Your clipboard is showing (and that’s bad news)

A device clipboard – the functionality that allows cutting, copying, and pasting – is a boring feature, but it contains sensitive information.

Not only personal information and messages, but usernames and passwords. Remember that password managers use the clipboard as a way to get your usernames and passwords from the manager to the app you’re signing into.

And a new iOS feature (found in the iOS 14 beta) shows just how many apps snoop on your clipboard.

Clipboard Reading

The danger of apps reading clipboard contents is not new, but it does deserve more attention.

Earlier this year a couple of security researchers – Talal Haj Bakry and Tommy Mysk – discussed this issue and found 53 iOS apps that engaged in clipboard snooping behavior.

While this behavior can happen on both iOS and Android devices, it’s more dangerous on iOS because of the integration between iOS (and macOS) devices. This means a nosy phone (or iPad) app can see the contents of your clipboard on other devices. The app can even view the clipboard contents if it is not actively open (having an active widget is enough).

This behavior wasn’t confined to small or unknown apps, either. Some of the apps with the behavior include:

  • Fox News
  • New York Times
  • Fruit Ninja
  • Bejeweled
  • TikTok
  • Accuweather
  • Hotels.com

A full list of apps that were found to engage in this behavior was posted on Tommy Mysk’s blog post about the issue. It’s very likely you’ve got at least one of them installed on your iPhone right now.

Why Apps May Watch Your Clipboard

When I first heard about this happening about a month ago, I was wondering why apps would even have the option to look at your clipboard. Well, it turns out it’s a pretty convenient feature – as long as it’s not misused.

The designed use for this functionality is something like this:

Let’s say you’re browsing the Internet, and you see an interesting-looking article on CBSNews.com. You decide you want to read it in the app (since the website is bad), so you copy the article’s URL, close Safari, and tap on the CBSNews app. When you open the CBSNews app, it immediately asks “Do you want to read [article link here]?”, so you click yes and continue on your way.

The “Do you want to read” prompt is caused by the CBSNews app reading your clipboard, finding the URL, and recognizing it as a URL belonging to CBSNews.com.

Unfortunately, the news and weather apps that Mysk found will read the clipboard regardless of whether there is a relevant URL in the clipboard. It is possible for an app to only read the clipboard if it contains a URL, but these apps will read the clipboard no matter what it contains.

This may not be malicious, but it is definitely lazy and shows a disregard for user data.
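
Reading the clipboard only when it contains a URL, as described above, can look like the following sketch. This is an added example, not code from any of the apps named here; the host names in `allowedHosts` and the function names are hypothetical.

```swift
import UIKit

// Hypothetical hosts for the example app; not taken from the article.
let allowedHosts: Set<String> = ["example-news.test", "www.example-news.test"]

/// The lazy pattern: fetch whatever is on the clipboard every time.
func lazyClipboardCheck() -> URL? {
    // Pulls the full contents (passwords, messages, ...) into the app
    // even when no link is present.
    guard let text = UIPasteboard.general.string else { return nil }
    return URL(string: text)
}

/// Narrower pattern: ask whether a URL is present, and read only in that case.
func articleURLFromClipboard() -> URL? {
    let pasteboard = UIPasteboard.general
    // hasURLs reports whether the clipboard holds a URL item
    // without returning the contents themselves.
    guard pasteboard.hasURLs, let url = pasteboard.url else { return nil }
    // Ignore links that do not belong to this app's own site.
    return isOwnArticle(url) ? url : nil
}

/// Accept only https links whose host is on the app's own allow-list.
func isOwnArticle(_ url: URL) -> Bool {
    guard url.scheme?.lowercased() == "https",
          let host = url.host?.lowercased() else { return false }
    return allowedHosts.contains(host)
}
```

An app would call `articleURLFromClipboard()` once when it becomes active and show the “Do you want to read” prompt only when it returns a value.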

What Apps Don’t Need This

The question that isn’t answered, though, is why games would need this kind of access at all.

Most games (at least to my knowledge) don’t have traditional web links to deal with. I’m unclear what valid reason a game developer would ever have to read the contents of the user’s clipboard.

TikTok is Invasive

Additionally, TikTok is aggressive about reading the clipboard.

It checks the clipboard whenever the user enters punctuation or taps the space bar, meaning the app could easily read the clipboard once every second or so. I can’t think of a legitimate reason why this would be needed – it’s certainly not to check if the user has a TikTok link in their clipboard while they are typing.

When TikTok’s clipboard snooping feature was originally found in March, TikTok said that they would end the practice in “the coming weeks”. No surprise that it was still present in the app as recently as late June:

https://twitter.com/jeremyburge/status/1275896482433040386

Ars Technica asked TikTok about this “feature” after the iOS 14 beta came out a few days ago and showed the feature was still present, and TikTok claims that this was an “anti-spam feature”.

TikTok also claimed to have never implemented this feature in the Android version. When asked what happened to the iOS clipboard data, why they didn’t remove the feature, and if the Android app had any clipboard-monitoring at all, Ars received no reply. No surprise there.

Android is (maybe) Worse

While the situation is definitely not good on iOS, I’m glad that Apple shows when apps request this kind of access. Hopefully this encourages apps to only request this access when they need it, and this will stop apps like Bejeweled and TikTok from using it completely.

Unfortunately, Android users aren’t (yet) so lucky.

According to Mysk’s research, Android versions prior to 10 let background apps read the clipboard. I don’t know what the current state of Android’s clipboard access is – hopefully they take a cue from Apple and notify users if apps access the clipboard.

Of course, the big problem with Android is that so many people use older phones that never get updated that it doesn’t matter what security updates are introduced in Android 11 until it’s in widespread use.

According to Google’s own distribution numbers (updated back in May 2020), Android 10 only had about 10% of the total active Android devices. Even if it’s doubled, that’s still a big minority of Android devices with exposed clipboards and no way to know (or prevent) access by misbehaving apps.

What to Do?

The biggest thing you can do to protect yourself is to avoid installing apps you don’t need or don’t trust.

Getting rid of apps like Facebook, TikTok, and Instagram would also be a good idea – not only for productivity but also for protecting your data.

It’s a bit counter-intuitive, but both Android’s Chrome and iOS’s Safari browser offer much better security and privacy than these apps, so do your social media browsing on your phone’s web browser.