1Password for Mac update featured image

Trouble with Mac App Store updates? We can help.

Last week we released 1Password version 6 for Mac on both our website and in the Mac App Store. Major version updates are always a little scary for us, but we were hopeful because our last update went so smoothly for our customers. This time? Not so much. A small percentage of our users are experiencing issues after updating 1Password via the Mac App Store.

Some of you dutifully updated and discovered that 1Password would not respond upon launching, eventually telling you that it failed to connect to 1Password mini. This is obviously no good. We know how important 1Password is to you, and we must do whatever is in our power to make sure this kind of thing doesn’t happen.

If you were affected by this, I’m really sorry.

Rebooting Helps… Even on OS X

The good news is that the fix is super easy: A reboot will likely resolve the issue. If it doesn’t, please email us at support@agilebits.com so that we can help you get up and running again as quickly as possible.

mban4505_hi_1024

We don’t know why this just started happening in this release. We’ve had many updates over the last few years and this is the first time that we’ve seen this happen like this.

You may be wondering why rebooting helps. Historically OS X hasn’t been known for needing reboots to solve issues, so this advice may sound peculiar. Read on to learn why.

A Tale of Two Apps

Let’s go over what we think is going on with this update and why we believe the update has gone as poorly as it has, and what we’re going to try to do about it.

1Password for Mac consists of two apps, bundled together as one: 1Password (what we like to call the Main app) and 1Password mini, which lives in your menu bar. The Main app does very little on its own; it’s dependent on 1Password mini for everything, which is why it’s critical for the main app to be able to connect to mini on launch. The vast majority of users opt to have mini always running in the background, which is the recommended approach.

Unfortunately, the mechanism that 1Password uses to talk to 1Password mini isn’t quite perfect. Both apps are bundled together, and you would think that we could have 1Password tell the system that it’d like to communicate with the version of 1Password mini that’s bundled within itself. Instead, 1Password can only say, “I’d like to communicate with the app whose unique identifier is onepassword-helper.” The operating system will then find 1Password mini (whose unique identifier looks like onepassword-helper), and if it’s not launched already, the system will launch it. This works nicely almost all of the time.

It’s…Complicated

Often times, 1Password mini is running when the Mac App Store is updating 1Password. 1Password mini includes code to detect when it has been trashed, and when that happens it attempts to terminate itself. It understands that either an update is coming and old mini should make way for new mini, or that the user is uninstalling the app—in which case it should get out of their hair. From what I’ve seen so far, it looks like this code was failing. Either the Mac App Store didn’t trash our app first, or we didn’t catch the event as we should, or we didn’t react as we should. What matters is that the old version of 1Password mini was still around.

Having an old mini running isn’t a big problem for you as a user. You’ll still be able to use mini just fine, and keep filling forms in your browser. The problems don’t start to appear until you run the main 1Password app. 1Password will ask the system to communicate with mini and the system will say “here’s a connection to [old] mini”. 1Password will say hello to mini and include a version number. 1Password mini is smart enough to compare the version numbers and refuse to communicate with a newer main app. What it should do in this situation is terminate itself. The operating system should then re-launch the new mini, and the main app should connect to it. It seems that in this case, the operating system continually relaunched the old mini, which put us into a loop.

So then why does rebooting help? Rebooting should cause the operating system to rebuild its list of apps on the system and forget that the old version of 1Password exists. It should then launch the new mini instead of the old and get us out of the loop.

Making It Better

This issue seems to have affected a small percentage of users, but that’s still more than we’re comfortable with. Let’s look at how we’re going to try to make this better in upcoming releases of 1Password for Mac.

Better Trash Detection

We have to do more research and understand why 1Password mini didn’t detect that it was going be upgraded and then terminate itself properly.

Better Communication With the User

As the 1Password main app was in this loop with the wrong mini, users were given no indication of what was going on. We need to do better here. 1Password should explain what’s going on to the user. Even just explaining that it’s attempting to connect to 1Password mini, and showing the countdown to giving up (60 seconds) would give some indication of what’s happening.

Better Detection of Multiple Instances of 1Password mini

In 1Password 5.4.3, we added code to detect multiple installations of 1Password during updates of our AgileBits Store version of 1Password. This greatly reduced the number of issues encountered while upgrading that version of the app. I think it’s time for us to run this kind of detection upon starting the main app, to catch these kinds of issues even before we ask the operating system to connect us to a mini.

We’re Here to Help

If ever you have trouble updating 1Password to a new version, or have any other kind of problem with the app, please reach out to us. We love hearing from you, and we’re here to help.

1Password for Mac update featured image

1Password 6 for Mac is here!

[Update] 1Password 6 is now available in the Mac App Store. *squee*

It’s a new year and we’re starting things off on a strong note with a great new update to 1Password for Mac: Version 6.0! This latest version of everyone’s favorite password manager is looking better than ever, and we couldn’t have done it without you. Your awesome feature requests, suggestions, bug reports, and usage scenarios really helped us decide what to include in this release.

All Vaults view

All VaultsMultiple vaults is one of my favourite features in 1Password. It keeps all of my information neatly organized and shared with the right people. But, with a great number of vaults comes greater opportunity for (dis)organization. And with 1Password for Teams, odds are you have a lot more vaults than you did before!

With the new All Vaults view, you can see all of your items in the main app and in 1Password mini without switching vaults. Do you have a family vault set up for your parents? How about that Teams vault that holds all the business social accounts? You probably have vaults that you need to keep for reference but that you don’t want cluttering up your everyday view. The All Vaults view is customizable so you can choose which vaults you see there.

All Vaults preferencesSee all the information you want. See only the information you want.

Powered-Up Strong Password Generator

One of our most frequently requested features is here! 1Password 6 for Mac features a refined and simplified Strong Password Generator. If you use 1Password for iOS, you’ve already seen our fancy new wordlist password generator. Now you can take advantage of this feature on Mac as well. Choose the new Words option to create a password comprising random words chosen from a list approved by our Chief Defender Against the Dark Arts. Wordlist passwords are easy to remember and type, without sacrificing strength and security. If you prefer a jumble of letters, numbers, and symbols, the Characters option you know and love is still there for you.

Strong password generator

iCloud sync

Surprise! Thanks to some pretty significant changes Apple made recently, we are now able to offer iCloud sync to customers who bought 1Password for Mac directly from the AgileBits Store. As you probably know, this was previously only available to Mac App Store customers, and we’re super excited to be able to offer it to everyone.

You might be wondering how we’re able to do this. You can read all the details in our blog post. If you’re a Mac app developer, you’ll want to read it too! We have something special just for you. :D

If you own the AgileBits Store version of 1Password for Mac and are excited to set up iCloud sync RIGHT NOW, our User Guide will help you.

Access all your Teams vaults

If you’ve been waiting to sign up for 1Password for Teams Beta, now’s a great time.  You can easily add your team to 1Password 6 for Mac. It even has a Teams-only mode, so if you’ve never used 1Password before, it’s easier than ever to get started on your Mac.
Teams preferences

All this can be yours for the low low price of…

Zero! Zip! Zilch! We’re thrilled to say that 1Password 6 is a free update for all 1Password 4 and 1Password 5 for Mac owners.  If you already own a license for 1Password, you can check for updates from within 1Password to upgrade to version 6. The AgileBits Store version is available now, and we’ll hit the “Publish” button on the Mac App Store version just as soon as it’s approved!

If you want to know all the details about the shiny new awesome, read the full release notes.

DevBits header

AgileCloudKit: iCloud Sync Gets Its Wings

At the last WWDC, Apple announced some changes to CloudKit, the technology that enables an app to sync with iCloud. As many of you know, it was previously impossible for non-Mac App Store apps to sync with iCloud. The changes that Apple made to CloudKit have opened up some really exciting possibilities, and today, we’re happy to announce that we have been able to implement iCloud sync in the AgileBits Store version of 1Password.

1Password 6 for Mac Sync Preferences (iCloud)

Wait…what?

1Password uses the CloudKit API to sync your data with iCloud. In OS X 10.10 Yosemite, the CloudKit framework provided by Apple did all the heavy lifting by communicating with Apple’s servers for the app, but it was only available for apps that were codesigned by the Mac App Store. This meant that only the Mac App Store version of 1Password could sync with iCloud.

You can read more about this in the post that Roustem wrote last fall.

What’s changed?

CloudKit is still the way that developers access the iCloud database, but Apple has provided a brand new way of accessing their CloudKit servers: CloudKit web services. CloudKit web services allows apps to access CloudKit via a really nice web framework called CloudKit JS. When these changes were announced at WWDC, we were excited to start working with this new framework to see what possibilities it would present. Ultimately, CloudKit JS enabled us to support iCloud sync in our AgileBits Store version of 1Password.

[Update] If you are a Mac app developer, and would like to use AgileCloudKit so that your app can sync with iCloud, your app must also be in the App Store. Your customers, however, will now be able to choose whichever version they want.

How did we do it?

To make sync as seamless and stable as possible we wanted to make very few changes to the existing sync code in 1Password. We felt the best way to do that was to make a framework that looks and acts like Apple’s native CloudKit framework, but uses the CloudKit web services. This means 1Password can use Apple’s native CloudKit framework in the Mac App Store version, and our new AgileCloudKit framework in the AgileBits Store version.

There are a lot of internal differences between native CloudKit and CloudKit web services. CloudKit web services relies on JavaScript but native CloudKit uses Cocoa classes for data storage, so we knew that we couldn’t reuse the existing code without something to translate the requests and data back and forth.

In order to talk to Apple’s servers, we needed a mediator. Adam Wulf and I created a class that takes native CloudKit API calls, translates them to web service API calls, and translates the responses back to native Cocoa code. The 1Password sync code is now completely ignorant as to whether it’s connecting to native CloudKit or CloudKit web services. This means that 1Password can find your data in iCloud, whether you’re using the Mac App Store version or the AgileBits Store version. We’re extremely pleased with this outcome!

From our customers’ point of view, iCloud Sync in the AgileBits Store version of 1Password will look a little bit different during the initial setup. CloudKit JS does not use the iCloud settings from OS X, so to authenticate with Apple, 1Password will prompt you to log in to your iCloud account by displaying the iCloud login page in your default web browser. Once you have logged in to your iCloud account, CloudKit web services sends an authentication token back to 1Password, which it then stores (securely, of course). This enables 1Password to sync with iCloud without having to reauthenticate each time. Since the iCloud login for CloudKit JS is completely separate from the iCloud settings in OS X System Preferences, you can even use a completely different iCloud account if you like!

1Password 6 for Mac iCloud auth

Share the knowledge

One of the challenges we faced when developing this framework was that no one else seemed to be working on this particular problem yet. We want AgileCloudKit to continue to grow and improve and we can think of no better way to ensure that than to release it as open source. We are currently busy prepping it for release and plan to have more information (including a release date) soon. If you’re interested in learning more about this framework, reach out to us at support+agilecloudkit@agilebits.com.

To everyone at Apple who worked hard to make this new functionality possible: thank you. You’re awesome.

Shield Security header

When a Leak Isn’t a Leak

Over the weekend Dale Myers wrote a blog post that examined our .agilekeychain format. The post featured a good discussion and analysis of our older data format, but it raised some questions among 1Password users and the wider technology community.

Dale states that he plans to continue using 1Password and has no concerns over the safety of his passwords themselves, but his main concern was how the AgileKeychain handles item URLs. While we widely documented this design decision and shared it publicly, Dale was surprised to find out that we didn’t encrypt URLs within the keychain. We want to reassure users that rely on AgileKeychain that their password data is safe and secure, and take the time to walk through our data formats to explain the issue completely.

AgileKeychain & OPVault Data Formats

Back in 2008, we introduced the AgileKeychain as a way to help our users better synchronize data across platforms and devices. At this time, 1Password had significantly less processing power to draw from for tasks like decryption, and doing something as simple as a login search would cause massive performance issues and battery drain for our users. Given the constraints that we faced at the time, we decided not to encrypt item URLs and Titles (which resembled the same sorts of information that could be found in browser bookmarks).

In December 2012, we introduced a new format that encrypted much more of the metadata. OPVault, our newer and stronger data format, provided authenticated encryption as well as many other improvements for 1Password users.

This format worked well in situations where we didn’t need to worry about backwards compatibility, including iCloud and local storage on iOS and Mac. For Windows, Android, and Dropbox syncing, however, we needed to decide if we should migrate to the new format or provide compatibility with older versions of 1Password.

We decided to take a conservative approach and not automatically migrate everyone over to OPVault because many users depend upon older versions of 1Password and they wouldn’t be able to log into their accounts. We knew we could trust the security of the AgileKeychain to protect confidential user data so we didn’t want to rush into something that would disrupt people’s workflows.

Switching to OPVault

Despite the security of AgileKeychain remaining intact, Dale reminded us that its time to move on. The OPVault format is really great in so many ways and we should start sharing it with as many users as possible.

We’ve already started making changes to use OPVault as the default format. In fact, the latest beta of 1Password for Windows does this already. Similar changes are coming to Mac and iOS soon, and we’re planning on using the new format in Android in the future. Once all of these things are complete, we will add an automatic migration for all 1Password users. For users who would like to switch to OPVault sooner than this, here’s how you can get started immediately:

To avoid losing access to your data, be sure to back up your 1Password data beforehand, and only follow these instructions if you are NOT using any legacy versions of 1Password. If you have any questions or concerns, or would like to migrate but aren’t sure if your version of 1Password is affected, our knowledgebase, forums and support team are here to help.

1Password 5 for Mac logo

1Password 5.4 for Mac: The Convenience Edition

Picture this. You’re on your Mac, and this website is asking you to enter particular characters from your password. But your password is 50 characters of 1Password-generated gibberish; how are you supposed to find the 5th, 14th, and 32nd characters without losing your place? Wouldn’t it be amazing if 1Password could make it just a little bit easier for you?

Picture this. You’ve just found out about the great Multiple Vaults feature and excitedly set up a vault to share with your family. Awesome. But sometimes, secondary vault passwords need to be changed. Wouldn’t it be cool if 1Password made it easy for you to do that?

As of today, it can. And it does. You’ll find these and other new convenience and security features in 1Password 5.4 for Mac: The Convenience Edition, ready to download right now in the Mac App Store and from our website. Read on for the lovely details, then sally forth and download—for the low, low price of free, if you’ve already bought 1Password 5 for Mac.

Large type option now available for passwords

Easily enter specific characters from your password with the new Large Type feature. Selecting this option for your password will display it in big, friendly, colour-coded letters on your screen.

1Password 5.4 for Mac: Large Type

You already know that you can hover over a password in an item’s detail view to copy or reveal it. You’ll see the new large type option in that same menu, always within easy reach.

1Password 5.4 for Mac: Large Type menu option

This feature is also great if you need to enter your Apple ID password on the Apple TV across the room or give guests access to your home Wi-Fi network.

Change the password of a secondary vault

Since your 1…Password (that never gets old around here) unlocks your primary vault and your secondary vaults, it’s very easy to create a secondary vault and never think about its password again. Until now, changing that secondary vault password meant basically recreating the vault.

We’ve made things much more convenient for you in 5.4: you can now change the secondary vault password at will. While you’re at it, don’t forget that it’s a good idea to save this password in your primary vault; since you don’t use it all the time, it’s easy to forget! If you’ve already done that, fantastic! Don’t forget to update that item when you change the secondary vault’s password. =)

A view from the top

Did you know that 1Password for Mac offers multiple layouts? The default is a three-column view, but there’s also a “top” layout option. If you’re a fan of the classic Mail.app layout, you’ll like this one. You can try it out by selecting the View > Item List Layout > Top menu option. We’ve made some improvements to this view in 5.4, all based on your feedback. Thanks for your help!

A new layer of security

We all rely on 1Password to keep our secrets secure. In the 5.4 update for 1Password for Mac, our developers have made 1Password securer than ever by adding a new secret agent to safeguard the communication between 1Password and your web browser.

Safari 9 in Yosemite and El Capitan includes important security updates that address the XARA vulnerability, so please update to the latest Safari and to El Capitan as soon as possible. Our 1Password update works hand in hand with Apple’s OS X security updates to ensure that cross-process communication between 1Password and the web browser in OS X remains secure and properly authenticated.

Because this is a brand new way for the various bits of 1Password to talk to each other, it currently requires the beta browser extension. We’d love your help in ensuring that we didn’t break anything. It’s easy: simply use 1Password in your web browser as you normally do, and let us know if something unexpected happens. If you’re interested in helping us out, please install the 1Password beta extension in your web browser and let us know how things are working in our forums. Thanks very much!

We thank Apple for giving us the tools we need to keep 1Password secure. We’ll have a blog post coming later today explaining the details of this important fix.

But wait, there’s more!

You can find the entire list of new features, improvements, and bug fixes in the release notes.

1Password 5.4 for Mac is available now as a free update if you already have a 1Password 5 for Mac license (or downloaded 1Password 5 from the Mac App Store). Choose the 1Password 5 > Check for Updates menu option, or grab the new version from our downloads page. If you are a Mac App Store customer, the update will download automatically or appear on the Updates tab in the App Store app, depending on your settings.

Got feedback? We’d love to hear from you. Add a comment here or in our discussion forums, or start a conversation with us on Twitter, ADN, or Facebook.

Featured Image: Google Chrome (Scenery)

Adventures in beta testing, continued: Google Chrome Canary

Or, If you’re living on the bleeding edge, expect some paper cuts.

The Chromium team (the open-source project behind Google Chrome) is doing an amazing job of constantly moving the web forward and making the web a safer place for users of Google Chrome.

Recently, many users of the latest pre-release versions of Google Chrome have notified us that the 1Password extension refuses to work in OS X and Windows, showing the following error message:

1Password extension looking for app

What is going on?

The Google Chrome developers have started implementing changes to the types of connections extensions are allowed to establish. These changes are part of a larger and more complex plan to harden Google Chrome against certain kinds of web-based attacks (like cross-site request forgery attacks), in which a malicious website or extension attempts to compromise internal network devices and processes listening on the localhost IP address.

Unfortunately, in the process of implementing these new security measures, something was broken in a way that results in many Chrome extensions, including 1Password, not working anymore in the Canary build and the dev channel of Chrome.

What seems to be the issue?

The 1Password web browser extension needs to communicate with a helper process that runs in the background to access your 1Password data (1Password mini in OS X and 1Password Helper in Windows). This is facilitated by establishing WebSocket protocol connections at the localhost address of a computer. WebSocket connections are similar to the typical HTTP requests your web browser performs when visiting a website.

The way we understand the current situation is this:

  1. An extension tries to open a ws:// (WebSocket) connection.
  2. Chrome recognises the chrome-extension protocol and checks whether the connection attempt has a secure origin.
  3. If Chrome determines that the connection is not secure, it rejects the attempt and any further connection requests are never even attempted beyond that.

In the case of 1Password, this results in the extension thinking that the 1Password application does not exist on the PC/Mac in the first place or that something is blocking the WebSocket connection.

What is going to happen?

This is an ongoing issue that we’re still investigating but so far it is clear that the Chromium development community has recognised that many extensions communicate with host applications using WebSocket and other protocols. To our current knowledge, they are treating this issue as a regression in need of fixing, but any fix requires careful consideration in light of their efforts to increase security.

There are various active discussion threads and bug reports related to this situation in the Chromium project. To name only a few:

What to do now?

Testing pre-release software can be fun and is incredibly useful for the developers of that software and the developers of apps that interact with it — seriously, we love our beta testers. 1Password supports the latest stable builds of Safari, Chrome, Firefox, and Opera. While we make every effort to maintain compatibility with Beta, Dev, Nightly, Canary builds or other birds or browsers, we can’t guarantee that 1Password will always work as browsers go through their various development and release cycles.

If 1Password is as essential to your daily life as it is to ours, our suggestion is to temporarily return your browser to the stable version and check out the new Canary build/dev channel releases in a week or two — did I mention how much we appreciate beta testers sending in feedback? If you do want to live on the bleeding edge, please be aware of the potential for bugs in development and public beta versions of browsers and software in general and be patient with the developers of browsers, apps, and extensions as they negotiate a shifting landscape. We’ve added the article, “Prerelease (beta, dev, nightly) browser builds,” to our knowledge base to keep you apprised of any issues with unfinished versions of browsers.

As with any other questions regarding 1Password, please sound off about any issues you run into when using 1Password with pre-release versions of browsers in our discussion forums.

1Password 5 for Mac logo

Adventures in beta testing: 1Password, El Capitan, and iOS 9

Let’s talk about betas. Specifically, let’s talk about Apple’s operating system betas. It used to be that you had to be an active member of the Apple Developer Program to get access to the betas. Last year, Apple launched a beta software program that enables anyone to sign up to test-drive pre-release versions of OS X. This year, for the first time, anyone can sign up to evaluate iOS 9 beta in addition to OS X 10.11 El Capitan beta.

Newshiny

There’s something thrilling about using beta software. It’s exciting to experience the software development process, with frequent updates that fix and improve things before our very eyes. It’s gratifying to participate in that process, seeing our bug reports get resolved and change requests considered and sometimes implemented. I don’t know about you, but I love feeling like I’ve helped make an improvement from which everyone using the software will benefit.

Hark, the cheers from developers far and wide

One of the most difficult things for software developers is getting the feedback they need before an application version goes public. This is because the pool of beta testers is generally so small. We could think everything is just fine, and then it gets out there and—BOOM—suddenly there are all these edge cases that never came up during the beta, because there are so many more people using it.

Public betas can be a real boon to developers, in that they help to increase the size of the beta pool and the degree to which the beta application is tested.

Hard hats required

under construction

Perhaps you remember those “Under construction” images from the early days of web publishing? It’s a very real metaphor for beta software. The most important thing to remember1 is that beta software is incomplete. Some things will not be implemented yet, some will be broken, and some may cause unexpected system kerfufflery.

Here are a few tips to help make your beta experience safe and enjoyable:

Spare a square

Ideally, beta software should be installed on spare hardware. If you have only one Mac, you can install El Capitan beta on separate partition of your Mac’s hard drive. If the iPhone you use every day is your only iOS device, it’s probably best not to install iOS 9 beta. If you have a non-critical iPad or an iPod touch, that would be a good place to install the beta.

Back that thang up

I know some of you are going to ignore me completely and install the betas on your mission-critical devices. Before you do that, please make sure to create a reliable backup!

We hear you

Your feedback is indispensable. If you notice anything wonky, be sure to report it to developers. I’ve seen beta issues reported in App Store reviews. While developers certainly read those and learn from them, they have no way of reaching out to the customer to help. It is best to contact developers directly with your beta feedback.

If you’re using 1Password beta, we have dedicated beta discussion forums. The beta forums are monitored by our developers and our support team is around to help you seven days a week!

If something you report isn’t immediately addressed, don’t worry. Developers may not be able to do anything about it just yet. Rest assured that the issue will be resolved as quickly as possible.

1Password 5, El Capitan, and iOS 9

I’m happy to tell you that we have thus far encountered no major issues in our testing. I have noticed a couple of graphical and layout issues in El Capitan beta, but it’s too early to tell whether the issues are in 1Password 5 for Mac or in El Capitan beta. We don’t want to spend time fixing something that may not actually be broken on our end, so for the moment we’re waiting to see how things pan out. We’ve documented the issues so we don’t lose track of them.

How to test 1Password beta for Mac

You are warmly invited to join our family of beta testers. The more, the merrier! 1Password 5.4 beta for Mac doesn’t require El Capitan beta, but it does require that you use the AgileBits Store version of 1Password, not the Mac App Store version. It’s very easy to switch over, but you will not be able to sync with iCloud.

How to test 1Password beta for iOS

Apple’s TestFlight Beta Testing program enables developers to extend a limited number of invitations to customers. There has been a great deal of interest in 1Password beta for iOS, and we are not looking for additional testers at this time. You can be the first to hear about opportunities to join our beta family for iOS by following @1PasswordBeta on Twitter.

1Password beta for Mac does not require 1Password beta for iOS.

1Password happy face

Have fun!

I lied earlier. The most important thing is to have fun, but keeping in mind the foibles of beta software and protecting yourself against them are a close second. =)

DevBits header

Debugging Next Key View Loops

When you create a window and populate it with views, AppKit automatically links your controls into a tab loop by setting the nextKeyView property on each view. This process is handled by the recalculateKeyViewLoop method inside NSWindow. The order of your views in this loop is based on the geometric location of each view in the window. Most of the time, this automatic mechanism works great, and you don’t have to think about it. But sometimes a window is too complex, and the automatic method produces incorrect results. When this happens, manual adjustment of the nextKeyView loop is required.

This is the situation we faced with the item detail view in 1Password for Mac 5. The detail view consists of a view-based NSTableView with multiple custom cell views. During the development of this view, we were constantly breaking the nextKeyView loop. Every time a new text field was added, or a button moved, some part of the nextKeyView loop would invariably break.

To make this debugging simpler, we wrote a utility class to visually overlay nextKeyView information on top of the detail view. Here is how it works.

The header

Let’s start with the header (.h):

//
//  OPTestKeyLoopView.h
//

#import <Cocoa/Cocoa.h>

@interface OPTestKeyLoopView : NSView

+ (void)enableForView:(NSView *)startView;
+ (void)disable;

@end

The header provides a simple interface to enable and disable key loop debugging on a particular view. OPTestKeyLoopView is a Singleton, so these methods operate on the Class.

Private class to store visual overlay info

Moving on to the implementation (.m):

First, let’s define a simple private class used to store the visual overlay information about a particular view.

//
//  OPTestKeyLoopView.m
//

#import "OPTestKeyLoopView.h"


@interface OPTestKeyView : NSObject

@property (nonatomic, strong) NSString *title;
@property (nonatomic, strong) NSString *subtitle;
@property (nonatomic, strong) NSColor *color;
@property (nonatomic, strong) NSFont *font;
@property (nonatomic, assign) NSRect frame;

@end


@implementation OPTestKeyView

@end

This class doesn’t do anything other than store the properties of a view overlay.

OPTestKeyLoopView implementation

Next, we begin implementing OPTestKeyLoopView by writing the Singleton and Class methods.

@interface OPTestKeyLoopView ()

@property (nonatomic, strong) NSView *rootView;
@property (nonatomic, strong) NSMutableArray *keyViews;
@property (nonatomic) NSRect rootFrame;

@end


@implementation OPTestKeyLoopView

+ (OPTestKeyLoopView *)sharedTestKeyLoopView {
    static OPTestKeyLoopView *sharedView = nil;
    
    static dispatch_once_t onceToken;
    dispatch_once(&onceToken, ^{
        sharedView = [[self alloc] init];
        sharedView.autoresizingMask = NSViewWidthSizable | NSViewHeightSizable;
    });
    
    return sharedView;
}

+ (void)enableForView:(NSView *)startView {
    [self sharedTestKeyLoopView].rootView = startView;
    [[NSNotificationCenter defaultCenter] addObserver:[self sharedTestKeyLoopView] selector:@selector(mainWindowFlagsChanged:) name:OPMainWindowFlagsChangedNotification object:nil];
}

+ (void)disable {
    [self sharedTestKeyLoopView].rootView = nil;
    [[self sharedTestKeyLoopView] clear];
    [[NSNotificationCenter defaultCenter] removeObserver:self];
}

Sidebar: OPMainWindowFlagsChangedNotification

This is a good time to pause and talk about the OPMainWindowFlagsChangedNotification notification. We want our overlay to appear when you press the Option key. The standard way to catch an Option key down event is to override

- (void)flagsChanged:(NSEvent *)theEvent

in your NSWindow or NSWindowController subclass. In our case, our window controller overrides this method and posts a notification so that other parts of the UI can easily respond to modifier key events. Here is what it looks like:

// From our NSWindowController subclass
- (void)flagsChanged:(NSEvent *)theEvent {
    [super flagsChanged:theEvent];
    [[NSNotificationCenter defaultCenter] postNotificationName:OPMainWindowFlagsChangedNotification object:nil];
}

Add the notification handler

Moving back to the implementation of OPTestKeyLoopView, next we’ll add the notification handler:

- (void)mainWindowFlagsChanged:(NSNotification *)aNotification {
    NSUInteger modifierFlags = ([NSApp currentEvent].modifierFlags & NSDeviceIndependentModifierFlagsMask);
    if (modifierFlags & NSAlternateKeyMask) {
        NSView *hitView = self.rootView;
        while (YES) {
            NSPoint mouse = [hitView convertPoint:[[self.rootView window] mouseLocationOutsideOfEventStream] fromView:nil];
            BOOL hitSubView = NO;
            for (NSView *subview in hitView.subviews) {
                if (subview == self) {
                    continue;
                }
                if (NSMouseInRect(mouse, subview.frame, hitView.isFlipped)) {
                    hitView = subview;
                    hitSubView = YES;
                    break;
                }
            }
            if (!hitSubView) {
                break;
            }
        }
        
        if (modifierFlags & NSShiftKeyMask) {
            [self showPreviousKeyViewLoopForView:hitView];
        }
        else {
            [self showNextKeyViewLoopForView:hitView];
        }
    }
    else {
        [self clear];
    }
}

This method checks for the Option key down and locates the furthest child view under the mouse. This child view will be the start of our next key view loop. Then we call a method to show the next key view loop overlay. If the shift key is also held down, we reverse the loop and show the previous key view loop.

Insert overlay view into view hierarchy

Next, we implement methods to insert our overlay view into the view hierarchy, and to build our list of keyViews. We do this by following the nextKeyView (or previousKeyView) property of the starting view and recording information about each view we encounter.

- (void)insertIntoViewHirarchy {
    if (self.superview) {
        [self removeFromSuperview];
    }
    self.frame = [[[self.rootView window] contentView] frame];
    [[[self.rootView window] contentView] addSubview:self positioned:NSWindowAbove relativeTo:nil];
}

- (void)showPreviousKeyViewLoopForView:(NSView *)startView {
    [self insertIntoViewHirarchy];
    
    if (!self.keyViews) self.keyViews = [NSMutableArray new];
    [self.keyViews removeAllObjects];
    
    NSLog(@"+++PreviousKeyViewLoop");
    NSView *view = startView;
    NSMutableSet *visitedViews = [NSMutableSet new];
    NSInteger num = 0;
    do {
        NSRect frameInWindow = [view convertRect:view.bounds toView:nil];
        OPTestKeyView *keyView = [[OPTestKeyView alloc] init];
        keyView.frame = [self convertRect:frameInWindow fromView:nil];
        keyView.title = [NSString stringWithFormat:@"%ld", num];
        keyView.color = [NSColor redColor];
        keyView.font = [NSFont fontWithName:@"Menlo" size:12];
        
        NSLog(@"%ld %@", num, [view className]);
        [self.keyViews addObject:keyView];
        
        [visitedViews addObject:view];
        view = view.previousKeyView;
        num--;
    } while (view && ![visitedViews containsObject:view]);
    NSLog(@"---");
    
    self.rootFrame = [self convertRect:[startView convertRect:startView.bounds toView:nil] fromView:nil];
    [self setNeedsDisplay:YES];
}

- (void)showNextKeyViewLoopForView:(NSView *)startView {
    [self insertIntoViewHirarchy];
    
    if (!self.keyViews) self.keyViews = [NSMutableArray new];
    [self.keyViews removeAllObjects];
    
    NSLog(@"+++NextKeyViewLoop");
    NSView *view = startView;
    NSMutableSet *visitedViews = [NSMutableSet new];
    NSInteger num = 0;
    do {
        NSRect frameInWindow = [view convertRect:view.bounds toView:nil];
        OPTestKeyView *keyView = [[OPTestKeyView alloc] init];
        keyView.frame = [self convertRect:frameInWindow fromView:nil];
        keyView.title = [NSString stringWithFormat:@"%ld", num];
        keyView.color = [NSColor blueColor];
        keyView.font = [NSFont fontWithName:@"Menlo" size:12];
        
        NSLog(@"%ld %@", num, [view className]);
        [self.keyViews addObject:keyView];
        
        [visitedViews addObject:view];
        view = view.nextKeyView;
        num++;
    } while (view && ![visitedViews containsObject:view]);
    NSLog(@"---");
    
    self.rootFrame = [self convertRect:[startView convertRect:startView.bounds toView:nil] fromView:nil];
    [self setNeedsDisplay:YES];
}

- (void)clear {
    [self.keyViews removeAllObjects];
    [self removeFromSuperview];
}

Draw the overlay

Now that we have overlay information to display, and our OPTestKeyLoopView is in the view hierarchy, we can draw the overlay.

- (NSDictionary *)attributesWithFont:(NSFont *)font color:(NSColor *)color {
    NSMutableParagraphStyle *paragraphStyle = [[NSParagraphStyle defaultParagraphStyle] mutableCopy];
    [paragraphStyle setAlignment:NSCenterTextAlignment];
    [paragraphStyle setLineBreakMode:NSLineBreakByTruncatingTail];
    [paragraphStyle setLineSpacing:0];
    
    NSDictionary *attributes = [[NSDictionary alloc] initWithObjectsAndKeys:
                                font, NSFontAttributeName,
                                color, NSForegroundColorAttributeName,
                                paragraphStyle, NSParagraphStyleAttributeName, nil];
    return attributes;
}

- (void)drawRect:(NSRect)dirtyRect {
    if (self.keyViews.count > 0) {
        [[NSColor colorWithDeviceRed:1 green:0 blue:0 alpha:0.03] set];
        NSRectFillUsingOperation(self.rootFrame, NSCompositeSourceOver);
    }
    
    for (OPTestKeyView *keyView in self.keyViews) {
        [keyView.color set];
        [NSBezierPath setDefaultLineWidth:0.5];
        [NSBezierPath strokeRect:NSOffsetRect(NSIntegralRect(keyView.frame), 0.25, 0.25)];
        NSDictionary *attributes = [self attributesWithFont:keyView.font color:keyView.color];
        NSSize size = [keyView.title sizeWithAttributes:attributes];
        NSRect textRect = NSIntegralRectWithOptions(NSInsetRect(keyView.frame, (keyView.frame.size.width - size.width)/2, (keyView.frame.size.height - size.height)/2), NSAlignMinXOutward|NSAlignMaxXInward|NSAlignMinYOutward|NSAlignMaxYInward);
        [[NSColor whiteColor] set];
        NSRectFill(textRect);
        [keyView.title drawInRect:textRect withAttributes:attributes];
    }
}

In drawRect: we loop through our keyView array and draw the overlay information for each keyView.

Tidy up

Lastly, we do some housekeeping by making sure our OPTestKeyLoopView is non-opaque and does not respond to mouse clicks.

- (BOOL)isOpaque {
    return NO;
}

- (NSView *)hitTest:(NSPoint)aPoint {
    return nil;
}

@end

Here is what this looks like in action:

Debugging Next Key View Loops

Here is the code contained in this article (under an MIT license):

We’ve found this technique extremely useful when dealing with complex windows, and we hope you find it helpful too.

Security

1Password inter-process communication: a discussion

Recently, security researcher Luyi Xing of Indiana University at Bloomington and his co-authors released the details of their research revealing security vulnerabilities in Apple’s Mac OS X and iOS that allow “a malicious app to gain unauthorised access to other apps’ sensitive data such as passwords and tokens for iCloud, Mail app and all web passwords stored by Google Chrome.”  It has since been described in the technology press, including an article in the Register with a somewhat hyperbolic title. I should point out that even in the worst case, the attack described does not get at data you have stored in 1Password.

The fact of the matter is that specialized malware can capture some of the information sent by the 1Password browser extension and 1Password mini on the Mac under certain circumstances.  But roughly speaking, such malware can do no more (and actually considerably less) than what a malicious browser extension could do in your browser.

For 1Password, the difficulty is in fully authenticating the communication between the 1Password browser extension and 1Password mini; however, this problem is not unique to 1Password. The difficulty of securing inter-process communication on the operating system is a problem system-wide. A recent paper, “Unauthorized Cross-App Resource Access on MAC OS X and iOS” (PDF),  by Luyi Xing (Li) and his colleagues shows just how difficult securing such communication can be. Since November 2014, we’ve been engaged in discussion with Li about what, if anything, we can do about such attacks. He and his team have been excellent at providing us with details and information upfront.

As always, we are limited in what we can do in the face of malware running on the local machine. It may be useful to quote at length the introduction of that article

I have said it before, and I’ll say it again: 1Password […] cannot provide complete protection against a compromised operating system. There is a saying […] “Once an attacker has broken into your computer […], it is no longer your computer.” So in principle, there is nothing that 1Password can do to protect you if your computer is compromised.

In practice, however, there are steps we can and do take which dramatically reduce the chances that some malware running on your computer [could obtain your 1Password data].

That was written more specifically about  keystroke loggers, and there are some things that set the new attack apart. Like superficial keystroke loggers it doesn’t require “admin” or “root” access, but they were able to sneak a proof of concept past Apple reviewers.

The threat

The threat is that a malicious Mac app can pretend to be 1Password mini as far as the 1Password browser extension is concerned if it gets the timing right. In these cases, the malicious app can collect Login details sent from the 1Password browser extension to the fake 1Password mini. The researchers have demonstrated that it is possible to install a malicious app that might be able to put itself in a position to capture passwords sent from the browser to 1Password.

Note that their attack does not gain full access to your 1Password data but only to those passwords being sent from the browser to 1Password mini. In this sense, it is getting the same sort of information that a malicious browser extension might get if you weren’t using 1Password.

Background

1Password provides its own security. What I mean by this is that for the bulk of what we do, we don’t generally rely upon security mechanisms like sandboxing or iOS Keychain. So it doesn’t matter whether those sorts of security measures provided by the operating system fail.

The careful reader will note, however, that I used phrases like “for the bulk of what we do” and “don’t generally rely upon” in the previous paragraph. There are some features and aspects for which some of 1Password’s security makes use of those mechanisms, and so vulnerabilities in those mechanisms can allow for harm to us and our customers.

1Password mini listens to the extension

Application sandboxing is a good thing for security. But it limits how the 1Password browser extension can actually exchange data with 1Password itself. Indeed, the extension (correctly) has no direct access to your data. Keeping your data out of the browser (a relatively hostile environment) is one of our security design choices. But this does mean that the 1Password browser extension needs to find a way to talk to something that does actually manage your data. 1Password mini (originally the 1Password Helper) was invented for this purpose.

One of the few ways that a browser extension can communicate locally is through a websocket. Browser extensions are free to talk to the Internet as a whole, but we certainly don’t want our browser extension doing that; we only want it talking to 1Password locally. So we restrict the browser extension to only talking to 1Password mini via a local websocket.

Mutual authentication

Obviously we would want 1Password mini and the browser extension to only talk to bona fide versions of each other, so this becomes a problem of mutual authentication. There should be some way for 1Password mini to prove to the extension that it is the real one, and there should be a way for the browser extension to prove to 1Password mini that it is a real 1Password browser extension.

The difficulty that we face is that we have no completely reliable mechanism for that mutual authentication. Instead, we employ a number of separate mechanisms of authentication, but each has its own limitations. We have no way to guarantee that when the browser extension reaches out to 1Password mini it is really talking to the genuine one.

There are a number of checks that we can (and do) perform to see if everyone is talking to who they think they are talking to, but those checks are not perfect. As a result, malware running on your Mac under your username can sometimes defeat those checks. In this case, it can pretend to be 1Password mini when talking to the browser extension and thus capture any information sent from the 1Password browser extension that is intended for the mini.

What can be done

Neither we nor Luyi Xing and his team have been able to figure out a completely reliable way to solve this problem. We thank them for their help and suggestions during these discussions. But, although there is no perfect solution, there are things that can be done to make such attacks more difficult.

What you can do

1. Check “Always Keep 1Password Mini Running” in Preferences > General

In the specific attack that Luyi Xing demonstrates, the malicious malware needs to be launched before the genuine 1Password mini is launched. By setting 1Password mini to always run, you reduce the opportunity for that particular attack.

keep mini running

 

 

2. Keep using the 1Password browser extension

Although what is described is an attack against the communication between 1Password mini and the browser extension through specialized malware, using the 1Password browser extension protects you from a more typical malware attack of pasteboard/clipboard sniffers. Likewise, the 1Password extension helps fend off phishing attacks because it will refuse to fill into pages that don’t match the domain for your saved Logins.

Quite simply, the 1Password extension not only makes life easier for you, but it is an important safety feature on its own.

3. Pay attention to what you install

As always be careful about what software you run and install on your system. On your Mac, open System Preferences > Security & Privacy > General. You’ll see an Allow apps downloaded from: setting there. We strongly recommend confirming that this setting is configured so that only apps from trusted sources can be opened. You can read more about the setting and its options on Apple’s support site.

Now Xing and his team point out that this isn’t a guaranteed way to prevent malware being installed. They were able to get a malicious app approved by the Mac App Store review process. However, I think it is reasonable to assume that now that Apple reviewers know what to look for, it will be much harder for that specific kind of malware to get through.

What we can do

There are additional (defeasible) mechanisms that we can add to our attempts at mutual authentication between the extension and 1Password mini. I will briefly mention a few that we’ve considered over the years.

Encryption with an obfuscated key

One option is to have a shared obfuscated key in both 1Password mini and the extension. (Remember that the browser extension never sees your Master Password so any secret it stores for authentication cannot be protected by your Master Password.)

Obfuscation only makes things harder for attackers until someone breaks the obfuscation, and every system designer should assume that obfuscation will be broken. See our discussion of Kerckhoffs’ Principle in our article, “You have secrets; we don’t,” for some background on why we tend to be reluctant to use obfuscation. Of course, it may be warranted in the absence of a more effective alternative, so this remains under consideration.

In anticipation of a likely suggestion, I should point out that even the magic of public key encryption wouldn’t save us from having to rely on obfuscation here; but I will save that discussion for our forums.

Using the OS X keychain

Another option would be to store authentication secrets in the OS X keychain, so that both our browser extension and 1Password mini would have access to it. This could be made to work for authenticating 1Password mini to the extension for those browsers that allow easy use of the OS X keychain.

This might solve half the problem for some browsers, but to date we’ve been focusing on solutions that work across all of the browsers we support.

An extreme solution

In the extreme case, we could have some explicit pairing (sort of like Bluetooth) between 1Password mini and the extension.  That is, the browser extension may display some number that you have to type into 1Password mini (or the other way around).  With this user intervention we can provide solid mutual authentication, but that user action would need to be done every time either the browser or 1Password mini is launched.

Quite frankly, there is no really good solution for this. To date, our approach has been to put in those authentication checks that we have and keep an eye out for any hints of malware that exploits the known limitations of what we do.

Is 1Password for iOS affected?

The research paper isn’t limited to discussing inter-process communication (IPC) that is done through websockets, but covers a wide range of mechanisms used on Apple systems. This includes some mechanisms that we may use for some features in 1Password for iOS.

Shared data security

1Password for iOS shares some of its data with the 1Password app extension. As most of that data is encrypted with your Master Password, it is not a substantial problem if that data becomes available to attackers. The exception, of course, is the TouchID secret.

As yet, we have not had a chance to test whether there is any exposure there, but watch this space for updates.

Conclusion

We truly are grateful for the active security community, including Luyi Xing and his team, who take the time to test existing security measures and challenge us to do better. Our analysis of the researchers’ findings will continue and we will post an update if further action is necessary.

1Password tips

Quick Tip: Migrate your details between 1Password items

We all have our own ways of keeping things neat and tidy, and having something out of place can just throw your whole day out of whack. Luckily, 1Password mini can help you keep things organized just the way you like them.

Let’s say someone sends you the details for the Wi-Fi router at their house, but it’s in a Secure Note instead of the Wireless Router template for 1Password.

Wireless network data stored in a Secure Note

If you’re like me, this is the kind of thing that could make you a bit, well…

homer_go_crazy

So, let’s move the relevant data over to a new Wireless Router item and set things right with a few simple steps:

1. Create the new item

In 1Password, create a new item in the proper category. Launch 1Password, and choose File > New Item > Wireless Router. This is the new item where the previous Secure Note’s content will go. Leave this new item in edit mode.

Create a new Wireless Router item

2. Open the original item in 1Password mini and anchor it

Click the 1Password mini icon in the toolbar and search for or browse to the Secure Note containing the details you want to migrate to the new entry. Click the anchor button in the bottom left of the detail view to keep the item on screen.

Copy and paste the details

3. Copy and paste

At this point, you can copy and paste the relevant information from the original item. You can also create new sections and fields for any important information that doesn’t fit elsewhere. When you’re finished, save the new item.

4. Delete the original item

At this point, the original item is no longer needed and can be safely deleted.

5. Bonus points: share!

Share the new entry with the person who sent you the Secure Note version using the item’s Share button.

Share the item

This use case comes up for me more often than I would have thought in the past. The Wireless Router example is a real one from a recent trip to visit the team in our Toronto office. Beyond that, I have quite a few items I exported from Yojimbo long ago, and those only exported as plain text files. I imported those text files as Secure Notes in 1Password and I have been migrating them to proper 1Password entries here and there over time. Instead of switching back and forth between items in 1Password, using 1Password mini’s anchored windows helps to make the process of migrating data between categories a lot simpler.