I want to use 1Password on Mac, Windows, iPhone and iPad and to sync the 1Password files with Dropbox. Unfortunately it seems there are some serious problems with security if you use Dropbox with iPhone and iPad.
a) manual sync with dropboxhttp://help.agile.ws/1Password_touch/how_secure_is_syncing.html
“For 1Password to synchronize with Dropbox automatically, it will need access to the following three secrets:
- Your Dropbox credentials (email address and Dropbox password)
- Your master password for 1Password on your iOS device.
- Your master password for your data as stored on Dropbox.
Although it may appear insecure to store these secrets on your device for automatic syncing, it is actually far more secure than it initially looks. These three secrets are stored in an iOS keychain.
If you prefer to not sync automatically, you need not store any of this information in the iOS keychain. To manually sync with Dropbox you will need to provide the necessary information at each sync.”
But how do I sync manually without storing dropbox password and master password for data on Dropbox?
master password revealed
discussed in http://forum.agile.ws/index.php?/topic/2170-dropbox-master-password-security/
. Show master password is gone in iPhone with version 3.5.4 but still visible in iPad when 1Password is unlocked.
c) Security of iOS keychain
The master password used on Mac and Windows is needed on devices (iPhone, iPad) when syncing to en/decrypt 1Password data in Dropbox since another format is used on devices.
On devices this master password is kept in the iOS keychain. 1Password on devices have their own device master password, which only needs to be stored in iOS keychain if automatic syncing is used.
The iOS keychain is probably pretty secure on the device, but there is a backdoor - the iTunes backup. http://help.agile.ws/1Password_touch/iOS_security_details.html
advices against using backup password with iTunes because the password may be broken, see http://www.elcomsoft.com/iphone_password_recovery.html
However, if you use a strong password (keep it safe in 1Password), elcomsoft’s tool can’t break it in practice.
If you do not password protect the backup consider this scenario: your iPhone is stolen and the thief is able to unlock it, the thief makes a backup with password and uses elcomsoft’s tool to see the keychain in plaintext.
Which means that I need to secure my iPhone with a stronger unlock code, set the data protection option to clear data after 10 unsuccessful unlock attempts, and be careful not to let anyone see the code when I unlock my iPhone. It’s even worse with the iPad being shared in the family with a simple or no unlock code.
All this hassle is what I wanted to avoid and why I purchased 1Password. Please provide manual sync without storing passwords in the iOS keychain.
I think it's great that you've been reading our security documents carefully. Many people are happy to use 1Password because it "just works". But others, like you, want to delve into the details. I always enjoy these conversions.
I will address your last point first if you don't mind me taking things out of order.
First of all, I would personally recommend against setting things to clear data after N unsuccessful unlock attempts, particularly if the device is shared by a family. The risk of data loss (malicious or accidental) is, in my mind, far greater than the risk of someone obtaining the data.
But for your main point, we have been looking at some newly introduced tools in iOS 4 that would ensure that even in the case of an encrypted iTunes backup those keychain items would never leave your device. We are still working out the implementation details, so I don't want to promise anything prematurely. But this is something that we have been looking at.
We also obfuscate the data we put into iOS keychain. This is hardly a main line of defense, but it does provide another layer. The obfuscation scheme would have to be discovered by an attacker.
After you sync, go to (More ...) > Settings > Sync > Dropbox > Dropbox Account and tap "Reset" That will remove all of that data from the iOS keychain. Note also that if you have your Dropbox login data within 1Password, then when you sync again (with 1Password fully unlocked) 1Password will prompt you about using your Dropbox data. This means that each time you sync, you will only need to enter your master password for your data stored on Dropbox.
This is a known issue. Keep in mind that at this point someone would already have access to all of the data that is protected by your master password in the first place. That is, they would need to have your 1Password data fully open on your iPad to be able to view that master password. Still, it would probably be better for us never to display this (except during entry).
You can perform a manual sync by reseting your sync settings after each sync. I see that how to do that wasn't properly documented, and I will fix that.
I hope that this addresses your concern. All of us here (who are security freaks of some level or another) are happy to use and recommend automatic Dropbox sync to iOS. But there is the ability to manually sync for those who do not trust iOS keychain security.
but the master password for data in dropbox is not requested next time I sync after reset, even after reboot of iPhone, so it must still be in the iOS keychain!??
Is your data file master password the same as your 1Password for iPhone master password?
yes, I use the same password.
That is why you are not prompted.
From our "Automatic Syncing Using Dropbox" guide: