Many popular iOS and iPadOS apps appear to be snooping on device clipboards, according to new research, although there isn't currently any evidence of abuse.
Apps on iOS or iPadOS generally have unrestricted access to data copied or cut to the systemwide clipboard (the pasteboard). Apple, for its part, has said that this is intended behavior. But a pair of iOS developers have discovered that apps may be reading this data, without the user's knowledge, every time the app is opened.
In a blog post, developers Tommy Mysk and Talal Haj Bakry name a list of about 50 apps that read the contents of the iOS clipboard every time they are opened, without the user's knowledge. The list includes popular apps like TikTok, Accuweather, Truecaller, Overstock and a slew of news publications.
The developers, who used Xcode and Xcode Command line to analyze the behavior of apps, also published a proof-of-concept video demonstrating the apparent loophole.
To be clear, the research doesn't suggest that these apps are doing anything malicious with the data, or even exfiltrating it. They're just reading it. But that fact alone leaves a door open to potential abuse.
While data stored in the clipboard is typically fairly benign, the same read could pick up sensitive copied information such as credit card numbers or plaintext passwords. If a user copies an image from their camera roll, the clipboard could also include metadata with specific locations or coordinates, though the apps the developers analyzed only looked at text.
This isn't the first time that Mysk and Bakry have looked into clipboard vulnerabilities. In February, the duo submitted their research into clipboard location data to Apple.
Reportedly, the Cupertino tech titan told them that they didn't see an issue with the behavior, because only apps in the foreground could read the clipboard. Mysk and Bakry then created a widget that showed apps can access the clipboard in the Today View. They also showed that the flaw could be used to read text copied on a Mac via the Universal Clipboard.
There could be non-malicious reasons why this clipboard-reading is occurring. The developers told Forbes that it might be due to a legacy library reading the pasteboard, and that some developers may not be aware that this is happening.
Mysk and Bakry argue that Apple should act to close the vulnerability because it would be fairly trivial to create malicious code that exfiltrates this data covertly.
The vulnerability becomes more worrisome given the security and privacy concerns of some of the apps, such as TikTok.
In April 2019, the Indian government urged Apple to remove TikTok from the India App Store over child safety concerns. While the app was restored within a week, TikTok is under scrutiny in other parts of the world, too. The U.S., for example, has opened a national security review of the app, The New York Times reported.
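The behavior described above, as an added Swift example that is not from the researchers or from any app named here: the access pattern a defensively written app would use, reading the pasteboard only on an explicit paste action and only after type checks that do not touch the contents, and marking its own sensitive copies as local-only and expiring so they never reach the Universal Clipboard. The tracking-number pattern is assumed for illustration.

```swift
import UIKit

/// Defensive pasteboard handling for an app that needs the clipboard only
/// for one narrow purpose (here: a user pasting a tracking number).
enum PasteboardAccess {
    /// Assumed, illustrative pattern for a tracking number; not from the article.
    static let trackingNumber = try! NSRegularExpression(pattern: "^1Z[0-9A-Z]{16}$")

    /// Call this ONLY from an explicit user action (e.g. a "Paste" button),
    /// never from viewDidAppear / applicationDidBecomeActive, which is the
    /// "read on every open" behavior the research describes.
    static func trackingNumberFromExplicitPaste() -> String? {
        let pb = UIPasteboard.general
        // hasStrings answers "is there text?" without reading the text itself.
        guard pb.hasStrings,
              let text = pb.string?.trimmingCharacters(in: .whitespacesAndNewlines)
        else { return nil }
        let range = NSRange(text.startIndex..., in: text)
        // Return the contents only if they are the one thing we asked for;
        // anything else (passwords, card numbers) is dropped immediately.
        return trackingNumber.firstMatch(in: text, range: range) != nil ? text : nil
    }

    /// Put a secret (e.g. a one-time code) on the pasteboard without letting it
    /// sync to other devices via Universal Clipboard, and with a short lifetime
    /// so a later foreground app finds nothing to read.
    static func copySecret(_ secret: String, lifetime: TimeInterval = 60) {
        UIPasteboard.general.setItems(
            [["public.utf8-plain-text": secret]],
            options: [
                .localOnly: true,
                .expirationDate: Date().addingTimeInterval(lifetime)
            ]
        )
    }

    /// Clear the pasteboard (e.g. after the secret has been consumed).
    static func clear() {
        UIPasteboard.general.items = []
    }
}
```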
9 Comments
Is there a way to clear the clipboard?
I’ve noticed the UPS app will present a message to the effect of “We notice you copied what appears to be a tracking number. Would you like to attempt to track that number?” when I open the app after copying a tracking number.
Perfect example of the “thousand grains of sand” data collection method.