Security issue on IOS8: 1Password + 3rd Party Keyboard

krischan81
krischan81
Community Member

Hey there,
I noticed a security issue with 1Password in iOS8.
I have a third party keyboard (Swiftkey) installed. When I open 1Password, for the master password the system keyboard is used (as is supposed to be).
However, when I enter login data to save in my vault, the password is entered via Swiftkey. Please fix this issue as quickly as possible, I guess this behavior is not intended!
Thank you,
C.

Comments

  • krischan81
    krischan81
    Community Member
    edited September 2014

    bump As I notice the agilebits people are quite active in all other threads, how about a "yeah, we noticed your posts, we'll investigate that" so I can sleep well tonight? ;-) I fear this post might go unnoticed, but this actually is a serious problem (easy to fix, however)

  • Luke Bosman
    Luke Bosman
    Community Member

    That's an enormous security hole.

  • Stephen_C
    Stephen_C
    Community Member

    That's an enormous security hole.

    Why do you suppose that? It's a login item, details of which will either remain on your iDevice (and ultimately securely locked in 1P5) or, if in some way passed to Swiftkey Cloud, will be encrypted. It may be a small security lacuna but I'm not sure it's quite as "end of the world as we know it" as you make it out to be. :)

    Stephen

  • krischan81
    krischan81
    Community Member

    Encrypted or not, it's not supposed to go to the swiftkey cloud in the first place. Also, there already are other third party keyboards and very likely more will show up in the future, maybe one can trust swiftkey, but what about "obscure keyboard app xy"? So yeah, this is a major hole.

  • Hello krischan81, thank you for taking the time to discuss this issue with us.

    This is a tricky issue indeed. On the one hand, you as the user are in complete control of the keyboard extensions you allow on your iOS device and a big part of that is how much you trust the company who developed it. Apple has also done a lot to limit the functionality of keyboard extensions in order to keep them from doing nefarious things (for example, they cannot contact a remote server without your permission). Lastly, I can see users becoming accustomed to their favourite keyboard extension and be upset if 1Password disallowed it.

    On the other hand, 1Password contains your most sensitive and confidential information, so any potential attack vector must be treated with the utmost concern. It's very possible that someone would enable a custom keyboard and grant it access before installing 1Password. Then months later when they install 1Password, they may forget that they granted their favourite custom keyboard these permissions.

    I want to think about this issue some more before saying for certain, but at the moment, I'm thinking a preference in Settings that defaults to preventing custom keyboards is the best solution.

    Cheers!

    ++dave;

  • securitas
    securitas
    Community Member

    I just noticed the same flaw here. I have SwiftKey installed also.

    When I fire up Safari, IOS 8 correctly brings up the native keyboard when I try to type into a password field of a web page.

    When I fire up 1Password, the native keyboard also comes up.

    While inside 1Password, when I create a new login, the native keyboard also comes up.

    Here's where I noticed the problem.

    After I exit and quickly return to 1Password, if I go ahead and edit an existing record or create a new record, the Swiftkey keyboard comes up instead of the native keyboard!

    This is really bad.

  • thightower
    thightower
    Community Member

    I'm thinking a preference in Settings that defaults to preventing custom keyboards is the best solution.

    I think I like this idea a lot.

  • Harald Biegler
    Harald Biegler
    Community Member

    I also like the idea with a settings-option to disable 3rd-party keyboards for 1password.
    I (have to) trust Apple and 1password - but don't want to extend this unknown 3rd parties.

  • Megan
    Megan
    1Password Alumni

    Hi Harald and @thightower‌

    Thanks so much for adding your thoughts here! I'll be sure to pass them along to Dave and the rest of the development team. :)

  • Paco II
    Paco II
    Community Member

    After inadvertently starting a separate thread requesting just such a settings options, I'd like add my voice to this thread. When I am in the confines of the 1Password app, I don't want to ever have to worry about these kinds of privacy and security issues.

  • Megan
    Megan
    1Password Alumni

    Hi Paco,

    Thanks so much for the feedback! I'll let our developers know. :)

  • Hi guys,

    The upcoming 1Password 5.1 for IOS update (submitted to the App Store for review) includes an option to disable custom keyboards (on by default) in Settings > Advanced.

This discussion has been closed.