Why do we not have to unlock the app to update it?

@dwightk - I'm not quite sure what you mean. If you have 1Password for Mac from us (AgileBits), you are in control of when you check for updates. Like many Mac apps, you can choose to check automatically (recommended), or you can use either the 1Password menu or Preferences > Updates to check manually. Both of these can be done either with 1Password locked or unlocked. And since updates are typically not affecting your data in any way, we haven't seen much reason to change that. Can you explain a little more about what you're concerned about?

@dwightk -- it is never "dumb" to think proactively and creatively about your own security, so don't worry about that at all! We're glad to see our users getting more involved in the process of protecting their digital lives. We think we offer a great tool to assist you in that regard, but it's always been our idea that security is a process, not a product. I'm much more worried about people that think because they bought 1Password (or a VPN, or any other security software), that they are somehow invulnerable forever. In short, don't apologize: you're doing it right!

Having said that, let me put your mind hopefully at more ease. First, as you seem to have realized, that's a pretty unlikely scenario to occur in the real world -- but not an impossible one. However, even in the case you imagine, there's no real benefit to installing a 1Password update through normal channels. It would NOT mean the attacker has "an app they control," it just means they'd be doing some update work for you! ;)

However, if you run your Mac in an Admin account (as opposed to a standard user account), and someone physically gets hold of it while it's unlocked, all bets are pretty much off if they're a skilled adversary. With an Admin account open, there's not much a truly knowledgeable adversary couldn't do to you. Our Chief Defender Against the Dark Arts here, Jeff Goldberg has a saying that if an adversary can execute arbitrary code on your computer running as root, then it can no longer truly be considered your computer. That's why we encourage people to set more-restrictive settings on how long before their screen-saver or sleep function kicks in, and requiring their computer's password to recover from sleep or screen saver. It's why we urge people not to run their day-to-day operations as root or in an Admin account -- but these are well outside the scope of 1Password itself. Suffice it to say, unless an adversary got hold of your Mac AND had a malicious version of our app all ready on a USB flash drive or similar, to install as a fake update, you're not in much danger from such a scenario. Thanks for being an active member of this forum, however, and feel free to drop by anytime if you have questions!