1Password inter-process communication: a discussion

Recently, security researcher Luyi Xing of Indiana University at Bloomington and his co-authors released the details of their research revealing security vulnerabilities in Apple’s Mac OS X and iOS that allow “a malicious app to gain unauthorised access to other apps’ sensitive data such as passwords and tokens for iCloud, Mail app and all web passwords stored by Google Chrome.”  It has since been described in the technology press, including an article in the Register with a somewhat hyperbolic title. I should point out that even in the worst case, the attack described does not get at data you have stored in 1Password.

The fact of the matter is that specialized malware can capture some of the information sent by the 1Password browser extension and 1Password mini on the Mac under certain circumstances.  But roughly speaking, such malware can do no more (and actually considerably less) than what a malicious browser extension could do in your browser.

For 1Password, the difficulty is in fully authenticating the communication between the 1Password browser extension and 1Password mini; however, this problem is not unique to 1Password. The difficulty of securing inter-process communication on the operating system is a problem system-wide. A recent paper, “Unauthorized Cross-App Resource Access on MAC OS X and iOS” (PDF),  by Luyi Xing (Li) and his colleagues shows just how difficult securing such communication can be. Since November 2014, we’ve been engaged in discussion with Li about what, if anything, we can do about such attacks. He and his team have been excellent at providing us with details and information upfront.

As always, we are limited in what we can do in the face of malware running on the local machine. It may be useful to quote at length the introduction of that article

I have said it before, and I’ll say it again: 1Password […] cannot provide complete protection against a compromised operating system. There is a saying […] “Once an attacker has broken into your computer […], it is no longer your computer.” So in principle, there is nothing that 1Password can do to protect you if your computer is compromised.

In practice, however, there are steps we can and do take which dramatically reduce the chances that some malware running on your computer [could obtain your 1Password data].

That was written more specifically about  keystroke loggers, and there are some things that set the new attack apart. Like superficial keystroke loggers it doesn’t require “admin” or “root” access, but they were able to sneak a proof of concept past Apple reviewers.

The threat

The threat is that a malicious Mac app can pretend to be 1Password mini as far as the 1Password browser extension is concerned if it gets the timing right. In these cases, the malicious app can collect Login details sent from the 1Password browser extension to the fake 1Password mini. The researchers have demonstrated that it is possible to install a malicious app that might be able to put itself in a position to capture passwords sent from the browser to 1Password.

Note that their attack does not gain full access to your 1Password data but only to those passwords being sent from the browser to 1Password mini. In this sense, it is getting the same sort of information that a malicious browser extension might get if you weren’t using 1Password.


1Password provides its own security. What I mean by this is that for the bulk of what we do, we don’t generally rely upon security mechanisms like sandboxing or iOS Keychain. So it doesn’t matter whether those sorts of security measures provided by the operating system fail.

The careful reader will note, however, that I used phrases like “for the bulk of what we do” and “don’t generally rely upon” in the previous paragraph. There are some features and aspects for which some of 1Password’s security makes use of those mechanisms, and so vulnerabilities in those mechanisms can allow for harm to us and our customers.

1Password mini listens to the extension

Application sandboxing is a good thing for security. But it limits how the 1Password browser extension can actually exchange data with 1Password itself. Indeed, the extension (correctly) has no direct access to your data. Keeping your data out of the browser (a relatively hostile environment) is one of our security design choices. But this does mean that the 1Password browser extension needs to find a way to talk to something that does actually manage your data. 1Password mini (originally the 1Password Helper) was invented for this purpose.

One of the few ways that a browser extension can communicate locally is through a websocket. Browser extensions are free to talk to the Internet as a whole, but we certainly don’t want our browser extension doing that; we only want it talking to 1Password locally. So we restrict the browser extension to only talking to 1Password mini via a local websocket.

Mutual authentication

Obviously we would want 1Password mini and the browser extension to only talk to bona fide versions of each other, so this becomes a problem of mutual authentication. There should be some way for 1Password mini to prove to the extension that it is the real one, and there should be a way for the browser extension to prove to 1Password mini that it is a real 1Password browser extension.

The difficulty that we face is that we have no completely reliable mechanism for that mutual authentication. Instead, we employ a number of separate mechanisms of authentication, but each has its own limitations. We have no way to guarantee that when the browser extension reaches out to 1Password mini it is really talking to the genuine one.

There are a number of checks that we can (and do) perform to see if everyone is talking to who they think they are talking to, but those checks are not perfect. As a result, malware running on your Mac under your username can sometimes defeat those checks. In this case, it can pretend to be 1Password mini when talking to the browser extension and thus capture any information sent from the 1Password browser extension that is intended for the mini.

What can be done

Neither we nor Luyi Xing and his team have been able to figure out a completely reliable way to solve this problem. We thank them for their help and suggestions during these discussions. But, although there is no perfect solution, there are things that can be done to make such attacks more difficult.

What you can do

1. Check “Always Keep 1Password Mini Running” in Preferences > General

In the specific attack that Luyi Xing demonstrates, the malicious malware needs to be launched before the genuine 1Password mini is launched. By setting 1Password mini to always run, you reduce the opportunity for that particular attack.

keep mini running



2. Keep using the 1Password browser extension

Although what is described is an attack against the communication between 1Password mini and the browser extension through specialized malware, using the 1Password browser extension protects you from a more typical malware attack of pasteboard/clipboard sniffers. Likewise, the 1Password extension helps fend off phishing attacks because it will refuse to fill into pages that don’t match the domain for your saved Logins.

Quite simply, the 1Password extension not only makes life easier for you, but it is an important safety feature on its own.

3. Pay attention to what you install

As always be careful about what software you run and install on your system. On your Mac, open System Preferences > Security & Privacy > General. You’ll see an Allow apps downloaded from: setting there. We strongly recommend confirming that this setting is configured so that only apps from trusted sources can be opened. You can read more about the setting and its options on Apple’s support site.

Now Xing and his team point out that this isn’t a guaranteed way to prevent malware being installed. They were able to get a malicious app approved by the Mac App Store review process. However, I think it is reasonable to assume that now that Apple reviewers know what to look for, it will be much harder for that specific kind of malware to get through.

What we can do

There are additional (defeasible) mechanisms that we can add to our attempts at mutual authentication between the extension and 1Password mini. I will briefly mention a few that we’ve considered over the years.

Encryption with an obfuscated key

One option is to have a shared obfuscated key in both 1Password mini and the extension. (Remember that the browser extension never sees your Master Password so any secret it stores for authentication cannot be protected by your Master Password.)

Obfuscation only makes things harder for attackers until someone breaks the obfuscation, and every system designer should assume that obfuscation will be broken. See our discussion of Kerckhoffs’ Principle in our article, “You have secrets; we don’t,” for some background on why we tend to be reluctant to use obfuscation. Of course, it may be warranted in the absence of a more effective alternative, so this remains under consideration.

In anticipation of a likely suggestion, I should point out that even the magic of public key encryption wouldn’t save us from having to rely on obfuscation here; but I will save that discussion for our forums.

Using the OS X keychain

Another option would be to store authentication secrets in the OS X keychain, so that both our browser extension and 1Password mini would have access to it. This could be made to work for authenticating 1Password mini to the extension for those browsers that allow easy use of the OS X keychain.

This might solve half the problem for some browsers, but to date we’ve been focusing on solutions that work across all of the browsers we support.

An extreme solution

In the extreme case, we could have some explicit pairing (sort of like Bluetooth) between 1Password mini and the extension.  That is, the browser extension may display some number that you have to type into 1Password mini (or the other way around).  With this user intervention we can provide solid mutual authentication, but that user action would need to be done every time either the browser or 1Password mini is launched.

Quite frankly, there is no really good solution for this. To date, our approach has been to put in those authentication checks that we have and keep an eye out for any hints of malware that exploits the known limitations of what we do.

Is 1Password for iOS affected?

The research paper isn’t limited to discussing inter-process communication (IPC) that is done through websockets, but covers a wide range of mechanisms used on Apple systems. This includes some mechanisms that we may use for some features in 1Password for iOS.

Shared data security

1Password for iOS shares some of its data with the 1Password app extension. As most of that data is encrypted with your Master Password, it is not a substantial problem if that data becomes available to attackers. The exception, of course, is the TouchID secret.

As yet, we have not had a chance to test whether there is any exposure there, but watch this space for updates.


We truly are grateful for the active security community, including Luyi Xing and his team, who take the time to test existing security measures and challenge us to do better. Our analysis of the researchers’ findings will continue and we will post an update if further action is necessary.

because we love you sale, feature image

The Because We Love You Sale

UPDATE: The Because We Love You Sale will be ending the evening of May 27, 2015.

Everything we do here at AgileBits is with you in our hearts & minds: whether it’s sharing tips & tricks to enhance your security, squashing bugs & implementing exciting new features, or answering your questions in our Support Forums, our focus is always on you.  And every once in a while we like to go all out and show how much we appreciate you by having a good old-fashioned sale.

We usually like to focus a sale around a holiday or a release from a certain California-based fruit company, but today we were searching for another reason to celebrate. So we gathered our crack marketing team around the MacBook and started brainstorming ideas:

  • Dinosaurs are awesome! Okay, maybe we’re just really excited for that new prehistoric blockbuster that’s coming soon to a theater near you.
  • Someone on the team had a birthday! It’s true, there’ve been a number of May birthdays here at AgileBits, but we’ve already overdosed on sugary frosting.
  • Baseball’s back! But really, we just wanted to sing “Take me out to the ballgame.”
  • Spring is here?  It’s been done a billion times before.  Boring.
  • We love you! Oh, there it is. What better reason do we need than just to simply say…

we love you. And to show how much we care, we’re knocking 30% off 1Password across the board on Mac, Windows, iOS, and Android.

While our love for you will last forever, this sale won’t. So if you or someone you love has been holding off on buying 1Password, now is the time to say, “I love you, too.”

You can pick up a Mac/Windows bundle (or grab them separately) on our AgileBits Store. 1Password for Mac is also available on the Mac App Store. And 1Password for iOS is on the iOS App Store, and 1Password for Android on Google Play.


1Password for Apple Watch: Putting Security Within Arm’s Reach

1Password for Apple Watch 01Today’s the day! A number of you (and a number of us) are finally going to be able to play with the latest and greatest addition to our gadget family: Apple Watch. No doubt, once you have sent your heartbeat to someone, put in your height and weight measurements for fitness tracking, and marveled at just how cool the haptic feedback is, you’re going to start playing with all the apps that have added support for Apple Watch. As you may have noticed from our latest iOS update, 1Password is one of those apps. We’re thrilled to introduce 1Password for Apple Watch and answer all of your burning questions about this handy little companion app to 1Password for iOS.

Is all of my 1Password data on my watch?

Add to Apple WatchNope! Much like Apple Watch is a companion device to your iPhone, 1Password for Apple Watch is a companion app to 1Password for iOS. After you enable Apple Watch functionality in 1Password’s settings, a new option will appear on the item detail screen which will allow you to “Add to Apple Watch”. You choose which pieces of information you want to make available on your Apple Watch. Logins, Passwords, Credit Cards, and Secure Notes are all fair game to add to Apple Watch.

What am I going to use this for?

When Apple Watch was announced, we immediately began brainstorming ways to bring 1Password to this incredibly personal device. Our first idea was a bit of a no-brainer: the small screen of Apple Watch, coupled with being able to access it quickly, made it the ideal place for one time passwords (TOTP). For a long time that was all our Apple Watch app did; however, after some more thought we realized it could be used for so much more.

As a recent blog post explains, 1Password can be used to store all kinds of information beyond website logins. Locker combinations, bike lock combinations, garage door codes, office keyless entry codes, banking PINs…. All of these pieces of information can be stored in 1Password, and with the introduction of Apple Watch they can now be stored on your wrist.

This is where 1Password for Apple Watch shines: Small pieces of secure data that you need throughout your day can literally be kept within arm’s reach at all times.

Store your locker combination on your Apple Watch.

Store your locker combination on your Apple Watch.

1Password for Apple Watch can ensure that your door's unlock code is always handy.

1Password for Apple Watch can ensure that your door’s unlock code is always handy.

Ok, I’m in! How do I get started?

We have a much more detailed User Guide that goes in-depth on how to set up 1Password for Apple Watch, but we’ll give you the 30,000 foot view of it here.

Step 0: Ensure you have set a device PIN code (or, preferably, a longer, more secure passphrase) and that you have purchased our Pro Features.

Step 1: Open 1Password for iOS and tap on Settings > Apple Watch > Enable Apple Watch. Set a PIN code for use on Apple Watch, and you’re good to go.

Step 2: Add an item to your Apple Watch by tapping on “Add to Apple Watch” in the item details screen.

There is no step three! (And no, we didn’t cheat by starting at zero).

Well this sounds lovely

We hope you love using 1Password on your Apple Watch as much as on all of your other devices! How will you use it to help keep all of your bits of information easily accessible? Leave a note in the comments and let us know.

1P iOS icon 1024

1Password 5.4 for iOS: The “Go Go Gadget Watch!” Edition

watchdrawn_2xYou’ve come to love 1Password as the handiest of multi-tools on all your gadgets: your computer, your phone, your tablet…and now, your watch.

That’s right, 1Password for Apple Watch is here, ready to save the world (and, more importantly, your time)!

You don’t need to be an intrepid inspector (or a precocious crime-solver in pigtails) to appreciate the awesomeness of having 1Password on your wrist. 1Password for Apple Watch helps you find the little pieces of secret info you need every day, quickly and easily. If you need the code to open your garage door, one of your one-time passwords, or to look up the Konami Code for those extra lives when playing Contra, 1Password is right there for you.

After a couple months of diligently attending the gym, you’ve earned a coveted private locker. Of course, remembering your locker combination is probably not a priority when you’re counting reps. But if you store that combination in 1Password, it only takes a couple of taps for you to see the combination in 1Password for Apple Watch when you’re back at your

You don’t have to be a secret agent on a mission to see how 1Password for Apple Watch is the best partner your wrist could ask for. No matter what you need to have with you, 1Password for Apple Watch is there.

We’d love to know what sort of items you’re most excited to add to your new Apple Watch! Let us know in the comments or in our discussion forums.

1Password for Apple Watch is included at no additional cost for owners of the Pro Features. If you don’t yet have the Pro Features you can find them in Settings > Pro Features for $9.99.

Hand-Polished 18-karat Cogs & Sprockets

1Password 5.4 for iOS isn’t all about Apple Watch. Our quartermasters have made some other refinements to the app as well. Based on your feedback, the Message Center now has a button to mark everything as read. We also added a toggle to remove the unread badge from the settings tab. We hope you enjoy the tips we’re sharing with you via the Message Center, but this improvement will ensure it’s not distracting you during important covert missions.

1Password’s memorization skills have been fine-tuned, and it will now remember whether you were viewing Favorites or Categories and take you back there when you reopen the app.

With the 5.4 update for 1Password for iOS, quickly accessing your secure information is easier than ever, whether on your wrist, or in your pocket.

Go Go Gadget Ears!

If you want to learn more about 1Password for Apple Watch, the Chief has a message for you. Don’t worry, this one won’t self-destruct! Sign up for our Apple Watch newsletter to get relevant communiques sent directly to your inbox!

Update 2015-04-15: Changed a use case example. 

1Password 4 for iOS icon

1Password 5.3 for iOS: The Extended Brainiac Edition is out!

This major, free update to 1Password for iOS is so awesome, we thought about pulling a Harry Potter and releasing it in two parts. But when Apple told us Daniel Radcliffe wasn’t available, and they didn’t even have his number in the first place, we just had to give it all to you at once.

A 400 percent better App Extension

1P iOS 5.3 App Extension CC Identities borderYou know how our App Extension can fill Logins into Safari, our own 1Browser, and hundreds of other apps with a single tap? Now it can also:

  • fill Identities
  • fill Credit Cards
  • create new Logins when you’re signing up for new services
  • show all Logins if none are found for the current app (App Extension only)

It’s all in the name of saving you even more time when logging in and now filling long forms and shopping carts.

A brand new Brain

We affectionately call 1Password’s under-the-hood tools and form-filling logic the “Brain,” and we gave it a huge upgrade in 5.3. It’s much smarter about matching websites and subdomains and fills forms even faster.

We need to talk

OPI 5.3 Message Center

There is so much great stuff going on with 1Password that we added a new Message Center to keep you in the know. It brings you 1Password news and tips right in our in-app Settings. Don’t worry, Push Notifications need not apply.

So, so much more

We added Large Type so you can view usernames and passwords in Jumbo Size, and we fixed a couple Zoom Mode bugs and a crash for iPhone 6 Plus users. Truly, there is a mountain of improvements you can check out in the full release notes.

Our free 1Password 5.3 for iOS update is now live in the App Store, so take it for a spin and let us know what you think on TwitterFacebook, and in our newly redesigned forums!

Workflow icon

Community Goodie: Workflow + Chrome for iOS + 1Password

Have you discovered Workflow for iOS yet? It joins Launch Center Pro and others in the category of Super Useful Apps that can save you a ton of time doing repetitive tasks or complicated things that span multiple apps. They can also just blow your mind with tasks you didn’t know iOS could pull off.

One of Workflow’s tricks is that it can make your workflows available inside other apps via its own App Extension. Harnessing the true power of this knowledge, 1Password user and Redditor papa-lozarou created a Workflow that searches 1Password for the domain of the current tab right within Chrome for iOS.


Picture this: you’re groovin’ along in Chrome for iOS, and you have to log into a thing to do a thing. Instead of switching to 1Password to unlock, manually search, copy, switch back over, and paste your password, you can now simply trigger Workflow right inside of Chrome. From there you can invoke 1Password’s in-app extension, which then automatically searches for the URL of your current tab.

You’ll still have to tap into the item to copy your password, but you’re still in Chrome where you can easily paste it and get on with your bad self.

Let’s give a shout out to Redditor papa-lozarou and Workflow for being just great. On an iOS device, you can download the Chrome workflow here.


Apps ❤ 1Password: They really, really do

The number of apps adding support for our 1Password App Extension for iOS 8 is growing briskly. I know of dozens of apps that are gaining support as you read this, and we are at nearly 100 shipping apps right now.

We are deeply grateful to every developer adding support, and thankful to our users for helping us to spread the word. If you haven’t checked out the apps that are making it easier to create accounts, log in with a tap, and stay secure online, here are some of the latest categories gaining new entries from developers and businesses all around the world.




Social Networking

1P Pro features

TOTP for 1Password users

1P Pro features1Password 5.2 for iOS and 1Password for Windows are out, and they provide support for using Time-based One Time Passwords (TOTP) in your Logins (note: in iOS, it’s part of our Pro Features). Note that this is not for unlocking 1Password itself, but to aid with logging into sites for which you may be using TOTP, such a Dropbox and Tumblr.

To learn how to have 1Password help you manage your TOTP Logins, go straight to our user guide. If you would like to better understand when and why TOTP is useful for 1Password users, and what to do if you truly want two-factor security, continue reading here.

TOTP countdownI’ve previously written (at excessive length, in some cases) about TOTP in general, but in each instance pointed out that it is of limited utility to 1Password users. This is because such schemes are of most use to those people who have weak or reused passwords. If you are using a strong and unique password for a site, then many of the gains of two-step (or multi-step) verification are not relevant for you.

But “most” is not the same as “all”. There still are some cases where multi-step verification is useful to people using 1Password.

Sometimes you must use TOTP

Sometimes a site or service will simply require that TOTP always be used along with your regular password. Patty (one of my dogs) is working with a research group analyzing the structure of heart worm DNA. When she connects to the lab’s server, she is required to use TOTP.

TOTP example in 1Password for Windows

TOTP example in 1Password for Windows

She has set up an app on her laptop that just constantly displays the current TOTP code. It’s sitting there ticking away all the time her laptop is running. Ideally, it should only be visible when she actually needs it, but she is understandably just trying to save time. Clearly, she could use TOTP more securely if it were available for the Login item within 1Password.

One-timeness? Yes

One-time passwords (the “OTP” in “TOTP”) are useful over insecure networks. Normally, when you submit a password to a site or service, you send the same password each time. Ideally, that connection is well encrypted so that the password cannot be captured when it is in transit. This is why it is very important to:

  • use HTTPS instead of HTTP when doing anything sensitive
  • pay attention to the lock icon in your browser’s address field (indicating HTTPS)
  • heed browser warnings about such connections

But networks are easy to compromise. Recently Molly (my other dog) was at the Barkville Airport. When she connected to Wifi, she saw several open wifi IDs. One was BVT-access, and the other one was “Airport Free Wifi”. As it turned out, BVT-access was the legitimate one, but she connected to Airport Free Wifi. Airport Free Wifi was actually a laptop operated by Mr Talk, our neighbor’s cat.

Mr Talk is using SSL-strip on his rogue wifi hotspot. If Molly isn’t paying close attention to the HTTPS status of her browser’s connection, she can send things unencrypted over Mr Talk’s network while thinking it is a secure connection. I should probably point out that Molly lacks the discipline to pay close attention to anything other than a squirrel or rabbit. This way, Mr Talk can capture Molly’s passwords in transit to the servers and save them for later use.

That is one of several ways that passwords can be captured in transit. The point of one-time passwords is that they are not reusable even if they are captured in transit. In this way, TOTP provides a meaningful defense against plausible attacks even though there is nothing “second factor” about how it is being used.

Second factor? No

We need to make the distinction between one time passwords and second factor security. One time passwords are often part of second factor security systems, but using one time passwords doesn’t automatically give you second factor security. Indeed, when you store your TOTP secret in the same place that you keep your password for a site, you do not have second factor security.

However, you still have the benefits of the one-timeness of TOTP codes.

Systems like TOTP are sometimes used as part of second (or multi) factor authentication systems. But this is far from their only usage. To be truly second factor, the TOTP secret (from which the one time password is generated) must not be stored on the same device that you use the regular password on.

Let’s consider an example. Molly has a Tumblr where she posts pictures of the squirrels she is after. So far, she has been using the Authy app on her phone to manage TOTP. If she never logs into to Tumblr on the same phone, then she is using her phone as a second factor. But if she is also using Tumblr from her phone and has had to use her one time password from there, then there is no second factor.

In general, there is a reason why many services that offer TOTP refer to it as “two-step verification” instead of as “second factor authentication”. The security that such sites seek to gain from this is not in the second-factorness; it is in the one-timeness. In particular, many of the sites and services that offer or require two-step verification with one time passwords are doing so because many of their users have weak or reused passwords. Although that should not apply to 1Password users, there are other benefits to one time passwords as I discussed above.

If you really want true two factor

If you would like to turn a site’s offering of TOTP into true two-factor security, you should not store your TOTP secret in 1Password (or in anything that will synchronize across systems). Furthermore, you should not use the regular password for the site on the same device that holds your TOTP secret.

Put simply: the device that holds your TOTP secret should never hold your password if your aim is genuine two factor security.

Personally, I don’t think that following that practice would be worthwhile for anything but a very small number of special circumstances, in which case, you should probably be using a specialized second factor device instead of something like a phone. But not everyone shares my opinion on this, and if you have a need for true second-factor security for some particular site or service, you should take that into account before adding a TOTP secret to 1Password.

For everyone else, if you find the one-timeness of TOTP worthwhile on its own (or are required to use it), 1Password’s new support in v5.2 for iOS and v4.1.0.538 makes it easier to use than ever.

1Password 4 for iOS icon

1Password 5.2 for iOS: The Awesomesauce Edition is here

OPI 5.2 jar of AwesomesauceThe holiday season may be over, but we saved your best present for last! Well, at least the best present with ‘AgileBits’ printed on it somewhere. 1Password 5.2 for iOS is now making its way to the App Store, and we even saved you the time to unwrap it.

(Get it? Because software is digital and therefore impossible to wrap with paper.)

This free update goes out to our new customers and Pro feature owners. To start, we added our first-ever Login Creator, a really slick new tool that makes it easy, dare I even say fun, to add your existing Logins to 1Password and get a feel for how much time it can save you.

Login Creator has a polished workflow for hundreds of sites and services, and we hope it makes getting started with 1Password even easier.

1P iOS Login Creator

For our Pro feature owners, let’s start with a new One-Time Password tool. This helps you sign into a growing number of services (like Amazon and Tumblr) that support a secondary, randomized password for that extra… je ne sais quoi. You can learn more about One-Time Passwords at


Pro owners can now also delete attachments from the item editor and add many new custom field types like addresses, dates, and month/year.

Rounding up this release are plenty of additions in the 1Password App Extension, design, sync, Accessibility, and translation departments. You can check out the full iOS changelog if you want all the details or skip straight to the App Store and pick up the latest and greatest 1Password for iOS!

While you’re there, please take a minute to give us a great review—it helps more than you may know! Finally, let us know what you think of this release on Twitter and Facebook, and stay in touch with the Agile Newsletter.

Homescreen icon

Check out the other apps on 1Password user #Homescreens!

Homescreen iconA little while ago, the fine folks at Betaworks released a clever app called #Homescreen. With a tap, you can share a screenshot and list of apps on your homescreen with your Twitter pals, then check out everyone’s apps at

But #Homescreen’s cleverness runs much deeper. Not only can you click each app and check it out in the App Store, you can see some really cool stats (like 1Password is on 23 percent of homescreens!) and even all the other apps used by, say, the 1Password community.

Turns out 1Password is in some great company! Of course, Facebook and Twitter are there, and so are great apps (and favorites among AgileBits staff) like Fantastical, Day One, and Reeder. There’s also Slack (which we love for office chat), Launch Center Pro, Workflow, and Mailbox, and the list goes on. It’s also dynamically generated as more people share their homescreens, so it might even change over time.

Check out the full list of apps your 1Password comrades use, there are plenty of gems to discover! Give #Homescreen a try too—it’s a smart, simple way to learn more about your fellow homescreens.