iOS App not auto-locking

oldmankit
Community Member

I discovered a security vulnerability while I had invited a couple of people round to my house, to show them my wifi password. My iPad 1Password app is set to auto-lock after two minutes, but after leaving my iPad lying around half an hour, I came back and found that 1Password was still unlocked.

Steps to replicate:

1. Open a login and select "Large Type" to reveal password
2. Close case on iPad
3. Wait for half an hour or so. (More than whatever the auto-lock for 1Password is set to, but less than the iOS autolock. Mine is set to "Require Passcode" after 1 hour)
4. Open the case on the iPad
5. 1Password briefly shows the "enter passcode" screen but then jumps straight into the app, unlocked.

I felt a bit nervous as I had left my iPad with these people who I didn't know very well at all, knowing that 1Password was set to autolock after a couple of minutes. I left them on their own for a while and got a bit of a shock when I came back, opened the iPad and saw it wasn't locked at all.


1Password Version: 6.9.1
Extension Version: Not Provided
OS Version: iOS 11.0.3
Sync Type: Dropbox

Comments

  • Ben

    Hi @oldmankit

    Thanks for taking the time to report this.

    I’ve attempted to reproduce the problem, given the steps you provided, but have been unable to. I set 1Password’s auto-lock timer to 1 minute (less than the iOS lock time), opened a Login item, opened the Large Type for the password field, and left it sit for 1 minute. 1Password operated as expected, locking (prompting for Touch ID) at the 1 minute mark.

    Is there any additional information you may have that would help us reproduce this issue?

    Ben

  • oldmankit
    Community Member

    Hi Ben,

    Thanks for checking it out.

    In your reply, you mentioned autolock, which might not be the iOS setting I'm talking about.

    • Settings > Display & Brightness > "Auto-Lock after…"
    • Settings > Passcode > "Require Passcode after…" <- This is the one I am talking about. Mine is set to one hour, and it won't interfere with this testing.

    Also, you just left the iOS device to sit, whereas I closed the case of my iPad.

    However, after reading your reply and doing a bunch of tests, I think I've narrowed it down to this: 1Password is not consistently auto-locking on my iPad.

    Steps to replicate:

    1. Completely close 1Password in iOS to get a fresh start
    2. Open 1Password
    3. Check 1Password auto-lock is set to 1 Minute
    4. Select a login
    5. Tap on password and reveal in large text
    6. Close iPad case
    7. Wait 1 minute
    8. Open iPad case.

    What happens after this is not consistent:

    1. Sometimes it briefly shows the screen as it was before it locks (i.e. with large text password), and then takes you to the 1Password enter passcode screen. Even this is not awesome, as it briefly displays the password. However worse is:
    2. Sometimes it just shows the screen as it was before. I.e. 1Password is still unlocked.

    I had to test this about 20 times (repeating steps 4-7), and can't discern a pattern as to why sometimes it locks and sometimes it doesn't. It doesn't seem to be tied to a specific password, as sometimes the same password will autolock properly, and next time won't autolock.

    However, after it has failed to lock following steps 0-7, it will continue to fail. I don't need to close the iPad case or anything. I just leave 1Password open, wait 1 minute, and nothing happens. It simply fails to autolock.

    It's an iPad Air.

  • Ben

    @oldmankit,

    I believe the Settings > Passcode > Require Passcode After... setting may be the difference. On my iPad Air 2 the only option I have is “immediately.”

    With it set that way I don’t seem to be able to reproduce this problem. Can you try setting yours to immediately and see if you still have the same difficulty?

    Ben

  • oldmankit
    Community Member

    Hi Ben,

    The issue only happened when closing the iPad case and waiting for a period of time longer than the 1Password "auto-lock" setting (in the case of my testing, more than one minute), but shorter than the iOS "Require passcode" setting (which was set to one hour).

    I've tested this again with iOS "Require passcode" set to "Immediately", and the issue doesn't arise, but that's exactly what I would have predicted: in that case the 1Password auto-lock time period would be longer than the iOS "require passcode" setting, and so the window in which this potential bug arises doesn't exist.

    My iPad Air 1 does not have touch ID, so things are a bit different from yours!

    Kit

  • Ben

    Thanks @oldmankit. I don’t have any devices that do not have Touch ID anymore, but I’ll ask one of my colleagues who does to follow up on this and file a report with our development team.

    Ben

  • Tully
    1Password Alumni

    Hi @oldmankit, my name's Tully, and I'm the lucky fingerprintless iPad Air owner here at AgileBits – unfortunately I've not been able to reproduce this issue following the steps you posted above (using an Apple Smart Cover, for what it's worth). I note your original post from a couple weeks back indicates you were using 1Password 6.9.1 and iOS 11.0.3 at the time – I'd be interested to know whether you've subsequently updated one or both of these, and if this has any effect on the frequency of this issue. For the sake of completeness, are you able to tell us the make of your iPad case? I've a slight suspicion (largely unfounded) that the intermittent nature of this issue for you may be down to locking magnets misaligning or misfiring… once we hear back we'll see what else we can come up with. Looking forward to your reply!

  • Henry
    1Password Alumni

    Hi @oldmankit my name's Henry! Just like @Tully, I've got a fingerprintless iPad Air, and I just spent a while testing for this issue too, with no luck. I'm running 1Password 6.8.2 and iOS 10.3 (and also have the Apple Smart Cover), and had no luck reproducing this, with 1Password reliably bringing up the PIN entry screen each time, whether my iPad locks or not.

    A few questions to help me reproduce it:

    • Do you have a passcode set on your device?
    • Is 1Password set to "Lock on Exit"?
    • Are you using your Master Password or a PIN code to unlock 1Password?
    • What's your time to "Require Master Password" in 1Password's Settings > Advanced > Security?

    Also, bonus points: a video would be really, really nice :).

    Thanks, and sorry we weren't able to get this to happen on our own iPads!

  • oldmankit
    Community Member

    Hi Henry and Tully, thanks a bunch for testing this out.

    Well, the bad/good news is that I can no longer replicate this after updating to the latest version of 1Password (7.0.3). I also just updated iOS to 11.1.2.

    Just in case this information is still useful:

    • My iPad case is the Ozaki "Relax" case. I'm not sure about the idea that the locking magnets were maybe not functioning properly, as I do see this but very, very rarely (when I close the cover but the screen remains on). If the screen wasn't 'closed' properly, I would be aware of it, as my iPad is always set to auto-lock the screen after 1 hour (iOS Settings > Display & Brightness > "Auto-Lock after…" = 1 hour). On the rare occasion that the cover doesn't successfully turn the screen off, I have noticed significant battery drain as the screen remains on for a whole hour.
    • In 1Password > Settings > Security, 'Lock on exit' is off; "Auto-lock" is set to 1 minute, and "PIN Code" is on.
    • In 1Password > Settings > Advanced > Security, "Require Master Password" is set to "After Device Restart"

    I would have liked to make a video but the issue isn't happening anymore!

  • Ben

    Thanks for the update and additional information about the problem @oldmankit! Glad to hear you're no longer able to reproduce this using the latest versions. If there is anything else we can do, please don't hesitate to contact us.

    Ben

This discussion has been closed.