1Password – Password Manager and Secure Wallet 6.7.2 (iOS / App Store)

175x175bb (17)

This application is available for iOS. This app is designed to be a powerful password manager developed by AgileBits. The latest build was released on Jun 19, 2017. Our latest check was performed on Oct 7th, 2016.

Findings Summary

Our examination revealed total 14 items, where were 8 DAR items and 6 DIT items found. Among DAR items were found 0 worst items, 6 bad items, 2 good items, and 0 best items. Among DIT items were found 0 worst items, 1 bad item, 5 good items, and 0 best items.

Below you find 2 infographics summarizing what we described above. Each image provides information about both DAR and DIT items.

 

 

This slideshow requires JavaScript.


Everything presented below is related to well-known CWEs, such as Sensitive data leakage [CWE-200], Unsafe sensitive data storage [CWE-312], Unsafe sensitive data transmission [CWE-319]. You can read more about it here.

Now let’s go deeper and examine each data item’s protection level.

 

Application Description

Let’s cite the description of this application below:

1Password remembers all your passwords for you, and keeps them safe and secure behind the one password that only you know.
1Password: the password manager that’s as beautiful and simple as it is secure. Just add your passwords and let 1Password do the rest. Sign in to websites and apps with just a few taps, and use the password generator to change your passwords and make them stronger.
Featured on NBC’s Today Show: **Coolest must-have phone apps of 2017**!
Try 1Password free for 30 days, then keep going with a 1Password subscription*.
PUT PASSWORDS IN THEIR PLACE

  • Create strong, unique passwords and memorizable pass-phrases for your online accounts
  • Fill usernames, passwords, credit card numbers and addresses into websites and supported apps
  • Access your information on all your mobile devices and computers

GET ORGANIZED

  • Store items in more than a dozen categories: logins, credit cards, addresses, notes, bank accounts, driver’s licenses, passports, and more
  • Create multiple vaults to keep different areas of your life separate
  • Organize your information with tags and favorites
  • Add custom fields to your items to store security questions, extra URLs, and any other information you can think of
  • Use Spotlight to search for information when you need it, fast

STAY SAFE
Everything you store in 1Password is protected by a Master Password that only you know. 1Password uses end-to-end encryption, so your data is only ever decrypted offline. The encryption keys never leave your device, and you are the only one who can see your passwords.

  • Unlock the app quickly and securely with Touch ID
  • Lock the app automatically to ensure your data is protected, even if your device is lost or stolen
  • Use 1Password as your authenticator: store two-factor authentication (TOTP) codes and access them quickly when it’s time to sign in
  • Get alerts when a site you use has been compromised and you need to change your passwords

SHARE WITH TEAMS AND FAMILIES
1Password for iOS has full support for team and family accounts. It’s never been so easy to share the simple security of 1Password with those you work and live with.

  • Add all your accounts — family, team, individual — and see all your information in one place
  • Easily migrate information between accounts
  • Share passwords, documents, and more with teammates and family members

TRY FREE
Get a 30-day free trial when you install 1Password, and subscribe at any time using the in-app purchase*.
Your subscription includes the full 1Password experience for all your computers and mobile devices. Your data syncs securely and automatically between your devices, and can also be accessed on the web.
LOVED AND USED BY MILLIONS
1Password has been highlighted in The New York Times, The Wall Street Journal, Forbes, The Verge, Ars Technica, Mashable, and The Guardian. We’ve also received many awesome honors:

  • Named One of The World’s Greatest 100 Apps by Business Insider
  • Inducted into Macworld’s App Hall of Fame
  • Received an Ars Design Award

We’re proud of this recognition, and we’re even happier that millions of people love and use 1Password every day.
WE LOVE TO HEAR FROM YOU
We love 1Password and strive to make it the best it can be. Connect with us with us at support@agilebits.com, @1Password on Twitter, and Facebook.com/1Password!
* 1Password.com is a monthly service that costs $3.99 for individuals or $6.99 for a family of 5 (prices vary by region). Payment will be charged to iTunes Account at confirmation of purchase and auto-renews at the same price unless disabled in iTunes Account Settings at least 24 hours before the end of the current period. Your subscription can be managed in your iTunes Account Settings. No cancellation of the current subscription is allowed during the active subscription period.
* Privacy policy: https://1password.com/legal/privacy/
* Terms of Use: https://1password.com/legal/terms-of-service/

 

Protection levels.

Locally stored data (Data-at-Rest, DAR).

Locally stored data groups include Media Information, Application Information, Credentials Information, Log Information, Device Information.
The average DAR value is 4.25 points (7.00 points of system protection and 1.50 points of own protection). It is higher than a typical value (3.5 points, where’s 7 points of system protection and 0 points of own protection).

Items’ GROUP #1 with average value 6.50 points (7 points of system protection, 6 points of own protection) means data protection levels have following definitions. Frankly talking, protection and privacy issues are still possible but might involve interaction with an app code where system protection level means – root/jailbreak is required but not possible without wiping device data, and own protection level means – data is not available in backups.

– Screen Snapshots (‘Media Information’ Group) – Screenshots of your device screen running certain apps; common as an iOS app multitasking feature (app swipes) or browser tab swipes. This data item related to mentioned group meant to be any data like photo, image, video, audio,

– Credentials Sync Data (‘Credentials Information’ Group) – Information about your credentials including credentials plus additional info about linked services. This data item related to mentioned group meant to be any types of credentials including basic (IDs only), passwords, tokens, etc.

Items’ GROUP #2 with average value 3.50 points (7 points of system protection, 0 points of own protection) means data protection levels have following definitions. Frankly talking, extra data found that shouldn’t be accessed where system protection level means – root/jailbreak is required but not possible without wiping device data, and own protection level means – stored as is.

– Application Configs (‘Application Information’ Group) – Different configuration files created by your app, perhaps app permissions. This data item related to mentioned group meant to be any info related to the app, app settings, including installed apps or installers,

– Credentials (Tokens) (‘Credentials Information’ Group) – Different tokens used to get access to your account, except for passwords but including app or 3rd party tokens, secret keys, etc. (usually give full access to your account). This data item related to mentioned group meant to be any types of credentials including basic (IDs only), passwords, tokens, etc.,

– Credentials (IDs) (‘Credentials Information’ Group) – Only account IDs like app or 3rd party user IDs including emails, phone number, usernames, etc. (depends on apps). This data item related to mentioned group meant to be any types of credentials including basic (IDs only), passwords, tokens, etc.,

– Device Data (‘Log Information’ Group) – Device ID, Device Name, Device OS Name and Version, and jailbroken/root status. This data item related to mentioned group meant to be any information stored in local or network logs,

– Application Events (‘Log Information’ Group) – App events referred to user actions ‘n’ activities were done. This data item related to mentioned group meant to be any information stored in local or network logs,

– Environment (‘Device Information’ Group) – Different info about the environment of the device including apps lists, device info, OS name and versions, updates, a list of users, network details, etc. This data item related to mentioned group meant to be details about your device

Also, keep in mind, using jailbroken device means the system protection level is 0 points and you’re using out-of-date iOS < 8.3 the system protection level is 2 points. If some data marked as shareable via iTunes, then the system protection level is 4 points.

Transferred data (Data-in-Transit, DIT).

Transferred data groups include Credentials Information.
The average DIT value is 6.17 points (5.00 points of system protection and 7.33 points of own protection). It is higher than a typical value (4 points, where’s 4 points of system protection and 4 points of own protection).

Items’ GROUP #1 with average value 6.50 points (5 points of system protection, 8 points of own protection) means data protection levels have following definitions. Frankly talking, protection and privacy issues are still possible but might involve interaction with an app code where system protection level means – some techniques are available to developers to keep connection bypassing system settings, like proxy settings, etc., and own protection level means – own vpn or own crypto but compliance.

– Credentials (IDs) (‘Credentials Information’ Group) – Only account IDs like app or 3rd party user IDs including emails, phone number, usernames, etc. (depends on apps). This data item related to mentioned group meant to be any types of credentials including basic (IDs only), passwords, tokens, etc.,

– Credentials (Passwords) (‘Credentials Information’ Group) – Well-known passwords or PINs you’re using to get access to your account (usually it is worse than tokens because it gives full access to your account). This data item related to mentioned group meant to be any types of credentials including basic (IDs only), passwords, tokens, etc.,

– Credentials (Tokens) (‘Credentials Information’ Group) – Different tokens used to get access to your account, except for passwords but including app or 3rd party tokens, secret keys, etc. (usually give full access to your account). This data item related to mentioned group meant to be any types of credentials including basic (IDs only), passwords, tokens, etc.,

– Encryption Key (‘Credentials Information’ Group) – Encryption key found in app data folders, traffic or code of app used to protect your data. This data item related to mentioned group meant to be any types of credentials including basic (IDs only), passwords, tokens, etc.,

– Credentials Sync Data (‘Credentials Information’ Group) – Information about your credentials including credentials plus additional info about linked services. This data item related to mentioned group meant to be any types of credentials including basic (IDs only), passwords, tokens, etc.

Items’ GROUP #2 with average value 4.50 points (5 points of system protection, 4 points of own protection) means data protection levels have following definitions. Frankly talking, data available if it’s allowed only and may require user action where system protection level means – some techniques are available to developers to keep connection bypassing system settings, like proxy settings, etc., and own protection level means – bypassed by fake/stolen root certificates.

– Device Data (‘Credentials Information’ Group) – Device ID, Device Name, Device OS Name and Version, and jailbroken/root status. This data item related to mentioned group meant to be any types of credentials including basic (IDs only), passwords, tokens, etc.

Keep in mind if you’re using out-of-date iOS < 9.0, the system level equals 2 points instead of 4. It means your data can be stolen without involving your actions.

Privacy Policy

Full application privacy policy is available here.