This is a staging forum for AgileBits, not an official support forum. Visit http://discussions.agilebits.com instead.
is 1Password affected by the newly discovered iPhone vulnerability?
Engadget and others recently [URL="http://www.engadget.com/2010/05/27/iphone-vulnerability-leaves-your-data-wide-open-even-when-using/"]revealed[/URL] a newly discovered [URL="http://marienfeldt.wordpress.com/2010/03/22/iphone-business-security-framework/"]vulnerability[/URL] in iPhone OS. When an iPhone is plugged in via USB to a computer running the latest version of Ubuntu, the [I]entire[/I] file system and all user data is exposed in unencrypted form, [I]even if the phone is secured with a PIN[/I].
I am hoping that 1Password does not rely on the built-in encryption in iPhone OS. Reassurance, please?
I am hoping that 1Password does not rely on the built-in encryption in iPhone OS. Reassurance, please?
Flag
0
Comments
-
Welcome to the forums, xyglyx. 1Password uses its own encryption. Whether your phone is protected by a PIN or not, your 1Password database is protected by a PIN and, in my cases, a master password as well. I imagine that any application data protected by the application's own password wouldn't be susceptible to this.Flag 0
-
Thanks, Gita. I just verified for myself that passwords in the 1Password for iPhone database remain encrypted after I copied the db to my Mac from my jailbroken touch. So that's good.
However, I noticed that URLs are not encrypted in the database. Out of curiosity, I also opened a data file from my Mac's 1Password keychain in a text editor and saw that the URL was not encrypted. While URLs are obviously not as sensitive as passwords, I don't feel great about the fact that a hacker who acquires my 1Password keychain can get the URLs of all the password-protected pages I use, especially since many of those URLs contain my username.Flag 0 -
Thanks for following up, xyglyx. While designing the 1Password data file format, we had to make some decisions that would ensure data integrity without compromising performance and convenience too much. The balance we found was to not encrypt titles and URLs. You can read more about this in our design document about the 1Password data file:
[url]http://help.agile.ws/1Password3/agile_keychain_design.html[/url]Flag 0