Tuesday, March 17, 2020

iOS Apps Snooping on Pasteboard Data

Talal Haj Bakry and Tommy Mysk (via MacRumors):

This article provides an investigation of some popular apps that frequently access the pasteboard without user consent. These apps range from popular games and social networking apps, to news apps of major news organizations. We found that many apps quietly read any text found in the pasteboard every time the app is opened. Text left in the pasteboard could be as simple as a shopping list, or could be something more sensitive: passwords, account numbers, etc.


The method is simple: Once we connect and pair the devices with Xcode, we can read the system log of the device. Fortunately, all pasteboard events are clearly logged.


We include any app that requests and reads the content of the system-wide pasteboard every time it’s opened, and consider it to be highly suspicious. There are games and apps that do not provide any UI that deals with text, yet they read the text content of the pasteboard every time they’re opened.

Nick Heer:

Most apps do not breach user trust in this manner, so it is surprising to see the breadth of very popular apps that are doing so in this case — many of which have no practical reason for reading pasteboard data in the first place. It’s the kind of thing that makes me wonder if they are all, perhaps, using a shared development framework or analytics bundle.

One way to resolve this may be to require consent from the user before the app can access the pasteboard. That consent can be provided in the form of the user tapping the paste button, upon which point the app is authorized.

Just because I once pasted something into an app doesn’t mean I want it to have ongoing access to read the pasteboard. Yet I don’t want to be prompted for each and every access, either. This seems like another case where it would be helpful for the system to maintain an audit log of what each app was doing.


5 Comments RSS · Twitter

I don't know what these apps might be doing, but there may be legitimate reasons. Triggering some kind of developer/debug mode for example. Type a known string into Notes, copy it, and launch the app. The app notices this special string and shows debug menus and/or info. Developers and/or support people can then use this to diagnose app issues in the field.

I think I probably do want to be prompted before pasting. Under what other conditions would the pasteboard be read?

The only time I regularly use the pasteboard without hitting 'paste' is with password managers. So, yes, I'd allow that interruption to my workflow to protect my passwords. Whitelisting of certain combinations of apps might be an option.

Sören Nils Kuklau

@ Tom: yeah, there are definitely legitimate uses. For example, apps like Instapaper will prompt if you want to read the article from the URL in the clipboard. Apollo will detect a reddit link and ask to go there. Deliveries will try and parse the clipboard for a package tracking ID (Amazon, DHL, whatever) and ask if you want to track that package.

But I think those uses (where the user doesn’t provide consent by explicitly tapping “Paste” in some way) are specific enough that a prompt wouldn’t be a huge burden. Moreover, I believe this may justify something like AppleEvents on macOS, where not only do you have to allow clipboard access per-app, but you have to allow it app-to-app.

So, if the user explicitly taps Paste, they establish temporary consent.

But if the app wants to do something automatically, the user needs to opt-in.

Allow “TikTok” to access your

TokTok uses your clipboard to make
pasting pictures and other things

You copied something in Safari 6
minutes ago.

[ Allow for Items from “Safari” ]
[ Allow for All Items ]
[ Allow Once ]
[ Don’t Allow ]

Maybe there’s no need for “all items” here. Four buttons is kind of a lot.

And then, iOS 13-style, you get another prompt after a week or so:

“TikTok” has been accessing
your clipboard. Do you want to
continue allowing this?

TikTok uses your clipboard to make
pasting pictures and other things

(there’d be some kind of collage/
gallery/carousel of recent clipboard
items here. Maybe you can swipe

[ Change to Only While Using ]
[ Always Allow ]

This would be like iOS 13’s location prompt, except instead of a map, you’d see some kind of visual representation of what your clipboard items that the app had access to look like.

3rd party ad-sdks use this for tracking: when you tap on an ad, you’ll get redirect to a website with a download button. If you tap on the button, it copies a uuid to your clipboard (this is allowed by safari, because it’s a user interaction) and then you get redirect to the app store. The ad-sdk in the app then checks for that uuid so they can track the effectiveness of the ad.

People in adtech seem to have a lack of morality, unfortunately :(

[…] monitors the user’s clipboard does not mean that it should be stealing your information. In This report In the comments area, some netizens pointed out that some developers will use this function to […]

Leave a Comment