MacRumors

macrumors bot
Original poster

According to new research by Talal Haj Bakry and Tommy Mysk, dozens of popular iOS apps are reading the contents of the pasteboard without user consent, which could include sensitive information.


The investigation discovered that many popular apps, such as TikTok, 8 Ball Pool™, and Hotels.com, quietly read any text found in the pasteboard every time the app is opened.

iOS and iPadOS apps have unrestricted access to the system-wide pasteboard, also known as the clipboard, as of iOS 13.3.

Text left in the pasteboard may be inconsequential, but it could also be highly sensitive data such as passwords or financial information. The potential security risks of this vulnerability have previously been investigated by Bakry and Mysk, where they found that precise location information was leaking through the system pasteboard.

A diverse range of apps, from popular games and social networking apps, to news apps of major news organizations such as Fox News or The Wall Street Journal, were examined using standard Apple development tools. Many of these apps do not provide any UI that manages text, yet they read the text content of the pasteboard every time they are opened.

It is also of note that if Universal Clipboard is enabled, an app may also access whatever has been copied on a Mac.

What exactly these apps do with the contents of the pasteboard once they have read it is unknown.

Article Link: Popular iPhone and iPad Apps Reportedly 'Snooping' on Pasteboard Data
 
I assume we'll get an additional permissions dialog to cover this soon.

It can be useful: in many instances, apps will read the pasteboard to determine if a URL or other information (like numbers related to their services) was copied from the browser so the app can shortcut a response to that data. One of my favorite instances is Deliveries: If you have a copied tracking number or link, it'll ask and can automatically start the adding process for you.

But I also get how allowing anyone to freely read it can be a major issue.
 
I saw a possible explanation for this: it could be one of the SDKs for implementing things like push notifications. Can’t remember the name of it though.

It would make more sense for iOS to request permission for apps to access the clipboard - like it does for most other sensitive things.
 
I would like to see an option in the iOS settings to clear the pasteboard on a regular basis. If I copy something in one app and paste it in another app I don’t need that content anymore, so having it cleared, for example every 30 seconds, would be no problem for me.
 
Well, that's a rather huge oversight, especially as the article mentions some apps don't even have text fields that read the clipboard.

My guess is this will be restricted soon: apps will not be able to read on startup, only when a text field is selected by the user.

And probably another popup or notification that apps are attempting this.
 
I would welcome a system-wide default to restrict all reading of the copy/paste buffer to be purely manually-instigated by the user, always. I have often thought this was a potential issue and behaved accordingly, but I don’t think it’s something the average user should have to worry about; the default should be to block reading it unless given specific, informed permission.
 
I do not trust a single app nowadays. Especially on iOS, iPadOS, watchOS. (As opposed to macOS. Android apps are at another level of badness.)

Why?

Most companies are too cheap to hire the skills to develop their app from scratch. So they outsource the development to 3rd parties who use code from all over the place without even knowing what it does. So even if the company putting the app out doesn’t have malicious intent, in reality they themselves have no idea what the app really does beneath the hood.

Look at apps from even reputable companies like AT&T and Comcast and they are so buggy and have such a poor, unfriendly UI, you know they are orphan projects within the company with tiny budgets and little oversight.

Kind of like Apple “discovering” that one of its suppliers is using child labor, because they have no idea what is really going on at their outsourced partners.
 
Apple should just have a policy that any action like this, which takes customer data in a way which is not part of the core experience and not intuitive to the user based on the nature of the app will result in an immediate and lifetime ban.

All this crap would stop. Otherwise, if it’s just rule after rule, but in a culture of stealing personal data, Apple will never catch up. App publishers will think of ways around the rules or do something not covered yet by a rule—like stealing clipboard info. Just make it a death sentence for your business: if you steal customer data, it will result in a lifetime ban. Then it will stop—at least from the big companies.

It’s like the government RICO statutes. Very broad but allows any type of organized crime to be prosecuted.

I’ve deleted every app I don’t absolutely need on my phone. I now don’t download apps just to play with for a while because I don’t know what tricks they play with my data and how they track me. And no, a privacy policy which no human reads doesn’t solve the problem.

And I don’t want tons of security dialogs and privacy settings which take time and constant surveillance to monitor. It’s Facebook’s dirty trick, and iOS privacy settings are becoming equally cumbersome.

As more and more apps become spyware in ways consumers cannot imagine, it will kill the core of the app economy.
 
I do not trust a single app nowadays. Especially on iOS, iPadOS, watchOS. (As opposed to macOS.)

Why?

Most companies are too cheap to hire the skills to develop their app from scratch. So they outsource the development to 3rd parties who use code from all over the place without even knowing what it does. So even if the company putting the app out doesn’t have malicious intent, in reality they themselves have no idea what the app really does beneath the hood.
I'm with you, I have 3 non Apple apps on my iPhone, that's it.
 
Why is anyone surprised by this?

Apple's security umbrella only applies to native bundled apps; even then there are minor concerns for the paranoid.

Apple's clever marketing has made many a user more vulnerable by placing too much faith in assuming a perception of invulnerability.
 
This has been the case in the Google app. Copy a line of text and then open their app to perform a search. It will suggest searching for the text that you copied earlier.
 
This has been the case in the Google app. Copy a line of text and then open their app to perform a search. It will suggest searching for the text that you copied earlier.

Sure, but that isn’t really the problem situation. The problem is when apps that don’t actually need the clipboard for anything are silently accessing it for purposes unknown.
 
Are the password apps using the pasteboard for delivering some passwords? Then, this could be a high risk for those using the password apps like 1Password and LastPass.
1Password doesn’t unless you choose to copy the password from the app. Normal autofill uses the iOS API. It does, however, use the clipboard for 2FA codes, but it clears it after a short while.
 
Well, that’s the nature of a globally shared memory. All you can do is make users be more aware of the fact. But it’s quickly gonna become inconvenient. It’s like trying to put a deny rule on every activity. You’re gonna end up with no allow rules, which will effectively render any utility unusable.
 
1Password doesn’t unless you choose to copy the password from the app. Normal autofill uses the iOS API. It does, however, use the clipboard for 2FA codes, but it clears it after a short while.
Yes, that's what I thought and used *some* passwords. Before the API it used the clipboard for delivery, thus users running older iOS may be at risk. The clearing after a short while thing is also a risk as we usually check many apps in succession.
 
System-wide clipboards are inherently unsafe as a function of their utility - they allow easy sharing of data between apps. This is fine for data that isn't sensitive but is a disaster when needing to share personal data between apps.

The solution is to split the existing system clipboard into two clipboards - one that is accessible to all apps without restriction and one that requires user-granted privileges to access, similar to how apps are granted location sharing access. The copy pop-up would have two options - "Copy" and "Copy Sensitive".

A more sophisticated implementation could have app-level clipboards where you can specify which apps have access to which clipboards.
 
I always thought the pasteboard/clipboard function in iOS sucked big time due to persistence and the inevitable pasting of clipboard contents somewhere you never intended it to go because of the fat finger effect.

So many years ago I downloaded a clipboard manager, and problem solved. There's a few free ones in the App Store. They have a widget that allows you to see the clipboard contents with a swipe, and easily clear it too.
 