This is a staging forum for AgileBits, not an official support forum. Visit http://discussions.agilebits.com instead.

ICS Recent Apps shows most recently accessed login in the clear

When flipping through the Recent Apps thumbnails on my Ice Cream Sandwich phone, I noticed the thumbnail for 1Password shows the most recently accessed login in plain view. Most alarmingly, the password isn't obscured. Other information like the username and website are naturally shown. This is while the app itself is locked down.



Since most 1Password users probably have a screen lock PIN or pattern set up, this probably isn't a major issue. However, it is a "leak," and one I'm sure we all prefer didn't exist.



Thanks again for bringing 1Password goodness to Android!

Comments

  • GeneY
    GeneY AWS Team
    edited June 2023
    Hi drewsign,



    Thank you for raising this important question.

    As it stands today, the common opinion among Android developers is that the issue you are describing is not possible to address.



    Every single application where a lock screen is employed has this peculiarity. The problem is that the Home button press event is not possible to detect (it is explicitly made so in Android OS) and, therefore, the application can only be locked once you retrieve it from the background (and the snapshot with data is created well before that).



    The best solution currently available will be locking 1Password Reader explicitly before bringing the application into the background by pressing Home button.

    In this case a snapshot of the lock screen will be stored in the running application list.



    Please let me know if you need more information; I will be glad to assist you further.



    Best regards,

    Gene

    Android developer
  • macewank
    edited January 2013



    Hi Gene,



    I'm a little late to the party on this one, but I just had a chat with the Twitter folks and they directed me here for this.



    What you're saying is true, in that the recent apps menu will show that 1Password has been launched, however, you're incorrect in stating that there is no way to handle it. With the current Android SDK, there are at least 2 ways to handle this that would increase the security of the application and address drewsign's (and mine, for what it's worth) concern. I'll outline them below:



    Option 1 (less good): Utilize the FLAG_ACTIVITY_HIDE_FROM_RECENTS intent when launching the app. This will keep the program out of the recent apps menu completely: http://developer.android.com/reference/android/content/Intent.html#FLAG_ACTIVITY_EXCLUDE_FROM_RECENTS



    Option 2 (better): When you're setting the LayoutParams on creation of the 1Password window, you can set FLAG_SECURE. This will prevent the app from responding to screenshot requests (manual or automatic) which will cause the application to show a solid black square when viewed in the recent apps menu. http://developer.android.com/reference/android/view/WindowManager.LayoutParams.html#FLAG_SECURE



    Either of those 2 solutions should address the problem. The latter shouldn't be terribly difficult to implement either, though the former could depending on how many different ways you have the app launching. Still, not too difficult.



    Hopefully this helps? I love 1Password, and am pretty excited about the new version that's coming, but exposing passwords is a showstopper for me. I would gladly pay for a version of the app that did not expose that data :)



    EDIT: A 3rd option, if you so desire, would be to add android:excludeFromRecents="true" to the AndroidManifest file. This would achieve similar functionality to Option #1 and be a lot less code. Literally 1 line :)
  • GeneY
    GeneY AWS Team
    Hi macewank,



    First of all, thank you for the detailed feedback!



    The stand-alone version of 1Password for Android (currently in development) will be using the second option you've mentioned.

    I tested this option (setting FLAG_SECURE) on several phones and tabs running OS >=4.0.4 and it works absolutely fine. The application screenshot will look black in the recent application list while the application icon will still be visible to navigate to the application when required.



    Solutions 1 and 3 are also interesting but I'd like to keep 1Password in the running application list though. Besides, some screens (for example lock or login) don't contain any private info and are fine to show as is in the task list.



    Sincerely,

    Gene
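
Added example (not part of the thread and not AgileBits' code): a sketch of Option 2 from the discussion above, setting FLAG_SECURE only on screens that can show credentials while lock screens stay visible in Recents, with Options 1 and 3 shown for comparison. All class names are hypothetical; the SDK constant behind Option 1 is Intent.FLAG_ACTIVITY_EXCLUDE_FROM_RECENTS, as in the linked reference.

```java
// Added illustration; VaultActivity, LoginDetailActivity, LockScreenActivity
// and Launcher are hypothetical names, not classes from 1Password.
import android.app.Activity;
import android.content.Context;
import android.content.Intent;
import android.os.Bundle;
import android.view.WindowManager;

/** Base class: each screen declares whether it can display secrets. */
abstract class VaultActivity extends Activity {
    /** Return true if this screen can show usernames, passwords, etc. */
    protected abstract boolean containsSecrets();

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        if (containsSecrets()) {
            // Option 2: the window content is treated as secure, so the
            // Recents thumbnail and screenshots come out blank.
            // Set it here, before subclasses call setContentView().
            getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                                 WindowManager.LayoutParams.FLAG_SECURE);
        }
    }
}

/** Shows a login item: must never appear in a thumbnail. */
class LoginDetailActivity extends VaultActivity {
    @Override protected boolean containsSecrets() { return true; }
}

/** Lock screen: holds no private data, so its thumbnail can stay visible. */
class LockScreenActivity extends VaultActivity {
    @Override protected boolean containsSecrets() { return false; }
}

final class Launcher {
    /** Option 1: start the activity in a task that is left out of Recents. */
    static void openExcludedFromRecents(Context ctx) {
        Intent intent = new Intent(ctx, LoginDetailActivity.class);
        intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK
                | Intent.FLAG_ACTIVITY_EXCLUDE_FROM_RECENTS);
        ctx.startActivity(intent);
    }
}

// Option 3 is the manifest equivalent of Option 1, declared on the activity:
//   <activity android:name=".LoginDetailActivity"
//             android:excludeFromRecents="true" />
```

Options 1 and 3 remove the whole task from the Recents list, whereas FLAG_SECURE keeps the entry and its icon and only blanks the captured image, which matches the behaviour described in the last reply.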