Security implications of iCloud/MAS transition

  • Unimpressed
    Community Member

    Hi,

    Sorry if I have missed something here, but can the developers please explain -- in everyman terms -- what the security implication differences are between using the two versions (AgileBits Site versus Appstore, iCloud Sync versus iCloud Drive)?

    It jars with me somewhat that "we [AgileBits] do not use iCloud Drive and it is not currently feasible for our sync requirements" and that, to transition, "Each case will be different as there is no single solution for everybody because ... This is unfortunately a manual process".

    Why manual? Surely with a user-base of over a few hundred that would be crippling for a company?

    In 2011 your reported "Agile Crusader" (spokesperson/salesperson/evangelist?) estimated that you had over 60,000 registered users ("we have 61,786 registered members on our forums, and when you consider that only a handful of users, relatively speaking, sign up for forums, that's quite a lot" - {https://www.quora.com/How-many-users-does-1Password-have}). I expect you have grown since then?

    So I am now not only interested in the security differences between the two applications generally (AgileBits Site version versus Appstore version), but also specifically in the resource/security implications of AgileBits now seeking to manually tailor the transition to the Apple iCloud of any registered user who wishes to do so.

    Tens (or more) of thousands of individually tailored transitions?

    Could you confirm please, given you are in public fora saying you need to do this individual-by-individual, how many you mean?

    Could you explain also why anyone who wants to transition needs to be individually tailored by AgileBits?

    Thank You for quick and clear clarity

  • Ben

    Hi @Unimpressed

    I've split your conversation from the "megathread" so that we can be sure to give it the attention it deserves. For the questions and answers relevant to that thread, I've posted them there:

    As for the rest of your questions:

    what the security implication differences are between using the two versions (AgileBits Site versus Appstore, iCloud Sync versus iCloud Drive)

    With the App Store, the application is reviewed by Apple prior to being made available to the public. Our AgileBits Store version is not. There are pros and cons either way.

    We do not actually utilize iCloud Drive when syncing your 1Password data. We use an Apple technology called CloudKit, which is iOS 8 / OS X 10.10 exclusive and requires that iCloud Drive be enabled. This is the technology that Apple recommends for the kind of data we are storing going forward. You can read more about this here:

    With either the "old" iCloud Sync ("Documents & Data") or the new iCloud CloudKit your 1Password data is encrypted by 1Password prior to being sent to Apple's servers.

    Why manual? Surely with a user-base of over a few hundred that would be crippling for a company?

    In short: yes. As you can glimpse from the activity on these forums, it is causing a lot of requests and long delays. We apologize for that, but it is really the only way we have to move folks to the App Store and we feel that is the right thing to do for our iCloud-using customers [though we did warn that iCloud users should purchase from the App Store up front, and moving them now costs us out of pocket in many cases].

    I expect you have grown since then?

    I feel that is a reasonable assumption. It would be impossible to come up with an exact number of 1Password users, but I'd wager it is well over 60,000. I suspect more than ten times that.

    security implications of AgileBits now seeking to manually tailor the transition to the Apple iCloud of any registered user who wishes to do so

    I'm not sure I understand the question here.

    Thanks.

    Ben

  • Unimpressed
    Community Member

    I am an iCloud-preferring customer (who has had that function now disabled by 1Password), increasingly concerned about the security differences between the Webstore and AppleStore versions of your product.

    To simply draw on your replies above:

    First: I am comfortable with Apple inspecting and approving your application/code. The fact you now have two versions indicates Apple does not approve the webstore version. Please explain what is functional in the Webstore version that Apple will not allow in the AppleStore version.

    Second: You appear to state that your webstore version no longer supports "the kind of data we are storing going forward". Please confirm exactly what data AgileBits is storing about or from its users.

    Third: You are "not sure I understand the question" about the security implications of AgileBits seeking to manually tailor the transition to the Apple iCloud for users who no longer can. It is simple. Please explain what your staff manually tailoring Webstore versions to enable them to use iCloud involves, that users could not reasonably do themselves. And how this tailoring fits with Apple having refused the Webstore version as above.

    I am a registered owner.

    I want to use iCloud, not Dropbox or the others you are recommending, which I have no wish to use.

  • Jasper
    edited November 2014

    Hi @Unimpressed,

    I am an iCloud-preferring customer (who has had that function now disabled by 1Password)

    1Password 5 for Mac is a major release and one of the significant changes we made was a complete rewrite of iCloud syncing. 1Password 5 switched to the new Apple iCloud "CloudKit" technology which is only available on OS X Yosemite and iOS 8, and limited to Mac App Store apps only. After this change we were no longer able to offer iCloud syncing in the web store version of 1Password. We didn't simply "disable" iCloud sync in the web store version.

    We've put together a FAQ page with more information here:

    Web store and iCloud FAQ

    I also want to make sure that you have a chance to review some more information on iCloud and why the Mac App Store is the only version that has access to that particular sync option. Roustem, one of our founders, has written a blog post on the iCloud rewrite and I’d like to share it with you:

    About iCloud changes in 1Password 5

    I am comfortable with Apple inspecting and approving your application/code. The fact you now have two versions indicates Apple does not approve the webstore version. Please explain what is functional in the Webstore version that Apple will not allow in the AppleStore version.

    First of all, Apple has no access to the app's source code, they do not review that. Apple reviews the submitted application to ensure that it follows the Mac App Store guidelines, which can be found here: https://developer.apple.com/app-store/review/guidelines/mac/

    The web store version is designed to be sold on our web store for users who prefer to purchase it there, so it's not necessary (or possible) for it to be allowed in the Mac App Store. For example, the web store version includes an in-app updater to install updates — this wouldn't be allowed in the Mac App Store since the updates are handled by the App Store instead. Also, the web store version isn't sandboxed, which lets us work around a few limitations of sandboxing. This allows our in-app updater to work, and allows a few other improvements as well, such as auto-submit (if you use the Mac App Store version, you need to install a separate script to improve auto-submit — this isn't necessary in the web store version because we're able to include the functionality by default).

    You appear to state that your webstore version no longer supports "the kind of data we are storing going forward". Please confirm exactly what data AgileBits is storing about or from its users.

    The "kind of data" Ben was referring to above is your 1Password data, which you are syncing via iCloud (or another sync provider). We are not the ones storing the data; you are storing your (encrypted) data with the sync provider.

    The kind of data that needs to be stored for syncing works well with CloudKit, it's like a database. Other parts of iCloud are designed for different types of data — iCloud Drive is best used for syncing files and documents (like Pages, Numbers, and Keynote need).

    The only data we have about our web store users is the information they provided when they purchased the app on our store (name, email, etc.) for licensing purposes.

    Please explain what your staff manually tailoring Webstore versions to enable them to use iCloud involves, that users could not reasonably do themselves. And how this tailoring fits with Apple having refused the Webstore version as above.

    It's not possible to use iCloud sync in the web store version. The only way to use iCloud in 1Password 5 is to purchase directly from the Mac App Store. The CloudKit API is only available to apps that are downloaded via the Mac App Store.

    Unfortunately there is no way for us to transfer your purchase from our store to Apple's. I’m sorry we don't have a better migration path for you.

    Please let us know if you have any other questions. We're always happy to help!

This discussion has been closed.