This is a staging forum for AgileBits, not an official support forum. Visit http://discussions.agilebits.com instead.

Security concern

How data is stored within app

I have been using 1Password Pro on my iPhone for a year now. I really like the product and enjoy the convenience of having all my passwords in one easy-to-use location. However, I am also concerned about this password data getting compromised and into the wrong hands. I have already configured all the proper security settings for my iPhone and the app itself. My question is the actual data file containing all the password data that is stored within the iPhone. How is this data file secured? Is all the data within the file encrypted? To what encryption strength? Is the name and location of this file documented anywhere, such that a rogue app could find it and send it somewhere else in the background without my knowledge?



Thank you,

Scott

Comments

  • brenty
    edited April 2011
    Hiya, Scott! Welcome to the forums!



    There have been some great discussions around these concerns in other threads, so I will recap for you and then point you in the right direction if you'd like more detail.



    The short version is that each iOS app can choose whether or not its data is available to others. 1Password encrypts your keychain, and iOS has an additional layer of encryption that ensures only apps can access their private data. Jailbreaking can of course be used to circumvent this being enforced, but will still need to be decrypted using your Master Password.



    Our beloved (and feared -- jk!) Defender Against the Dark arts, Jeff, wrote a great blog post (http://blog.agile.ws/2011/02/lost-iphone-safe-passwords/) recently concerning this, and he also elaborates a few more points in this thread (http://forum.agile.ws/index.php?/topic/2003-security-question-ios-keychain/page__view__findpost__p__20054) as well.



    Let me know if this helps. If you have further questions, just ask. :)



  • roustem
    roustem AgileBits Founder
    scottcave wrote:
    > ... My question is the actual data file containing all the password data that is stored within the iPhone. How is this data file secured? Is all the data within the file encrypted? To what encryption strength? Is the name and location of this file documented anywhere, such that a rogue app could find it and send it somewhere else in the background without my knowledge?



    To add a few more technical details: 1Password for iOS is using a format similar to the one used on Mac or Windows. The only difference is that instead of individual files, the items are stored in an SQLite database. The encryption key is protected with your master password using AES-128 encryption with PBKDF2 (1,000 iterations). The item data is encrypted using AES-128.
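
Added example (not part of the original thread and not AgileBits code): a sketch of the PBKDF2 step described in the post above, showing how 1,000 iterations turn a master password into a 128-bit key and what each password guess then costs someone who holds a copy of the data file. HMAC-SHA1 as the PRF, the 16-byte salt, the sample passwords and all function names are assumptions; the post does not specify them.

```python
import hashlib
import math
import os
import time

ITERATIONS = 1000   # figure quoted in the post above
KEY_BYTES = 16      # 128-bit key, matching AES-128


def derive_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch the master password into a 128-bit key-encryption key.

    Assumption: HMAC-SHA1 as the PBKDF2 PRF; the post does not name one.
    """
    return hashlib.pbkdf2_hmac("sha1", master_password.encode("utf-8"),
                               salt, iterations, dklen=KEY_BYTES)


def seconds_per_guess(iterations: int, samples: int = 20) -> float:
    """Measure the average cost of testing one candidate password on this CPU."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"candidate-{i}", salt, iterations)
    return (time.perf_counter() - start) / samples


def password_entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a password whose symbols are chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def average_search_years(entropy_bits: float, guess_seconds: float) -> float:
    """Expected search time: half the password space, one guess at a time."""
    return (2 ** entropy_bits / 2) * guess_seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    salt = os.urandom(16)  # constructed sample salt; it is not secret
    print("derived key:", derive_key("correct horse battery staple", salt).hex())
    cost = seconds_per_guess(ITERATIONS)
    print(f"one guess at {ITERATIONS} iterations: {cost * 1e3:.3f} ms on this core")
    for label, bits in [("8 random lowercase letters", password_entropy_bits(26, 8)),
                        ("4 random words, 7,776-word list", password_entropy_bits(7776, 4)),
                        ("6 random words, 7,776-word list", password_entropy_bits(7776, 6))]:
        years = average_search_years(bits, cost)
        print(f"{label}: {bits:.1f} bits, about {years:.3g} years on one core")
```

The AES-128 key is only as hard to recover as the master password that protects it, so the iteration count and the password's entropy together set the real work factor.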
  • Great information, thank you. I appreciate the attention you have placed on securing your app. I feel better now about using it.



    Thank you,

    Scott
  • khad
    khad Social Choreographer
    I'm glad that you found the information helpful. :-D



    If we can be of further assistance, please let us know.



    We are always here to help!
  • I just found this post while searching. Does 1Password for iPhone store the data only on the iPhone itself, and not send it to a website server or anything cloud-based?
  • MikeT
    MikeT Agile Samurai
    edited September 2011
    Hi SilverRavage,



    The encrypted data is always stored locally. If you use Dropbox, a copy of the encrypted data is stored on their servers to use as a *cloud* server to sync between your iOS devices and your computers.



    If you do not use Dropbox or Wi-Fi for sync purposes, then nothing enters or leaves the 1Password app on the iOS devices.