This is a staging forum for AgileBits, not an official support forum. Visit http://discussions.agilebits.com instead.

Pretty big security hole

bigphaty
bigphaty Junior Member
edited December 1969 in iOS
I loaded 1password on my MBP and my new iPhone 4. I was getting the settings worked out, and turned off my phone (while it was still on the 1password settings page)



When I turned my phone back on, it was still right there in 1password, everything viewable. I didn't have to enter the passcode to access it.



That's kind of a big hole in security, right? I just tried it again... turned the phone off on the "logins" page; turn the phone back on and there they are... wide open.



I have the auto-lock settings set to "only on exit or device lock"



Thanks
Flag

Comments

  • MikeT
    MikeT Agile Samurai
    edited December 1969
    I haven't been able to reproduce this on my iPhone 3GS with iOS 4 on it. I have the setting to auto lock out only on exit or device lock and time set to 3 min to lock out. So far, i didn't get this bug that you're seeing.
    Flag
  • [Deleted User]
    [Deleted User]
    edited December 1969
    [quote name='bigphaty']I loaded 1password on my MBP and my new iPhone 4. I was getting the settings worked out, and turned off my phone (while it was still on the 1password settings page)



    When I turned my phone back on, it was still right there in 1password, everything viewable. I didn't have to enter the passcode to access it.



    That's kind of a big hole in security, right? I just tried it again... turned the phone off on the "logins" page; turn the phone back on and there they are... wide open.



    I have the auto-lock settings set to "only on exit or device lock"



    Thanks[/QUOTE]



    Hi, bigphaty



    I'm sorry for the trouble here, we have been able to reproduce this here and it looks like it's a bug in the current version of 1Password. Our developers are working hard to fix this issue and we hope to have it resolved in the next update.



    For now, we're suggestion that users quit the app by going back to the home screen before locking their device.



    Sorry I don't have a more immediate fix for you.
    Flag
  • bigphaty
    bigphaty Junior Member
    edited December 1969
    Thanks for the reply Stu! I'm still getting used to the "multitasking" thing where i come back to applications where they were. It throws me off a bit sometimes.
    Flag
  • [Deleted User]
    [Deleted User]
    edited December 1969
    [quote name='bigphaty']Thanks for the reply Stu! I'm still getting used to the "multitasking" thing where i come back to applications where they were. It throws me off a bit sometimes.[/QUOTE]



    You're welcome!



    We'll be adding multitasking support in an update to 1Password, then the timer you set to lock 1Password will work while the app is in 'standby'. I'm not entirely sure when this will be ready, but I know Roustem is working hard on it, we may even let him out of his cage soon!
    Flag
  • nev
    nev Junior Member
    edited December 1969
    I also noticed this problem on my iPhone 3GS using 1Password "Pro". Although I have the "Auto-Lock" security settings to lock "Only on Exit or Device Lock", the app does NOT lock on device lock.



    When the iPhone locks, and I unlock it, the app is open and everything's viewable.
    Flag
  • MartyS
    MartyS AgileBits Customer Care (retired)
    edited December 1969
    [quote name='nev']I also noticed this problem on my iPhone 3GS using 1Password "Pro". Although I have the "Auto-Lock" security settings to lock "Only on Exit or Device Lock", the app does NOT lock on device lock.



    When the iPhone locks, and I unlock it, the app is open and everything's viewable.[/QUOTE]



    This appears to be something that's slated to be addressed in our next 1Password mobile apps updates.
    Flag
  • ski22
    ski22 Member
    edited July 2010
    I don't mean to sound rude, but isn't this the same unresolved security issue I repeatedly posted here on these forums starting 7 months ago ?



    [url]http://support.agilewebsolutions.com/showthread.php?21649-Security-issue-1Password-does-not-autolock-when-iPhone-goes-into-sleep-mode&highlight=ski22[/url]
    Flag
  • jpgoldberg
    jpgoldberg Agile Customer Care
    edited December 1969
    Hi ski22. Thanks for reminding us of that earlier discussion.



    It is important to be frank and direct when reporting on a (long standing) security issue. So don't worry about sounding rude. We are glad to see your comments.



    Yes, this is pretty much the same problem you reported earlier. We haven't been ignoring this problem, but it has been hard to get 1Password on iOS to detect and act when the phone is put to sleep.



    In iOS 4, while we still don't have ideal access to a "sleep event", the timing for a lock certainly works. Among the finer and more sensible controls we have for locking settings, there is one that we are testing that will lock 1Password when you switch to another app or lock the device. We have been working hard testing these various settings, and so I can't promise the exact behavior that will be in the finished product, I can promise you that there will be much finer control and more secure behavior for auto lock of both the master password and the unlock code in the forthcoming version.



    I know it's been a long wait (and we still don't know exactly how much longer it will be), but I am confident that you will be happy with the results once you see them



    Cheers,



    -j
    Flag