security flaw on iphone version of 1password

Jeremy R Young

According to a review on the iphone app store (posted 27-sept) there is a major security flaw with 1-password in iOS4.1 - it claims that if you close the app without going through all the faff of shutting it down then no password is asked for when you open it again. Is this true - I use 1password heavily on my mac and would not want to risk that data on my iphone if it is as easy as that for anyone who steals my iphone to get all my data.

brenty

[quote name='Jeremy R Young' timestamp='1288909548' post='14503']

According to a review on the iphone app store (posted 27-sept) there is a major security flaw with 1-password in iOS4.1 - it claims that if you close the app without going through all the faff of shutting it down then no password is asked for when you open it again. Is this true - I use 1password heavily on my mac and would not want to risk that data on my iphone if it is as easy as that for anyone who steals my iphone to get all my data.

[/quote]



I guess maybe I'm not quite clear on the specific issue. Is this just 1Password for iPhone? I have 1Password Pro (Universal) on both my iPhone (iOS 4.1) and iPad (3.2.2,) and when I launch it I am prompted for my Unlock Code. Even when coming out of standby or returning to it after it's been suspended via multitasking in 4.1, I have to once again use my Unlock Code.



I looked, but haven't managed to find the review you are referring to. <img src='http://forum.agile.ws/public/style_emoticons/<#EMO_DIR#>/skype_worried.png' class='bbc_emoticon' alt=':S' />

jpgoldberg

[quote name='Jeremy R Young' timestamp='1288909548' post='14503']

According to a review on the iphone app store (posted 27-sept) there is a major security flaw with 1-password in iOS4.1 - it claims that if you close the app without going through all the faff of shutting it down then no password is asked for when you open it again. Is this true - I use 1password heavily on my mac and would not want to risk that data on my iphone if it is as easy as that for anyone who steals my iphone to get all my data.

[/quote]



Hi Jeremy!



Thanks for asking this.



This is a user setting. You can go to Settings > Security > Unlock Code/Auto-Lock and set "Lock when Inactive". It sounds like the reviewer doesn't have this set and as a very long timeout set for the unlock code. So although it is possible to get the behavior the reviewer describes, that certainly isn't normal behavior.



(Note that as we made the transition from iOS 3.2 to iOS 4, the impact of various settings changed. So it isn't too surprising that a user may have set a very long auto-lock period on iOS 3 which then behaved in ways that surprised the user in iOS 4.)

jpgoldberg

[quote name='brenty (toromei)' timestamp='1288929672' post='14513']

I guess maybe I'm not quite clear on the specific issue. Is this just 1Password for iPhone?[/quote]



Hi brenty!



The only difference between 1Password for iPhone and 1Password Pro is that 1Password Pro is also an iPad app. Their behavior on the iPhone is identical.



[quote]

I have 1Password Pro (Universal) on both my iPhone (iOS 4.1) and iPad (3.2.2,) and when I launch it I am prompted for my Unlock Code. Even when coming out of standby or returning to it after it's been suspended via multitasking in 4.1, I have to once again use my Unlock Code.[/quote]



It sounds like you have "Lock when Inactive" set for your unlock code. This shows how easy it is to set things one way and then forget that you've done it. I suspect that this is what the reviewer did.



Cheers,



-j

brenty

Ah, yes, of course! I tend to just set these things up the way I want them the first time I use an app and then just go on my merry way.



Also, thanks for clarifying. If 1Password for iPhone and 1Password Pro are functionally identical, I should be all set. <img src='http://forum.agile.ws/public/style_emoticons/<#EMO_DIR#>/smile.gif' class='bbc_emoticon' alt=':)' />