{"id":28410,"date":"2020-03-17T16:52:41","date_gmt":"2020-03-17T20:52:41","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=28410"},"modified":"2020-03-17T16:52:41","modified_gmt":"2020-03-17T20:52:41","slug":"ios-apps-snooping-on-pasteboard-data","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2020\/03\/17\/ios-apps-snooping-on-pasteboard-data\/","title":{"rendered":"iOS Apps Snooping on Pasteboard Data"},"content":{"rendered":"

Talal Haj Bakry and Tommy Mysk<\/a> (via MacRumors<\/a>):<\/p>\n

\n

This article provides an investigation of some popular apps that frequently access the pasteboard without user consent. These apps range from popular games and social networking apps, to news apps of major news organizations. We found that many apps quietly read any text found in the pasteboard every time the app is opened. Text left in the pasteboard could be as simple as a shopping list, or could be something more sensitive: passwords, account numbers, etc.<\/p>\n

[…]<\/p>\n

The method is simple: Once we connect and pair the devices with Xcode, we can read the system log of the device. Fortunately, all pasteboard events are clearly logged.<\/p>\n

[…]<\/p>\n

We include any app that requests and reads the content of the system-wide pasteboard every time it’s opened, and consider it to be highly suspicious. There are games and apps that do not provide any UI that deals with text, yet they read the text content of the pasteboard every time they’re opened.<\/p>\n<\/blockquote>\n\n

Nick Heer<\/a>:<\/p>\n

\n

Most apps do not breach user trust in this manner, so it is surprising to see the breadth of very popular apps that are doing so in this case — many of which have no practical reason for reading pasteboard data in the first place. It’s the kind of thing that makes me wonder if they are all, perhaps, using a shared development framework or analytics bundle.<\/p>\n

One way to resolve this may be to require consent from the user before the app can access the pasteboard. That consent can be provided in the form of the user tapping the paste button, upon which point the app is authorized.<\/p>\n<\/blockquote>\n\n

Just because I once pasted something into an app doesn’t mean I want it to have ongoing access to read the pasteboard. Yet I don’t want to be prompted for each and every access, either. This seems like another case where it would be helpful for the system to maintain an audit log of what each app was doing.<\/p>\n\n

Previously:<\/p>\n