So, I downloaded Newegg onto my 10.5" iPad, and when I went to log in the app was able to access my Safari saved passwords to autofill my password. It was able to do this without me even using Touch ID or putting in my device passcode. On top of this, the app has the option to "show" the password, essentially showing what would normally be a hidden password. This got me thinking about all the websites that also have the option to reveal the hidden password in the password field. I believe the assumption is that our devices must first be unlocked with Touch ID or the device passcode before access is granted to autofill our saved passwords, but it seems to me that this is very short-sighted. A nefarious person would only need access to an unlocked device and they could view any password for a site or app that has the "view" toggle or something similar.
iOS and macOS require the input of a device password or Touch ID in order to access our full list of saved passwords, so why is this same standard not applied when autofilling passwords into apps or websites? I personally feel this is a glaring oversight in security. There should at least be an option in Settings to require the input of a device password or Touch ID whenever access to the saved passwords is needed, particularly when autofilling passwords into apps or websites. That toggle should also be password protected, much like the "Find My" setting is protected. From what I have read, this issue seems to have been addressed in iOS 11, at least in the case when an app requests access to your saved passwords (it will require Touch ID). The security flaw likely still remains when autofilling website passwords.
Has this been addressed before? Am I missing something? Is there a setting I'm missing that performs the security functions I outlined above or something similar? If this has been addressed and is still an issue, WTF APPLE!
I have attached a photo of the Newegg app to illustrate what I mean by an option to show the password. Also, while the Newegg app does prompt for Touch ID, you only need to hit Cancel and the saved password prompt comes up. While this is certainly a flaw in the Newegg app, the issue illustrated above still applies to websites that autofill passwords. A great example would be the sign-in page for Google, which I have also attached a photo of.