Is 1password vulnerable to clipboard attacks on android?

Comments

  • Until recently, the answer is yes, because the only way to get passwords into the browser or an app requires copy and paste.

    The latest version has a fill method using the accessibility features. I don't know if this uses the clipboard. I would hope not.

  • I don't know if this uses the clipboard. I would hope not.

    Can we please get an update on this issue?

  • saadsaad

    Team Member

    We recently published an article on our blog that talks about how 1Password on Android uses the system clipboard. I think this article will address some of the questions you might have! If you have any further questions, please feel free to directly post a reply to the blog post or on this thread (whichever works for you).

  • So all smoke screens aside the plain and simple answer to the original question is YES.

    ..... unless you go with lollipop or use 1password browser.

  • Having spent a few hours educating myself on PW / Android I've decided to stop using the c/p function , for login in related tasks, on my android devices - until serious changes are made in how clipboadrs are handled and/or hooks become available to integrate pw to stock browsers ( not just 1passsword but all other pw apps available). No wonder all seem to have a 'built in' browser of their own.

    The link to the article in post 1 of this thread points to a study (http://fc13.ifca.ai/proc/4-2.pdf ) which makes for interesting reading .

    ... now to verify if my phone is infected with pwsniffer. lol

  • mverdemverde

    Team Member

    @StanWiz‌ Anything copied to the clipboard is open to capture by a third-party app, and text copied from 1Password is no exception. Unfortunately, there is no clear cut way to check if third-party apps are monitoring the contents of your clipboard. This is because no special permissions are required to register for clipboard events on Android.

    In general, we try to minimize the need for our customers to rely on the system clipboard. As you noted above, this is one of the reasons that we provide a built-in browser in 1Password 4 on Android. This is also why we decided to go Lollipop-only for filling into third-party apps in our beta (supporting Jelly Bean and KitKat would have required the use of the clipboard).

    However, we also recognize that there are still times when you may want or need to use the clipboard to transfer information from 1Password. For those occasions, your best defence against any apps that might attempt to monitor the contents of your clipboard is to be very selective of the apps that you choose to install on your devices. In some ways, it's analogous to being selective of who you let into your home.

This discussion has been closed.