Security hole on install

mak3r
edited February 2014 in Android Beta

Summary:
I downloaded and installed 1P4Android_20140124.apk earlier today. At the time, I went ahead and hooked it up to Dropbox, where my 1Password file resides, and also logged in to the app for the first time with my main 1P password. I then went on and did some other things, got sidetracked, and about 4 hours later returned to 1Password to find that it was completely unlocked. Had anyone gotten hold of my phone during that time, they would have had access to all my secure data and passwords. Ack!

Phone model: Samsung Galaxy S3 (SGH-I747)
OS version: 4.3

To reproduce:

  1. Install 1Password via apk
  2. Point to existing Dropbox file
  3. Log in with master password
  4. Switch to another app
  5. Switch back to 1Password

Did you have to log in to see secure data?

Also, I tested that at this point app switching does lock the app as expected.

--
Mak3r

Comments

  • mverde

    Team Member

    Hi @mak3r,

    I've moved this post to the Android beta forum where it can be seen by other members of our beta community. We recently became aware of this issue through another beta user who had a similar encounter to yours. We have been able to reproduce the issue on our end and a fix is in the works. Thank you for the feedback!

This discussion has been closed.