A Universal Clipboard feature in iOS 14 has exposed how apps spy on smartphone users, with LinkedIn found copying clipboard content from iOS devices with every keystroke.
A couple of iPhone apps have been caught copying the contents of the clipboard & keyboard presses.
According to a blog post by Don Morton, Twitter user @Doncubed, LinkedIn had been copying clipboard content from iOS devices with every keystroke.
“LinkedIn is copying the contents of my clipboard every keystroke. iOS 14 allows users to see each paste notification,” he tweeted. The invasion of privacy was discovered using a new feature on iOS 14 beta called the Universal clipboard privacy feature. Not only does this allow copying & pasting between Apple devices, but it also alerts users if another app has access to that data.
LinkedIn’s VP Engineering for Consumer Products, Erran Berger, recognised the problem & explained that the company had “traced this to a code-path that only does an equality check between the clipboard contents, & the currently typed content in a text box.”
“We don’t store or transmit the clipboard contents,” he observed.
In a further report, this same feature showed that Reddit has similar issues with its app. A video shared by Don Morton revealed that the Reddit app also triggers notifications from the Universal Clipboard feature every time a key is pressed.
In a statement to ‘The Verge’, Reddit commented that the issue was due to a ‘code-path that checks for URLs & then suggests a post title’.
“We do not store or send the pasteboard contents. We removed this code & are releasing the fix on July 14,” the spokesperson explained.
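Both vendors describe code paths that read the clipboard while the user types. The sketch below is an added example, not LinkedIn's or Reddit's code: it uses UIKit's `detectPatterns(for:completionHandler:)`, available from iOS 14, which reports whether the clipboard probably holds a link without handing the contents to the app, and reads the contents only after the user taps a button. The class, field and button names are hypothetical.

```swift
import UIKit

// Added example. PostComposerViewController, urlField and pasteLinkButton
// are hypothetical names used for illustration only.
@available(iOS 14.0, *)
final class PostComposerViewController: UIViewController, UITextFieldDelegate {
    private let urlField = UITextField()
    private let pasteLinkButton = UIButton(type: .system)

    override func viewDidLoad() {
        super.viewDidLoad()
        urlField.delegate = self
        pasteLinkButton.setTitle("Use link from clipboard", for: .normal)
        pasteLinkButton.isHidden = true
        pasteLinkButton.addTarget(self, action: #selector(useClipboardLink),
                                  for: .touchUpInside)
        let stack = UIStackView(arrangedSubviews: [urlField, pasteLinkButton])
        stack.axis = .vertical
        stack.frame = view.bounds.insetBy(dx: 16, dy: 80)
        view.addSubview(stack)
    }

    // Pattern to avoid: hooking .editingChanged and comparing
    // UIPasteboard.general.string with the field text on every keystroke.
    // Each such read hands the full clipboard contents to the app.

    // Preferred: ask once, when editing starts, whether the clipboard
    // looks like a web URL. This query does not return the contents.
    func textFieldDidBeginEditing(_ textField: UITextField) {
        UIPasteboard.general.detectPatterns(for: [.probableWebURL]) { [weak self] result in
            guard case .success(let found) = result else { return }
            // Update the UI on the main queue.
            DispatchQueue.main.async {
                self?.pasteLinkButton.isHidden = !found.contains(.probableWebURL)
            }
        }
    }

    // The contents are read only here, after an explicit tap by the user.
    @objc private func useClipboardLink() {
        let board = UIPasteboard.general
        guard let url = board.url ?? board.string.flatMap({ URL(string: $0) }) else { return }
        urlField.text = url.absoluteString
    }
}
```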
Morton said in his blog post that he could “easily see “phishing apps” starting to pop up, if they are not already, with the one intention to grab as much clipboard data as possible.”
“To me, this is just as bad or even more worrying than the companies that have already been called out for it.
“For the most part, the companies that have been getting called out have motive to be “good”. I’m just starting to think about companies or apps that have no intention of being good,” he mentioned.
Morton suggested that users should ask Apple to ‘require permissions for apps’ in order to have access to the clipboard.
“Google is a big fan of this feature, we’ve seen them use the “from your clipboard” suggestion in apps like Google Search, Maps, etc. I understand that it’s a nice feature to have but the security threat it imposes warrants a notification in my opinion,” he went on to say.
David Kennefick, Product Architect at Edgescan, said that very few mitigations exist at present, & it seems that practices such as this may have been in place for a while.
“From late 2019, the US Army was advising that applications from Chinese owned companies should not be installed on work devices, this included the very popular TikTok.”
Security & Privacy Perspective
“The best advice from a security & privacy perspective is very simple – if you suspect an application may be copying your clipboard content unknowingly, delete the application,” he further explained.
Tom Davison, Technical Director, International, at Lookout, explained that apps are mainly built with functionality in mind, & privacy & security considerations may take second place. While the intent may be good, the consequences can be problematic.
“For consumers it may be an unwelcome surprise, to a regulated business under GDPR, potential data leakage is a serious issue.
“The problem here is transparency, particularly when an API exposes data without needing user consent.
“Device manufacturers need to strictly control API access, users should pay attention to privacy policies, & enterprises should use tools to assess & govern compliant app usage,” he concluded.