Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Popular iPhone and iPad Apps Reportedly 'Snooping' on Pasteboard Data
- Thread starter MacRumors
- Start date
- Sort by reaction score
The length of time to clear the clipboard used to be adjustable. This is not the case anymore. It is now 90 seconds with no other options although there may be an option to disable clipboard altogether - I’ll have to check that later.
This is on 1Password for iOS.
[automerge]1584381296[/automerge]
USPS, UPS and FedEx (IIRC) all check the clipboard upon opening the app. It’s convenient, but I would forgo this convenience for security in a heartbeat.
iOS also recognizes tracking numbers when you select one. I don’t know if this uses the clipboard or not.
Last edited:
As an app developer I can tell you why we do it -> attribution.
In short, you do something on our website and then end up opening our app a bit later. We want to know that it's you without necessarily having you logged in everywhere. If you looked at most of these apps you'll find they are looking for specific strings in the pasteboard, because they also put those strings there themselves.
It's also a common technique for attributing app installs. You know those "Download in the App Store" buttons? Apple don't pass along any attribution data, so I don't know who you are when you download the app or how you arrived there. When you tap that button I can place a string in the pasteboard, and then when you open the app I read it so I know how you arrived at my website and then ended up downloading my app.
Could pasteboard be misused by bad actors? Of course. Do most apps do bad things with this data (including "selling it" as some seem to claim)? No.
In short, you do something on our website and then end up opening our app a bit later. We want to know that it's you without necessarily having you logged in everywhere. If you looked at most of these apps you'll find they are looking for specific strings in the pasteboard, because they also put those strings there themselves.
It's also a common technique for attributing app installs. You know those "Download in the App Store" buttons? Apple don't pass along any attribution data, so I don't know who you are when you download the app or how you arrived there. When you tap that button I can place a string in the pasteboard, and then when you open the app I read it so I know how you arrived at my website and then ended up downloading my app.
Could pasteboard be misused by bad actors? Of course. Do most apps do bad things with this data (including "selling it" as some seem to claim)? No.
Simple solution: Copy and paste the following before opening any app ever again. 😉
$#%! YOU FOR READING MY PASTEBOARD DATA YOU @#$!ING LOWLIFE PIECE OF @#$%!
$#%! YOU FOR READING MY PASTEBOARD DATA YOU @#$!ING LOWLIFE PIECE OF @#$%!
You're on to something. An automated app to DoS the snoopers and overflow their database with pasteboard junk inbetween valid copy/paste.
Last edited:
I work on a fairly popular app in my day job, and that app's been snooping on the user's pasteboard ever since we integrated Firebase Dynamic Links. Basically if you try to open a dynamic link, but don't have our app installed, Firebase copies the link to your pasteboard and takes you to the App Store. Then if you install and open the app, it immediately reads the link off your system pasteboard, and acts as if the app was opened from that URL.
While I understand the motivation, the fact that it reads the user's pasteboard every single time the app enters the foreground has never sat right with me. This is a situation I continually encounter though: I'm asked to embed privacy-invading code in our app so we can deliver better analytics, or support marketing campaigns, and while on a personal, moral level I strongly object to it, as a software developer I lack the leverage to prevent this stuff from happening. That's seemingly a pretty common scenario from talking to other developers, and explains the slow creep of ever-worse analytics tech in apps.
For my own part, I've pushed internally for us to evaluate what we're actually using, and if possible scale back how much data we collect. It also helps that our userbase is young and fairly savvy, and I can point to articles like this every other week to show the bad PR we're opening ourselves up to if we keep up our current attitude towards analytics. I've managed a few hard-won victories thanks to the general climate around privacy these days, so my hope is that news sites (as well as Apple themselves) keep banging this drum, and continue making it less acceptable to take such a laissez-faire attitude towards user privacy.
While I understand the motivation, the fact that it reads the user's pasteboard every single time the app enters the foreground has never sat right with me. This is a situation I continually encounter though: I'm asked to embed privacy-invading code in our app so we can deliver better analytics, or support marketing campaigns, and while on a personal, moral level I strongly object to it, as a software developer I lack the leverage to prevent this stuff from happening. That's seemingly a pretty common scenario from talking to other developers, and explains the slow creep of ever-worse analytics tech in apps.
For my own part, I've pushed internally for us to evaluate what we're actually using, and if possible scale back how much data we collect. It also helps that our userbase is young and fairly savvy, and I can point to articles like this every other week to show the bad PR we're opening ourselves up to if we keep up our current attitude towards analytics. I've managed a few hard-won victories thanks to the general climate around privacy these days, so my hope is that news sites (as well as Apple themselves) keep banging this drum, and continue making it less acceptable to take such a laissez-faire attitude towards user privacy.
I'm so damn tired of permissions popups. I know why they exist, but the last time I tried to open a document in a new app on my Mac as I was navigating the open dialog box (that I caused), it asked for permission for every single folder I went to (documents, downloads, pictures, etc). It's making my Mac feel un Mac like, and I'm afraid of iOS going further down that path too.
If I were developing a Copy/Paste system that works across apps, I'd make sure that the Paste operation could only happen as a direct result of the user initiating a paste from the other app's user interface (and a system-controlled part of the UI at that). There are ways and means of enforcing that kind of thing, and you don't necessarily have to provide a clipboard that can be accessed willy nilly to do that.
I use this feature regularly with the Paprika recipe app, to download recipes from a copied URL. I do agree that there should be an opt-in permission request to do it though, rather than just letting all apps silently do it just because they're currently allowed to.
I remember when we didn’t have copy and paste on iPhone. I doubt apps are observing the pasteboard and uploading it somewhere. Seems like a non-issue. If they get a random password, good luck trying to figure out what service it’s associated with or what email address used. Really not worried.
Try CloudClip - set limits on how many copies you want. See what's on your clipboard. Sync on your devices. Instantly delete any/all clips.
According to new research by Talal Haj Bakry and Tommy Mysk, dozens of popular iOS apps are reading the contents of the pasteboard without user consent, which could include sensitive information.
The investigation discovered that many popular apps, such as TikTok, 8 Ball Pool™, and Hotels.com, quietly read any text found in the pasteboard every time the app is opened.
iOS and iPadOS apps have unrestricted access to the system-wide pasteboard, also known as the clipboard, as of iOS 13.3.
Text left in the pasteboard may be inconsequential, but it could also be highly sensitive data such as passwords or financial information. The potential security risks of this vulnerability have previously been investigated by Bakry and Mysk, where they found that precise location information was leaking through the system pasteboard.
A diverse range of apps, from popular games and social networking apps, to news apps of major news organizations such as Fox News or The Wall Street Journal, were examined using standard Apple development tools. Many of these apps do not provide any UI that manages text, yet they read the text content of the pasteboard every time they are opened.
It is also of note that if Universal Clipboard is enabled, an app may also access whatever has been copied on a Mac.
What exactly these apps do with the contents of the pasteboard once they have read it is unknown.
Article Link: Popular iPhone and iPad Apps Reportedly 'Snooping' on Pasteboard Data
