EverType - Auto Type Extension for EverPass

Features

One of the most convenient Features of EverPass is its ability to log you in automatically. Not only into your favourite website but also into applications on your Mac. All you need to do, is press ^⌘A when prompted for your username and password and EverPass will:

  • Determine which username and password is required
  • Ask you to select one of your accounts if it is uncertain
  • Send username, password to the website or application

Installation

In order to enable this feature, you first need to:

  • Install EverPass from the Mac App Store.
  • Download and install the Evertypem addon.
  • Run Evertype once by double clicking it in your applications folder.

Frequently asked Questions

Why is Evertype not bundled with EverPass?

In the early days this extension was actually bundled with EverPass. But since app store apps now have to be sandboxed they are no longer allowed to do certain things. One of these things is: send keystrokes to other applications.

Why does auto typing interfere with sandboxing?

Mac's sandboxing is a very smart security architecture which ensures that applications cannot access e.g. files on your computer which you don't want them to read. In order to achieve this the Mac way, sandboxing restrictions are not based on a fixed rule set, but adjust themselves based on a users interaction with an app.

For example: a downloaded app usually is not allowed to read files from your local disk. If you interact with the app and open a file (by using the file open dialog), OSX creates a temporary exception, allowing the app to access exactly that particular file which you selected. That's pretty smart - its very secure and at the same time transparent and convenient for the user.

There is just one thing: in order for this feature to work, OSX needs to be confident, that the user interaction (e.g. opening a file) is an actual user interaction and not simulated by the app itself. Therefore Apple has restricted access to all APIs which allow the simulation of user input, including those which we use to simulate input when entering your cerdentials into a web form.

How does Evertype sove this issue?

Evertype is a non-sandboxed app so it is allowed to simulate keyboard input. EverPass can connect to it and pass the credentials for the current form in an encrypted format. Evertype will decrypt these credentials and send them as simulated keyboard input to the target website or application.

How Secure is Evertype?

Evertype comes as a developer signed application. It's signed with the same certificate as EverPass and is developed and maintained by the same people. Your Mac won't run Evertype unless you direct it to do so once (teherfore you need to run it after the installation to make it available for EverPass to connect to it). Evertype is a single package which simply needs to be placed in your Appliactions folder. There is no installation program and it does not modify anything on your system. To permanently remove it from your Mac you just need to delete the file Evertype.app.

EverPass and Evertype communicate only during a login procedure and exchange only the credentials for this specific login. All communication happens in memory and is strongly encrypted. At no time your master password for the password store is transmitted to Evertype. Neither is Evertype able to access password or any information unless it is used for logging in. Evertype does not store any of the information transferd to it. Evertype clears all information immediately after it has ben used to simulate your input.

Having that said you shold be aware that neither EverPass nor Evertype are able to protect your information after it has been sent to an application or website. In particular: if your computer is infected with malware which logs your keyboard input it may also be able to log Evertype's simulated keyboard input.

Does Evertype bypass sandbox security?

Evertype does not actually bypass sandbox security. Since it runs as a separate process, its simulated user input does not affect the restrictions imposed on the sandboxed app.