oPass Personal

iPhone Password Manager

Data Protection

Account data and passwords are stored using the Data Protection feature built into the iPhone and iOS. More information is available at:

https://support.apple.com/guide/security/data-protection-overview-secf6276da8a/web

https://manuals.info.apple.com/MANUALS/1000/MA1902/en_US/apple-platform-security-guide.pdf


Encryption

Account data and passwords are encrypted at rest by the iPhone's hardware AES-256 DMA encryption engine.


Account Data 

Account data (including photos and PDFs) is stored using NSFileProtectionComplete. This ensures account data can be accessed only when the phone is powered on and unlocked.


Passwords

Passwords are stored in the keychain with kSecAttrAccessibleWhenUnlocked. This ensures passwords can be accessed only when the phone is powered on and unlocked, and it ensures Apple's protections are applied to passwords in backups. kSecAttrSynchronizable is not set by default, and is set only if you enable the app's option to "Allow iCloud Keychain".
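
The keychain settings described above, shown as an added Swift example that is not the app's own code. The service name, the function names and the allowICloudKeychain parameter are assumptions; the second function reads the item's attributes back so the protection class and sync flag can be checked.

```swift
import Foundation
import Security

// Hypothetical service name, not taken from the app.
let service = "com.example.passwordmanager"

enum KeychainError: Error { case status(OSStatus) }

// Query that identifies one item, matching local and iCloud-synced copies.
func identity(for account: String) -> [String: Any] {
    return [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecAttrSynchronizable as String: kSecAttrSynchronizableAny
    ]
}

// Stores a password that is readable only while the device is unlocked.
// allowICloudKeychain mirrors the "Allow iCloud Keychain" option (assumed name).
func storePassword(_ password: String, account: String,
                   allowICloudKeychain: Bool) throws {
    // Remove any earlier copy so an old sync setting does not linger.
    SecItemDelete(identity(for: account) as CFDictionary)

    var item = identity(for: account)
    item[kSecValueData as String] = Data(password.utf8)
    item[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlocked
    // Stays false (device-local item) unless the user opted in.
    item[kSecAttrSynchronizable as String] = allowICloudKeychain
    let status = SecItemAdd(item as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeychainError.status(status) }
}

// Reads the stored attributes back to confirm how the item is protected.
func storedProtection(account: String) throws -> (whenUnlocked: Bool, synced: Bool) {
    var query = identity(for: account)
    query[kSecReturnAttributes as String] = true
    query[kSecMatchLimit as String] = kSecMatchLimitOne
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    guard status == errSecSuccess, let attrs = result as? [String: Any] else {
        throw KeychainError.status(status)
    }
    let accessible = attrs[kSecAttrAccessible as String] as? String
    let synced = (attrs[kSecAttrSynchronizable as String] as? NSNumber)?.boolValue ?? false
    return (accessible == (kSecAttrAccessibleWhenUnlocked as String), synced)
}
```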


App Lock

The app allows you to use biometric and passcode authentication to guard access to the app. 

Authentication is handled by iOS through a call to canEvaluatePolicy using LAPolicy.deviceOwnerAuthentication.


No third-party software libraries
The app is built entirely on native Apple iOS APIs. Open source or third-party software libraries are not used. SDKs for mobile analytics or collecting usage data are not used.

Background screenshot suppression
The app suppresses the screenshot taken when an iOS app goes into the background. The view is a white screen. This prevents the app deck from disclosing passwords or account information. The app deck is displayed when the iPhone's Home button is double-clicked.

Phone dictionary prevention
The app disables autocorrect for input fields, so account data and passwords are kept out of the phone’s word dictionary.

Custom keyboard prevention
The app does not use custom keyboards or keyboard extensions. These can contain malware or spyware, which could steal passwords or collect information.

Last account display and last password change information
The Display Account screen provides two system fields:

  • "Last Account Display" - the last date and time the account information was displayed
  • "Last Password Change" - the last date and time the password was changed in the app

These values are initialized to the current date and time when an account is created.

No use of Advertising identifier (IDFA)
The app does not use Apple’s iPhone Advertising Identifier (IDFA).

Swift programming language
The app is written in Swift, providing a higher level of security than Objective-C. There are no bridging headers to Objective-C.

Foreign language characters
The app uses the Swift String and Character objects, allowing the app to be Unicode-compliant. A wide range of languages and characters can be used for account data and passwords. More information about Unicode support in Swift is available at:

https://developer.apple.com/library/content/documentation/Swift/Conceptual/Swift_Programming_Language/StringsAndCharacters.html#//apple_ref/doc/uid/TP40014097-CH7-ID293


