This is a staging forum for AgileBits, not an official support forum. Visit http://discussions.agilebits.com instead.

Keyboard logging on iPhone?

xprmntlav8r
xprmntlav8r Junior Member
edited December 1969 in iOS
In this article ([url]http://www.telegraph.co.uk/technology/apple/7880155/How-your-Apple-iPhone-spies-on-you.html[/url]) about how "police experts" can use the iPhone to catch bad guys, they state that: "... the iPhone's keyboard logging cache, which was designed to correct spelling ... meant that an expert could retrieve anything typed on the keyboard over the past three to 12 months...".



If this is truly the case, then a hacker could do the same thing on a stolen/lost iPhone, and thus, compromise the numerical and main passwords that open up 1Password.



Could you please assure me that this is not the case and that keyboard logging is negated when inputting the 1Password passwords.



Thanks

Comments

  • bulbous
    bulbous Junior Member
    edited November 2010
    So I just read the same article -- was a bit surprised to find that this post hadn't been replied to, as I have been quite impressed with 1Password, and the level of security. Hopefully this bump will get a reply. This is pretty seriously concerning to me. (although it seems pretty likely that agile has disabled caching or something while they're typing in their password -- I'm going to see if I can find a way to retrieve my keyboard cache entries, to confirm)



    Thanks,

    Kem



  • jpgoldberg
    jpgoldberg Agile Customer Care
    [quote name='bulbous' timestamp='1288912344' post='14504']

    So I just read the same article -- was a bit surprised to find that this post hadn't been replied to, as I have been quite impressed with 1Password, and the level of security. Hopefully this bump will get a reply.[/quote]



    Thanks bulbous and xprmntlav8r. I'm sorry that we missed xprmntlav8r's original post. We try to follow up on every thread, but sometimes things on the forums can slip through the cracks. If you suspect that that has happened, please do bump as you did.



    [quote] This is pretty seriously concerning to me. (although it seems pretty likely that agile has disabled caching or something while they're typing in their password -- I'm going to see if I can find a way to retrieve my keyboard cache entries, to confirm)[/quote]



    As you can imagine, spell-checking/auto-correction is not enabled for passwords; so password information never gets into the keyboard cache.



    It's great that folks are thinking about these sorts of things. I believe that the more people investigate security issues, the more confidence they will have in 1Password. So please let us know if you have more questions.



    Cheers,



    -j
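
An added example, not part of the thread and not AgileBits' code: the UIKit text-input traits that control autocorrection and spell-checking for a field, as referred to in the reply above, plus a check a developer could run over a screen to find secret fields that still have them enabled. The `secret.` identifier prefix and both function names are assumptions made for this example.

```swift
import UIKit

// Hypothetical convention for this example: fields that hold secrets carry an
// accessibilityIdentifier starting with "secret.".
let secretPrefix = "secret."

/// Apply the input traits that keep typed text away from autocorrection
/// and spell-checking.
func hardenSecretField(_ field: UITextField) {
    field.isSecureTextEntry = true        // masked, password-style entry
    field.autocorrectionType = .no        // no autocorrection suggestions
    field.spellCheckingType = .no         // no spell-checking
    field.autocapitalizationType = .none  // do not alter the typed characters
}

/// Walk a view hierarchy and return every secret field whose traits still
/// allow autocorrection or spell-checking, or that is not a secure field.
func findLeakyFields(in root: UIView) -> [UITextField] {
    var leaky: [UITextField] = []
    var stack: [UIView] = [root]
    while let view = stack.popLast() {
        // Queue children first so nested containers are always visited.
        stack.append(contentsOf: view.subviews)
        guard let field = view as? UITextField,
              field.accessibilityIdentifier?.hasPrefix(secretPrefix) == true
        else { continue }
        let traitsOK = field.isSecureTextEntry
            && field.autocorrectionType == .no
            && field.spellCheckingType == .no
        if !traitsOK { leaky.append(field) }
    }
    return leaky
}
```

Calling `findLeakyFields(in:)` on a view controller's root view from a UI test or debug build gives a list that should be empty before release.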
  • bulbous
    bulbous Junior Member
    Cool -- sort of a follow up to this that I was thinking about. What happens if I install an application on my iPhone that is malicious (and made it through Apple's screening process). Is there any kind of process level security that prevents keystroke logging or this kind of thing? Obviously this could be a problem on your Mac if you install something malicious there too, and being careful with what you install is always very important, it seems like they could prevent keystroke logging relatively easily though, so I guess I'm hoping they have.



  • khad
    khad Social Choreographer
    edited November 2010
    Once an application is installed on your Mac, if you have granted it admin rights (by typing in your OS X account password), all bets are off. The good news is that if you only authenticate trusted software, this process functions quite well to protect you from malicious software. Of course, there are also hardware key loggers, so it is equally important that your computer is not physically accessible by ne'er-do-wells. :-)



    I would imagine the same is true for iOS apps. I'm sure Apple has some great automated tools to detect such malicious apps, but it is also wise to know what you are installing and trust the developer. Trusted sources will never cease to play a role in computer security no matter how tightly controlled an app store is.



    Additionally, I was unable to find out the complete details of the original story, but it is quite likely that if you have set a passcode for your iOS device, the attack is all but useless. Take a look at our own [url="http://help.agile.ws/1Password_touch/iOS_security_details.html"]iOS Security Details[/url] document and consider the [url="http://forum.agile.ws/index.php?/topic/2003-security-question-ios-keychain/"]issues discussed in this thread[/url].



    I hope that helps. Please let me know.
  • [quote name='bulbous' timestamp='1288982140' post='14564']

    What happens if I install an application on my iPhone that is malicious (and made it through Apple's screening process). Is there any kind of process level security that prevents keystroke logging or this kind of thing?

    [/quote]



    It's been mentioned elsewhere on this forum, but a key feature of iOS is its [url="http://developer.apple.com/library/ios/#documentation/iphone/conceptual/iphoneosprogrammingguide/RuntimeEnvironment/RuntimeEnvironment.html"]application sandboxing[/url]. This ensures that each app's data is secure by encrypting it and keeping it essentially quarantined. (Perhaps this is part of the reason copy and paste support was so long in coming.)



    It really is quite different from OS X in that regard, since Apple had an opportunity to start from scratch. In this age of malware, I think a lot of software vendors would like to do the same, but the burden of legacy support makes re-engineering an entire platform a tough sell.
  • roustem
    roustem AgileBits Founder
    edited November 2010
    [quote name='bulbous' timestamp='1288982140' post='14564']

    Cool -- sort of a follow up to this that I was thinking about. What happens if I install an application on my iPhone that is malicious (and made it through Apple's screening process). Is there any kind of process level security that prevents keystroke logging or this kind of thing? Obviously this could be a problem on your Mac if you install something malicious there too, and being careful with what you install is always very important, it seems like they could prevent keystroke logging relatively easily though, so I guess I'm hoping they have.

    [/quote]



    Applications that are installed through the App Store have very limited access to the system and they won't be able to modify it and perform keystroke logging or any other low-level system activity. Every application runs in a separate "sandbox" and it cannot access other apps or their data:



    From [url=http://developer.apple.com/library/ios/#documentation/iphone/conceptual/iphoneosprogrammingguide/RuntimeEnvironment/RuntimeEnvironment.html]iOS Application Programming Guide[/url]:

    [quote]

    For security reasons, iOS restricts an application (including its preferences and data) to a unique location in the file system. This restriction is part of the security feature known as the application’s “sandbox.” The sandbox is a set of fine-grained controls limiting an application’s access to files, preferences, network resources, hardware, and so on. In iOS, an application and its data reside in a secure location that no other application can access. When an application is installed, the system computes a unique opaque identifier for the application. Using a root application directory and this identifier, the system constructs a path to the application’s home directory. Thus an application’s home directory could be depicted as having the following structure:



    /ApplicationRoot/ApplicationID/

    During the installation process, the system creates the application’s home directory and several key subdirectories, configures the application sandbox, and copies the application bundle to the home directory. The use of a unique location for each application and its data simplifies backup-and-restore operations, application updates, and uninstallation. For more information about the application-specific directories created for each application, see “A Few Important Application Directories.” For information about application updates and backup-and-restore operations, see “Backup and Restore.”

    [/quote]
  • bulbous
    bulbous Junior Member
    Thanks much for all the information everyone -- iOS sandboxing is nice, good to know about. Sounds like I've got nothing to worry about.



    Cheers :)



  • khad
    khad Social Choreographer
    We are all happy to help! If you have any other questions, please don't hesitate to ask. :-)



    Cheers!