Reflect App: Encrypted Note Taking App

Hello everyone. Just found out about this note taking app named Reflect App. Claims to be end-to-end encrypted, but still closed source. I created an account so I could check things out and I got really impressed. It’s a new perspective on note taking which I hadn’t seen before: everything you do is on the day’s note, and so it goes on and back with daily notes indefinitely. There is a strong AI integration which concerned me. And the perspective of an e2ee app with good integrations - as it’s the case, as you can even sync kindle highlights and notes - is almost too good to be true.

Privacy Policy doesn’t sound different than expected, but they claim to not read or be able to access notes’ content.

Encryption has been audited:

> Our security and encryption has been independently and successfully audited by https://www.doyensec.com.

There’s also this curious disclaimer:

> ### But… is this encryption really secure? You could just edit the JavaScript anytime.
>
> That’s correct - ultimately you have to trust the client, and the client can change (we do update it from time to time). There’s always a user-experience tradeoff with security and this is where we’ve chosen to draw the line. We understand this may not work for everyone, but we think this compromise is going to help the most amount of people start using end-to-end encryption.

Anyway, has anyone heard of them? Found practically nothing on Reddit and PG.

Uses AI in notes and is closed sourced. Absolutely useless for folks who are privacy conscious.

Not sure this belongs on a forum discussing privacy and security forward tools/things.

1 Like

There’s no real trade-off between security and UX here. In fact, native clients written in other languages are faster which I’d argue provides better UX. Thus, this is about developers being too lazy to develop multiple native clients.

The security-related article the quote is from does list a best-practice cipher, XChaCha20-Poly1305, which runs in constant time in software and has an extended nonce and a Carter-Wegman MAC. Password hashing wasn’t advertised; the library shows it’s Argon2id, which is again best practice.

The implementation seems to be Noble Ciphers which is again a good choice, and hash-wasm library seems to be popular and maintained.

But GitHub - team-reflect/kiss-crypto v. 0.3.4 doesn’t inspire confidence. The versioning might just index from 0 and major version change might signify incompatibility, but 0.x.x is generally reserved for work in progress.

The audit was apparently five work days with one assigned person. They did find some issues with the crypto, but e.g. the salt reuse in Argon2id seems to have been fixed.

So a decent amount of work has been put in to ensure things look right.

But again it boils down to the quote.

The bottom line is this. Even IF the library on GitHub is fine, it’s just a library. Who’s to say what the server delivers to your browser. Will it be the same? Will it be the same, every time? Or will they ship something that steals your password? They only need to do that exactly once. Open source native clients exist to solve this to the extent it can be solved, and the team is again either too lazy, or too understaffed to deliver them.

I’m not too excited about them plastering advertisement about end-to-end encryption everywhere when it’s trivial for them to backdoor said E2EE and not get caught. They’re kind of open about the fact, but they’re also not telling you what they could be doing (native, open source clients), and they’re giving no promises of going there. Thus–

Hard pass.

My tip for note taking is https://www.qownnotes.org/

It runs locally and really well, and works on all main OSs, and even FreeBSD. You can sync your notes between two devices with e.g. unison-gtk over Tailscale for free. Or if you have a Nextcloud server you can use that instead. Just disable QOwnNotes’ analytics from settings before using it.

1 Like

I’m not a fan of AI. At all. However, I do think that all note-taking apps lack a powerful spellchecker. It’s possible that apps like Grammarly, which I don’t use, can be integrated into non-E2EE note apps. I don’t know. IMO, the day that an E2EE notes app has a powerful spellchecker is the moment they can really grow their user base and outshine every other notes app.

Even if Reflect is closed source, if they can do that, they will become serious competitors. I’m not saying this is what Reflect is doing, but I am not a fan of privacy washing. So many companies like Telegram and WhatsApp lull their users into a false sense of security. I don’t want another company added to that list.

This is why I’m rooting for Proton Scribe which, for the record, I have never tried.
I really hope they integrate it into Standard Notes at no extra cost.

AI can be used privately and closed-source software (some Apple services, 1Password, Tresorit) can be more private than open-source software (WordPress, Firefox, OnlyOffice, Debian, Meta AI, Deepseek).

Your point is well taken but will only become valid if in this case this app is indeed better than other recommendations by PG here.

Until then, I still believe my point stands.