Hi,
I installed the gadget in Gmail (http://www.nozbe.com/google/index.xml) and noticed that the login doesn’t seem to be protected; the form points to:
http://mini.nozbe.com/page/login
I.e. not https.
Also, the API documentation points to:
http://www.nozbe.com/api/
Instead of:
https://www.nozbe.com/api/
What is the reasoning behind this?
Best regards
Patrick
Comments:
Hi guys. I am really concerned about my account security after reading these statements.
I am not a technical person myself, but is it really true that if someone gets access to the API key, then even when I change my password, they will still have that access???
This sounds like a huge security flaw.
Daniel,
Bad news and good(ish):
THE BAD:
The big issue here is with third party apps that use the API as published at http://www.nozbe.com/api. And it is a very big one. As I said above: based on my tests – your API key does not change when you change your password. Also – the thing that makes this really horrible is that the API as it’s currently documented doesn’t offer any encryption. Your key (the one that can’t be changed and grants full access) is transmitted in plain view with every request (add/edit/check/delete a project/action/note). A hacker looking at the network traffic of any client using this API could have access to your account in moments.
This just isn’t the way security should be handled in a web app. These guys are obviously smart enough to do it right. How to do it right is well documented many places on the web. The unfortunate truth is that this story is not unique. If you’re using a smart phone, there’s probably one or two apps on there that are doing the same or worse.
THE GOOD (ish):
I analyzed some network traffic while using my PAID account via Nozbe.com. From what I could tell that uses a different communication scheme with the Nozbe servers, and appeared to be more secure. So if you have a PAID account, and are only accessing their systems from the web browser I would worry a LITTLE less. That said, I did only a cursory analysis. The disregard for security in the published API doesn’t give me a lot of confidence they’re going to take security seriously in code they don’t document or share with the outside world.
MY RECOMMENDATIONS:
Despite my concerns with security – Nozbe fulfills my GTD needs too well for me to abandon it. I’ve not yet found a solution that offers the same features (believe me – I’ve looked a lot since discovering this security hole). I will be changing my usage patterns though. I recommend the following:
I’d be very hesitant to access Nozbe.com through any means that makes use of the published API. This almost definitely includes the unofficial Nozbe app that’s available for Android. It MAY also be true of the iPhone/iPad apps. Those were developed in coordination with the Nozbe team, so maybe they got special treatment, but I wouldn’t bet on that until Nozbe told me otherwise. Based on Patrick’s comment I’m guessing the widgets available for iGoogle, Mac dashboard, etc. – all use the insecure API as well.
Do NOT use a common password with Nozbe (i.e. don’t use the same password you use for your e-mail account, bank account, whatever). You don’t want a hacker to be able to access your e-mail or bank sites if they figure out your password. This is especially true if you are making use of the insecure API. Even if you’re a paid user only using Nozbe via the browser – I’d use a unique password anyway – this glaring security hole makes me question everything. In all honesty – you should be doing this for EVERY website you visit anyway. Check out LASTPASS – and make heavy use of its password generation feature.
Back up your data regularly. Nozbe does offer a text file you can download that contains all your to-dos. It’s formatted in a way that, if (heaven forbid) your account was compromised, you’ll be able to rely on it as your to-do list.
START MAKING NOISE to the development team right NOW (whether you are paid or free user)! I know you said you weren’t technical, but I can assure you this is not acceptable.
<steps off soap box>
Thanks for this detailed update, I will for sure contact the development team to figure out how to get protected in the best way. But seems that you have some good ideas as well which I will follow :)
Daniel,
I’ve been in e-mail contact with support regarding the issue. They assure me all their apps (web, iPhone, iPad) use the new API.
Also, I should mention that I made the mistake of posting my rant before searching the forums. The API’s security issues have been documented elsewhere – and commented on by the Nozbe staff.
I agree with Patrick.
HTTPS should be part of the API.
Can I get it as a paid user?
Also, the “API Key” appears to be a static string.
I’ve verified that it does not change when I change my password. THIS IS REALLY BAD!
Each device that uses the api should (after the initial username / password challenge) be issued a unique security token that it can store for future challenges.
Better yet. Implement OpenAuth.
My biggest concern with the current state is : does this expose my linked Evernote account for manipulation? Does it expose my linked google account?
I paid for the app within an hour of starting to use it (not this account – developing an Android app with this one).
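The per-device token scheme proposed in the comment above (one username/password challenge, then a unique token per device) can be sketched in a few dozen lines. This is an added example, not Nozbe's code and not a description of how their API works; the class and method names are assumptions. It stores only hashes of the tokens, ties each token to the password version it was issued under so that changing the password revokes every previously issued token (the opposite of the static key the commenters observed), and lets one device be revoked without touching the others:

```python
"""Added example: per-device API tokens that die with a password change.

Not Nozbe's code; the names below (AccountStore, issue_token, ...) are
assumptions chosen for illustration.
"""
import hashlib
import hmac
import secrets


class AccountStore:
    def __init__(self):
        # username -> {"salt", "pw_hash", "pw_version"}
        self.users = {}
        # sha256(token) -> {"user", "device", "pw_version"}
        self.tokens = {}

    @staticmethod
    def _pw_hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    @staticmethod
    def _token_hash(token: str) -> str:
        # Only the hash is stored, so a leaked database does not leak tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def create_user(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = {
            "salt": salt,
            "pw_hash": self._pw_hash(password, salt),
            "pw_version": 1,
        }

    def _check_password(self, username: str, password: str) -> bool:
        user = self.users.get(username)
        if user is None:
            return False
        return hmac.compare_digest(user["pw_hash"],
                                   self._pw_hash(password, user["salt"]))

    def issue_token(self, username: str, password: str, device: str):
        """The one-time username/password challenge; returns a device token."""
        if not self._check_password(username, password):
            return None
        token = secrets.token_urlsafe(32)
        self.tokens[self._token_hash(token)] = {
            "user": username,
            "device": device,
            "pw_version": self.users[username]["pw_version"],
        }
        return token

    def authenticate(self, token: str):
        """Every later API call presents only the token. Returns username or None."""
        key = self._token_hash(token)
        record = self.tokens.get(key)
        if record is None:
            return None
        if record["pw_version"] != self.users[record["user"]]["pw_version"]:
            # Issued before a password change: treat as revoked and forget it.
            del self.tokens[key]
            return None
        return record["user"]

    def change_password(self, username: str, old: str, new: str) -> bool:
        if not self._check_password(username, old):
            return False
        user = self.users[username]
        user["salt"] = secrets.token_bytes(16)
        user["pw_hash"] = self._pw_hash(new, user["salt"])
        user["pw_version"] += 1  # invalidates all tokens issued so far
        return True

    def revoke_device(self, username: str, device: str) -> int:
        """Revoke one lost device without logging out the others."""
        doomed = [k for k, r in self.tokens.items()
                  if r["user"] == username and r["device"] == device]
        for k in doomed:
            del self.tokens[k]
        return len(doomed)
```

Contrast with the static key described in the thread: there, a stolen key stays valid after a password change because nothing binds it to the credential it was issued under. Here the binding is the `pw_version` check, and a token that leaks from one device can be cut off with `revoke_device` while the user's other devices keep working. Tokens still have to travel over HTTPS; a per-device token sniffed from plain HTTP is just a smaller-blast-radius version of the same problem.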