TeamSIK report on 1Password for Android

We and our customers benefit greatly from the work that TeamSIK did in their excellent analysis of 1Password 6.3.3 for Android. The particular issues they reported to us at the beginning of September 2016 were quickly addressed in beta versions of 1Password for Android (6.4.1-BETA-1 on September 13 and 6.4.1-BETA-2 on September 21). The fixes were included in the full release of 1Password for Android 6.4.1 on September 27, 2016.

Although the TeamSIK report is highly critical of the security offered by password managers on Android in general, we hope that readers of their overview will take the time to recognize that their general statements do not apply universally, and that the issues that were specific to 1Password on Android were promptly addressed.

TeamSIK reported five vulnerabilities: one “high” severity issue (SIK-2016-039), three “medium” severity issues (SIK-2016-038, SIK-2016-040, SIK-2016-041), and one “low” severity issue (SIK-2016-042):

  • SIK-2016-039 (defaulting to HTTP instead of HTTPS when a login item's website field has no scheme, so that opening the item could send the user to a plaintext page) and SIK-2016-040 (creating new vaults in the legacy Agile Keychain format, which stores item metadata such as titles and URLs unencrypted, instead of the newer OPVault format, which encrypts it) are both cases in which we did not move swiftly enough to more secure defaults. There is a clear lesson for us in that.
  • SIK-2016-038 (subdomain matching) is really two issues. The first is the use of regular expressions to parse URIs; we were already in the process of replacing that with stricter, purpose-built URL parsing. The second is deciding when a subdomain should match a domain, which often has to be settled case by case: there is no single rule for whether a 1Password login saved for ccc.bbb.aaa should also match a site at ddd.ccc.bbb.aaa. We adjust these cases as we encounter them.
  • SIK-2016-041 (read data from app folder) was the one that took us by surprise. It was a simple and unambiguous bug, and we addressed it within a couple of hours of the report.
  • SIK-2016-042 (privacy of our Rich Icons server) is the “low” severity issue that we have long documented in our article on rich icons and your privacy. Rich icons can be turned off.
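The two URL-handling issues above (SIK-2016-039 and SIK-2016-038) come down to the same pair of decisions: which scheme a scheme-less website field gets, and how a saved host is compared with the host of the page being filled. The following is an added example, not 1Password's code, showing one defensible policy: HTTPS as the default scheme, a real URL parser rather than a regex, label-boundary comparison so that the page host must equal or be a subdomain of the item host, no filling of an item saved for a bare public suffix, and no offering of an https item to an http page. Those rules, the function names and `PUBLIC_SUFFIXES` (a constructed stand-in for the Public Suffix List) are this example's assumptions; the article itself says the subdomain question is decided case by case. A naive regex-plus-substring matcher is included only to show the failure it invites.

```python
"""Scheme defaulting and host matching for stored login items.

Added example, not 1Password's own code. The policy choices (HTTPS as the
default scheme, page host equal to or a subdomain of the item host, no match
on a bare public suffix, no https->http downgrade) are this example's
assumptions. PUBLIC_SUFFIXES is a constructed stand-in for the real list.
"""
import re
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Constructed subset of the Public Suffix List (publicsuffix.org). A real
# implementation loads a current copy of the full list.
PUBLIC_SUFFIXES = {"com", "org", "net", "uk", "co.uk", "github.io"}


def normalize_item_url(raw: str) -> str:
    """Canonical absolute URL for an item's website field.

    A value saved without a scheme ("example.com/login") is treated as
    HTTPS, so "open in browser" never defaults to a plaintext request.
    Only http and https are accepted; userinfo and fragment are dropped.
    """
    raw = raw.strip()
    if "://" not in raw:          # scheme-less: choose the secure default
        raw = "https://" + raw
    parts = urlsplit(raw)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme {parts.scheme!r}")
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        raise ValueError("URL has no host")
    port = parts.port             # raises ValueError if the port is not numeric
    netloc = host if port is None else f"{host}:{port}"
    return urlunsplit((parts.scheme, netloc, parts.path or "/", parts.query, ""))


def registrable_domain(host: str) -> Optional[str]:
    """eTLD+1 of host, or None when host is itself a public suffix."""
    labels = host.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return None if i == 0 else ".".join(labels[i - 1:])
    # Unknown TLD: treat the last label as the suffix (the PSL's "*" rule).
    return None if len(labels) < 2 else ".".join(labels[-2:])


def item_matches_page(item_url: str, page_url: str) -> bool:
    """May the item saved for item_url be offered for filling on page_url?"""
    try:
        item = urlsplit(normalize_item_url(item_url))
        page = urlsplit(normalize_item_url(page_url))
    except ValueError:
        return False                          # unparseable or non-http(s)
    if item.scheme == "https" and page.scheme == "http":
        return False                          # never downgrade an https item
    item_host, page_host = item.hostname, page.hostname
    if registrable_domain(item_host) is None:
        return False                          # item saved for "co.uk", "github.io", ...
    # Exact host, or page is a subdomain: compare on a label boundary so that
    # "example.com" matches neither "example.com.evil.net" nor "myexample.com".
    return page_host == item_host or page_host.endswith("." + item_host)


_NAIVE_HOST = re.compile(r"^(?:https?://)?([^/]+)")


def naive_item_matches_page(item_url: str, page_url: str) -> bool:
    """The fragile approach: regex "parsing" plus substring matching.

    Constructed for contrast only; it accepts attacker-controlled hosts
    that merely contain the saved host as a substring.
    """
    item_host = _NAIVE_HOST.match(item_url).group(1).lower()
    page_host = _NAIVE_HOST.match(page_url).group(1).lower()
    return item_host in page_host
```

With these rules an item saved for `bbb.aaa` is offered on `ccc.bbb.aaa`, an item saved for `ccc.bbb.aaa` is offered on `ddd.ccc.bbb.aaa` but not on the parent `bbb.aaa`, and `example.com` is never offered on `example.com.evil.net`, which the naive matcher accepts.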

We’re extremely grateful for the work done by TeamSIK. Their report inspired swift action in some areas and correctly identified challenges that face all password managers.

We have a long history of dedicated collaboration with the security community, and we always welcome scrutiny in the way we design our products. Being open and transparent is the best way to design and develop a secure product.

Learn more about our commitment to openness and transparency: