iPhone Apps Stealing Clipboard Data

iOS apps are repeatedly reading clipboard data, which can include all sorts of sensitive information.

While Haj Bakry and Mysk published their research in March, the invasive apps made headlines again this week with the developer beta release of iOS 14. A novel feature Apple added provides a banner warning every time an app reads clipboard contents. As large numbers of people began testing the beta release, they quickly came to appreciate just how many apps engage in the practice and just how often they do it.

This YouTube video, which has racked up more than 87,000 views since it was posted on Tuesday, shows a small sample of the apps triggering the new warning.


Posted on June 29, 2020 at 10:24 AM • 16 Comments

Comments

Wulf • June 29, 2020 10:46 AM

Some malicious apps take screenshots for gathering sensitive data. Perhaps it would be also a good idea for an OS to display a message when apps take screenshots.

JonKnowsNothing • June 29, 2020 11:06 AM

@Wulf

re:

a good idea for an OS to display a message when apps take screenshots.

There are settings to stop apps from accessing parts of the phone you don't authorize but in real world use most folks enable everything.

There are the hidden no-settings-for-you parts of the system where you don't have access at all.

Consider: Someone who is an app-junkie downloading everything "new and viral" from the app stores.

Now every time an app takes a picture some message is logged:
  Took Your Picture

Logging a message isn't going to fix the issue because the underlying/hidden users of your phone want to exfiltrate all the data they can.

In the case of the clipboard, only Apple can fix it ... if it is fixable.

Clive Robinson • June 29, 2020 11:10 AM

@ ALL,

I guess the obvious question is why are these apps in Apple's walled garden?

Apple's promise about its walled garden was the safety of the user experience from malware etc etc etc.

The notion of "least privilege" appears not to be a consideration. Perhaps users should think about the implications of this.

And perhaps Apple should rather than put up a banner change the functionality of the clip board so it is rather more under user control than application control.

After all it was not that long ago that "security experts" recommended that users have password managers on their Internet connected devices and that the user "cut-n-paste" a complex random password from the manager's display window into the password box in the web page or application...

Thunderbird • June 29, 2020 11:13 AM

Interesting. Of course the clipboard has to work like that--I've seen apps offer to insert something that was in the clipboard before so they can obviously see it, but it never occurred to me that it was a security issue. And I've been doing security stuff for more than thirty years.

So how would you make a clipboard secure? It might help if the clipboard were cleared when it was read, but the only way that really seems foolproof (for some degree of fool, and for only thinking about it briefly) would be to have the system catch and interpret paste requests so an explicit user request was needed. And I get the impression that is *not* how iOS works...

wiredog • June 29, 2020 11:27 AM

It would be interesting to see the results if other OSes did this. Windows, MacOS, Linux, Android, would all probably be popping up a lot of warnings.

JDM • June 29, 2020 11:35 AM

I know Windows used to allow this, back around Windows 98SE. I remember warning some folks on forums about it after I'd learned about it. There was a way to turn it off, and I assume - yeah - they plugged that one at some time. But later iterations?

Alejandro • June 29, 2020 3:03 PM

Just awful. They can get your passwords, just about anything. Here is a list of allegedly reputable news media apps which collect your clipboard data... maybe you have heard of one or two of them:

ABC News — com.abcnews.ABCNews
Al Jazeera English — ajenglishiphone
CBC News — ca.cbc.CBCNews
CBS News — com.H443NM7F8H.CBSNews
CNBC — com.nbcuni.cnbc.cnbcrtipad
Fox News — com.foxnews.foxnews
News Break — com.particlenews.newsbreak
New York Times — com.nytimes.NYTimes
NPR — org.npr.nprnews
ntv Nachrichten — de.n-tv.n-tvmobil
Reuters — com.thomsonreuters.Reuters
Russia Today — com.rt.RTNewsEnglish
Stern Nachrichten — de.grunerundjahr.sternneu
The Economist — com.economist.lamarr
The Huffington Post — com.huffingtonpost.HuffingtonPost
The Wall Street Journal — com.dowjones.WSJ.ipad
Vice News — com.vice.news.VICE-News

Read the support docs for more surprises.
User beware!

Clip Bored • June 30, 2020 2:05 AM

Fortunately I don't use any of the listed apps. However I agree that notifications about which apps accessed my clipboard and when is a good step.

I still wonder why the OS even lets the clipboard contents linger once it's been pasted? Or like 1 minute after paste in case you have to paste a password more than once.

Or just autoclear the effing clipboard based on user setting -- same as the one for "require unlock password after: immediately, 1 min, 5 mins, 15 mins" in user settings.

Or maybe have a separate private clipboard for copying from "sensitive apps" like password managers and bitcoin wallets.

Ismar Duderija • June 30, 2020 4:04 AM

Why, o why, should the apps be allowed to access clipboard content without user interaction - what possible valid scenario would allow for hijacking of this functionality?

One way for an OS to implement a decent compromise between security and convenience here is by

1. Only allow reading from clipboard (copying, cutting) and writing to clipboard (pasting) when user initiates the action

2. Restrict clipboard history to the same app - i.e. don't allow apps to read content of the clipboard populated from a different app apart from the last clipboard entry (and also only when initiated by the user via UI - point 1.)

This will cover the majority of scenarios where you need to paste some text you just copied from, say, a pdf file into, say, an email as a quote that might be too long to type in manually.

Unfortunately, the trends towards convenience still seem to be winning and now you can even sync your clipboards between devices as well - what kind of usage workflow this would be supporting, I have no idea?

https://support.microsoft.com/en-au/help/4028529/windows-10-clipboard


Ergo Sum • June 30, 2020 7:35 AM

@Ismar Duderija..

Unfortunately, the trends towards convenience still seem to be winning and now you can even sync your clipboards between devices as well - what kind of usage workflow this would be supporting, I have no idea?

Not to downplay the risk of security and privacy implications of the clipboard history, but...

By default, the clipboard history is disabled in Windows 10. For the ignorant masses, enabling it is just a simple click in settings. Unless the administrator of the systems disabled clipboard history in the registry, which he/she should.

Without enabling clipboard history, there's only the last clipboard entry available.

I've been using Bruce's excellent Password Safe. His program locks after 5 minutes or so of inactivity and wipes the copied password from the clipboard. In addition, Ctrl+Delete deletes the copied password from the clipboard. It does the same if and when the program is closed. Copying text to overwrite the password is not necessary, but certainly doesn't hurt.

Copy/paste is a useful function in any OS. It's doubtful that it'll ever be removed or controlled to the level needed to remove risk to privacy and/or security.

Alejandro • June 30, 2020 9:13 AM

A small mean thought: Think how much fun it would be scamming the collectors by putting...irreverent....comments on your copy/paste cache. Tee Hee.

Chris • June 30, 2020 11:00 AM

I tend to give all those apps the benefit of the doubt regarding scraping the clipboard intentionally. To me it looks more like they all use some intrusive SDK, perhaps Google's or Facebook's or one of the many product usage analytics solutions, that does it. Of course, without inspecting the app source code, this is just speculation. Which begets the question whether there is a known open-source app that also triggers the warning.

The clipboard is there to facilitate data exchange between different applications and it is inherently insecure, which is why passwords should never be copied and pasted. Instead, one should use a password manager with autotype (on desktop) or with system keyboard integration (on mobile).

Gruel • June 30, 2020 4:15 PM

Copy and paste between different apps is the majority of my personal usage of the feature, both on desktop and mobile.

What should happen is that copy/paste should be an OS-provided service that apps have no access to... all the apps see is a stream of characters coming in on paste that look exactly the same as if the user had literally typed them out. That's all. No direct access to the clipboard for apps.

I guess that would only support text clipboards, not images. I personally rarely if ever use images. But I could see that being different for some others. To support that case, you restrict access to the clipboard such that, when a user interacts with the paste function of the OS, the focused app gets notified that an incoming paste is ready, and then it's given the ability to read the paste, but only that one app, and only that one paste, and only that one time. No other access to the clipboard for apps.

What about a "clipboard viewer" app, you might ask? Well, under either of these safer models, that would have to be an OS-provided feature.

It's the same as screenshots. Also should be an OS-provided feature. No direct access from apps.

Ideally the same for cameras and microphones, though I guess in practical terms it has to be some sort of prompt for confirmation and obvious visual indication that they're on, rather than a complete block.
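The design sketched in this thread (Ismar Duderija's two rules above, Gruel's "one focused app, one paste, one time" model, the auto-clear timeout Clip Bored and Ergo Sum describe, and the iOS 14 banner the post itself is about) can be modelled as a single OS-side broker. The following is an added illustration, not code from the blog, from any commenter, or from Apple; it is a Python model of the policy rather than iOS code, and every app name, clock value and timeout in it is constructed for the example.

```python
"""Model of a user-mediated clipboard broker (constructed example).

Policies modelled:
  * every clipboard access is recorded as a banner event, and refused
    background reads are recorded too, so the behaviour the post describes
    becomes visible to the user;
  * an app never reads the clipboard on its own: a paste is delivered only to
    the focused app, only after the user's paste gesture, and only once per
    gesture;
  * entries marked sensitive are single-use and expire after a timeout.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Entry:
    text: str
    source_app: str
    copied_at: float
    sensitive: bool = False


class ClipboardBroker:
    def __init__(self, clock: Callable[[], float], sensitive_ttl: float = 60.0):
        self._clock = clock            # injectable so expiry can be tested offline
        self._ttl = sensitive_ttl
        self._entry: Optional[Entry] = None
        self._focused: Optional[str] = None
        self._paste_armed = False
        self.banner_log: List[str] = []

    def focus(self, app: str) -> None:
        """The OS reports a foreground change; any pending paste gesture lapses."""
        self._focused = app
        self._paste_armed = False

    def copy(self, app: str, text: str, sensitive: bool = False) -> None:
        if app != self._focused:
            raise PermissionError(f"{app} is not in the foreground")
        self._entry = Entry(text, app, self._clock(), sensitive)

    def user_paste_gesture(self) -> None:
        """Called only by the OS when the user taps Paste, never by an app."""
        self._paste_armed = True

    def _expire(self) -> None:
        e = self._entry
        if e is not None and e.sensitive and self._clock() - e.copied_at >= self._ttl:
            self._entry = None

    def read(self, app: str) -> Optional[str]:
        self._expire()
        if app != self._focused or not self._paste_armed:
            # Refused, but still surfaced: this is the detection signal the
            # iOS 14 banner gives the user.
            self.banner_log.append(f"{app} attempted a background clipboard read (blocked)")
            return None
        self.banner_log.append(f"{app} read the clipboard")
        self._paste_armed = False          # one gesture authorises one read
        if self._entry is None:
            return None
        text = self._entry.text
        if self._entry.sensitive:
            self._entry = None             # secrets are delivered once
        return text

    def blocked_attempts(self) -> int:
        return sum(1 for line in self.banner_log if "blocked" in line)


def demo() -> Dict[str, object]:
    """Walks through the scenarios the thread raises; returns what each app saw."""
    now = [1000.0]
    broker = ClipboardBroker(clock=lambda: now[0], sensitive_ttl=60.0)

    broker.focus("PasswordManager")
    broker.copy("PasswordManager", "correct horse battery staple", sensitive=True)

    broker.focus("NewsApp")                       # app opens and polls the clipboard
    background = broker.read("NewsApp")           # no gesture: refused and logged

    broker.focus("Browser")
    broker.user_paste_gesture()
    pasted = broker.read("Browser")               # delivered exactly once
    second = broker.read("Browser")               # gesture already consumed: refused

    broker.focus("PasswordManager")
    broker.copy("PasswordManager", "constructed-secret-2", sensitive=True)
    now[0] += 61.0                                # past the 60 s timeout
    broker.focus("Browser")
    broker.user_paste_gesture()
    expired = broker.read("Browser")              # wiped by the timeout

    broker.focus("Notes")
    broker.copy("Notes", "meeting at 3", sensitive=False)
    now[0] += 3600.0
    broker.user_paste_gesture()
    plain = broker.read("Notes")                  # ordinary text does not expire

    return {"background": background, "pasted": pasted, "second": second,
            "expired": expired, "plain": plain,
            "blocked_attempts": broker.blocked_attempts(),
            "banner_events": len(broker.banner_log)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The model keeps Gruel's text-only simplification: an app receives a string and never a handle to the clipboard, so a clipboard viewer or rich-text transfer would have to be an OS-provided feature, which is the limitation Clive Robinson raises in the next comment.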

Clive Robinson • June 30, 2020 6:12 PM

@ Gruel,

You've got the general idea.

But text itself is a problem because it frequently has attributes that people want to keep after transferring it such as "bold", "italicized", and a whole lot more.

But even if they don't the question of "fonts" and "extended characters" for the likes of Internationalization occurs.

Which brings in the issues of multibyte characters and backwards and forwards compatibility.

The whole thing is just an entire mess that users generally do not get to see except for when they don't get what they want, which often boils down to the equivalent of a cut and cropped image not "text".

I once had a less than fun time explaining to a university lecturer that whilst the desktop publishing program had a licence to display certain fonts the printer did not have a licence for the font in question nor did the word processor, therefore the best I could do was get the desktop publishing program to output an image file that could then be included "as is" into other applications. I actually felt for the guy, he was an amiable person and what he was trying to do should have been not just possible but simple. But more than a quarter of a century ago that was not the way money was made in Silicon Valley and Seattle.

Mark • July 1, 2020 9:47 PM

Absolutely insane that Apple let this happen. How many passwords and other sensitive data leaked? This is on Apple for failing to secure the OS.
