Security issue on IOS8: 1Password + 3rd Party Keyboard

Hey there,
I noticed a security issue with 1Password in iOS8.
I have a third party keyboard (Swiftkey) installed. When I open 1Password, for the master password the system keyboard is used (as is supposed to be).
However, when I enter login data to save in my vault, the password is entered via Swiftkey. Please fix this issue as quickly as possible, I guess this behavior is not intended!
Thank you,
C.

Comments

  • edited September 2014

    bump As I notice the agilebits people are quite active in all other threads, how about a "yeah, we noticed your posts, we'll investigate that" so I can sleep well tonight? ;-) I fear this post might go unnoticed, but this actually is a serious problem (easy to fix, however)

  • That's an enormous security hole.

  • That's an enormous security hole.

    Why do you suppose that? It's a login item, details of which will either remain on your iDevice (and ultimately securely locked in 1P5) or, if in some way passed to Swiftkey Cloud, will be encrypted. It may be a small security lacuna but I'm not sure it's quite as "end of the world as we know it" as you make it out to be. :)

    Stephen

  • Encrypted or not, it's not supposed to go to the swiftkey cloud in the first place. Also, there already are other third party keyboards and very likely more will show up in the future, maybe one can trust swiftkey, but what about "obscure keyboard app xy"? So yeah, this is a major hole.

  • dtearedteare Agile Founder

    Team Member

    Hello krischan81, thank you for taking the time to discuss this issue with us.

    This is a tricky issue indeed. On the one hand, you as the user are in complete control of the keyboard extensions you allow on your iOS device and a big part of that is how much you trust the company who developed it. Apple has also done a lot to limit the functionality of keyboard extensions in order to keep them from doing nefarious things (for example, they cannot contact a remote server without your permission). Lastly, I can see users becoming accustomed to their favourite keyboard extension and be upset if 1Password disallowed it.

    On the other hand, 1Password contains your most sensitive and confidential information, so any potential attack vector must be treated with the utmost concern. It's very possible that someone would enable a custom keyboard and grant it access before installing 1Password. Then months later when they install 1Password, they may forget that they granted their favourite custom keyboard these permissions.

    I want to think about this issue some more before saying for certain, but at the moment, I'm thinking a preference in Settings that defaults to preventing custom keyboards is the best solution.

    Cheers!

    ++dave;

  • I just noticed the same flaw here. I have SwiftKey installed also.

    When I fire up Safari, IOS 8 correctly brings up the native keyboard when I try to type into a password field of a web page.

    When I fire up 1Password, the native keyboard also comes up.

    While inside 1Password, when I create a new login, the native keyboard also comes up.

    Here's where I noticed the problem.

    After I exit and quickly return to 1Password, if I go ahead and edit an existing record or create a new record, the Swiftkey keyboard comes up instead of the native keyboard!

    This is really bad.

  • thightowerthightower T-Dog Agile's Mascot

    I'm thinking a preference in Settings that defaults to preventing custom keyboards is the best solution.

    I think I like this idea a lot.

  • I also like the idea with a settings-option to disable 3rd-party keyboards for 1password.
    I (have to) trust Apple and 1password - but don't want to extend this unknown 3rd parties.

  • MeganMegan

    Team Member

    Hi Harald and @thightower‌

    Thanks so much for adding your thoughts here! I'll be sure to pass them along to Dave and the rest of the development team. :)

  • After inadvertently starting a separate thread requesting just such a settings options, I'd like add my voice to this thread. When I am in the confines of the 1Password app, I don't want to ever have to worry about these kinds of privacy and security issues.

  • MeganMegan

    Team Member

    Hi Paco,

    Thanks so much for the feedback! I'll let our developers know. :)

  • MikeTMikeT Agile Samurai

    Team Member

    Hi guys,

    The upcoming 1Password 5.1 for IOS update (submitted to the App Store for review) includes an option to disable custom keyboards (on by default) in Settings > Advanced.

This discussion has been closed.