a 4-digit code, but that seems a low barrier for financial data.

Can someone reassure me that the iOS app doesn't compromise the security of my main Moneydance file stored at Dropbox? Thank you.

  1. Posted by Angie Rauscher on 28 Jun, 2012 02:18 PM

    Hi KT,

    We share your thoughts on security; after all, we all use Moneydance and the app every day! Your finances are some of the most private information in your online life. Although Dropbox encrypts your data on the server, this wasn’t good enough for us. All Moneydance data that is synced over Dropbox is additionally encrypted using a 128-bit AES key that you specify on your desktop and on each device. This ensures that your data is completely safe, even if the bad guys get access to your Dropbox account.

    If you have any other questions, please don't hesitate to ask,

    Angie Rauscher
    Moneydance Support

  2. Posted by KT on 28 Jun, 2012 02:51 PM

    Understood. But how does it access my encrypted Moneydance file without asking for the same encryption password that the desktop application requests?

    Just to be clear here, I am NOT talking about the password that the Network Synchronization Extension requested. I'm talking about the file encryption password that I set via the desktop application. If my file is encrypted and the desktop application requests a password, how does the iOS app access it without ever requesting that password?

  3. Posted by KT on 28 Jun, 2012 02:57 PM

    Let me elaborate. I set up my Moneydance file in the desktop application (File->Encryption...) and I set a password of foobar123. Every time I start the desktop application, I must enter foobar123 in order to work with the file.

    OK, now I set up the iOS app. The Network Synchronization extension wants a password. I enter snafu678. When I set up the iOS app, it wants a password. I entered snafu678. Voila, the file is opened and it shows me data. It never made me enter foobar123 anywhere.

    Why did the iOS app never request the foobar123 password that the desktop application requires? If the file is encrypted with that password, how can the iOS app access it without ever being told that password?

  4. Posted by Ben Spencer on 28 Jun, 2012 10:04 PM

    All of the information that goes through Dropbox is encrypted with the sync password.

    When you first set up the sync, at the initial sync you had already entered your main password and decrypted your data into memory. This data was written to Dropbox and encrypted with your sync password - snafu678. This was then decrypted by the mobile app using the sync password.

    The iOS app never has direct access to your encrypted .md file. All it has access to is change files that are written to Dropbox and encrypted with the sync password.

    Ben Spencer
    Moneydance Support
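
The separation Ben describes, as an added example that is not part of the original thread and not Moneydance's code: the main file and the sync change file are sealed under keys derived from different passwords, so the sync password opens only the change file. PBKDF2, AES-128-GCM, the record layout and all function names are assumptions; the main file is modelled with the same cipher for brevity.

```javascript
// Added example: models the two-password separation described in the thread.
// Not Moneydance code. PBKDF2, AES-128-GCM and the record layout are assumptions.
const nodeCrypto = require("node:crypto");

// Derive a 128-bit key from a password (iteration count is an assumed value).
function deriveKey(password, salt) {
  return nodeCrypto.pbkdf2Sync(password, salt, 100000, 16, "sha256");
}

// Encrypt plaintext under a password; returns salt, nonce, tag and ciphertext.
function seal(password, plaintext) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv("aes-128-gcm", deriveKey(password, salt), iv);
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return { salt, iv, tag: cipher.getAuthTag(), ct };
}

// Decrypt a sealed record; returns null when the password is wrong or the data was altered.
function unseal(password, rec) {
  const d = nodeCrypto.createDecipheriv("aes-128-gcm", deriveKey(password, rec.salt), rec.iv);
  d.setAuthTag(rec.tag);
  try {
    return Buffer.concat([d.update(rec.ct), d.final()]).toString("utf8");
  } catch (err) {
    return null; // GCM authentication tag did not verify
  }
}

// Desktop side: the main file is opened in memory with the main password,
// then a change record is written for the sync folder under the sync password.
function desktopSync(mainFile, mainPassword, syncPassword) {
  const ledger = unseal(mainPassword, mainFile);
  if (ledger === null) throw new Error("wrong main password");
  return seal(syncPassword, ledger);
}

// Constructed sample data, using the two passwords from KT's post.
function demo() {
  const mainFile = seal("foobar123", '{"txn":"constructed sample"}');
  const changeFile = desktopSync(mainFile, "foobar123", "snafu678");
  return {
    mobileReadsChange: unseal("snafu678", changeFile), // mobile app, sync password only
    syncPwOnMainFile: unseal("snafu678", mainFile),    // sync password cannot open the main file
    mainPwOnChange: unseal("foobar123", changeFile),   // main password cannot open the change file
  };
}
```
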

  5. Posted by KT on 29 Jun, 2012 03:36 AM

    Ben,

    Thank you. That clarifies it for me. I didn't realize that the iOS app doesn't have access to the encrypted .md file.

  6. Posted by Kent on 29 Jul, 2012 09:22 PM

    This was a very enlightening thread for me. Just to make sure I'm clear about KT's scenario:

    - The .md file is encrypted locally using 3DES
    - The sync file is encrypted to Dropbox using AES128

    Since 3DES is theoretically less secure than AES, storing the .md file in a local folder that syncs to Dropbox would potentially place the .md file at greater risk than the sync file, right? So until AES encryption is available in the next MD release, is there a way to store the .md file locally (NOT in a location that syncs to Dropbox) - and still have a sync file on Dropbox - to improve .md file security? Assuming, of course, that the user properly safeguards the local .md file! ;-)

    Thanks!
    Kent

    PS: I'm quite pleased with the new Dropbox sync on the iOS app. It was worth the wait.

  7. Posted by Scott Meehan on 29 Jul, 2012 09:30 PM

    Hi Kent,

    There's no issue with storing your main .md file anywhere you want--the only data that needs to be on Dropbox are the sync files for the iOS app, but your main .md file can be anywhere, including just on your local computer, and it will sync up fine.

    Please let us know if we can be of further assistance!

    Scott Meehan
    Moneydance Support

  8. Posted by Kent on 29 Jul, 2012 10:14 PM

    Scott,

    Thanks! I tested this configuration and am happier with not having my .md file on Dropbox (a holdover from when I accessed the file from two different PCs). I had assumed the .md file needed to reside on Dropbox... So where does the sync (change) file reside? I cannot locate it anywhere in my Dropbox files. Is it being stored in another Dropbox location?

    Thanks,
    Kent

  9. Posted by Scott Meehan on 30 Jul, 2012 12:09 AM

    Hi Kent,

    All the Dropbox sync files reside in the folder:

    .moneydancesync

    in Dropbox. This folder is usually hidden, so you would have to enable viewing hidden files and folders on your operating system's file manager or, the easier way, view them using the Dropbox iOS app or Dropbox web interface.

    Please let us know if we can be of further assistance!

    Scott Meehan
    Moneydance Support

  10. System closed this discussion on 31 Mar, 2015 03:50 PM.
