iPhone Apps Stealing Clipboard Data

iOS apps are repeatedly reading clipboard data, which can include all sorts of sensitive information.

While Haj Bakry and Mysk published their research in March, the invasive apps made headlines again this week with the developer beta release of iOS 14. A novel feature Apple added provides a banner warning every time an app reads clipboard contents. As large numbers of people began testing the beta release, they quickly came to appreciate just how many apps engage in the practice and just how often they do it.

This YouTube video, which has racked up more than 87,000 views since it was posted on Tuesday, shows a small sample of the apps triggering the new warning.

EDITED TO ADD (7/6): LinkedIn and Reddit are doing this.

Tags: , , , ,

Posted on June 29, 2020 at 10:24 AM19 Comments

Comments

Wulf June 29, 2020 10:46 AM

Some malicious apps take screenshots for gathering sensitive data. Perhaps it would be also a good idea for an OS to display a message when apps take screenshots.

JonKnowsNothing June 29, 2020 11:06 AM

@Wulf

re:

a good idea for an OS to display a message when apps take screenshots.

There are settings to stop apps from accessing parts of the phone you don’t authorize but in real world use most folks enable everything.

There are the hidden no-settings-for-you parts of the system where you don’t have access at all.

Consider: Someone who is a app-junkie downloading everything “new and viral” from the app stores.

Now every time an app takes a pictures some message is logged:
  Took Your Picture

Logging a message isn’t going to fix the issue because the underlying/hidden users of your phone want to exfiltrate all the data they can.

In the case of the clipboard, only Apple can fix it … if it is fixable.

Clive Robinson June 29, 2020 11:10 AM

@ ALL,

I guess the obvious question is why are these apps in Apple’s walled garden?

Apple’s promise about it’s walled garden was the safety of the user experience from malware etc etc etc.

The notion of “least privilege” appears not to be a consideration. Perhaps users should think about the implications of this.

And perhaps Apple should rather than put up a banner change the functionality of the clip board so it is rather more under user control than application control.

After all it was not that long ago that “security experts” recomended that users have password managers on their Internet connected devices and that the user “cut-n-paste” a complex random password from the managers display window into the password box in the web page or application…

Thunderbird June 29, 2020 11:13 AM

Interesting. Of course the clipboard has to work like that–I’ve seen apps offer to insert something that was in the clipboard before so they can obviously see it, but it never occurred to me that it was a security issue. And I’ve been doing security stuff for more than thirty years.

So how would you make a clipboard secure? It might help if the clipboard were cleared when it was read, but the only way that really seems foolproof (for some degree of fool, and for only thinking about it briefly) would be to have the system catch and interpret paste requests so an explicit user request was needed. And I get the impression that is not how iOS works…

wiredog June 29, 2020 11:27 AM

It would be interesting to see the results of other OSes did this. Windows, MacOS, Linux, Android, would all probably be popping up a lot of warnings.

JDM June 29, 2020 11:35 AM

I know Windows used to allow this, back around Windows 98SE. I remember warning some folks on forums about it after I’d learned about it. There was a way to turn it off, and I assume -yeah – they plugged that one at some time. But later iterations?

Alejandro June 29, 2020 3:03 PM

Just awful. They can get your passwords, just about anything. Here is a list of alleged reputable news media apps which collect your clipboard data….maybe you have heard of one or two of them:

ABC News — com.abcnews.ABCNews
Al Jazeera English — ajenglishiphone
CBC News — ca.cbc.CBCNews
CBS News — com.H443NM7F8H.CBSNews
CNBC — com.nbcuni.cnbc.cnbcrtipad
Fox News — com.foxnews.foxnews
News Break — com.particlenews.newsbreak
New York Times — com.nytimes.NYTimes
NPR — org.npr.nprnews
ntv Nachrichten — de.n-tv.n-tvmobil
Reuters — com.thomsonreuters.Reuters
Russia Today — com.rt.RTNewsEnglish
Stern Nachrichten — de.grunerundjahr.sternneu
The Economist — com.economist.lamarr
The Huffington Post — com.huffingtonpost.HuffingtonPost
The Wall Street Journal — com.dowjones.WSJ.ipad
Vice News — com.vice.news.VICE-News

Read the support docs for more surprises.
User beware!

Clip Bored June 30, 2020 2:05 AM

Fortunately I don’t use any of the listed apps. However I agree that notifications about which apps accessed my clipboard and when is a good step.

I still wonder why does the OS even let the clipboard contents linger once it’s been pasted? Or like 1 minute after paste in case you have to paste a password more than once.

Or just autoclear the effing clipboard based on user setting — same as the one for “require unlock password after: immediately, 1 min, 5 mins, 15 mins” in user settings.

Or maybe have a separate private clipboard for copying from “sensitive apps” like password managers and bitcoin wallets.

Ismar Duderija June 30, 2020 4:04 AM

Why, o why, should the apps be allowed to access clipboard content without user interaction – what possible valid scenario would allow for hijacking of this functionality?

One way for an OS to implement a decent compromise between security and convenience here is by

  1. Only allow reading from clipboard (copying, cutting) and writing to clipboard (pasting) when user initiates the action
  2. Restrict clipboard history to the same app – i.e. don’t allow apps to read content of the clipboard populated from a different app apart from the last clipboard entry (and also only when initiated by the user via UI – point 1.)

This will cover the majority of scenarios where you need to paste some text you just copied from, say, a pdf file into, say, an email as a quote that might be too long to type in manually.

Unfortunately, the trends towards convenience still seem to be winning and now you can even sync your clipboards between devices as well – what kind of usage workflow would this be supporting I have now idea ?

https://support.microsoft.com/en-au/help/4028529/windows-10-clipboard

Ergo Sum June 30, 2020 7:35 AM

@Ismar Duderija..

Unfortunately, the trends towards convenience still seem to be winning and now you can even sync your clipboards between devices as well – what kind of usage workflow would this be supporting I have now idea ?

Not to downplay the risk of security and privacy implications of the clipboard history, but…

By default, the clipboard history is disabled in Windows 10. For the ignorant masses, enabling it is just a simple click in settings. Unless, the administrator of the systems disabled clipboard history in the registry, which he/she should.

Without enabling clipboard history, there’s only the last clipboard entry available.

I’ve been using Bruce’s excellent Password Safe. His program locks after 5 minutes or so inactivity and wipes the copied password from the clipboard. In addition, Ctrl+Delete deletes the copied password from the clipboard. It does the same, if and when the program is closed. Copying text to overwrite the password is not necessary, but certainly doesn’t hurt.

The copy/paste is a useful function in any OSes. It’s doubtful that it’ll be ever removed and controlled to the level to remove risk to privacy and/or security.

Alejandro June 30, 2020 9:13 AM

A small mean thought: Think how much fun it would be scamming the collectors by putting…irreverent….comments on your copy/paste cache. Tee Hee.

Chris June 30, 2020 11:00 AM

I tend to give all those apps the benefit of the doubt regarding scraping the clipboard intentionally. To me it looks more like they all use some intrusive SDK, perhaps Google’s or Facebook’s or one of the many product usage analytics solutions, that does it. Of course, without inspecting the app source code, this is just a speculation. Which begets the question whether there is a known open-source app that also triggers the warning.

The clipboard is there to facilitate data exchange between different applications and it is inherently insecure, which is why passwords should never be copied and pasted. Instead, one should use a password manager with autotype (on desktop) or with system keyboard integration (on mobile).

Gruel June 30, 2020 4:15 PM

Copy and paste between different apps is the majority of my personal usage of the feature, both on desktop and mobile.

What should happen is that copy/paste should be an OS-provided service that apps have no access to… all the apps see is a stream of characters coming in on paste that look exactly the same as if the user had literally typed them out. That’s all. No direct access to the clipboard for apps.

I guess that would only support text clipboards, not images. I personally rarely if ever use images. But I could see that being different for some others. To support that case, you restrict access to the clipboard such that, when a user interacts with the paste function of the OS, the focused app gets notified that an incoming paste is ready, and then it’s given the ability to read the paste, but only that one app, and only that one paste, and only that one time. No other access to the clipboard for apps.

What about a “clipboard viewer” app, you might ask? Well, under either of these safer models, that would have to be an OS-provided feature.

It’s the same as screenshots. Also should be an OS-provided feature. No direct access from apps.

Ideally the same for cameras and microphones, though I guess in practical terms it has to be some sort of prompt for confirmation and obvious visual indication that they’re on, rather than a complete block.

Clive Robinson June 30, 2020 6:12 PM

@ Gruel,

You’ve got the general idea.

But text it’s self is a problem because it frequently has attributes that people want to keep after transferring it such as “bold”, “italicized”, and a whole lot more.

But even if they don’t the question of “fonts” and “extended characters” for the likes of Internationalization occurs.

Which brings in the issues of multibyte characters and backwards and forwards compatability.

The whole thing is just an entite mess that users generaly do not get to see except for when they don’t get what they want, which often boils down to the equivalent of a cut and cropped image not “text”.

I once had a less than fun time explaining to a university lecturer that whilst the desktop publishing program had a licence to display certain fonts the printer did not have a licence for the font in question nor did the word processor, therefore the best I could do was get the desktop publishing program to output an image file that could then be included “as is” into other applications. I actualy felt for the guy, he was an amiable person and what he was trying to do should have been not just possible but simple. But more than a quater of a century ago that was not the way money was made in Silicon Valley and Seattle.

Mark July 1, 2020 9:47 PM

absolutely insane that Apple let this happen. How many passwords and other sensitive data leaked? This is on Apple for failing to secure the OS.

Ilsa Loving July 2, 2020 5:41 PM

I’m both amused and greatly dissappointed by all the instant armchair security experts commenting on this. “”This is such an obvious security issue!” “How can Apple allow such a thing? So much for their walled garden!”

An easily accessible clipboard has literally been around for as long as multitasking operating systems have existed. That means every single OS in recent memory is affected by this including Android, Windows, etc. It is not an Apple exclusive issue.

Hell, people even shoehorned similar functionality into DOS with TSRs. That means there’s been an open clipboard for coming onto 40 years now, give or take. So maybe it isn’t as obvious as these 20/20 hindsighters think, hmm?

Espionage software and malware has been taking advantage of this fact for a long time, but nothing was ever done because “normal” software developers would never do something so underhanded. If they polled the clipboard, it was either for a good but intentional reason, usually to do with user convenience, or it was a bug that was subsequently fixed.

What HAS changed is that we now live in the age of facebook, where almost everyone has basically given up trying to protect their privacy for one reason or another. In addition, we are in the age of telemetry where companies feel that they are justified in sucking down whatever information they can get their sticky fingers on.

That means the social contracts that used to exist for responsible data handling have only relatively recently been thrown out the window. This clipboard issue is basically the wakeup call that yes, the situation really has gotten that far out of hand. Be happy that Apple is addressing the issue at all. That’s more than literally anyone else is doing right now.

Clive Robinson July 3, 2020 3:33 AM

@ Ilsa Loving,

That means there’s been an open clipboard for coming onto *40 years* now, give or take. So maybe it isn’t as obvious as these 20/20 hindsighters think, hmm?

Have you ever done “Rainbow book”[1] development?

Or later secure systems development. Well the likes of clipboards and their security issues and what to do about them was well known even back fifty years ago.

A little history for you. *nix amongst other OS’s in potentia back in the 1960’s and 70’s were mainly used via serial terminals of one form or another (IBM of course had it’s propriety keep the profits higher version). Well terminals could be all over a building and quite often the user would not have a phone extension of their own or even in adjacent rooms… So somebody came up with the idea of what became a “chat” or terminal to terminal messaging system (think SMS for the pre-nerd age).

Well in the mid 1970’s terminals of the old KSR and ASR Teletype (TTY) mechanical type had more or less been replaced with “green screen” Visual Display Units (VDUs) and these were getting smart real smart. DEC had gone for amber rather than green and they had realy driven the smarts on their terminals. However they had included a peculiarity in the “ESCape Codes” which was that the computer could send an escaped string to the terminal, that the terminal would then send back to the computer as if the user had typed it at the keyboard. With it you could in effect cut and paste from one terminal to another so it could be used as a clip board.

However pranksters found that by using chat or similar you could get the equivalent of a “mess with my day” joke.

Only some were not funny. The Prime OS from Prime Computers was used by what is now BT for it’s BT Gold Business service. Any way the Prime OS had a remote “shutdown” feature such that someone logged into the admin account could shut the system down safely. To stop people doing it by mistake the command could be locked to the admin terminal as part of the OS configuration. However if as some did they made the mistake of using such terminals as had that DEC terminal write back feature for their admin terminal then you could still prank it by the terminal to terminal chat feature…

So yes the dangers of clip boards etc were well known back in the 1970’s[3]…

But most of these data stealing apps give themselves away by their network traffic. There was a tweet that indicates that one of the worst offenders –as normal– was “linkedin” apparently they were copying the clipboard on every key stroke… Spotting such network activity would not normally be hard but both Google and Apple make doing it on their walled garden OS’s quite difficult. They both know this, thus you think that their security testers of applications they let in their walled garden would pay a little more attention to this asspect of the apps, but apparently not. Read into that what you will but Google with it’s Project Zero should remember that like “charity”, “security begins at home”.

[1] I’m talking about the US Dod books on security not those other books of which the series for CD’s is also well known. They were “the goto computer security books” during the 1980’s and early 1990’s and made quite a stack to lean against a wall. They’ve been long superseded and about the only place you can get electronic copies these days is the Federation of American Scientists web site,

https://fas.org/irp/nsa/rainbow.htm

[2] The BT Gold business service in the 1980’s was being pushed rather heavily by UK Prime Minister Maggie Thatcher. Unfortunately it came to fame via the fact that most journalists could not tell it appart from Prestel, thus when Robert Schiffren and Steve Gold alledgedly “hacked Prince Philips Electronic Mail box” they conflated it with the rather embarising BBC Micro Live “hackers song” from Oz and Yug. BT tried to cover up what had happened on the BBC program seen by an estimated third of the country with a series of very expensive adverts, in which they effectively lied. Knowing about Prime OS at the time I wrote a piece pointing this out and giving sufficient details for the Micronet 800 group on Prestel. Well it caused monsterous ructions and it was only my sixth sense that stopped me getting the same “arresting” treatment that Rob and Steve got.

[3] One of the things I moan about “from my armchair” from time to time is the fact that as an industry ICT especially ICTsec is very good at amnesia and not learning from it’s quickly forgotton history. Thus mistakes easily inside living memory get repeated over and over every decade or so… Untill ICTsec practitioners start to wake the heck up, they will continue to sleep walk into such known security blunders.

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.