Please leave our clipboards alone.
#pleasenocopypasta🍝
The Problem
Our clipboards go through and see a lot: passwords, bank account information, credit cards, private crypto keys, etc.
Over the past week, IOS 14 has given us some insight into what apps are doing behind the scenes. The new operating system (which is still in beta), will notify you every time your clipboard is accessed. Yesterday, I tweeted calling out Microsoft’s LinkedIn showing that it was accessing my clipboard every keystroke.
This is a problem. However, the real problem and thing that scares me is the fact that ANY app has the ability to access the clipboard without permission.
I could easily see “phishing apps” starting to pop up (if they are not already) with the sole intention to scrape as much clipboard data as possible. To me, this is just as bad or even more worrying than the companies that have already been called out for it. For the most part, the companies that have been getting called out have motive to be “good”. I’m just starting to think about companies or apps that have no intention of being good.
Think of all the apps your parents or your siblings use; if you’re reading this you are probably informed enough and have already installed the new IOS or deleted questionable apps off your phone. Your parents, siblings, grandparents, etc. are the real targets here.
One interesting note — There are a ton of apps that are doing it on startup, but not every keystroke. This makes me wonder if this is caused by a common library they are all using — or what the real reasoning behind doing a clipboard call on load is.
The Response
LinkedIn did respond to my tweet, a big thanks to everyone who retweeted it and gave it visibility.
“We've traced this to a code path that only does an equality check between the clipboard contents and the currently typed content in a text box” — Erran Berger
Now I do think that we should believe LinkedIn, as they have a lot to lose. Erran linked an open-source Github repository with a fix for the problem and from what was there before/changed it does not look like there was anything malicious going on. However, there is no way to verify if this is the actual code inside the LinkedIn app so take that as you will.
The List
(I will update the list with links to responses the companies have made, these are all ones I have confirmed myself.)
Every Keystroke
On Startup of App
Google News
Patreon
Call of Duty
Fruit Ninja
Philips Sonicare App
What can we do
Being able to get some insight on what apps are doing behind the scenes is a real game changer. If you can: install IOS 14, send me a DM of any apps you find doing this — I will confirm and then add it to this list ^^.
I saw lots of buzz on twitter about password managers and the exposure that users of password managers might have. I read this article by Chris Hoffman and he had a good find. Some password managers have a feature that will wipe your clipboard a certain amount of seconds after the initial copy.
He details it with a picture here:
We can also ask Apple to require permissions for apps to have access to our clipboard. Google is a big fan of this feature, we’ve seen them use the “from your clipboard” suggestion in apps like Google Search, Maps, etc. I understand that it’s a nice feature to have but the security threat it imposes warrants a notification in my opinion.
Please, just ask next time. #pleasenocopypasta🍝
Thanks for reading! I will be writing some more about startups, privacy, and gaming. If you would like to hear more from me -
On Startup: Microsoft Edge, eMag, Foodpanda, KIWI.com, LastPass, Pinterest, SoundCloud, TuneIn Radio, 0700;
All the time: Google Chrome, Google Maps;
Two more: PhotoSi and Hodl!