Is it safe to use 1Password to log into an in app browser
Comments
-
Craig Hockenberry is correct in his article that anything that you type into any app can be captured by that app.
If you give a password for some service to some app, then it is possible for that app to maliciously collect it. But it only gets what you give it. It does not have access to all of your 1Password data. Some of this is discussed in this blog post on the security of application extensions.
So yes, you have to make a choice about what information you are willing to let an app handle. I should point out that the app review process, while hardly perfect, does make it harder for an app developer to be malicious in that way. Also, it may be difficult to conceal such malicious behavior for too long, so developers who seem to be in the business of selling you their app have less incentive to engage in such sniffing. But ultimately it is possible, and you need to use your own judgement.
I wouldn't go as far as to endorse Hockenberry's advice of
"Another goal of this essay is to increase user awareness of the potential dangers of using an in-app browser. You should never enter any private information while you’re using an app that’s not Safari."
First of all, you are perfectly fine using 1Password's 1Browser. After all, you are already trusting the 1Password app with much more. But there are also other developers whom I also trust enough that I am happy to use their in-app browsers.
0 -
Thanks, great answer. Very informative.
0 -
Hello Security Experts,
What are your thoughts on this
http://furbo.org/2014/09/24/in-app-browsers-considered-harmful/ which seems to indicate, if an app developer so chooses, they could eavesdrop on passwords when the user uses their in-app browser. I am not suggesting any links to 1Browser, I trust you guys. I am just concerned about other apps (very many actually, which prefer to keep the user in their app as opposed to redirecting them to Safari).
Will this be a problem if I try to login using 1P's share extension? It seems like it is as the username and password submitted by 1P could be taken as is by the host app, right?
Thanks.
0 -
Hi @raamana
I've merged your thread with another thread on this same question. Please check out @jpgoldberg's answer here.
Thanks.
0