This is a staging forum for AgileBits, not an official support forum. Visit http://discussions.agilebits.com instead.

Is 1Password affected by the newly discovered iPhone vulnerability?

xyglyx Junior Member
edited 1969 31 in iOS
Engadget and others recently revealed (http://www.engadget.com/2010/05/27/iphone-vulnerability-leaves-your-data-wide-open-even-when-using/) a newly discovered vulnerability (http://marienfeldt.wordpress.com/2010/03/22/iphone-business-security-framework/) in iPhone OS. When an iPhone is plugged in via USB to a computer running the latest version of Ubuntu, the entire file system and all user data is exposed in unencrypted form, even if the phone is secured with a PIN.



I am hoping that 1Password does not rely on the built-in encryption in iPhone OS. Reassurance, please?

Comments

  • Nik
    edited 1969 31
    Welcome to the forums, xyglyx. 1Password uses its own encryption. Whether your phone is protected by a PIN or not, your 1Password database is protected by a PIN and, in many cases, a master password as well. I imagine that any application data protected by the application's own password wouldn't be susceptible to this.
  • xyglyx
    xyglyx Junior Member
    edited 1969 31
    Thanks, Gita. I just verified for myself that passwords in the 1Password for iPhone database remain encrypted after I copied the db to my Mac from my jailbroken touch. So that's good.



    However, I noticed that URLs are not encrypted in the database. Out of curiosity, I also opened a data file from my Mac's 1Password keychain in a text editor and saw that the URL was not encrypted. While URLs are obviously not as sensitive as passwords, I don't feel great about the fact that a hacker who acquires my 1Password keychain can get the URLs of all the password-protected pages I use, especially since many of those URLs contain my username.
  • Nik
    edited 1969 31
    Thanks for following up, xyglyx. While designing the 1Password data file format, we had to make some decisions that would ensure data integrity without compromising performance and convenience too much. The balance we found was to not encrypt titles and URLs. You can read more about this in our design document about the 1Password data file:

    http://help.agile.ws/1Password3/agile_keychain_design.html
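
Added example, not part of the thread and not AgileBits code: a small audit of what a copied keychain item reveals without the master password, given the unencrypted titles and URLs discussed above. The JSON field names ("title", "location", "encrypted"), the parameter list and the sample records are assumptions constructed for illustration.

```python
import json
from urllib.parse import urlsplit, parse_qsl

# Assumed item layout (not taken from the thread): a JSON record with
# plaintext "title" and "location" (URL) next to an opaque "encrypted" blob.
PLAINTEXT_FIELDS = ("title", "location")
# Hypothetical query-parameter names that often carry an account identifier.
USER_PARAMS = {"user", "username", "login", "email", "account"}

# Constructed sample records; hosts and values are made up.
SAMPLE_ITEMS = [
    '{"title": "Bank", "location": "https://bank.example/login?username=alice",'
    ' "encrypted": "<opaque ciphertext>"}',
    '{"title": "Wiki", "location": "https://bob@wiki.example/private",'
    ' "encrypted": "<opaque ciphertext>"}',
    '{"title": "Forum", "location": "https://forum.example/",'
    ' "encrypted": "<opaque ciphertext>"}',
]


def identifiers_in_url(url):
    """Return account identifiers visible in a URL's userinfo or query string."""
    parts = urlsplit(url)
    found = []
    if parts.username:
        found.append(("userinfo", parts.username))
    for key, value in parse_qsl(parts.query):
        if key.lower() in USER_PARAMS and value:
            found.append((key, value))
    return found


def audit_item(raw):
    """Report what a reader of the file learns without the master password."""
    item = json.loads(raw)
    exposed = {f: item[f] for f in PLAINTEXT_FIELDS if item.get(f)}
    return {
        "exposed": exposed,
        "identifiers": identifiers_in_url(exposed.get("location", "")),
        "has_encrypted_blob": bool(item.get("encrypted")),
    }


def audit(items):
    """Audit every raw item record and return one report per item."""
    return [audit_item(raw) for raw in items]


if __name__ == "__main__":
    for report in audit(SAMPLE_ITEMS):
        print(report)
```

Entries flagged with identifiers are candidates for storing a cleaner URL (no userinfo, no username query parameter) so the plaintext metadata gives away less.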