Hi @Felghana
Thanks for using Codebook and posting on the discussion forum.
Does it decrypt the database on every website load
No, the database is only decrypted once you select a credential and choose a credential to fill, then authenticate with the Codebook interface at which point Codebook will pass the password back through to AutoFill to be used for filling.
or cache the emails/usernames in some way?
Yes, this is closer to the correct idea overall. Codebook provides AutoFill with credential identities which involve email/username + serviceIdentifier combos – but not passwords (service identifiers are how AutoFill knows which email/usernames to associate with which websites/apps). This occurs once for all your data once AutoFill is initially setup (it will prompt you to configure it when you first enable it in settings) or the next time Codebook is unlocked after you enable it. After which, this “store” will be updated as you edit data within Codebook. Once you select one of these identities to fill, Codebook will present it’s interface to authenticate you, fetch the appropriate credential’s password, then pass it on through to AutoFill for filling into the appropriate field.
Most of the documentation Apple has available on the subject is somewhat technical, but there’s a pretty good overview of the high level points in this document: Apple Platform Security - Apple Support (starting on page 73). Specifically this excerpt:
Users can designate a conforming third-party application as a credential provider to AutoFill in Passwords & Accounts settings. This mechanism is built on extensions. The credential provider extension must provide a view for choosing credentials, and can optionally provide iOS metadata about saved credentials so they can be offered directly on the QuickType bar. The metadata includes the website of the credential and the associated user name, but not its password. iOS will communicate with the extension to get the password when the user chooses to fill it into an app or a website in Safari. Credential metadata is stored inside the credential provider’s sandbox, and is automatically removed when an app is uninstalled.
At this years WWDC (World Wide Developer Conference) they had a good presentation on how to implement AutoFill Credential providers in third party applications, like password managers (Codebook) which can provide credentials to other applications. Again, while this video is mainly technical, there are some pretty good visual diagrams about that’s going on when you select a credential to use for AutoFill. Here’s a link to the video: WWDC18 - Videos - Apple Developer There’s an overview of what’s happening when a credential is displayed and selected within the QuickType bar starting at about the 8:00 minute mark.
Let me know if this clarifies how AutoFill works, and if there’s anything else I can do to assist. Thanks!
Cheers,
Micah