1Password password copy to clipboard insecure because all apps can read the contents (IOS9)
Is my most used function of 1Password app to copy the password now completely insecure on IOS9?
See article below:
http://www.thedailybeast.com/articles/2015/10/21/facebook-knows-what-you-copy-on-your-iphone.html
Cyber security blogger, Graham Cluley says that Facebook may be the newest app to spy on your clipboard but it is not the first. “**Many iOS apps can access the clipboard **and do something similar to what you’re describing. For instance, Flipboard, Doesn’t sound untoward to me.”
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Referrer: kb-search:IOS
Comments
-
I imagine that's one reason why you'll find an option, under 1P Settings > Security, to set the time within which the clipboard should be cleared. :)
Stephen
0 -
Greetings @NL_1Password_User,
Sadly it does make it a bit tougher doesn't it - it's stuff like this that means we can't have nice toys. Now the 1Password iOS Extension doesn't use the clipboard but that won't cover all the possible situations where you need to use a password stored in 1Password elsewhere as sadly not all apps have added support for our general extension... yet.
Now I've seen claims that it runs when the app is closed but I haven't seen anything that suggests it can do this if the app is terminated. So if you need to log into something sensitive then one possible option would be to terminate all the apps that have been opened using iOSes multitasking window, leaving just 1Password and the other app loaded. Copy the password across, let 1Password clear the clipboard and then you're fine. Is this ideal? I can't say that it is but it might be all we have for the moment. I agree the entire situation is a pain in the rear - I just want to be able to use my phone without worrying what some piece of software is trying to do in the background. Maybe Apple can do something clever here like location privileges where an app can access your location all the time or only when it's running - who knows.
0 -
Thanks for replies.
To validate the claim:- Facebook app with background refresh disabled
- Facebook app closed
- I copy a URL to clipboard
- start the Facebook app and the URL is shown
If Facebook has this ability then other apps can too.
If an app can subscribe to the content of the clipboard in the situation above then the timer based clear function isn't useful.
I would appriciate if Agilebits can get some more clarification from Apple.
0 -
I would appriciate if Agilebits can get some more clarification from Apple.
What would you like clarified?
Ben
0 -
Clarification about:
- if only selected of all apps can read the contents from the clipboard
- API that is available for apps related to clipboard: can all data be read or only selected things like URL?, subscription model? only latest entry of multiple if they are stored within the app?
- possibility to block this?
These answers can help determine the risks involved regarding the copy&paste of passwords.
0 -
I'd be happy to clarify those points for you.
- if only selected of all apps can read the contents from the clipboard
The iOS clipboard is accessible across the whole system... Much like the Mac and Windows clipboard work on their respective platforms. Any app can put something in the clipboard, and any app can read it out.
- API that is available for apps related to clipboard: can all data be read or only selected things like URL?, subscription model? only latest entry of multiple if they are stored within the app?
Any data that is on the clipboard can be read. Note that 1Password only puts things on the clipboard when you request it to. We do not use the clipboard when filling using the 1Password extension or 1Browser.
- possibility to block this?
It isn't possible to turn off the clipboard, no. Any sort of blocking would essentially defeat the purpose of the clipboard.
Thanks!
Ben
0 -
Thanks for clarifying.
What I didn't realize was that this possibility even exist for apps that aren't active and that are blocked from running in the background.0 -
You're welcome.
What I didn't realize was that this possibility even exist for apps that aren't active and that are blocked from running in the background.
And perhaps that is something Apple should consider. :)
0
