Archive for the ‘iOS’ Category

iOS Pasteboard Security

September 25th, 2014

There’s been a lot of chatter on the internet lately about the security of webviews embedded in 3rd party applications. Basically, the host application has full access to what you type into that webview, so if you navigate to another website inside it and enter a password, that password could be read.

I think an interesting factor in iOS 8 that enhances security in a more subtle manner is action extensions. Action extensions allow apps like 1Password, LastPass, etc. to perform small actions. In particular for password managers: inserting password data into Safari (and other apps that allow it). This allows people to use a variety of passwords and still easily access them for authentication, which is great for security on its own, but there’s more to it than that.

The previous strategy these apps used was that you would enter the application, choose the password you wanted, and copy it to the pasteboard. You could then paste it into whatever application needed that password. This data has to be in the general pasteboard to be shared between apps, and most people simply paste the password and forget what’s in their pasteboard. This also means every app they open afterwards has access to the plaintext version of this password (and to a nice shiny identifier showing that com.agilebits.onepassword has an existing UIPasteboard item as well). At least as far as I can tell.

I start out by going to 1Password and copying a password.

I next compile and run my app, using a simple println/NSLog on the UIPasteboard in my AppDelegate, and my password is revealed. The code looks like this:
(In Swift for …fun?)

import UIKit
// Dump every item on the shared system pasteboard (Swift 1.x API names, iOS 8)
let pasteBoard = UIPasteboard.generalPasteboard()
println(pasteBoard.items)

The result:
[{
"public.utf8-plain-text" = <My_Password_Here_In_Plaintext>;
}, {
"com.agilebits.onepassword" = <Random_Numbers_Here>;
}]

Apparently you have to use the public.utf8-plain-text UTI for your pasteboard data if you want it accessible in Notes/Mail etc, according to Erica Sadun.

Doing some basic filtering on that data to exclude obviously too-long passwords, URLs, etc., you could come up with some decent options for passwords to try again later.

I would love to hear if my thoughts here are wrong (perhaps debugging allows for extra access? or something else along those lines).

Edit:

It seems 1Password has a setting to clear your clipboard between 30 seconds and 3 minutes later, with the default being never. LastPass will let you manually clear it, but doesn’t seem to contain the same auto-clearing option.
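
The auto-clearing and manual-clearing behaviour described in the edit above can be done by the copying app itself. The following is an added example, not code from this post, 1Password or LastPass; it assumes the UIPasteboard item options available from iOS 10 onward, and the SecretPasteboard type and its method names are hypothetical.

```swift
import UIKit

/// Hypothetical helper: puts a secret on the general pasteboard with a
/// bounded lifetime instead of leaving it there indefinitely.
@MainActor
enum SecretPasteboard {
    /// UTI from the post; needed so the text can be pasted into Notes, Mail, etc.
    static let plainTextUTI = "public.utf8-plain-text"

    /// changeCount recorded right after our own write. If it still matches
    /// later, nothing else has replaced the pasteboard contents since.
    private static var lastWriteChangeCount: Int?

    /// Copy `secret` so that the system removes it after `lifetime` seconds.
    static func copy(_ secret: String, lifetime: TimeInterval = 30) {
        let pasteboard = UIPasteboard.general
        let options: [UIPasteboard.OptionsKey: Any] = [
            // The system deletes the items at this date, even if this
            // app is no longer in the foreground.
            .expirationDate: Date().addingTimeInterval(lifetime),
            // Keep the secret on this device (no Universal Clipboard sync).
            .localOnly: true
        ]
        // Write only the plain-text representation: no extra item keyed by
        // the app's own identifier that tells readers where the text came from.
        pasteboard.setItems([[plainTextUTI: secret]], options: options)
        lastWriteChangeCount = pasteboard.changeCount
    }

    /// Manual "clear clipboard" action. Wipes the pasteboard only if it still
    /// holds what this app wrote, so unrelated user data copied later is kept.
    /// Reading changeCount does not read the pasteboard contents.
    @discardableResult
    static func clearIfStillOurs() -> Bool {
        let pasteboard = UIPasteboard.general
        guard let written = lastWriteChangeCount,
              pasteboard.changeCount == written else {
            lastWriteChangeCount = nil
            return false
        }
        pasteboard.items = []
        lastWriteChangeCount = nil
        return true
    }
}
```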

Categories: Code, iOS, Security

iOS 7 and the iPad

June 19th, 2013

So, iOS 7 features a brand new “light” interface, with thin fonts to take “full advantage” of the retina displays on new iOS devices. Now, whether or not you like it or agree with the decision (personally I wasn’t a fan to start, but I’m really starting to like iOS 7 now!), there’s one little snag incoming.

Apple didn’t release an iPad version of the iOS 7 beta yet, and I think I might know part of the reason why. There were rumors that iOS 7 was slightly behind schedule, so obviously they focused on the iPhone to get a good announcement and initial beta going. However, I think the iPad mini is an issue that I’m interested to see how they will address. It’s the only non-retina device that supports iOS 7, and since it came out so recently it has to be supported for a couple versions at least. I’m assuming a retina iPad mini will be coming out soon, but even so, how will it work on the iPad mini? I just got mine and don’t want to give it up anytime soon (it’s not so cheap to easily replace 🙁 ). Will the text be legible? I guess they’ll probably just make the font a bit thicker, but I’m curious if they will compromise on their vision of what iOS 7 should look like.

Just a random stream of consciousness post.

Edit:

@joshhinman brings up a good point that the iPad 2 is also supported. That’s even less pixel dense than the iPad mini, so we’ll see how iOS 7 works on those devices. In any case, I think that Apple can drop the iPad 2 in iOS 8 without too much uproar while the mini should stick around a bit longer. I still wonder what they have planned for non-retina screens.

Categories: General, iOS, Thoughts