Pretty big security hole

bigphaty
bigphaty
Community Member
edited December 1969 in iOS
I loaded 1password on my MBP and my new iPhone 4. I was getting the settings worked out, and turned off my phone (while it was still on the 1password settings page)

When I turned my phone back on, it was still right there in 1password, everything viewable. I didn't have to enter the passcode to access it.

That's kind of a big hole in security, right? I just tried it again... turned the phone off on the "logins" page; turn the phone back on and there they are... wide open.

I have the auto-lock settings set to "only on exit or device lock"

Thanks

Comments

  • MikeT
    edited December 1969
    I haven't been able to reproduce this on my iPhone 3GS with iOS 4 on it. I have the setting to auto lock out only on exit or device lock and time set to 3 min to lock out. So far, i didn't get this bug that you're seeing.
  • bigphaty
    bigphaty
    Community Member
    edited December 1969
    Thanks for the reply Stu! I'm still getting used to the "multitasking" thing where i come back to applications where they were. It throws me off a bit sometimes.
  • nev
    nev
    Community Member
    edited December 1969
    I also noticed this problem on my iPhone 3GS using 1Password "Pro". Although I have the "Auto-Lock" security settings to lock "Only on Exit or Device Lock", the app does NOT lock on device lock.

    When the iPhone locks, and I unlock it, the app is open and everything's viewable.
  • MartyS
    MartyS
    Community Member
    edited December 1969
    nev wrote:
    I also noticed this problem on my iPhone 3GS using 1Password "Pro". Although I have the "Auto-Lock" security settings to lock "Only on Exit or Device Lock", the app does NOT lock on device lock.

    When the iPhone locks, and I unlock it, the app is open and everything's viewable.


    This appears to be something that's slated to be addressed in our next 1Password mobile apps updates.
  • ski22
    ski22
    Community Member
    edited July 2010
    I don't mean to sound rude, but isn't this the same unresolved security issue I repeatedly posted here on these forums starting 7 months ago ?

    http://support.agilewebsolutions.com/showthread.php?21649-Security-issue-1Password-does-not-autolock-when-iPhone-goes-into-sleep-mode&highlight=ski22
  • jpgoldberg
    jpgoldberg
    1Password Alumni
    edited December 1969
    Hi ski22. Thanks for reminding us of that earlier discussion.

    It is important to be frank and direct when reporting on a (long standing) security issue. So don't worry about sounding rude. We are glad to see your comments.

    Yes, this is pretty much the same problem you reported earlier. We haven't been ignoring this problem, but it has been hard to get 1Password on iOS to detect and act when the phone is put to sleep.

    In iOS 4, while we still don't have ideal access to a "sleep event", the timing for a lock certainly works. Among the finer and more sensible controls we have for locking settings, there is one that we are testing that will lock 1Password when you switch to another app or lock the device. We have been working hard testing these various settings, and so I can't promise the exact behavior that will be in the finished product, I can promise you that there will be much finer control and more secure behavior for auto lock of both the master password and the unlock code in the forthcoming version.

    I know it's been a long wait (and we still don't know exactly how much longer it will be), but I am confident that you will be happy with the results once you see them

    Cheers,

    -j
This discussion has been closed.