This is a staging forum for AgileBits, not an official support forum. Visit http://discussions.agilebits.com instead.
Non-visible VoiceOver elements can be heard in the lock screen
[b]Is this bug reproducible?[/b]
Yes, I can reproduce it.
[b]Which devices did this bug appear on and is it reproducible on any devices?[/b]
I've only tested it on an iPhone 4S running iOS 6.0.1. I don't have any other devices to test on.
If it makes a difference, my primary language is English and I’m based in Britain.
[b]A quick summary of the bug:[/b]
When you're at the lock screen (be it with a master password or a quick lock code), VoiceOver elements from the underlying screen can be accessed and listened to even if they're not visible on the screen.
[b]Detailed Step-by-step instruction on how to reproduce it:[/b][list=1]
[*]Switch on VoiceOver.
[*]Open 1Password but don't enter a master password or quick unlock code.
[*]Tap around in the area above the master password field looking for VoiceOver elements. When opening the app from fresh, this is the Favorites screen, so there's "Heading: Favorites" and an "Empty List" that I can hear. These aren't visible on the screen.
[*]Try double-tapping. Nothing happens; the label is just read again.
[/list]
This is both a functionality problem (because we have elements presented by VO that can't be used) and also a potential security risk. Potentially sensitive data in the list is read aloud. For example, in the Favorites pane of the demo data, the following areas can be found with VO:[list]
[*]"Edit: button"
[*]"Favorites: heading"
[*]"Add to Favorites: button"
[*]"Fitbit: Wendy dot H dot Appleseed at Gmail dot com"
[*]"Amazon: Wendy underscore Appleseed"
[/list]
This potentially exposes usernames, email addresses and other similar information. I assume that this is undesirable behaviour.
Yes, I can reproduce it.
[b]Which devices did this bug appear on and is it reproducible on any devices?[/b]
I've only tested it on an iPhone 4S running iOS 6.0.1. I don't have any other devices to test on.
If it makes a difference, my primary language is English and I’m based in Britain.
[b]A quick summary of the bug:[/b]
When you're at the lock screen (be it with a master password or a quick lock code), VoiceOver elements from the underlying screen can be accessed and listened to even if they're not visible on the screen.
[b]Detailed Step-by-step instruction on how to reproduce it:[/b][list=1]
[*]Switch on VoiceOver.
[*]Open 1Password but don't enter a master password or quick unlock code.
[*]Tap around in the area above the master password field looking for VoiceOver elements. When opening the app from fresh, this is the Favorites screen, so there's "Heading: Favorites" and an "Empty List" that I can hear. These aren't visible on the screen.
[*]Try double-tapping. Nothing happens; the label is just read again.
[/list]
This is both a functionality problem (because we have elements presented by VO that can't be used) and also a potential security risk. Potentially sensitive data in the list is read aloud. For example, in the Favorites pane of the demo data, the following areas can be found with VO:[list]
[*]"Edit: button"
[*]"Favorites: heading"
[*]"Add to Favorites: button"
[*]"Fitbit: Wendy dot H dot Appleseed at Gmail dot com"
[*]"Amazon: Wendy underscore Appleseed"
[/list]
This potentially exposes usernames, email addresses and other similar information. I assume that this is undesirable behaviour.
Flag
0
Comments
-
I just reproduced this. In addition to the security flaw mentioned above, it's also very unclear that the screen has been locked until you find the "master password" text element directly in the middle of the screen. The large lock icon, for example, should contain some help text (perhaps not visible but only findable with VO) to explain that this is the lock screen.Flag 0
