All the major products (1Password, LastPass, KeePass, etc.) encrypt each stored password with some AES/PBKDF2 combo using a master password as a key, then store the data locally or on some server (usually iCloud or Dropbox). Most claim that the master key is never stored, so I guess that means the user needs to enter it anytime they need to use one of these apps, which also perform autofill on most sites via a browser plug-in and can create custom passwords as well. Other than brute forcing the master password or keylogging the phone, I would assume the best/only way to access the manager app would be an exploit in one of these plug-ins, but I don't know if that could get you into the entire app or just the password to a specific website.
Just wondering if anyone's taken a good look at these apps or messed around with them. Please note I'm not asking anyone to do anything, just wondering if an attack on one of these is plausible. Might do a write-up for a class. The amount of information people put on these things is staggering considering it's all behind a single password.
Also, I thought I hastily posted this earlier today on my way out the door, but I may not have gotten it up after all. If I did and someone took it down for whatever reason, my bad.
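The "master key is never stored" design mentioned in the post, as an added example that is not part of the original post and not any product's actual code: the vault keeps only a salt, an iteration count and a verifier, and re-derives the key from the typed master password on each unlock. The function names, the label constants and the 600,000 default are assumptions chosen for illustration; the AES step is omitted because the Python standard library has no AES.

```python
import hashlib
import hmac
import secrets

# Constructed labels for key separation; not taken from any real product.
ENC_LABEL = b"example-enc-key"
MAC_LABEL = b"example-mac-key"
VERIFIER_LABEL = b"example-vault-header"


def derive_keys(master_password: str, salt: bytes, iterations: int):
    """Stretch the master password with PBKDF2, then split into two subkeys."""
    master_key = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )
    # Separate keys for encryption and for the verifier, so the stored
    # verifier is never computed with the key that protects the entries.
    enc_key = hmac.new(master_key, ENC_LABEL, hashlib.sha256).digest()
    mac_key = hmac.new(master_key, MAC_LABEL, hashlib.sha256).digest()
    return enc_key, mac_key


def create_header(master_password: str, iterations: int = 600_000) -> dict:
    """Return what gets written to disk or synced: no password, no key."""
    salt = secrets.token_bytes(16)  # random per vault
    _enc_key, mac_key = derive_keys(master_password, salt, iterations)
    verifier = hmac.new(mac_key, VERIFIER_LABEL, hashlib.sha256).digest()
    # The iteration count is the work factor paid for every password guess.
    return {"salt": salt, "iterations": iterations, "verifier": verifier}


def unlock(header: dict, master_password: str):
    """Re-derive the keys; return the encryption key only if the verifier matches."""
    enc_key, mac_key = derive_keys(
        master_password, header["salt"], header["iterations"]
    )
    expected = hmac.new(mac_key, VERIFIER_LABEL, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, header["verifier"]):
        return None  # wrong master password
    return enc_key  # would be handed to AES to decrypt the stored entries


if __name__ == "__main__":
    header = create_header("correct horse battery staple", iterations=100_000)
    print("stored fields:", sorted(header))
    print("right password unlocks:", unlock(header, "correct horse battery staple") is not None)
    print("wrong password unlocks:", unlock(header, "hunter2") is not None)
```

The encryption key exists only in memory after a successful unlock, which is why these apps prompt for the master password again once they lock.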