Hi, I just noticed that the App Privacy Report on iOS only shows inappcheck(dot)itunes(dot)apple(dot)com as contacted domain and nothing else. I know that 1Password syncs properly on my device, but I’m curious if it shouldn’t show more contacted domains. 1Password Version: 8.10.23 Extension Version: Not Provided OS Version: iOS 17.3 Browser: Not Provided

Hello Damnatus! 👋 Thanks for the question! Apple's App Privacy Report is an iOS feature that reports and records data, sensor, and network activity from the apps that you use on your iPhone. I just took a look at mine and I see quite a few different connections listed for the 1Password app, although the date appears to be delayed by a few days for some of the domains. How long ago did you turn on App Privacy Report? Has it been more than seven days? If you'd like to know which domains 1Password uses, we've documented that here: 1Password ports and domains -Dave

Hi 1P_Dave, Hmm. Curious. I know about the help page regarding used domains by 1Password, but thanks for sharing! I have activated App Privacy Report since it’s introduction because I like to know what’s going on. I just noticed after updating to iOS 17.3 that the report only recorded said one domain. I’m not sure if after an update the App Privacy Report log is reset. And I think before the point three update it showed more connections. But not sure. The lack of recorded connected domains was just very obvious in 1P and I don’t know if it does affect other apps, but it doesn’t seem so. I’m more alerted about the possible unreliability of the App Privacy Report than 1Password, but I wanted to inform you, in case you can look into it even if it ends up to be an Apple issue. And if it is, I feel like that a company like AgileBits reporting it has more oomph than a single user. In case it is isolated, I will do the usual: soft reset, deactivate and reactivate App Privacy Report and lastly reinstall 1P. But since you mentioned that in your case there seems a delay, I will wait a week to see if it needs time after the update. If you want to look into it and need further info, let me know ☺️

Damnatus Thank you for the reply and for those details. It looks like the development team does have this issue in their backlog and early indications seem to point to iOS sometimes not recognizing network calls made by certain programming languages. 1Password is written in languages like Rust and Swift and it looks like certain calls from the non-Swift side of things aren't being recognized in certain situations. After seven days, can you post a screenshot of what you see for the 1Password app in the App Privacy Report? This would help us to better understand the issue and move the investigation forward. -Dave ref: dev/core/core#16937

Sure 1P_Dave! Will do! Thanks for letting me know that it is a known issue that is currently investigated. I’m a bit surprised that it apparently only needs non-Swift code to (accidentally in this case) circumvent a privacy/security feature, even if non-critical like the App Privacy Report. If true, I hope Apple will address it soon.

Damnatus Thanks for the reply. I've spoken to one of our developers and they confirm that, because our network code is written in Rust, App Privacy Report may not show all of 1Password's network traffic on that screen due to the App Privacy Report feature only reporting on certain types of network calls that 1Password doesn't rely on solely. Since we have an explanation for the behaviour, there's no need to provide a screenshot after seven days anymore. We have this filed internally. I'm not sure why the iOS feature doesn't report on all kinds of network calls and, since this is an Apple feature that we don't any control over, I would recommend that you report the issue to Apple as well. 🙂 -Dave

App Privacy Report for 1P only displays one contacted domain

15 Replies

1P_Dave
Moderator
2 years ago
Damnatus

That's great news. Thank you for letting me, and the rest of the community, know! 🙂

-Dave
Damnatus
Dedicated Contributor
2 years ago
1P_Dave just wanted to let you know that this issue has been resolved in iOS 17.5 (and corresponding updates) as CVE-2024-27807.
1P_Dave
Moderator
2 years ago
Thank you Damnatus. 🙂

-Dave
Damnatus
Dedicated Contributor
2 years ago
I can understand that 1P_Dave. Thank you for your patience. I have now asked Apple Security if sysdiagnose potentially collects third party app user data.

I will let you know when the case either gets closed or resolved.
1P_Dave
Moderator
2 years ago
Damnatus

Since Sysdiagnose isn't made by our team we're unable to provide advice on how to use it or analysis on the information that it collects. We don't want to give you incorrect information about another company's product, especially when that information concerns your privacy.

Reaching out to discuss this with the developer of the tool, Apple, is the best option. I'm sorry that I'm not able to help more.

-Dave
Damnatus
Dedicated Contributor
2 years ago
Hi 1P_Dave, yep read through the page carefully already ☺️ and got the Privacy Policy linked and that the logs „might contain personal information found on your device or associated with your iCloud accounts and/or Apple ID, including but not limited to your name, user name, email address, email settings, file paths, file names, downloads, your computer's IP addresses, and network connection“ and that they do not share with other companies. I think that this is the extend of detail I can expect.

Sure I can go through the logs, but as it is a systemwide log dump, that is practically not humanly doable for a person, especially when not knowing what to look for.

That’s why I asked if you or the iOS Dev Team maybe have more insight in regard to how sysdiagnose and 1Password interact in regards to personal information.

After looking at the Security Design White Paper again ( https://1passwordstatic.com/files/security/1password-white-paper.pdf#page18 ), there shouldn’t be much as authentication via biometrics is handled through Secure Enclave and only item overview is seen after authentication, but no item details are
decrypted until actively chosen and closing the app should clear temporary written data.
1P_Dave
Moderator
2 years ago
Damnatus

Thanks for the update! You can find more information about Sysdiagnose tool on Apple's website: Using Sysdiagnose to Troubleshoot iOS or iPadOS — Apple Device Support Tutorials | Apple Training

You're able to open the log and review it to see what it contains before sending it to Apple Support.

For details about what kind of information the tool collects I would reach out to Apple Support since they would be in the best position to answer those questions and to clarify how that information is handled according to their privacy policy.

-Dave
Damnatus
Dedicated Contributor
2 years ago
Hi 1P_Dave,

I’ve heard back from Apple with a request for video demonstrating the use of 1Password 8 and the App Privacy Report and then run sysdiagnose and send it too as they’re not able to reproduce it.

I haven’t used sysdiagnose and as you and/or your colleagues from the iOS Dev Team have way more experience with that, it would be nice if you could answer some questions.

My cursory research shows that it is diagnostic snapshot. I have not found info about how to end it but that it can take up to 10 Mins to collect the data.

Do you know what timeframe is logged?

As this is my private device, I feel hesitant in disclosing personal info, especially when it’s a sysdiag log around my password manager.

what is your/ the iOS Dev Teams experience with sysdiagnose logging around the 1Password app, specifically with potential personal info leakage into logs?

(There just recently has been a fix in iOS 17.3 where the phone number could be extracted through logs, so I’m just extra careful and try to cover my bases. Which is hard when being not a programmer but understanding just enough to know about the potential risks). I also know that Apple is usually decent in privacy preserving logging, but because a password manager is involved, I want to double check.

Thanks!
1P_Dave
Moderator
2 years ago
Damnatus

Thank you for reporting the iOS App Privacy Report issue to Apple! I'm not sure how they would classify this but, if you can, please do let me know if you hear back from them.

-Dave
Damnatus
Dedicated Contributor
2 years ago
Good to know 1P_Dave! I made a report to Apple and included the link to this thread. What I found curious was that the Feedback Assistant Website from Apple was blank after log in (probably bc I’m no registered dev or don’t use beta), so I made the report via the Security Bounty. Not sure if it qualifies for that, but as it is a Privacy feature partly circumvented, I felt it could be counted as vulnerability. What’s your take on that, if you don’t mind me asking.

Forum Discussion

App Privacy Report for 1P only displays one contacted domain

15 Replies

Featured discussions

November at 1Password: the Access-Trust gap, planning your estate, and an updated unlock experience

Recent discussions

When I enable passkeys on Amazon, my OTP is removed

Custom Templates

Passkeys Not Working on Android – Always Falls Back to Google, Despite Troubleshooting

When I open Safari on my iMac, the 1Password symbol on the toolbar does not have the lock symbol.

How to integrate Edge Browser