1Password – Password Manager and Secure Wallet 6.5.3 (Android / Google Play)


This application is available for Android. This app is designed to be a powerful password manager developed by AgileBits. The latest build was released on July 5, 2017. Our latest check was performed on Oct 7th, 2016.

Findings Summary

Our examination revealed a total of 13 items: 7 DAR items and 6 DIT items. Among the DAR items there were 0 worst items, 7 bad items, 0 good items, and 0 best items. Among the DIT items there were 0 worst items, 0 bad items, 1 good item, and 5 best items.

Below are 3 infographics summarizing the findings described above. Each image provides information about both DAR and DIT items.


Everything presented below relates to well-known CWEs: sensitive data leakage [CWE-200], unsafe sensitive data storage [CWE-312], and unsafe sensitive data transmission [CWE-319]. You can read more about it here.

Now let’s go deeper and examine each data item’s protection level.

 

Application Description

Let’s cite the description of this application below:

1Password: the password manager that's as beautiful and simple as it is secure. Simply add your passwords, and let 1Password do the rest. Try 1Password free for 30 days, then keep going with a 1Password.com subscription.
Selected by Android Central as the Best Password Manager for Android: “For those who want the absolute best password manager for their phone, tablet, and computers, 1Password is the way to go.”
PUT PASSWORDS IN THEIR PLACE
1Password remembers all your passwords for you, and keeps them safe and secure behind the one password that only you know.

  • Create strong, unique passwords for all your online accounts
  • Fill usernames and passwords into websites and apps
  • Access your information on all your mobile devices and computers
  • Share passwords securely with your family or company
  • Unlock with a single tap using Fingerprint Unlock

GET ORGANIZED
1Password is for more than just passwords: it’s the ideal place for financial information, personal documentation, or anything you need to keep secure and accessible.

  • Store information in more than a dozen categories: logins, credit cards, addresses, notes, bank accounts, driver licenses, passports, and more
  • Create multiple vaults to keep different areas of your life separate
  • Organize your information with favorites
  • Use search to find and filter your information

STAY SAFE
Everything you store in 1Password is protected by a Master Password that only you know. 1Password uses end-to-end encryption, so your data is only ever decrypted offline. The encryption keys never leave your device, and you are the only one who can see your passwords.

  • Unlock the app quickly and securely with Fingerprint Unlock
  • Lock the app automatically to ensure your data is protected, even if your device is lost or stolen

SHARE WITH TEAMS AND FAMILIES
1Password for Android has full support for team and family accounts. It’s never been so easy to share the simple security of 1Password with those you work and live with.

  • Add all your accounts — family, team, individual — and see all your information in one place
  • Easily migrate information between accounts
  • Share passwords and more with teammates and family members

TRY FREE
Get a 30-day free trial when you install 1Password, and subscribe at any time on 1Password.com.
Your subscription lets you use 1Password everywhere. Your data syncs securely and automatically between your devices, and can also be accessed on the web. Learn more at https://1password.com.
LOVED AND USED BY MILLIONS
1Password has been highlighted in The New York Times, GQ, The Wall Street Journal, Forbes, The Verge, Ars Technica, Mashable, and The Guardian.

  • Featured on NBC’s Today Show: Coolest must-have phone apps of 2017!
  • Named One of The World’s Greatest 100 Apps by Business Insider

We’re proud of this recognition, and we’re even happier that millions of people love and use 1Password every day.
WE LOVE TO HEAR FROM YOU
We love 1Password and strive to make it the best it can be. Connect with us at support+android@agilebits.com, @1Password on Twitter, and Facebook.com/1Password! We're also available for feedback or questions in our discussion forums at https://1pw.ca/AndroidForum.

 

Protection levels.

Locally stored data (Data-at-Rest, DAR).

Locally stored data groups include Application Information, Credentials Information, Log Information, Device Information.
The average DAR value is 3.50 points (7.00 points of system protection and 0.00 points of own protection). This equals the typical value (3.5 points: 7 points of system protection and 0 points of own protection).

The items below have an average value of 3.50 points (7 points of system protection, 0 points of own protection). Put plainly, extra data was found that should not be accessible. The system protection level means that root/jailbreak is required but is not possible without wiping device data; the own protection level means that the data is stored as is.

– Application Configs (‘Application Information’ Group) – Different configuration files created by your app, perhaps app permissions. This group covers any info related to the app and app settings, including installed apps or installers.

– Credentials (Tokens) (‘Credentials Information’ Group) – Different tokens used to get access to your account, except for passwords but including app or 3rd party tokens, secret keys, etc. (these usually give full access to your account). This group covers any type of credentials, including basic ones (IDs only), passwords, tokens, etc.

– Credentials (IDs) (‘Credentials Information’ Group) – Only account IDs, such as app or 3rd party user IDs, including emails, phone numbers, usernames, etc. (depends on the app). This group covers any type of credentials, including basic ones (IDs only), passwords, tokens, etc.

– Device Data (‘Log Information’ Group) – Device ID, device name, device OS name and version, and jailbroken/root status. This group covers any information stored in local or network logs.

– Application Events (‘Log Information’ Group) – App events that record the user's actions and activities. This group covers any information stored in local or network logs.

– Credentials Sync Data (‘Credentials Information’ Group) – Information about your credentials, including the credentials themselves plus additional info about linked services. This group covers any type of credentials, including basic ones (IDs only), passwords, tokens, etc.

– Environment (‘Device Information’ Group) – Different info about the environment of the device, including app lists, device info, OS name and versions, updates, a list of users, network details, etc. This group covers details about your device.

Keep in mind that if you're using certain Android devices, such as Samsung, LG or another device with an unlocked or non-locked bootloader that allows rooting the device without user action, the system level equals 6 points instead of 7. This means your data can be stolen without any action on your part.

Transferred data (Data-in-Transit, DIT).

Transferred data groups include Credentials Information.
The average DIT value is 6.67 points (6.00 points of system protection and 7.33 points of own protection). This is higher than the typical value (4 points: 4 points of system protection and 4 points of own protection).

Group #1 items have an average value of 7.00 points (6 points of system protection, 8 points of own protection). Put plainly, the protection is compliant, but there are publicly known techniques, including forensic ones, to access the data. The system protection level means that MITM or fake certificate importing is prevented, but plaintext, unprotected traffic is intercepted; the own protection level means the app's own VPN or own crypto is used, but at compliance level.

– Credentials (IDs) (‘Credentials Information’ Group) – Only account IDs, such as app or 3rd party user IDs, including emails, phone numbers, usernames, etc. (depends on the app). This group covers any type of credentials, including basic ones (IDs only), passwords, tokens, etc.

– Credentials (Passwords) (‘Credentials Information’ Group) – Well-known passwords or PINs you use to get access to your account (usually worse than tokens, because they give full access to your account). This group covers any type of credentials, including basic ones (IDs only), passwords, tokens, etc.

– Credentials (Tokens) (‘Credentials Information’ Group) – Different tokens used to get access to your account, except for passwords but including app or 3rd party tokens, secret keys, etc. (these usually give full access to your account). This group covers any type of credentials, including basic ones (IDs only), passwords, tokens, etc.

– Encryption Key (‘Credentials Information’ Group) – An encryption key used to protect your data, found in the app's data folders, traffic or code. This group covers any type of credentials, including basic ones (IDs only), passwords, tokens, etc.

– Credentials Sync Data (‘Credentials Information’ Group) – Information about your credentials, including the credentials themselves plus additional info about linked services. This group covers any type of credentials, including basic ones (IDs only), passwords, tokens, etc.

Group #2 items have an average value of 5.00 points (6 points of system protection, 4 points of own protection). Put plainly, the data is not available all the time, or can only be partially accessed. The system protection level means that MITM or fake certificate importing is prevented, but plaintext, unprotected traffic is intercepted; the own protection level means the protection can be bypassed with fake or stolen root certificates.

– Device Data (‘Credentials Information’ Group) – Device ID, device name, device OS name and version, and jailbroken/root status. This group covers any type of credentials, including basic ones (IDs only), passwords, tokens, etc.

Keep in mind that if you're using an out-of-date Android version < 7.0, the system level equals 4 points instead of 6. This means your data can be stolen with a crafted certificate preinstalled on the device, or if someone makes you install a certificate. Also, if you're using an out-of-date Android version < 5.0, the system level equals 2 points instead of 4. This means your data can be stolen without any action on your part.

Privacy Policy

The full application privacy policy is available here.

Follow the link above for the privacy policy details, to compare the developer's view of data protection with our results.