Hello AgileBits team,
I discovered a bug which was a startling security flaw. I went to log in to my BoxCrypter app on my phone using the 1Password keyboard, only to find I did not need to type my 1Password password to access all of my passwords (more than 24 hours after I had logged in). My 1Password app it set to not lock on exit, but to lock after 3 minutes. While my 1Password app locks up, my keyboard extension remains logged in seemingly indefinitely.
I ran a few tests. I was able to do this multiple times over the past 3 days. I have not tried this with anything other than BoxCrypter. If I log in to my 1Password app and click 'Exit' (rather than wait the 3 minutes), it does log me out of the keyboard extension as well. If I restart my phone, it logs me out of the keyboard extension.
I use an LG G3 (VS985 4G LTE), Android vesion 6.0. (Perhaps it's just a bug on my phone alone?)
Let me know if you want me to try anything else. For now, I have been logging out using the proper 'Exit'.
1Password Version: 6.4
Extension Version: Not Provided
OS Version: Android LG-G3
Sync Type: Google Drive