1Password does connect to Microsoft AppCenter without user consent

Educabledrift
Community Member

Hi,
1Password on iOS does connect to Microsoft AppCenter without asking for user consent.
On iOS, the domains of network requests from apps are collected to give users insight and transparency.
With the latest 1Password for iOS version, 8.9.7, 1Password does send requests to Microsoft AppCenter (domain in.appcenter.ms).
As a user you are not informed by 1Password why this request is issued.
What data is sent to the 3rd party Microsoft?
As a user, I do not want 1Password to send any data to AppCenter since it is not necessary for 1Password's function, right?
So please inform us in detail which data you are collecting and sending to AppCenter.
Further, since tracking is not necessary for the function of 1Password, you should request a user's consent to collect and send data related to app crashes or analytics.
Tracking should only be an opt-in.
Take care of the EU GDPR.

Best regards.

Comments

  • davidciani
    Community Member
    edited December 2022

    It looks like they use Visual Studio App Center, which is a service that provides some developer automation tools. It seems like they are using it for crash reporting and metrics.

    I intercepted the traffic and observed it sending the following data elements every time the app starts:

    appBuild, appNamespace, appVersion, locale, model, oemName, osBuild, osName, osVersion, screenSize, sdkName, sdkVersion, timeZoneOffset.

    Edit: the privacy implications of this depend on how 1Password uses it. Per Microsoft, the information collected as part of the crash reporting system does not include personal information unless the developer chooses to attach PII-containing data to the crash reports. I didn't see any unique ID numbers in the data I collected, though that didn't include a crash dump.

    https://learn.microsoft.com/en-us/appcenter/gdpr/does-it-apply-to-me

  • Hello @Educabledrift! 👋

    @davidciani is correct, in.appcenter.ms is used for crash reporting. You can find this connection documented here: 1Password ports and domains

    Specifically:

    • in.appcenter.ms: Provides crash report management for 1Password for Mac and iOS.

    I hope that helps! 🙂

    -Dave

  • Educabledrift
    Community Member

    Thanks for your analysis of the request and the information provided.
    I do understand that 1Password uses a third party service for crash reporting.

    But I do not get why requests to Microsoft AppCenter are made even if no crash of the application happened.

    Even sending data about the device model, app build version, operating system version, date & time of app openings (i.e. app usage) and the IP address is unnecessary and undesirable in the case where no actual app crash has occurred; instead, it is analytics data in my opinion.

    I would be OK with the behavior that 1Password asks a user whether to send a crash report or not, and only if the user agrees can 1Password send requests to in.appcenter.ms.
    In the case where no app crash or error occurred, why should I accept that you share data with Microsoft about app usage?

    Thanks for your response.
    Best regards.

This discussion has been closed.