⌘ December 29, 2023

The Secrets App Makes a Good iCloud Passwords Companion and Is Free Today Thanks to Indie App Santa

If you, like me, are considering a switch from 1Password to iCloud Passwords & Keychain, you should definitely check out Indie App Santa right now. Today’s deal (Friday, December 29) is a FREE $80 (see update below) one-time lifetime unlock for the Secrets app. The skinny: Its feature set, which includes shared vaults, usually goes for around $100. Today’s discounted unlock works across iPhone, iPad, and Mac, plus it’s available to the other members of your Family Sharing group, so only one of you needs to go get it and do the in-app purchase” right now.

Indie App Santa app featuring Secrets, and a guide of where to find the in-app store to unlock the full feature set for free.
Download the app from the App Store, then go to Settings → Store → Editing + Sharing to unlock everything.

You might be asking, If you’re switching over to iCloud Passwords, why are you recommending that I download a second password manager app?”

Great question! It’s because iCloud Passwords doesn’t allow for website-less logins, or other random sensitive info like bank account numbers, licenses, and other stuff that you probably need easy access to but still want to be secured. For the past few months, I’ve been saving these items to an Apple Note. But there are several downsides to that method:

  • No quick-copy function.
  • You’ll want to have that note locked for extra security…
  • But locking it prevents it from being shared with a spouse or other trusted partner.
  • And, more troubling because of recent revelations regarding your iPhone’s passcode, you don’t need biometrics (Face ID or Touch ID) to view the note — your phone’s passcode will unlock it as well.

A Sidebar on Why Having a Biometric Authentication-Only Option Is Crucial These Days

You might not realize it, but your passcode is the primary unlocking mechanism to your phone. Not Face ID or Touch ID, which you use more often, but the 4+ digit passcode (or alphanumerical password if you set that up). It’s required when your phone restarts, for example. And it works as the failsafe when Face or Touch ID doesn’t unlock for some reason. That’s all well and good, but passcodes are easy to steal and fingerprints and 3D scans of your face are not.

If you don’t know why this matters, I encourage you to read Joanna Stern and Nicole Nguyen’s reporting for the Wall Street Journal (News+ link) concerning how bad actors are using social engineering to learn your phone’s passcode before stealing it from you. It’s not as dramatic as an interrogation and a mugging. No, this typically happens at a bar or somewhere they can get buddy-buddy with you and then offer to take your group photo or connect on social media. But — ah shoot — your phone is locked so they can’t get the shot. You willingly offer up your passcode because, hey, you’re never going to see them again so what could it hurt? But then, later on, they pickpocket you and now they have both physical access to your phone and your passcode.

This sounds bad because now they can look at nearly anything on your phone including private photos, passwords, banking apps, peer-to-peer payment apps, and more. But in fact, it’s worse. Because so many people forget their critical Apple ID password, Apple has made it possible for you to reset that password with only your iPhone’s passcode. So an enterprising crook can go in and change that password, effectively stealing not just your physical phone, but everything associated with your Apple ID. Messages gone. Photos gone. iCloud backups gone. Apps and purchased media gone. And no way to get it back.

[Stern recently did a follow-up on this report by interviewing a man convicted of this very crime.]

The good news is that Apple is going to introduce a new (optional) feature called Stolen Device Protection with the upcoming iOS 17.3 software release. With Stolen Device Protection turned on, there will be additional safeguards to prevent the passcode from having so much power. Your iCloud Keychain passwords will require Face ID or Touch ID to be viewed — no passcode failsafe. And, crucially, your Apple ID password will also require two biometric unlocks with at least an hour-long buffer between them.

Apple has done a thorough job thinking through the threat models and I think they’ve come up with a reasonable and fairly elegant solution. But I’m left with one particular worry:

Since iCloud Passwords doesn’t offer a way to store non-website credentials, where are people putting their bank account numbers, their license numbers, their Social Security numbers, and their credit card numbers?

My guess? Probably in Apple Notes which, as we have already established, allows for a passcode override if Face/Touch ID doesn’t work. And that’s if the user ever bothered to lock the individual note to begin with!

I don’t believe that iOS 17.3 changes any behavior in Notes, but you can bet that I’ll be checking when that update is released.

Keep it Secret, Keep it Safe

All of that is to say, I’m really glad that with the Secrets app, you can require biometric authentication to unlock the app and you don’t have to allow a passcode as a backup.

Secrets options for locking the device with Face ID and/or a passcode or passphrase. Also, it can lock automatically on exit, or after 1, 5, 15 or 30 minutes.
Secrets provides excellent options for how and when the app will lock.

I’ve happily moved over the data that I was storing in an Apple Note (one that I had titled Secrets’, funnily enough) into the Secrets app. Secrets, while not the most polished app, appears to be a solid contender in the password manager space. It at least checks off all the shortcomings of using an Apple Note:

✅ You can quick-copy items from the list view (long press to get a context menu) or in the item view (tap on the field to reveal a Copy’ button).
✅ The app is locked by default, you can choose to have it unlock with biometrics only (or with a passcode or passphrase if you want — but don’t), and how quickly it locks again when you exit the app.
✅ Vaults can be shared (and making changes to a vault’s settings requires an additional unlock) so you can make different buckets to share items with family, friends, colleagues, etc.
✅ And the data you save is all encrypted and synced via iCloud. No third-party syncing system is required. Not that third parties do a bad job as a rule, but I trust Apple to have top-notch resources and engineers to secure my data.

One More Unresolved Threat

There is, unfortunately, at least one more way that criminals could still really screw you over if they have access to your phone and passcode: Too many apps don’t offer any sort of authentication protection, and those that do almost always allow for your passcode to work in place of biometrics. For example, if I cover up my face and open up my bank app, after a few fails it just offers to let me type in my phone’s passcode to open it.

When Face ID fails for PayPal, it lets you log in using the PayPal username and password, which can be accessed with your phone’s passcode right now, but come iOS 17.3, will be fenced off by biometrics specifically. 👍

I’ll give kudos to both the Cash App and Venmo, which allows you to set a separate 4-digit PIN to use in case of biometric failure. So don’t set it the same as your phone’s passcode! I’ve gone ahead and made new ones for them and saved them to — you guessed it — Secrets.

I’m focusing on financial apps here because they are the most obvious way that a criminal is probably going to try to continue to steal from you. They’ll empty your bank account to theirs. They’ll take your account numbers to make purchases. They’ll request money from your friends.

But honestly, I think Apple should cover all their bases here and offer a way to lock access to any app, system-wide, behind discreet authentication. They can even follow Secrets’ lead here by giving users the option to lock an app behind biometrics and/or a passcode/passphrase. And you know what? Build in those same locking delay options we saw above as well.

I should be able to prevent anyone from freely jumping into my photos app, my notes app, SnapChat, Discord, or anything that they could, intentionally or not, do some damage if I hand them my phone. And I shouldn’t have to wait for every app developer to build the feature and then go hunting for it in every app. Having a way to lock the important ones right from the Settings app is the way it should work. And I happen to know such a feature would be a godsend for parents of young children. A few years ago, my sister specifically asked me if I knew how to lock apps because when she handed her phone or iPad over to her kids for a little screen time they were deleting things by mistake or getting into ones that they shouldn’t.

Apple has the opportunity to solve this headache in one fell swoop. Sure, there will be edge cases to work around — like what happens when someone locks themselves out of every app by mistake? — but I believe Apple’s engineers are up for the challenge. They’ve proven with their approach to Stolen Device Protection that they can come up with a solution that balances security and convenience for most people, most of the time. The fact that they addressed passcode theft so head-on gives me hope that attending to these related problems is next on the to-do list.

My home screen with (before) an app icon for my ‘Secrets’ note, and (after) with the Secrets app in its place.
A seamless transition.

In the meantime, don’t forget to download and unlock Secrets before the Indie App Santa discount expires in just a few hours. I think you’ll be glad that you did.


Update: It appears that the Secrets team changed their discount at some point today. What was a 100% discount on the Editing + Sharing purchase is now a $20 discount, bringing the one-time purchase price down to $80. It could be worth that $80 to pay only once (as opposed to 1Password’s $60 per year for a shared plan), but $80 is steep to jump in on a whim.

Sorry about that. 😕

Apps Tips


❮ Previous post

Current writing progress… December 29, 2023

Next post ❯

I Made a Bookmarklet That Runs a Shortcut on a URL December 30, 2023