1Pal: a new jailbreak tweak for saving 1Password’s master password to the Keychain [updated]

By , Jan 10, 2014

1Pal

I know, I know. It’s very stupid to use any tweaks with something as crucial as 1Password. I know, I know, it’s identity theft waiting to happen.

Not exactly. 1Pal is a new jailbreak tweak that works in tandem with existing Touch ID tweaks like BioLockdown. It allows you to save the Master Password to iOS’ keychain for quick logins. Since the 1Password app itself is protected with Touch ID, the process is innately secure. The only real way this poses a security issue is if someone gains access to your fingerprint. Not impossible, but not exactly likely either.

At the end of the day, 1Pal is an awesome tweak for 1Password users. If you’re like me and you use 1Password each and every day, you’ll find 1Pal to be a real time saver.

Remember, you must have a Touch ID enabled device for this to work. Right now, only the iPhone 5s features Touch ID. Have a look at our video walkthrough inside as I showcase how it works.

Before you even think about installing 1Pal on your device, you need to have some sort of Touch ID protection tweak installed to protect individual applications. I highly recommend Ryan Petrich’s BioLockdown tweak. It allows you to protect specific apps using the Touch ID fingerprints already established on your iPhone 5s. There are other Touch ID protection tweaks available, but this one is by far the best in my opinion.

The next thing you need to do is to secure the BioLockdown Settings pane and the 1Password app using BioLockdown. You can verify this by trying to launch 1Password. If it forces you to verify with Touch ID before launching, then you’re good to go.

BioLockdown 1Pal

1Password should now be ready and waiting to store the password in iOS’ keychain. Once you do this, you’ll get a confirmation dialogue box, and you’ll be logged in.

1Pal Store Keychain

Now all you need to do is close out of 1Password, and reopen it. It should ask you for your Touch ID credentials first, and then log you right in, bypassing the Master Password page. That’s all there is to it; now you can quickly log in to 1Password using nothing more than your Touch ID verified fingerprint. Talk about a real time saver!

If at any time you’d like to delete your 1Password Master Password from the keychain, simply venture to 1Pal’s preference panel in the stock Settings app, and enable the toggle for Clear Keychain. Kill the 1Password app; reopen it, and then you should be met with a dialogue box stating that the password was deleted from the keychain permanently.

1Pal Reset

I know that some will still balk at the idea of saving such an important password in the device’s keychain, but remember, as long as you have your app secured using BioLockdown, your 1Password app and its contents should remain safe.

We are in no way recommending or condemning this tweak’s usage. It’s going to have to be your own personal choice. I will state that I trust the setup enough to use it and it’s saving me a load of time.

What do you think?

Note: in a previous update I noted that the green box surrounding the master password login was indicative of iPal’s presence. This actually isn’t the case. The green rectangle box was the result of the developer’s other Touch ID tweak, iTouchSecure. I’m in the testing stages with iTouchSecure, and will be back with a full review in a day or so. I apologize for any confusion.

Update: Unfortunately, after doing some more tinkering around to ensure the integrity of this tweak, I’ve stumbled upon a pretty big issue. As it turns out, placing the device in safemode will compromise the BioLockdown security for 1Password. This is an issue in itself, as I believe that BioLockdown (or BioProtect) should prevent access to the app even if safe mode is enabled, but this is not the stage for that discussion.

The big problem is that 1Pal essentially leaves your 1Password app completely exposed when in safe mode. This is because 1Pal still continues to work even with safe mode enabled. It would be nice if 1Pal refused to log in automatically with safe mode enabled.

It’s really a two-fold issue. When in safe mode, BioProtect and BioLockdown can’t communicate with SpringBoard and hence can’t provide the protection needed. Couple this with the fact that 1Pal continues to auto submit the master password from the keychain, logging you into 1Password automatically.

The reason why this is such a huge problem is because safe mode is relatively easy to achieve on a jailbroken device. In fact, sometimes the SpringBoard crashes and you enter safe mode inadvertently. Although the average person probably doesn’t know how to access safe mode, it’s still technically possible.

Until this issue is resolved in some manner, then I simply can’t recommend using 1Pal. It’s a great tweak, don’t get me wrong, but it’s hard to suggest using it at this point knowing that such a big flaw exists.

I’ll be sure to follow up once I hear from the developer.

  • Share:
  • Follow:
  • Casey H.

    I saw this in cydia, but I thought I would wait until trusty iDB told me all about it.

    • http://www.appcast.fm/ Jeff Benjamin

      That’s the spirit.

      • Lady GAGA

        I have no idea how I ended up here

      • 123bob

        Why is lady gaga here

      • Brandon Miranda

        And it appears he was right to wait Jeff! Nice work.

  • Bathplug

    What is this, amateur hour? I expect better quality videos in the future.

    • ✪ aidan harris ✪

      This has been debated many times in the past but people seem to prefer Jeff’s videos with the device visible like that rather than just recording the screen and adding it to an iPhone frame with a blurred background (which if you look on the myjailbreakmovies YouTube channel is what some videos were)…

    • Ali

      You don’t pay them to “expect” anything. Not much is going on at the moment, but they are trying to keep their blog active.

      • Kieran.Lillis

        What do you mean not much is going on at the moment?! The iOS 7 jailbreak was released less than a month ago and loads of new jailbreak tweaks are coming out!

    • http://www.appcast.fm/ Jeff Benjamin

      Okay, what would you suggest then hotshot?

      • Bathplug

        Not taking 15 seconds to kill an app.

      • http://www.appcast.fm/ Jeff Benjamin

        K, thank you for the feedback.

      • jack

        Jeff = monk

      • Guest

        I’m just kidding haha I edit src code

  • ✪ aidan harris ✪

    Does it work with BioProtect or is BioLockdown a requirement?

    • http://www.appcast.fm/ Jeff Benjamin

      Works with both; I just recommend BL.

    • Joel Thomas

      Works with BioProtect as well. According to the Cydia description, the dev tweets as well as Jeff’s piece here, it autochecks in the background if any Touch-ID authentication tweaks are installed (currently I only know of BioProtect and BioLockdown but presumably the way this documentation is worded implies he’ll add support for any other such utilities that may hit Cydia) and works in tandem with them.

      Frankly, you can even use 1Pal without Touch-ID as it provides a disable switch for that background check within 1Pal settings but honestly that just seems like a stupendously terrible idea from a security standpoint. But the option is there regardless if you want it. As far as I gather from the devs wording, 1Pal has no dependencies, but it’s designed to work in tandem with Touch-ID authentication, regardless of what tweak is implementing it.

      • http://www.appcast.fm/ Jeff Benjamin

        Yeah, I didn’t even mention that in the article, because I don’t want anyone to try that. That would be so incredibly dumb to leave 1PW exposed like that. :-D

  • Jeff Chow

    What I really want to see is 1Password integration into mobile Safari and Chrome. Hate going to other browsers and/or copy pasting from one app to another.

    • ✪ aidan harris ✪

      I use this bookmarklet but it’s still annoying having to switch between two apps:

      javascript:window.location=’onepassword://search/’+window.location.hostname

      • Jeff Chow

        Thanks! Didn’t know there was a bookmarklet. (Perhaps that’s how a devs can execute the 1Password macro). I think most the other steps are already possible with existing tweaks.

    • http://www.appcast.fm/ Jeff Benjamin

      Wholeheartedly agree. This would be amazing. But probably impossible. Prove me wrong!

      • Jeff Chow

        Maybe it can be a macro where it gets the site address, opens and logs into 1Password via TouchID, searches and copies the password and switche back toChrome/Safari and pastes it in.

      • lemonhead

        makros are so damn slow !
        it would be a way better idea to make a standalone tweak which has access to 1password & uses the autofill feature which is build into ios 7

    • Joel Thomas

      I concur with Aidan, the bookmarklet is the easiest way to transfer website data between safari and 1Password. I also agree with Aiden and Jeff that it’s still not perfect but it’s as good an implementation as we’re likely to get on iOS for now, they’re leveraging url schemes to transfer the data and iOS doesn’t really lend itself for deeper inter-app communication than that.

      The bookmarklet can be installed from within 1Password settings, they have a tutorial walkthrough for it. As for chrome, perhaps try typing in “op” before any url you want to send to 1Password then hit enter and it should launch right in the app. Again, not a perfect solution, but it’s workable.

      • Joel Thomas

        Ignore that last part regarding chrome, I can’t recreate it on my phone. I guess it’s only a safari thing.

  • hankdu

    Can someone just uninstall biolock down through Cydia and gain access to 1password that way?

    • http://www.appcast.fm/ Jeff Benjamin

      You should put a lock on Cydia as well.

      • hankdu

        I see. Thanks! Will give this tweak a go!!

      • Question

        Lol i’m wondering why jeff is replying to every comment here and realize that this about 1Password. Jeffs fav app :D

      • lemonhead

        just something to add…
        still could deinstall the tweak over terminal, so it wouldn’t be a bad idea to change the alpine password

  • Chris

    This tweak looks great but I for one wouldn’t trust my master password going into a lower grade 3DES encryption compared to 1Password 4 which uses HMAC-SHA256 on top of the U.S standard AES encryption.

    Don’t get me wrong I trust the keychain with my passwords but I would never trust it with a password that protects a whole range of information that includes account information, software licenses etc.

    Maybe I’m just paranoid but I believe the security caveats out-way the quick and easy shortcut this tweak gives you.

  • La Cucaracha

    I want a tweak that hides apps, pictures and videos when a passcode is used to unlock my phone. But everything would be visible if my phone was unlocked using the fingerprint scanner. Good idea??

    • ✪ aidan harris ✪

      So basically you want a blank homescreen with absolutely nothing visible when unlocking with a passcode and everything visible with touch ID? Just get a better passcode if you’re that paranoid…

      • La Cucaracha

        No lol my wife keeps on asking for my passcode and asks me to open the apps that i lock on biolockdown or else its world war 3

  • Jason

    I just installed this and now I cannot sync with Dropbox. Anyone else having this problem?

    • John Sklikas

      It’s not the result of the tweak. Dropbox was attacked by DDOS yesterday and all of the dropbox services are quite choppy today.

  • John Smith

    Waiting on a video for itouchsecure

  • http://twitter.com/jkldogg Instagram @jkldogg

    I have not, and NEVER will understand the point of “password manager” apps/services.

    I want to have a secure password and don’t ever want to get my information leaked/hacked into. Hmm, maybe I should give my passwords to a company to protect them for me! Wow, that makes sense! Maybe if I buy an app/service to do this for me it will make my passwords/information safer! This makes sense!

    OR…you can just keep them to yourself and not have some company auto-logging into your account for you and having all your personal information at their fingertips.

    • ✪ aidan harris ✪

      You seem to be under the impression that 1Password can access any of your passwords should they want to. This is a common misconception. Unlike services like iCloud keychain or Google Chrome Sync, etc 1Password has zero access to your password data. Theoretically if you use iCloud sync or Dropbox sync someone could gain access to your encrypted (the key word being encrypted) password data and try to brute force it to crack the encryption. This would likely take a long time, too much time…

      • http://twitter.com/jkldogg Youtube.com/slayerlife

        I’m not a programmer/hacker or anything so I don’t know how to read code and see what does what.All i’m saying is that I use common sense with my personal info. It isn’t wise to give out your passwords/credit card info to some random app to autofill it for you. That’s stupid and nothing can make me change my mind about it.

      • ✪ aidan harris ✪

        What about firewallIP? It allows you to see all of the requests that are made and either allow or block it? Just because you don’t understand code (for the record I’m no programmer either) it doesn’t mean you can’t protect yourself from risks. Also when a company uses military grade encryption you should be pretty safe if that isn’t clear to see then I don’t know what is…

      • http://twitter.com/jkldogg Youtube.com/slayerlife

        i know what a firewall does, those are useful. and you don’t have to give them any passwords or anything

  • Monreal Michael

    This is a great tweak, but i think it needs a little bit of seriousness in the interface. Also, I would really like a tweak that lets you use Airdrop between iPhone and Macbook. That will come really handy.

  • Joseph R Watson

    i think this is awesome

  • blastingbigairs

    I am so glad Jailbreaking is finally back for all to enjoy, it’s like having Christmas Day all year long!!!

  • Megan O’Brien

    Hi guys,

    I work for AgileBits, and I must say, this is an intriguing hack! Our developers have been hoping to take advantage of TouchID in the future, but it just hasn’t made it off the drawing board yet.

    Of course, I do need to caution users here: we do not recommend entering your Master Password into anything other than 1Password – it sure would be a shame to have your password compromised by a tampered app!

    That being said, we’re excited to see so many people want this feature and we’ll have to look into adding it into the official release :)

    • Martin

      The only reason I jailbroke my device was because of the great new tweaks that are being released taking advantage of the TouchID sensor. If you guys were to implement TouchID into 1Password I think you would gain A LOT more users. I say go for it!

      • Megan O’Brien

        Unfortunately Apple has not yet made TouchID available to third-party developers, so we can’t officially make it happen just yet.

        As soon as this feature is opened up we will be happy to look into the possibilities. :)

    • Niclas

      Make an official extension and put it up on cydia!

  • Anil samal

    Is Jeff white, black, asian, or mix?

  • burlow

    Just use isecure tweak. Let’s you touch ID any password field

  • Unknown

    I downloaded this but its not showing up on the homescreen. The icon of course, but it is showing in the settings and do have BioLockdown installed. Why isn’t it on the homescreen as shown on yours.

  • Sigsrus

    i have installed this tweak several times and still have not seen the app other than in settings can’t set master password is there something that i am supposed to do so that i can see this app?