Where does 1password store its data on iOS ?

Trishaelwood

Does 1password 5 store its data(password and credit card details) on iOS keychain or in local sqlite file?

---

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Referrer: kb:opvault-overview, kb-search:security, kb:locking-and-unlocking, kb:opvault-design, kb:data-locations

Ben

Hi @Trishaelwood,

1Password's data is not stored in the iOS keychain but instead is stored locally within the app. We do use the iOS keychain for the Master Password if using Touch ID (or a PIN on legacy devices), which you can read more about here:

https://support.1password.com/master-password-ios-keychain/

Thanks!

Ben

Trishaelwood

Is it stored locally as sqlite file? If yes is it possible that with software like funbox user can see the sandbox directory and can access the sqlite file.

nathanvf

Hi @Trishaelwood,

1Password for iOS's data is stored in a location that is not accessible to outside applications. It should not be able to be browsed or read by other applications or a connected Mac.

However, if you are Jailbroken it's possible that the files could be accessible from different applications since it breaks down the security of the apps/device by design. We cannot guarantee the safety of the files themselves.

However, the data that is stored is encrypted with your master password all the same. That means that the file cannot be read unless the Master Password is known. And if the file is changed it would become corrupt because the injected data could not be read by the app.

Trishaelwood

Thanks for the reply nathan, actually in devices with iOS version less then 8.3 the sandbox directory is visible though applications like ifunbox even if not jailbroken.

So was just curious to know that if that is the case and if 1password stores its data locally in an sqlite file then had some queries like
1. What is the location of this sqlite file? (in Sandbox- Document or library directory )
2. Like OPVault is everything encrypted? i.e along with passwords, the title, URL etc
3. Are passwords stored inside this sqlite files? if yes then if someone breaks the encryption he would be able to access everything from a single sqlite file. Username, passwords, credit card details. (Apple mentions that the best place to store such a information is iOS keychain and core-data and sqlite are venerable)
4. When master password changes do you have to decrypt and encrypt everything?

Note: Though master password is stored in iOS keychain so it would be hard to break but its just out of curiosity. Why sqlite and not iOS keychain for such critical details?

MrRooni

Hi @Trishaelwood, thanks for following up!

1. What is the location of this sqlite file? (in Sandbox- Document or library directory )

The 1Password SQLite file is stored in a group container directory on the device so it can be accessed by both the main 1Password application and the 1Password extension. I believe that container is stored in the Group Containers directory within the Library directory.

2. Like OPVault is everything encrypted? i.e along with passwords, the title, URL etc

Yes.

3. Are passwords stored inside this sqlite files? if yes then if someone breaks the encryption he would be able to access everything from a single sqlite file. Username, passwords, credit card details. (Apple mentions that the best place to store such a information is iOS keychain and core-data and sqlite are venerable)

The stronger your Master Password, the harder it is for an attacker to gain access to your sensitive data (assuming they even have access to the data file in the first place). We've written some great articles about this stuff you should check out:

1. Toward Better Master Passwords
2. 1Password is Ready for John the Ripper

4. When master password changes do you have to decrypt and encrypt everything?

1Password handles all of this for you.

Note: Though master password is stored in iOS keychain so it would be hard to break but its just out of curiosity. Why sqlite and not iOS keychain for such critical details?

The iOS keychain is not designed to be used for the amount of items a typical 1Password vault contains. Also, by using SQLite we guarantee our file format is portable and can be opened on our other supported platforms like Windows and Android.