A bug in Cryptomator was recently found and reported on for the iOS app. Cryptomator is an app that gives you end-to-end encryption for file storage. The team wrote about the vulnerability on Tuesday.
Bug in Cryptomator
A user discovered that when the app is decrypted files for the iOS Files app (because its most recent major update fully integrates with files), the cleartext file needs to be stored on the file system. The file path is sent to the Files app. If you have iCloud Backup enabled the cleartext file is included in the backup, leaking the file paths to Apple.
Only files that you opened from within the Files app are decrypted. All others in the vault remain encrypted and unaffected. Affected devices include those who made an iCloud Backup while the bug in Cryptomator was live, version 2.0.0 released on December 12, 2021. Users should update the app to version 2.0.4 if the app hasn’t already been automatically updated.
Cryptomator includes a brief FAQ in its report. Here are a few of the more important ones.
Q: Can leaked files be deleted from existing backups?
A: While we don’t know how reliably Apple erases data, you can in fact exclude individual apps from iCloud Backup and remove existing backups.
Q: Why is there decrypted data in the first place?
A: At some point, you need to have cleartext data, otherwise you can’t work with them. Cryptomator is fully integrated into the Files app, which means that it is bound to and limited by the File Provider Extension API. It requires to have readable (cleartext) data readily available. Keep in mind that Cryptomator’s target is to ensure privacy in the cloud and not on the device itself.
You can find out which version of Cryptomator you have by opening the app, tapping on the gear icon in the upper-left, then tapping About Cryptomator. The version number is at the top-middle of the display.