Copy, paste catastrophe: how Apple’s iOS 14 disrupted clipboard espionage

Over the last few weeks, you’ve likely seen many stories — both from MobileSyrup and others — about apps accessing the iOS clipboard. Some probably wonder what the big deal is. After all, apps access your clipboard for copy and paste, a tool many of us use regularly.

Unfortunately, not all apps use the clipboard as they should. Most of the recent iOS clipboard coverage traces back to two things: iOS 14 and app developer Mysk. In February 2020, German-based developer Tommy Mysk and Toronto-based developer Talal Haj Bakry shared a blog post explaining how iOS and iPadOS apps have unrestricted access to the clipboard.

The duo highlighted how this access could lead to security vulnerabilities, such as exposing users’ precise location. For example, if someone copied a picture they took to their iPhone’s clipboard, any app that accessed the clipboard could obtain the image and the GPS coordinates embedded in the photo when it was taken.

Further, based on how people often use their smartphone, other essential data like passwords, addresses or other information copied to the clipboard could be vacuumed up by apps without user consent.

The blog post includes a disclaimer that Mysk submitted the details to Apple in January, but the company told the developers it didn’t see an issue with the vulnerability.

However, with the release of iOS 14 betas to developers and later the public, it became clear that Apple did see a problem with clipboard access. iOS 14 reworks the clipboard and notifies users when apps copy data from it.

The story quick spiralled from there as beta testers and developers stumbled across multiples apps hoovering data from the clipboard at every opportunity.

Name and shame

When Apple made iOS 14 available for developers, the software instigated what I like to call a ‘name and shame’ campaign. Apple’s latest mobile operating system ushered in two significant changes for the clipboard; a notification to tell users when apps accessed clipboard data and a new API that makes the clipboard more secure.

That first change was the catalyst for all the recent stories naming apps that misused the clipboard. Thanks to the coverage, it also lead to the ‘shame’ aspect with many developers walking back clipboard features.

It’s important, however, to note that many apps do use the clipboard properly. Further, many apps use the clipboard with good intentions. For example, some browser apps on iOS check the clipboard for URLs and offer a quick ‘paste-and-go’ shortcut. Users can tap a button and navigate to the copied URL instead of needing to open a new tab, tap the address bar and press-and-hold to paste the URL.

Still, for all the apps doing this properly, many arguably don’t. Since late June, people have caught over 50 apps abusing clipboard access. This can come in many forms, from some apps accessing the clipboard without user interaction to others that constantly checked the clipboard for no good reason. Some developers pushed updates to stop accessing the clipboard, claiming the issues were bugs. We’ve compiled a list of these apps, which you can view at the bottom of this story.

Offering a better way

Along with naming and shaming the apps that aren’t using the clipboard properly, Apple has updated its clipboard APIs in iOS 14 to protect user privacy better.

When iOS 14 officially arrives later this year, it will allow apps to query the clipboard without seeing its data. Going back to the browser example used above, apps can use the new API to ask iOS what’s in the clipboard.

iOS can then tell the browser whether it has a URL, text, a picture, or something else. Plus, the software can do this without revealing what’s in the clipboard.

If iOS says a URL is available, the browser can paste it from the clipboard, triggering the notification and letting the user know what transpired. If there isn’t a URL, the app doesn’t access the clipboard data, the user’s information remains secure and iOS doesn’t notify the user.

While on the surface it’s a simple change that will hopefully prevent apps from snooping on users’ clipboard, it may also take time for developers to implement proper support in their apps.

How can I protect my clipboard now?

Unfortunately, for many users, apps will still have free rein for the next few months. iOS 13 doesn’t offer the same clipboard protections as iOS 14 will and it also doesn’t notify users when apps access the clipboard.

Thankfully, there are a few steps people can take to protect themselves. First up, keep an eye out for the apps that have been caught accessing the clipboard. If possible, stop using apps caught snooping on clipboard data. Alternatively, access them through a trusted web browser instead of the native iOS app, as native apps have full clipboard access.

Those running the iOS 14 beta likely haven’t caught every app engaged in clipboard espionage yet. Plus, some people will have apps they need to use that still snoop on the clipboard. So, the other active step you can take is avoiding copying any sensitive data to your clipboard. If you do have to copy something, take steps to replace it with other information after. Hopefully this will prevent leaking sensitive data to apps that misuse the clipboard.

It’s also worth noting that Apple offers a cloud clipboard feature that enables users to copy and paste across iOS, iPadOS and Mac devices. Apps snooping on the clipboard can get data from your laptop or tablet too. If you don’t use this feature, you can turn it off by going to ‘System Preferences’ > ‘General’ > ‘Allow Handoff between this Mac and your iCloud devices’ and deselecting that option. On your iPhone or iPad, you can turn it off under ‘Settings’ > ‘General’ > ‘Handoff.’

Finally, if you use a password manager app, avoid copying and pasting your passwords when possible. Many support iOS’ autofill settings, which should mean you don’t need to copy and paste passwords manually. Some password managers offer the ability to clear your clipboard after a short time, so turn on that setting.

None of those solutions are ideal, but until iOS 14 arrives with the new clipboard API, they’re all we have.

What about Android users?

After reading all this, you may wonder if the clipboard on your Android phone or Windows PC is safe. In short, probably not.

How-To Geek offers a great rundown on clipboard access. On smartphones, any app you install can access the clipboard. In fact, Mysk told Ars Technica that Android is more lenient with the clipboard than iOS.. Hopefully, Google follows Apple and implements a similar system to iOS 14 on Android.

Laptops running Windows 10 or macOS operate a little differently. Many apps you install can still access the clipboard whenever they want — unfortunately, that part is still the same. However, both desktop operating systems also offer some kind of cloud clipboard feature. As mentioned above, macOS has ‘Universal Clipboard,’ which shares copied data across macOS, iOS and iPadOS. That means anything you copy will pass through Apple’s servers.

Windows 10 has a ‘Clipboard history’ setting that saves a record of everything you copy and paste. You can access this by tapping Windows+V. Windows 10 will sync your clipboard history across devices as well if you enable that setting.

The one saving grace here is websites. Web apps can’t automatically access your clipboard. Users have to paste content manually for a website to access it.

Regardless if you use iOS, Android or something else, you should be cautious with what you copy to your clipboard and how. When possible, avoid copying any sensitive data and use available tools to clear that data out when you’re done with it.

It could be a good idea to get in the habit of copying non-sensitive data to your clipboard to replace any sensitive data since most clipboards only store the last thing you copied. Anyone who wants to be really cheeky should copy “Stop looking at my clipboard” and let apps see that whenever they snoop.

Apps that access the clipboard without user consent

The below list of apps was compiled from a combination of previous reporting and MobileSyrup’s own testing. The list primarily contains apps that copy clipboard data without user interaction, or repeatedly access the clipboard while in use. While not every app accessing the clipboard is doing something wrong, by accessing the data without user consent, those apps are potentially seeing sensitive data.

The list below is not an exhaustive account of apps using the clipboard. It also includes anything developers have said in response. Sources include The Telelgraph, Ars Technica, MSPoweruser and Mysk.

  • Firefox
  • Google Chrome
  • Discord
  • TikTok – said it would update its app
  • Fox News
  • The New York Times
  • Wall Street Journal
  • Bejeweled
  • Fruit Ninja
  • PUBG Mobile – stopped clipboard snooping
  • Viber – told MobileSyrup it “blocked” the option to save clipboard data
  • Weibo
  • Zoosk
  • AccuWeather
  • DAZN – stopped clipboard snooping
  • Overstock
  • CBC News – stopped clipboard snooping
  • CBS News – stopped clipboard snooping
  • ABC News – stopped clipboard snooping
  • Al Jazeera English – stopped clipboard snooping
  • CNBC
  • News Break
  • NPR
  • Reuters
  • ntv Nachrichten – stopped clipboard snooping
  • Russia Today
  • Stern Nachrichten
  • Huffington Post
  • The Economist
  • Vice News
  • 8 Ball Pool– stopped clipboard snooping
  • Amaze – stopped clipboard snooping
  • ToTalk
  • Tok
  • Truecaller – stopped clipboard snooping
  • Block Puzzle
  • Classic Bejeweled – stopped clipboard snooping
  • Class Bejeweled HD – stopped clipboard snooping
  • Watermarbling
  • Total Party Kill
  • Tomb of the Mask – stopped clipboard snooping
  • Tomb of the Mask: Color – stopped clipboard snooping
  • FlipTheGun
  • Golfmasters
  • Letter Soup – stopped clipboard snooping
  • Love Nikki
  • My Emma
  • Plants vs. Zombies Heroes
  • Pooking – Billiards City
  • 10% Happier: Meditation – promised to stop the behaviour and followed through
  • AliExpress Shopping App
  • Bed Bath & Beyond
  • Hotels.com – stopped clipboard snooping
  • 5-0 Radio Police Scanner – stopped clipboard snooping
  • Hotel Tonight – promised to stop and did so
  • The Weather Network – removed a “diagnostic functionality” that was accessing the clipboard
  • Pigment – Adult Coloring Book
  • Recolor Coloring Book to Color – stopped clipboard snooping
  • Sky Ticket
  • Microsoft Teams
  • Call of Duty Mobile
  • Google News
  • LinkedIn – said the clipboard access was a bug, updated its app
  • Reddit – released a fix to remove the clipboard access code
  • McDonald’s – working to fix the issue
  • Starbucks – issue to be fixed in upcoming update
  • Wendy’s – a fix is underway

View original article here Source