Why does 1Password (on my iPhone) need access to all my Dropbox files and folders?

gamma6
edited September 2013 in iOS

Hey, I just enabled Dropbox sync on 1Password 4 on my iPhone and noticed that it gets access to all my files and folders instead of just its own files. I read that 1Password 4 for iOS already uses the latest Dropbox API so why doesn't it use the Apps folder? Is it because the desktop version of 1Password 4 isn't out yet?

Comments

  • khad Social Choreographer

    Team Member

    No other API existed when Dropbox syncing was first implemented. Now many users have custom folder hierarchies. It's not impossible to change but needs to be done carefully and slowly. :)

  • Hm, I don't know. Having full access to your users' Dropboxes seems like a pretty big security issue to me, especially for an application that's supposed to make your digital life more secure. You'd think that would be a high priority, no? Since you redesigned 1Password 4 from the ground up, will the access level change once the desktop versions are out?

  • khad Social Choreographer

    Team Member

    I can't comment on future plans, but this is definitely on our radar. I'm not sure I see how it is a security issue, though. You are already putting the password to your Dropbox account in 1Password.

  • When? I can't remember how it was when I enabled 1Password for Mac, but doesn't it just save to the Dropbox folder? And on iOS it opens the Dropbox app.

  • khad Social Choreographer

    Team Member

    You don't have a Login item saved in your data file for your Dropbox account?

  • Doesn't this make a mockery of security?
    I want to sync my mobile devices to my Mac. At this point it appears that Dropbox is the only option. But I do not want to give 1Password read/write access to all my Dropbox files. Is it time to find a different password manager?

  • khad Social Choreographer

    Team Member
    edited September 2013

    Hi @PatriciaW,

    I merged your post with this existing thread. Please see above and let me know if you still have any questions. Also keep in mind that if you are using 1Password on your desktop computer it also has complete access to your file system. We think that if you trust 1Password with your sensitive data you might also trust us not to abuse file system access.

    You can monitor 1Password network activity for yourself to confirm that your data, even encrypted, is never sent to us.

    The simplest way for us to protect your privacy is to have no data about you or your use of 1Password to protect. And so to keep things simple, we gather no information from 1Password on your device or computer.

  • I agree that this would be a useful security improvement. However, I do not consider it a major risk (the point mentioned above about my Dropbox password being stored in 1password is interesting - however it is true that a vulnerability in 1password could affect all my Dropbox content right now even if it didn't mean access to the encrypted passwords).

    If you sync with iCloud, iCloud is built in a way where each app has only their own data, so that could be a workaround for you.

  • @Administrator: Although I have read your reply above, I consider this a major intrusion into my systems and had I realized that it was doing so I would not have purchased 1Password. I can see no justification for accessing my data. I am going to investigate alternatives.

    @gross: the desktop version of 1Password does not support syncing via iCloud AFAIK

  • khad Social Choreographer

    Team Member

    iCloud syncing is a v4 feature, so it is definitely available on iOS right now. It will also be available on Mac soon. If you would prefer to use iCloud, that is certainly an option.

  • I need that option now ... since I use mobile and desktop versions. But that does not address the fact that 1Password can read/write all of my files on the desktop. Where in the license fine print does it say that? If it does it should be in BIG print. For many years I trusted 1Password. Now I think that was blind trust.

    For others who were as naive as me, I recommend checking Dropbox and looking for the applications that have full access to your files. It is an eye opener.

  • khad Social Choreographer

    Team Member

    All Mac apps (unless they are sandboxed) can read and write all the files in your Home folder. This is how it has always been and is not unique to 1Password. That's the point of the burgeoning application sandboxing.

    I should note that 1Password 3.9 is sandboxed. (Being on the Mac App Store it is required to be sandboxed just like every app sold through the Mac App Store.) 1Password 3.8 is not sandboxed.

    As I mentioned above, many users have set up custom folder hierarchies for their 1Password data files within Dropbox. Restricting 1Password's access would completely break syncing in all of those cases for all of those users. In fact, it is precisely because of sandboxing that many users run into trouble after moving their Dropbox folders from the default location while using 1Password 3.9 for Mac.

    Sandboxing is indeed a Good Thing, but it needs to be tempered with user expectations. It removes a level of control that many users expect (and some circumstances even require).

  • @admin: I should add that the main reason I trusted 1Password was because of the assurance that my passwords were encrypted with a secure key ... in fact you even warn that we have to be sure to remember our master password because you can't help us if we forget it. Was that true?

  • khad Social Choreographer

    Team Member

    That's correct. 1Password creates your data file using the password you provided when you first launched the application. This password is not kept anywhere and it is never logged. Furthermore, there is no “back door” mechanism to recover your data or password. This approach is very important in order to be able to say that 1Password keeps your data safe and secure. However, because of it, once your password is forgotten, there is nothing we can do to help you recover it.

  • khad Social Choreographer

    Team Member

    "Full Dropbox" access is not unusual at all. It is simply required if you expect to be able to read and write a file in an arbitrary location. Here is my own list from the "My Apps" tab in my Dropbox account. If these apps didn't have full access I could only use them in a very limited capacity.

    It also breaks the ability to share a folder (and thus the 1Password data inside it) with another Dropbox user. Many users take advantage of this to share a single data file between husband and wife, for example. That is not possible without "Full Dropbox" access.

  • jpgoldberg Agile Customer Care

    Team Member
    edited November 2013

    You are right, @gamma6.

    If we could go back and change history, we certainly wouldn't be in a situation where 1Password requests read/write access to all of Dropbox.

    But way back in the before times, we allowed people to put their 1Password data anywhere on Dropbox and so also created a file in the root of the Dropbox folder, called ".ws.agile.1Password.settings", that told 1Password where to find the data.

    So 1Password needs to read and write to that file as well as read and write to wherever you put your data. The only way to get that peculiar combination of permissions from Dropbox is to ask for permission for all of it.

    Had we enforced a fixed location back in the early days (so didn't need that settings file) or had waited until Dropbox introduced sandboxing in a way that worked for us, we wouldn't be in this position. But as we aren't the political appointees to the Texas textbook review panel, we can't rewrite history.

    It will take time to transition everyone and their data to a structure where the "principle of least privilege" works for us. So I have to just ask for your patience.

    Cheers,

    -j

    --
    Jeffrey Goldberg
    Chief Defender Against the Dark Arts @ AgileBits
    http://agilebits.com
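
The permission problem described in the post above, as an added example that is not part of the original thread and not AgileBits' code: a small model of the two Dropbox access levels showing why a settings file in the Dropbox root forces "Full Dropbox" access even when the data already sits in the app folder. `APP_FOLDER`, the function names and the sample data locations are assumptions; only the settings file name comes from the post.

```python
from posixpath import normpath

# File name quoted in the post above; it sits in the root of the user's Dropbox.
SETTINGS_FILE = "/.ws.agile.1Password.settings"
# Assumed app-folder location, for illustration only.
APP_FOLDER = "/Apps/1Password"


def reachable(scope: str, path: str) -> bool:
    """True if `path` can be read or written under `scope`."""
    # Normalise first so "../" segments cannot step out of the app folder.
    clean = normpath("/" + path.lstrip("/"))
    if scope == "full":
        return True
    if scope == "app_folder":
        return clean == APP_FOLDER or clean.startswith(APP_FOLDER + "/")
    raise ValueError(f"unknown scope: {scope}")


def required_paths(data_location: str, legacy_layout: bool) -> list[str]:
    """Paths the client must touch in order to sync."""
    paths = [data_location]
    if legacy_layout:
        # The legacy layout reads the root settings file to find the data.
        paths.append(SETTINGS_FILE)
    return paths


def minimal_scope(data_location: str, legacy_layout: bool) -> str:
    """Narrowest scope that still covers every required path."""
    needed = required_paths(data_location, legacy_layout)
    if all(reachable("app_folder", p) for p in needed):
        return "app_folder"
    return "full"


if __name__ == "__main__":
    # Constructed sample locations, not taken from the thread.
    cases = [
        ("/Work/Secrets/1Password.agilekeychain", True),
        ("/Apps/1Password/1Password.agilekeychain", True),
        ("/Apps/1Password/1Password.agilekeychain", False),
    ]
    for location, legacy in cases:
        layout = "legacy" if legacy else "fixed"
        print(location, layout, "->", minimal_scope(location, legacy))
```
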

  • If I want to get 1Password 3.9 do I have to purchase it again?

  • khad Social Choreographer

    Team Member

    I think my post above about application sandboxing may have introduced some confusion. I could be wrong, but I'm guessing that the reason you are asking about this is because you may be conflating application sandboxing with Dropbox sandboxing.

    1Password 3.9 for Mac does not have any effect on the fact that 1Password requires "Full Dropbox" access in order to sync via Dropbox. Application sandboxing just means that it can only read your data file if your Dropbox folder is located in the default location (the root of your Home folder). All versions of 1Password on all platforms require "Full Dropbox" access as far as Dropbox sandboxing is concerned.

    As @jpgoldberg mentioned, there are historical reasons for this, and as I mentioned above a transition to a sandboxed approach cannot happen overnight because it will break things for possibly thousands (or more?) of 1Password users.

    It's not impossible to change but needs to be done carefully and slowly, not rushed into hastily.

  • @khad: What I understood was that if I want to prevent 1Password from having full access to all files and folders on my desktop I use a Sandboxed version. I did not think this had anything to do with Dropbox because I understood that is because of earlier design considerations. Am I right?

    Because of the Dropbox problem I will switch to iCloud sync between my mobile devices and wait for version 4.0 when I should be able to sync via iCloud from my desktop. But these are all problems caused by agilebits ... I was forced into this trap because they stopped allowing syncs via iTunes and WiFi and forced me to use Dropbox or give up syncing.

  • khad Social Choreographer

    Team Member

    Again, I'm sorry if I haven't been clear. All current versions of 1Password use "Full Dropbox" access. This is not related (except conceptually) to application sandboxing which I shouldn't have brought up. I was only using it as a point of comparison. Application sandboxing in OS X has nothing to do with Dropbox sandboxing.

    If you don't wish to use Dropbox to sync your data from your iOS device(s) to your Mac(s), you can sync via USB or Wi-Fi.

    Please let me know if there is anything else I can help with, and I hope you have a wonderful and relaxing weekend. :)

  • I don't think AgileBits Inc. is so small nor Dropbox Inc. so big that they couldn't cooperate to smooth the migration from full access to app sandbox.

    A bit long as a topic reply, I wrote up one potential strategy in this gist.

    The highlights:

    • requires some backend favors from Dropbox Inc.
    • supports old clients for a long time during the transition
    • allows for keychain location migration to begin immediately
  • Megan 1Password Alumni

    Hi @toolbear,

    I'd like to thank you so much for putting so much effort into your response here! I'll admit, I don't have the technical expertise to fully appreciate the details, so I'm asking one of our security experts ( @jpgoldberg ) to weigh in here with his thoughts.

    Keep being awesome :)

  • jpgoldberg Agile Customer Care

    Team Member

    Hi @toolbear!

    As a matter of fact we have been and continue to be in communication with the folks at Dropbox. Indeed, they have given us a couple of "grandfathering" extensions of deadlines. But as they correctly want to build a tighter security model throughout, they really did need to ditch some of their legacy access mechanisms.

    By the way, since the question was originally asked here, there is a document on this general issue: Why does 1Password need to see all of Dropbox?

  • Hey,

    I'm glad we eventually got a more detailed response than the one we originally got. I hope you guys will be able to figure out a solution to this in the future.

  • sjk oversoul

    Team Member

    Hey @gamma6,

    Please let us know if you have any remaining questions about this. I'm sure Jeff ( @jpgoldberg ) would be glad to answer them. :)

  • thightower T-Dog Agile's Mascot
    edited April 2014

    @jpgoldberg

    I don't think the article explains the true situation 100%. You may wish to add to that document. According to Dropbox, sandboxed folders cannot be shared. Equating to no folder sharing between accounts, business employees nor a husband and wife. They couldn't easily access 1Password shared vaults, that is if 1Password were to change to the sandbox version.

    The help topic alludes to this if you read closely but doesn't IMHO explain it in enough detail.

    Dropbox has stated emphatically in the user forums and private discussions with the moderators (myself being one) that they have no plans to change how sandboxed folders work (sharing). Its designed intent is to keep things sandboxed period. Of course you may have more privileged info. They AFAIK ... and what I am privy to, have not wavered on this in the years since sandbox access debuted.

    I really think you also need to convey this portion, in that help document. This one point alone can also eliminate a lot of concern about the need for such broad access on 1Password's part. I for one as well as countless others out there rely on shared vaults across Dropbox accounts and now with the addition of multiple vaults this further complicates things.

    This point needs.. No has to be conveyed to the end user. It's as much a design on your end as it is with Dropbox. Restricting access to a sandboxed environment would basically eliminate your new feature of shared vaults. IMHO it would eliminate about 1/5 of what I call useful features of 1Password 4. It would also cause me a really long time user to question if I needed to pursue my use of 1Password or move elsewhere simply because I rely on so much shared data.

    To give an example almost all the following would be rendered useless by a change.

    • My Vault
    1. My Dropbox account
    • Shared Vault thru shared folder
    1. Wife - respective Dropbox Account
    2. Son 1 (admin) - respective Dropbox Account
    3. Son 2 (admin) - respective Dropbox Account
    4. Son 3 (admin) - respective Dropbox Account
    5. Son 4 (admin) - respective Dropbox Account
    6. Dad - respective Dropbox Account
    7. Friend - respective Dropbox Account
    8. Work - respective Dropbox Account
    9. Wife's work - respective Dropbox Account
    10. Family Shared Vault (admin) - respective Dropbox Account

    I am not trying to sound overly harsh, I am just passionate about you guys being the best you can be. I have spent years of my life here in the forums and I want what's best for you. I also believe immensely in Dropbox. That's the reason I participate here and at the Dropbox forums.

    Really this is not a 1Password issue, it's more a Dropbox issue that would be eliminated simply by maybe a new class of sandboxed folder aka one that can be shared.

    This would solve both cases people wanting security and people wanting limited access.

    We have been laying the groundwork to remedy this for quite some time, but we will still need to transition individuals to a data arrangement that conforms to modern sandboxing.

    You all are way smarter than I, but as it stands unless Dropbox changes things, this can never occur with the desktop app. That is unless you are getting access to the Desktop app API? Which IMHO could be great. But I have seen no indication of this happening on Dropbox's end. I thought I saw it in the MoneyWell app but that's another discussion, as it could have been something entirely different.

    Just to make sure things haven't changed and I wasn't aware I took a screen shot this evening of myself trying to share an apps folder.

  • thightower T-Dog Agile's Mascot

    Hmm, looking at the Desktop API section from Dropbox https://www.dropbox.com/developers/sync seems to be moving along nicely for OSX, but Windows may be behind, I see no mention of it. So it looks like until other desktop OSes come of age things may still be determined by the desktop model now in place.

    Again this is my simple understanding, those gurus residing in the Palace probably know more than us folks living and working on Tatooine or Dagobah. I just want a ride in the Millennium Falcon. ;)

  • jpgoldberg Agile Customer Care

    Team Member

    Thank you @thightower!

    You are absolutely correct that sharing changes everything. Our document on Dropbox permissions assumes no sharing. Once sharing is introduced, there is simply no way within current Dropbox APIs to sandbox to a specific location.

This discussion has been closed.