Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Popular iPhone and iPad Apps Reportedly 'Snooping' on Pasteboard Data
- Thread starter MacRumors
- Start date
- Sort by reaction score
I suspect this is something that noone at Apple ever considered until now - unrestricted access from apps to the Clipboard is something that was the case since the invention of the Clipboard (in the early 90s, I believe).
The whole purpose of the Clipboard is to be this insecure pile of data that can be easily moved from app to app. But I guess that left it open to abuse...
EDIT: although Clipboard access from the webpages is restricted with either permission dialogues or a requirement for users to initiate the access - so someone thought about it.
The whole purpose of the Clipboard is to be this insecure pile of data that can be easily moved from app to app. But I guess that left it open to abuse...
EDIT: although Clipboard access from the webpages is restricted with either permission dialogues or a requirement for users to initiate the access - so someone thought about it.
On the contrary, the native bundled apps are partially exempt from the sandboxing restrictions.
Wait, Apple's marketing is to blame when third parties are creepy?
iOS needs the feature of a per-app firewall, so that you can completely disable internet for any app that shouldn't be accessing the net (yes, Apple apps included, when you don't want iCloud). I would enable internet only for web browsers, protonmail, telegram, and weather apps. All the rest of apps blocked, and if any other needs the net for running, just uninstall it. It's a real problem that iOS doesn't offer this feature.
iOS does have multiple pasteboards, but in practice, it's a usability complexity Apple doesn't really want to deal with. They don't even offer clipboard history, after all.
They sort of have this on the Mac now, where AppleEvents have an opt-in not only per-source app, but also per-destination app.
I suppose that might work, but it is bordering on too hard to grasp:
Obviously, this doesn't really show what in particular is being pasted, but that would make the dialog even more unwieldy.
There could be a second dialog, then, just like in iOS 13 for locations. This would appear about once a week:
"TikTok" has been accessing your clipboard. Do you want to continue allowing this?
TikTok uses your clipboard to make pasting pictures and other things easier.
(Big collage/gallery of recent clipboard items goes here. Maybe you can swipe horizontally?)
Change to Only While Using
Always Allow
Let's see....Tiktok is run by the Chinese communist party so I wonder what they are doing with all that info. hmm..
Google Maps on iOS 13 has your clipboard. That seems very wrong.
Sure it’s nice once in a while when you have an address you want to paste. But the rest of the time it’s Evil.
I don’t want a prompt asking me to use the clipboard either. I want the app to have it when I select paste.
It shouldn’t be this complicated!
Sure it’s nice once in a while when you have an address you want to paste. But the rest of the time it’s Evil.
I don’t want a prompt asking me to use the clipboard either. I want the app to have it when I select paste.
It shouldn’t be this complicated!
From a UI point of view: If I have data in application A, and want to use it in application B, what do I do? I select, choose "Copy", select a location in the other app, choose "Paste". There's the question if you want to make this more complicated for the user. Now it would be possible to only allow reading the clipboard if the user selected a "Paste" action. That would be safer. It might be less convenient. Tricky question.
[automerge]1584291055[/automerge]
Surprise, surprise: Your clipboard manager can read all the contents of yuur clipboard!
This is a nit, but: For 30 years it's has been known as a clipboard; it's a clipboard, OK? Communicating among ourselves is difficult enough without people (and I know this isn't a term MR came up with) inventing another term for the same thing, especially since the original term is both adequate *and* well-known.
Next up: What's scary here is that these products are obviously being conceived, designed, and implemented with the expressed intent to steal your private sh*t, i.e. companies are setting out with this theft of private information as a design "feature" of their product!! It is a premeditated, conscious act. They should go to jail.
Next up: What's scary here is that these products are obviously being conceived, designed, and implemented with the expressed intent to steal your private sh*t, i.e. companies are setting out with this theft of private information as a design "feature" of their product!! It is a premeditated, conscious act. They should go to jail.
So I'm not entirely sure on the history. I know macOS 1 ("System 1") had copy & paste; presumably, so did the Lisa before it. But it may not yet have established the term of a "clipboard". The Finder eventually gained a "Show Clipboard" command (which it has to this day!), but I wouldn't be surprised if that didn't ship until around System 6.
NeXTSTEP, OTOH, called it the "pasteboard". Maybe this was to avoid trademark disputes between NeXT and Apple? Again, I don't know if that includes the very early versions of NeXTSTEP. But it was carried over to Mac OS X, and therefore eventually to iOS as well.
Because of that, the internals call it call it the pasteboard. This can be seen in several ways:
- the pbcopy and pbpaste commands. Interestingly, they must have realized this confusion when writing their manpage: it says "pbcopy, pbpaste - provide copying and pasting to the pasteboard (the Clipboard) from command line"
- the AppKit APIs NSPasteboard, NSPasteboardItem, etc.
I'm not sure iOS has any UI whatsoever exposing this term. Even the Mac's is fairly limited.
That's why universal clipboard always has been a security nightmare. One compromised device and your clipboard data is in foreign hands. Even locally on a desktop clipboard is a security issue, which is why password tools don't just copy & paste passwords, but emulate a keyboard and enter the password by a mixture of keyboard strokes and copy & paste operations.article said:
Not if you use the iOS autofill feature. If you go into LastPass and copy a password, then that will be on the clipboard so other apps can access it.
Not true, unless that device is not only compromised but also nearby.
Continuity uses:
- Bluetooth for device discovery (so it needs to be close)
- Time of flight to prevent relay attacks (so, again, it needs to be close)
- Apple ID for authentication
- Wi-Fi for transmission
Yes and no. 1Password does use the clipboard, but clears it again after a while.
As for snooping from other apps: on macOS, password tools can use EnableSecureEventInput to prevent a third app from reading keystrokes.
How about doing a little bit of research before spreading FUD? Android 10 doesn't allow unrestricted access to clipboard like iOS/iPadOS. Even prior to Android 10 it can be done manually per app via ADB.
https://developer.android.com/about/versions/10/privacy/changes#clipboard-data
https://www.xda-developers.com/stop-apps-reading-android-clipboard/
It seems lately that we're learning more and more often that iOS apps aren't as wholesome and honest and true as everyone has been led to believe.
[automerge]1584294841[/automerge]
He said "Android" (in general), not "Android 10". How many Android users would you speculate are actually on 10? The couple of phones I have seem to be stuck on Oreo or Pie forever.
[automerge]1584294841[/automerge]
He said "Android" (in general), not "Android 10". How many Android users would you speculate are actually on 10? The couple of phones I have seem to be stuck on Oreo or Pie forever.
Why do any apps *need* access to the clipboard? Shouldn’t it be left to the OS to feed the clipboard data to the active app *only* when the user selects paste?
At the end of the day, obviously depending what you copy and paste, this is probably, at worst, a minor privacy issue. Even if you copy a password from a password manager and some app reads it - unless you’ve copied the web address, then the username, then the password, they’re not going to have much context on what that random string is for.
🤣
It’s well known TikTok is owned by the Chinese government. I can’t say I’m surprised they’re on the list.
It’s well known TikTok is owned by the Chinese government. I can’t say I’m surprised they’re on the list.
There’s only one caveat to that, it says either an IME or ‘is the app that currently has focus’ - there’s no specific clipboard permission that you can revoke in Android 10 either.
So I’m assuming (big assumption) that iOS works similarly - in that only the focused app can access the clipboard.
Don't install apps on your iPhone. Problem solved.