Locked note in Notes.app can be deleted without asking for the password

Originator: alexbrie
Number: rdar://25290396 Date Originated: 22/03/2016
Status: Open Resolved:
Product: iOS Product Version: 9.3
Classification: UI/Usability Reproducible: Always
 
The new Lock Note feature should allow users to safely store sensitive information (phone numbers, secret information, private URLs, etc.).

Currently anyone with physical access to an unlocked phone forgotten on a desk (such as toddlers, kids or nosy coworkers) can delete locked notes without being asked to authenticate. So the data is indeed private but not secure. 

Moreover, if an ill-intentioned person deletes the notes both from iCloud and from the Recently Deleted folder, they are gone forever from all iCloud-synced devices. 

Therefore, no note is safe on iOS, not even the locked ones. While for speed of use purposes an ordinary note should be easily deletable, a secure, private, locked note should be impossible to delete by an unauthorised person.


Steps to Reproduce:
1. Open Notes.app
2. Open an existing note or create a new one "Christmas Shopping List".
3. Use the "action sheet" button and ask to "Lock Note" 
4. Use Touch ID or password to make the note lockable
5. Tap the new "lock" button on the top-right corner, in order to properly "lock" it.
6. Give your phone to your teen children. They will try to view the note and see its contents but won't be allowed because the note is secret. 
7. In retaliation or by accident they tap the "trashcan" button and delete the note
8. They navigate to the Recently Deleted folder and once again try to open the note.
9. They tap the "trashcan" button once more.

Expected Results:
A locked note should be deletable only by its authorised owner

Actual Results: 
The locked note can be deleted by anyone, even if unauthorised; by deleting it again from the "Recently Deleted" folder, the note is erased from all iCloud-synced devices (and, if no backup has been made since its creation, the note is irremediably destroyed). The Christmas Shopping List is gone and I might never be able to recreate it. X-mas is ruined!

Additional Notes:
UI is incorrect; the "delete note" button should be disabled while the note is locked, just like all other buttons. Alternatively, tapping it should open the authentication dialog that currently appears when trying to view a locked note.
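
The second option above, sketched in Swift as an added example (not Apple's code and not part of the original report): deleting a locked note requires authentication, both for the first delete and for the purge from Recently Deleted. `Note`, `NoteStore` and `DeleteError` are hypothetical names, and device-owner authentication via `LAContext` is an assumption standing in for the Notes password prompt.

```swift
import Foundation
import LocalAuthentication

// Hypothetical model types; names are illustrative, not Notes.app internals.
struct Note {
    let id: UUID
    var title: String
    var isLocked: Bool
}

enum DeleteError: Error {
    case notFound
    case authenticationFailed
}

final class NoteStore {
    private(set) var notes: [UUID: Note] = [:]
    private(set) var recentlyDeleted: [UUID: Note] = [:]

    func add(_ note: Note) { notes[note.id] = note }

    /// Moves a note to Recently Deleted, or purges it if it is already there.
    /// A locked note requires the owner to authenticate at both stages.
    func delete(_ id: UUID, completion: @escaping (Result<Void, DeleteError>) -> Void) {
        guard let note = notes[id] ?? recentlyDeleted[id] else {
            completion(.failure(.notFound)); return
        }
        // Ordinary notes stay quick to delete, as the report asks.
        guard note.isLocked else { performDelete(id); completion(.success(())); return }

        // Assumption: Touch ID or device passcode stands in for the Notes password.
        let context = LAContext()
        context.evaluatePolicy(.deviceOwnerAuthentication,
                               localizedReason: "Authenticate to delete a locked note") { ok, _ in
            DispatchQueue.main.async {
                if ok { self.performDelete(id); completion(.success(())) }
                else { completion(.failure(.authenticationFailed)) }  // fail closed
            }
        }
    }

    private func performDelete(_ id: UUID) {
        if let note = notes.removeValue(forKey: id) {
            recentlyDeleted[id] = note                 // first delete: still recoverable
        } else {
            recentlyDeleted.removeValue(forKey: id)    // second delete: permanent
        }
    }
}
```

Because the check sits in the store's delete path, it covers the trashcan button in the note view and in the Recently Deleted folder alike.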
