For 1Password, which I am using, the following things were found in their Android App:
- Subdomain Password Leakage: The password manager does not distinguish between subdomains of the same 2nd level domain. So for domain1.password.org and domain2.password.org the same passwords are offered (and filled in).
This is not a problem in the way I am using 1Password on the Desktop (it’s not filling things in unasked, and it does not hit return), and even less so on Android.
- https downgrade to http: In the internal browser the default scheme is set to http.
This is not a problem the way I am using 1Password on the Desktop (I do not use 1Password to navigate), and even less so on Android.
- Titles and URLs Not Encrypted in 1Password Database: In the database of the password manager, the titles and URLs of website entries are not encrypted. The article does not clarify if that affects Dropbox stored keychains, and if so which of the two formats.
See also How to switch to the OPVault format from Agile Keychain, which addresses a similar, but different earlier problem on the Desktop versions of 1Password.
- Read Private Data From App Folder in 1Password Manager: The built-in web browser allows files from the app’s private data directory to be extracted. This also allows access to the database file and the file containing the app’s shared preferences.
Only a problem if you are using the internal browser (which I don’t).
- Privacy Issue, Information leaked to Vendor: When the user creates a new entry containing credentials for a website, the respective target domain is leaked to the vendor's web server.
1Password downloads an Icon. That can be disabled (on the Desktop Version, at least).
All in all nothing earth-shattering, and nothing in it that would have compromised passwords in the way I am using it.
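To make the first two findings concrete, here is a toy autofill matcher written as an added example; it is not code from the answer above nor from 1Password. It contrasts the "same 2nd level domain" policy the answer describes with an exact-host policy, and it shows the defensive default for the scheme issue (a URL typed without a scheme is treated as https, and a credential saved for an https site is not offered on plain http). The vault entries, the `VAULT` list and the `candidates`/`normalize` helper names are constructed for this example; the last-two-labels rule in `registrable_domain` is a deliberate simplification and a real implementation would consult the Public Suffix List.

```python
"""Added example (not from the original answer or from 1Password): a toy
autofill matcher contrasting subdomain-wide matching with exact-host matching,
and defaulting a scheme-less URL to https instead of http."""
from urllib.parse import urlsplit

# Constructed vault entries: (title, saved URL, username). Not real accounts.
VAULT = [
    ("Domain1", "https://domain1.password.org/login", "alice"),
    ("Domain2", "https://domain2.password.org/login", "bob"),
    ("Shop", "https://shop.example.com/", "carol"),
]


def registrable_domain(host):
    """Crude 'last two labels' rule, e.g. domain1.password.org -> password.org.
    Simplification for the example: real code should use the Public Suffix List,
    otherwise hosts under co.uk-style suffixes are grouped far too broadly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalize(url):
    """Return (scheme, host). A URL typed without a scheme defaults to https,
    which is the safe choice; defaulting to http is the downgrade the answer lists."""
    if "://" not in url:
        url = "https://" + url
    parts = urlsplit(url)
    return parts.scheme.lower(), (parts.hostname or "").lower()


def candidates(url, policy="host"):
    """Usernames the manager would offer for `url`.

    policy="sld": match on the 2nd level domain, so every subdomain of
                  password.org sees every password.org credential.
    policy="host": match on the exact host, which is the stricter default.
    In both modes a credential saved for an https site is withheld on http."""
    scheme, host = normalize(url)
    offered = []
    for _title, saved_url, username in VAULT:
        saved_scheme, saved_host = normalize(saved_url)
        if policy == "sld":
            match = registrable_domain(host) == registrable_domain(saved_host)
        else:
            match = host == saved_host
        downgraded = saved_scheme == "https" and scheme == "http"
        if match and not downgraded:
            offered.append(username)
    return offered


if __name__ == "__main__":
    page = "https://domain1.password.org/login"
    print("sld policy :", candidates(page, "sld"))   # both password.org users
    print("host policy:", candidates(page))          # only domain1's user
    print("http page  :", candidates("http://shop.example.com/"))  # withheld
```

Running the block shows the difference directly: under the subdomain-wide policy the login page of domain1.password.org is offered both `alice` and `bob`, while the exact-host policy offers only `alice`; the plain-http variant of a site saved as https gets nothing.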