iOS API Need to store a shared secret from my app

dlemex
dlemex
Community Member

Before there was iOS extension support, I requested the ability to store data into the 1Password database from my app and I was told that it was not possible. Now there is some ability to write data into the user's 1Password file, I would like to request the feature again.

Background: I have a medical professional app which needs HIPAA compliance and so I implement an encrypted database. As sometimes users lose their password, I build a failsafe key for the database which is a UUID. The database decryption key is protected by their encryption password and a copy is protected by the failsafe key. Every database also has a unique identifier never changes.

As the UUID is long and can be difficult to transcribe, I would like to store it into 1password if it is available. The current user interface requires a URL to store passwords and although I could make it work, what I would really like is an interface to allow me to add a plain password entry (or a secure note) to 1password.

In order to only be able to access my key, you should behave like the keyChain and only allow the app to access entries that were created by the app in question. In my case, I could envision entries having a specific name: "PsychChart (DATABASE_UNIQUE_ID)" which is ugly for the user OR "PsychChart: Failsafe Key" and then have a "unique key" (the database id) that I could query for. The second option is much better for the user and they will understand what the key is. In addition, the entry should have my application identifier so that the SDK can only access entries which I have stored. Although some apps might want to store multiple entries, in my case there are two other passwords, the access password and the encryption password, for HIPAA reasons I would not store those in 1Password.

This is not a hypothetical case. I have one of my beta users that is really bad about passwords. She originally lost her encryption password but had, much to my surprise, written down the failsafe key. That time she was able to create a new encryption password from the failsafe key. (It was at that time I asked about storing items into 1password.) Now, she has done it again but this time she cannot find the paper she wrote the FS password down on. Worse, she does not know why she did not enter it into 1password as she uses your app on her computer and devices.

I know that I could create a URL that might uniquely identify the entry and treat this as a login password but I really believe it would be better to implement a generic interface for storing things like Shared Secrets, database keys, and even database setup values. Basically to be able to store information that a person might someday need to remember BUT without other programs being able to access my entries. With a URL, it seems possible for other apps to access my stored failsafe key if they generated a URL that matched what I crafted.


1Password Version: 6.8.1
Extension Version: Not Provided
OS Version: OS X 10.12.6, iOS 10.3.3
Sync Type: Not Provided
Referrer: forum-search:iOS API Store password

Comments

  • Hi @dlemex ,

    The app extension API was basically designed to allow the 3rd party app to easily create, fetch, and change passwords of logins (basically, a username/password pair tied to a website). So you may be able to create a URL to meet your needs. Note that apps can not get URLs (even ones they created) without user intervention. The user has to activate the extension and choose the item before it is given to the app. Another app could not get your data without the user giving it to them. Otherwise, it could just siphon website logins from the app, which we obviously couldn't allow.

    We can consider look at adding ways for apps to store non-website style logins, but at this time it cannot. The current API is not designed to be an all-purpose data store for apps; it is mainly designed to filling login information. However you do have the option of using the iOS Keychain. Specifically, if you use the the iCloud keychain, it will be securely backed up and synced to the user's other devices. That way, if a user gets a new phone, etc. your app can fetch the information on their behalf, and also you wouldn't need to make them enter a UUID.

    I hope that helps.

    Cheers,
    Kevin

This discussion has been closed.