Security

1Password inter-process communication: a discussion

Recently, security researcher Luyi Xing of Indiana University at Bloomington and his co-authors released the details of their research revealing security vulnerabilities in Apple’s Mac OS X and iOS that allow “a malicious app to gain unauthorised access to other apps’ sensitive data such as passwords and tokens for iCloud, Mail app and all web passwords stored by Google Chrome.”  It has since been described in the technology press, including an article in the Register with a somewhat hyperbolic title. I should point out that even in the worst case, the attack described does not get at data you have stored in 1Password.

The fact of the matter is that specialized malware can capture some of the information sent by the 1Password browser extension and 1Password mini on the Mac under certain circumstances.  But roughly speaking, such malware can do no more (and actually considerably less) than what a malicious browser extension could do in your browser.

For 1Password, the difficulty is in fully authenticating the communication between the 1Password browser extension and 1Password mini; however, this problem is not unique to 1Password. Securing inter-process communication on the operating system is a system-wide problem. A recent paper, “Unauthorized Cross-App Resource Access on MAC OS X and iOS” (PDF), by Luyi Xing (Li) and his colleagues shows just how difficult securing such communication can be. Since November 2014, we’ve been engaged in discussion with Li about what, if anything, we can do about such attacks. He and his team have been excellent at providing us with details and information upfront.

As always, we are limited in what we can do in the face of malware running on the local machine. It may be useful to quote at length from the introduction to our earlier article on keystroke loggers:

I have said it before, and I’ll say it again: 1Password […] cannot provide complete protection against a compromised operating system. There is a saying […] “Once an attacker has broken into your computer […], it is no longer your computer.” So in principle, there is nothing that 1Password can do to protect you if your computer is compromised.

In practice, however, there are steps we can and do take which dramatically reduce the chances that some malware running on your computer [could obtain your 1Password data].

That was written more specifically about keystroke loggers, and there are some things that set the new attack apart. Like superficial keystroke loggers, it doesn’t require “admin” or “root” access; what sets it apart is that the researchers were able to sneak a proof of concept past Apple’s App Store reviewers.

The threat

The threat is that a malicious Mac app can pretend to be 1Password mini as far as the 1Password browser extension is concerned if it gets the timing right. In these cases, the malicious app can collect Login details sent from the 1Password browser extension to the fake 1Password mini. The researchers have demonstrated that it is possible to install a malicious app that might be able to put itself in a position to capture passwords sent from the browser to 1Password.

Note that their attack does not gain full access to your 1Password data but only to those passwords being sent from the browser to 1Password mini. In this sense, it is getting the same sort of information that a malicious browser extension might get if you weren’t using 1Password.

Background

1Password provides its own security. What I mean by this is that for the bulk of what we do, we don’t generally rely upon security mechanisms like sandboxing or iOS Keychain. So it doesn’t matter whether those sorts of security measures provided by the operating system fail.

The careful reader will note, however, that I used phrases like “for the bulk of what we do” and “don’t generally rely upon” in the previous paragraph. There are some features and aspects for which some of 1Password’s security makes use of those mechanisms, and so vulnerabilities in those mechanisms can allow for harm to us and our customers.

1Password mini listens to the extension

Application sandboxing is a good thing for security. But it limits how the 1Password browser extension can actually exchange data with 1Password itself. Indeed, the extension (correctly) has no direct access to your data. Keeping your data out of the browser (a relatively hostile environment) is one of our security design choices. But this does mean that the 1Password browser extension needs to find a way to talk to something that does actually manage your data. 1Password mini (originally the 1Password Helper) was invented for this purpose.

One of the few ways that a browser extension can communicate locally is through a websocket. Browser extensions are free to talk to the Internet as a whole, but we certainly don’t want our browser extension doing that; we only want it talking to 1Password locally. So we restrict the browser extension to only talking to 1Password mini via a local websocket.

Mutual authentication

Obviously we would want 1Password mini and the browser extension to only talk to bona fide versions of each other, so this becomes a problem of mutual authentication. There should be some way for 1Password mini to prove to the extension that it is the real one, and there should be a way for the browser extension to prove to 1Password mini that it is a real 1Password browser extension.

The difficulty that we face is that we have no completely reliable mechanism for that mutual authentication. Instead, we employ a number of separate mechanisms of authentication, but each has its own limitations. We have no way to guarantee that when the browser extension reaches out to 1Password mini it is really talking to the genuine one.

There are a number of checks that we can (and do) perform to see if everyone is talking to who they think they are talking to, but those checks are not perfect. As a result, malware running on your Mac under your username can sometimes defeat those checks. In this case, it can pretend to be 1Password mini when talking to the browser extension and thus capture any information sent from the 1Password browser extension that is intended for the mini.

What can be done

Neither we nor Luyi Xing and his team have been able to figure out a completely reliable way to solve this problem. We thank them for their help and suggestions during these discussions. But, although there is no perfect solution, there are things that can be done to make such attacks more difficult.

What you can do

1. Check “Always Keep 1Password Mini Running” in Preferences > General

In the specific attack that Luyi Xing demonstrates, the malicious app needs to be launched before the genuine 1Password mini is launched. By setting 1Password mini to always run, you reduce the opportunity for that particular attack.

keep mini running

2. Keep using the 1Password browser extension

Although what is described is an attack against the communication between 1Password mini and the browser extension through specialized malware, using the 1Password browser extension protects you from a more typical malware attack of pasteboard/clipboard sniffers. Likewise, the 1Password extension helps fend off phishing attacks because it will refuse to fill into pages that don’t match the domain for your saved Logins.

Quite simply, the 1Password extension not only makes life easier for you, but it is an important safety feature on its own.

3. Pay attention to what you install

As always, be careful about what software you run and install on your system. On your Mac, open System Preferences > Security & Privacy > General. You’ll see an “Allow apps downloaded from:” setting there. We strongly recommend confirming that this setting is configured so that only apps from trusted sources can be opened. You can read more about the setting and its options on Apple’s support site.

Now Xing and his team point out that this isn’t a guaranteed way to prevent malware being installed. They were able to get a malicious app approved by the Mac App Store review process. However, I think it is reasonable to assume that now that Apple reviewers know what to look for, it will be much harder for that specific kind of malware to get through.

What we can do

There are additional (defeasible) mechanisms that we can add to our attempts at mutual authentication between the extension and 1Password mini. I will briefly mention a few that we’ve considered over the years.

Encryption with an obfuscated key

One option is to have a shared obfuscated key in both 1Password mini and the extension. (Remember that the browser extension never sees your Master Password so any secret it stores for authentication cannot be protected by your Master Password.)

Obfuscation only makes things harder for attackers until someone breaks the obfuscation, and every system designer should assume that obfuscation will be broken. See our discussion of Kerckhoffs’ Principle in our article, “You have secrets; we don’t,” for some background on why we tend to be reluctant to use obfuscation. Of course, it may be warranted in the absence of a more effective alternative, so this remains under consideration.

In anticipation of a likely suggestion, I should point out that even the magic of public key encryption wouldn’t save us from having to rely on obfuscation here; but I will save that discussion for our forums.

Using the OS X keychain

Another option would be to store authentication secrets in the OS X keychain, so that both our browser extension and 1Password mini would have access to it. This could be made to work for authenticating 1Password mini to the extension for those browsers that allow easy use of the OS X keychain.

This might solve half the problem for some browsers, but to date we’ve been focusing on solutions that work across all of the browsers we support.

An extreme solution

In the extreme case, we could have some explicit pairing (sort of like Bluetooth) between 1Password mini and the extension.  That is, the browser extension may display some number that you have to type into 1Password mini (or the other way around).  With this user intervention we can provide solid mutual authentication, but that user action would need to be done every time either the browser or 1Password mini is launched.

Quite frankly, there is no really good solution for this. To date, our approach has been to put in those authentication checks that we have and keep an eye out for any hints of malware that exploits the known limitations of what we do.

Is 1Password for iOS affected?

The research paper isn’t limited to discussing inter-process communication (IPC) that is done through websockets, but covers a wide range of mechanisms used on Apple systems. This includes some mechanisms that we may use for some features in 1Password for iOS.

Shared data security

1Password for iOS shares some of its data with the 1Password app extension. As most of that data is encrypted with your Master Password, it is not a substantial problem if that data becomes available to attackers. The exception, of course, is the TouchID secret.

As yet, we have not had a chance to test whether there is any exposure there, but watch this space for updates.

Conclusion

We truly are grateful for the active security community, including Luyi Xing and his team, who take the time to test existing security measures and challenge us to do better. Our analysis of the researchers’ findings will continue and we will post an update if further action is necessary.

1Password tips

Quick Tip: Migrate your details between 1Password items

We all have our own ways of keeping things neat and tidy, and having something out of place can just throw your whole day out of whack. Luckily, 1Password mini can help you keep things organized just the way you like them.

Let’s say someone sends you the details for the Wi-Fi router at their house, but it’s in a Secure Note instead of the Wireless Router template for 1Password.

Wireless network data stored in a Secure Note

If you’re like me, this is the kind of thing that could make you a bit, well…


So, let’s move the relevant data over to a new Wireless Router item and set things right with a few simple steps:

1. Create the new item

In 1Password, create a new item in the proper category. Launch 1Password, and choose File > New Item > Wireless Router. This is the new item where the previous Secure Note’s content will go. Leave this new item in edit mode.

Create a new Wireless Router item

2. Open the original item in 1Password mini and anchor it

Click the 1Password mini icon in the toolbar and search for or browse to the Secure Note containing the details you want to migrate to the new entry. Click the anchor button in the bottom left of the detail view to keep the item on screen.

Copy and paste the details

3. Copy and paste

At this point, you can copy and paste the relevant information from the original item. You can also create new sections and fields for any important information that doesn’t fit elsewhere. When you’re finished, save the new item.

4. Delete the original item

At this point, the original item is no longer needed and can be safely deleted.

5. Bonus points: share!

Share the new entry with the person who sent you the Secure Note version using the item’s Share button.

Share the item

This use case comes up for me more often than I would have thought in the past. The Wireless Router example is a real one from a recent trip to visit the team in our Toronto office. Beyond that, I have quite a few items I exported from Yojimbo long ago, and those only exported as plain text files. I imported those text files as Secure Notes in 1Password and I have been migrating them to proper 1Password entries here and there over time. Instead of switching back and forth between items in 1Password, using 1Password mini’s anchored windows helps to make the process of migrating data between categories a lot simpler.


The Because We Love You Sale

UPDATE: The Because We Love You Sale will be ending the evening of May 27, 2015.

Everything we do here at AgileBits is with you in our hearts & minds: whether it’s sharing tips & tricks to enhance your security, squashing bugs & implementing exciting new features, or answering your questions in our Support Forums, our focus is always on you.  And every once in a while we like to go all out and show how much we appreciate you by having a good old-fashioned sale.

We usually like to focus a sale around a holiday or a release from a certain California-based fruit company, but today we were searching for another reason to celebrate. So we gathered our crack marketing team around the MacBook and started brainstorming ideas:

  • Dinosaurs are awesome! Okay, maybe we’re just really excited for that new prehistoric blockbuster that’s coming soon to a theater near you.
  • Someone on the team had a birthday! It’s true, there’ve been a number of May birthdays here at AgileBits, but we’ve already overdosed on sugary frosting.
  • Baseball’s back! But really, we just wanted to sing “Take me out to the ballgame.”
  • Spring is here?  It’s been done a billion times before.  Boring.
  • We love you! Oh, there it is. What better reason do we need than just to simply say…

we love you. And to show how much we care, we’re knocking 30% off 1Password across the board on Mac, Windows, iOS, and Android.

While our love for you will last forever, this sale won’t. So if you or someone you love has been holding off on buying 1Password, now is the time to say, “I love you, too.”

You can pick up a Mac/Windows bundle (or grab them separately) on our AgileBits Store. 1Password for Mac is also available on the Mac App Store. And 1Password for iOS is on the iOS App Store, and 1Password for Android on Google Play.


Staying on top of deadlines and expiry dates

1Password is at its best when it’s helping us forget — not just our passwords and credit card numbers, but also where we put that thing. 1Password remembers, so we don’t have to. It’s easy to get hooked on this line of thinking. You start to ask yourself: what else can I afford to forget about?

How about deadlines? I’m not talking about calendar appointments. Think instead of the warranty on your laptop — the one that always runs out days before you need to use it. Think of the gift card you need to spend before Father’s Day. The domain name you keep forgetting to renew. The annual subscription you plan to cancel before you get charged again.

So much of our sensitive information comes with a best before date — and 1Password is great at keeping track of best before dates.

expires soon

You’re probably used to filling in the expiry date field for your credit card, but you might not know that it’s also built into lots of other 1Password items — Passports, Memberships, Driver’s Licenses, etc. You can also add it to your own items using custom fields.

Once you assign expiry dates to all your time-sensitive items, you’re one smart folder away from seeing anything that needs your immediate attention.

expiry smart folder

The key to making this work is the second field (“Any Value” -> “contains”), which I’ve set to the current year. You could also fill in “2015-05” to see only the items that expire in May, but tweaking this value every month might be too fiddly for your tastes. I find a year’s worth of expiry dates is manageable so long as I review the folder every once in a while.

1Password won’t ever replace my calendar, but there are some due dates it handles with style — especially when it comes to information I can’t risk keeping anywhere else.

How do you use 1Password to make your life a little more manageable? We’d love to find out. Share your creative ideas in the comments!


1Password 5.3 for Mac: The Bionic Edition is out!

We last heard from our hero, 1Password for Mac, in version 5.1. Sadly, version 5.2 suffered a tragic accident. The development team refused to give up. “We can rebuild it,” they said. “We have the technology. We have the capability to make the world’s first bionic password manager. 1Password 5.3 for Mac will be that app. Better than it was before. Stronger…Faster…Better.”

We proudly present 1Password 5.3 for Mac, now available for Mac App Store and AgileBits Store customers, and it won’t cost six million dollars (it’s a free update for all 5.x owners).

Two-Steps Stronger

We recently introduced our TOTP feature — Time-Based One-Time Passwords — in iOS and Windows, and now we’re bringing it to the Mac. TOTPs are increasingly used as an extra layer of security by companies from Dropbox to Tumblr, so now you’re ready for them with 1Password for Mac. To learn how to add TOTP to 1Password for Mac, check out our handy dandy guide and video!

Faster Communication

1Password makes you more secure online, but it also saves you time by logging you in and filling long, tedious forms with a single click. Now it can help you make phone calls and start emails with one click, too.

We’ve added great new features in v5.3 to make it even easier for you to keep in contact with your sidekick. You can click on phone numbers that you’ve added to Identities to start FaceTime Audio or Skype calls, or click on an email address to start emails.

This works not only in the default fields for these in items like Identities and Software Licenses, but also in custom fields.

A Better Brain

Did you know 1Password has a Brain that handles the under-the-hood tasks of figuring out webpages and filling your Logins, Identities, and Credit Cards into forms? In v5.3, we gave the Brain a heavy dose of B and D vitamins, as well as some omega–3 dev classes and shared objects to make it much faster and smarter when filling said forms and generally saving you oodles of time.

Too much more to list

We also implanted a plethora of custom field options, some great 1Password mini nips and tucks, and Secure Notes can now have custom fields and sections.

Actually, I’d love to list all the great stuff we packed into this free update, but there’s a chance such an extensive post might break WordPress. Instead, you can check out the full details in our release notes. To get the update, just hit the Mac App Store’s Updates tab, or for our AgileBits Store version, click 1Password 5 > Check for Updates in the menubar.


The new wonderful-ness of Wi-Fi sync

The ability to have your secure password data with you on all of your devices is one of the most important features of 1Password. Of course, strong encryption of your data is vital as well, but it is sync that ensures that you can use these strong and unique passwords across all your devices easily.

Ensuring that users have access to their data everywhere they need it is not always a simple process. Let’s take a look at the development of Wi-Fi sync in 1Password, and see some of the great improvements our developers have made lately.

The beginning of Wi-Fi

We begin back before the dawn of 1Password 4. The Wi-Fi Sync of 1Password 3 provided a… less than ideal user experience. When our developers sharpened their tools to craft 1Password 4, the initial version of 1Password 4 for iOS was released without the feature.

Users were not content with this omission and lobbied us by forum and by email and by all means necessary, declaring their love for Wi-Fi Sync (and as well they should!) Hearing their pleas, our developers went back to the Agile Forge and re-designed Wi-Fi Sync for its triumphant return in 1Password 4 for Mac.

Wi-Fi’s triumphant return

Even after we reintroduced Wi-Fi Sync in 1Password 4 for Mac, we knew we could do better. We kept polishing and strengthening the feature, and now with the release of the Syncerrific Edition, Wi-Fi Sync is the powerful, cloud-free sync option that our users both need and deserve.

Let’s look at some of the improvements to Wi-Fi sync in 1Password 5:

  • Attachments: Wi-Fi sync now syncs every nook and cranny of your vault … including all of your attachments.
  • Multiple Vaults: Got multiple vaults? No problem. Wi-Fi sync can handle that. Sync all your vaults to your mobile devices without ever touching the cloud.
  • Automatic: No more need to frequently type in secrets – sync your data whenever your devices are linked to the same Wi-Fi network as your Mac.

1Password 5 Wi-Fi preferences

Learn about how to set up Wi-Fi sync for all of your vaults in our User Guide.

We’d like to thank all our wonderful users for their persistence. 1Password is a better, stronger, faster product for you today because you keep us on our toes.

Keep being awesome.


1Password 5.1 for Mac: The Syncerrific Edition is here

Judging from the title, you might think this update is about Watchtower enhancements or properly formatting credit card numbers, but you would be only half right! 1Password 5.1 for Mac, rolling out now to the AgileBits Store and Mac App Store, is all about sync.

In short, we completely overhauled how you manage sync for your primary and secondary vaults to save you time. In Preferences > Sync, you can now view all your vaults and how they sync, and change sync methods with a click.

OPM5 new sync pane

Wi-Fi Sync users also get a whole new Preferences pane that makes setup much easier. Oh, and secondary vaults can now sync via Wi-Fi!

We packed lots of other great changes into v5.1 for Mac, from copying addresses in Identities with just a click to support for Portuguese. You can view the full changelog for all the details.

1Password 5.1 for Mac is a free update available now for all v5 owners. If you’re a Mac App Store customer, please leave us a great rating and review, they really help!

As always, let us know what you think on Twitter and Facebook, and stay in touch with the AgileBits newsletter!

iMore Best 2014 Awards

iMore names 1Password 5 for iOS an App of the Year for 2014!

It isn’t every day that we have a chance at winning a best-of-the-year award from iMore. In fact, I am told that the opportunity comes only once a year.

And this year we won!

We are thrilled and thankful and just plain touched that iMore named 1Password 5 as the iOS Utility App of the Year for 2014, and 1Password 5 for Mac as a runner-up for Mac Utility App of the Year!

iMore reviewed and listed a ton of stuff for its awards this year, from apps to accessories for both iOS and the Mac. It’s a great list from a bunch of smart folks, so be sure to give the entire thing a look!


1Password for Mac Tips: meet 1Password mini and its not-so-mini list of shortcuts


What might seem like one of the smallest new features in 1Password 5 for Mac is actually one of its biggest. We completely redesigned it so you can find what you need more easily, but we also gave it a huge dose of keyboard shortcuts so you can work faster and keep important items at your fingertips.

If you want to impress friends and family and save even more time with 1Password, give these 1Password mini shortcuts¹ a try:

  • Open 1Password mini: ⌥-⌘-\ (Option-Command-backslash by default)
  • Open 1Password mini’s preferences: ⌘-comma (Command-comma)
  • Select a category or item: ↑ ↓
  • Open item detail window: →
  • Close item detail window: ←
  • Copy selected field: ⏎ (Return key)
  • Copy the password value for the selected Login item: ⌘-⇧-C
  • Switch vaults: ⌘-1 through 9
  • Edit an item: ⌘-E (Command-E)
  • Save an item: ⌘-S (Command-S)
  • Anchor button (to open an item in its own window): ⌘-O (Command O as in the word “open”)
  • Reveal password field: Hold ⌥ (Option key)

Keep 1Password items on screen while you work

You can even pin 1Password items on-screen in order to reference or copy their details to other apps. Just click the Anchor button (or press ⌘-O) to open an item in a separate, free-floating window. The item detail window remains open until you click the red close button. Plus, you can anchor as many items as you like.

Naturally, there’s a bonus tip here: To close multiple anchored windows all at once, hold ⌥ when you close a window using the red button.

We hope you like these shortcuts, so let us know what you think of them and if we should add any more!

  ¹ Naturally, these all require that, in 1Password > Preferences > General, the setting to “Always keep 1Password mini running” is enabled.

About iCloud changes in 1Password 5

One of the big changes in 1Password 5 for Mac and iOS is a brand new iCloud sync engine. This change is a huge, order-of-magnitude improvement over what we had in 1Password 4, but it came at a cost. I would like to explain how we arrived at this decision.

Mac App Store and AgileBits Web Store

There are two versions of 1Password for Mac. One is available on the Mac App Store and the other is in our own AgileBits Store. For the most part, these two versions are identical. One major difference is that the Mac App Store version of 1Password is sandboxed to satisfy the store requirements. Another big difference is access to iCloud features. Starting with 1Password 5, only apps downloaded from the iOS or Mac App Stores have access to iCloud.

Hey Siri, define “iCloud”

“iCloud” is a name that covers many different services and technologies. This umbrella name makes it difficult to talk about iCloud.

For Mac and iOS users, iCloud could mean:

  • Services that keep track of your iTunes Movies and Music purchases
  • Services that keep your application data and iPhone backups
  • iCloud.com
  • And more: apple.com/icloud

For developers, iCloud could mean:

  • a low-level API that is used to read and write files to the local iCloud container folders
  • a document-based API that is used to store documents for apps like TextEdit or Preview
  • an API for apps using Core Data framework
  • new CloudKit API
  • More information is here: developer.apple.com/icloud/index.html

1Password 4 was using the low-level API tied to the local iCloud container folder. It is similar for both Mac App Store and iOS apps. Because the local container folder was available to all apps on Mac, our Web Store version of 1Password could also use iCloud for syncing.

History

Here is a short history of iCloud and 1Password:

  • 2011: iCloud introduced in iOS 5
  • 2012: iOS includes many fixes and new APIs in iCloud. 1Password 4 for iOS 6 (finally!) adds support for iCloud
  • 2013: 1Password 4 for Mac is out with iCloud support
  • 2014: iCloud gets completely re-implemented and reintroduced as CloudKit and iCloud Drive. A one-time migration of user data is performed when upgrading to iOS 8 and OS X Yosemite. 1Password 5 for Mac and iOS now use CloudKit

1Password 4 and iCloud

From the developer’s perspective, the original iCloud was pure magic. To sync with iCloud, the “only” thing that the app had to do was to save its files into a special folder and the operating system took care of the rest. The files were magically transferred between all computers and devices.

When the magic worked it was great. When it didn’t, it could be frustrating because there was no way to tell why.

Over time, after dealing with the problems we “learned” and made defensive changes in the app. For example, after initially syncing to iCloud, 1Password would show a message that the data will be available on other devices “in a few minutes”, even though we had no way to tell when it would actually happen. If you were setting up a new device and downloading a lot of data, it would take hours for your 1Password data to appear.

1Password was not the only app affected by iCloud issues:

There is no doubt that these issues triggered a major change in iCloud and the introduction of iCloud Drive and CloudKit. Unfortunately, it seems that iCloud Drive might have inherited some of the issues.

CloudKit

In 2014, Apple announced CloudKit, available exclusively to apps in iOS 8 and OS X Yosemite. It is a simple and elegant network API that allows apps to store data remotely on Apple servers. The biggest difference from iCloud is that there is no magic. Instead of writing the files locally and then waiting for them to magically appear on other devices, the app simply makes a request to update its data on the server. It does require developers to write more code, but the end result is a hundred times better.

CloudKit is very fast, efficient, and makes it easy to detect and troubleshoot errors. CloudKit is predictable. 1Password now knows if the item was successfully updated on the server and is available to other devices. If the operation fails, the app now gets a detailed error message explaining why it happened, be it a network error, a downed server, no space available, or the user was rate-limited.

We don’t have to guess when something goes wrong anymore, and we no longer have to tell our users to perform a set of magic steps hoping that some of them would trigger iCloud to work. CloudKit solved the problems we had with the old iCloud.

Other advantages of CloudKit include:

  • CloudKit stores data as records instead of files. This allows apps to perform partial record fetches and updates, which makes syncing more efficient and does not force downloading or uploading an entire file.
  • The remote CloudKit database supports queries that allow 1Password to perform syncing faster than scanning a directory of files.
  • CloudKit supports “server change tokens”. They are used by 1Password to quickly test for changes made on other devices.
  • 1Password on both Mac and iOS uses CloudKit Remote Push Notifications to perform syncing almost instantly when a change is made on another device or Mac.
  • CloudKit provides a special record asset type (CKAsset) that is used to sync large attachments.
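
The “server change token” mechanism in the list above, as an added example that is neither CloudKit’s API nor 1Password’s code: a toy server keeps an ordered change log and hands the client a token for its position in that log, so the next sync returns only the records touched after the token (coalesced per record, with deletions reported explicitly) instead of scanning every record. When a client’s token predates the part of the log the server still retains, the client falls back to a full fetch; CloudKit reports that situation as an expired change token error, and the pruning here is a simplified model of it. RecordServer, SyncClient and the sample records are hypothetical.

```javascript
// Added example (not CloudKit's API and not 1Password's code): a toy record
// store with server change tokens, showing how a client learns what changed
// since its last sync without scanning every record. Names are hypothetical.

class RecordServer {
  constructor(logLimit = 1000) {
    this.records = new Map(); // id -> { fields, deleted }; deleted = tombstone
    this.log = [];            // ordered change log of { seq, id }
    this.seq = 0;             // the newest token is simply the log position
    this.logLimit = logLimit; // old log entries are pruned, as a real server would
  }
  record(id, fields, deleted) {
    this.records.set(id, { fields, deleted });
    this.log.push({ seq: ++this.seq, id });
    if (this.log.length > this.logLimit) this.log.shift();
    return this.seq;
  }
  save(id, fields) { return this.record(id, { ...fields }, false); }
  delete(id) { return this.record(id, {}, true); }

  // Changes after `token`, coalesced so each record id appears at most once.
  changesSince(token) {
    const since = token == null ? 0 : token;
    const oldestKept = this.log.length ? this.log[0].seq : this.seq + 1;
    // A token older than the retained log cannot be served incrementally.
    if (since !== 0 && since < oldestKept - 1) return { expired: true };
    const touched = new Set();
    if (since === 0) for (const id of this.records.keys()) touched.add(id);
    else for (const e of this.log) if (e.seq > since) touched.add(e.id);
    const changed = [], deleted = [];
    for (const id of touched) {
      const r = this.records.get(id);
      if (r.deleted) deleted.push(id);
      else changed.push({ id, fields: { ...r.fields } });
    }
    return { expired: false, changed, deleted, token: this.seq };
  }
}

class SyncClient {
  constructor(server) {
    this.server = server;
    this.token = null;       // null: never synced, fetch everything
    this.local = new Map();  // id -> fields
    this.transferred = 0;    // records moved over the wire, for comparison
  }
  // Called at launch and whenever a push notification says something changed.
  // Returns the number of records applied by this sync.
  sync() {
    let delta = this.server.changesSince(this.token);
    if (delta.expired) {
      // Expired token: discard local state and resync from scratch.
      this.token = null;
      this.local.clear();
      delta = this.server.changesSince(null);
    }
    for (const r of delta.changed) this.local.set(r.id, r.fields);
    for (const id of delta.deleted) this.local.delete(id);
    this.token = delta.token;
    const applied = delta.changed.length + delta.deleted.length;
    this.transferred += applied;
    return applied;
  }
}
```

With this shape a sync after no changes costs one round trip and transfers nothing, two edits to the same record between syncs are fetched once, and a deletion travels as an id rather than being inferred from a file that is no longer there, which is the difference the post draws between a record store and a directory of files.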

All these features made a huge difference. We tested CloudKit integration in early betas of 1Password 5 and we immediately became very excited about it. After using CloudKit in the beta for several weeks, we decided it is the best way for 1Password to support iCloud sync.

Conclusion

I hope this explains why we made a decision to switch to CloudKit. The performance and reliability of CloudKit, combined with issues of the old iCloud sync, made it impossible for us to not use CloudKit in 1Password 5.