Clipboard snooping still rife across many popular iOS apps

Clipboard snooping by apps isn't limited to TikTok: more than 50 apps that were found to be accessing data from the iOS clipboard in March were continuing the practice months later.

Apple's Universal Clipboard works across iPhone and Mac


As part of the new features arriving in iOS 14 and iPadOS 14 this fall, Apple included a number of measures designed to help increase the privacy of user data. One of those features will alert users whenever an app attempts to access the clipboard, in order to educate users about the types of apps that can potentially access their data.

The feature prompted reports referencing allegations uncovered in March that apps like TikTok frequently accessed the clipboard and grabbed content, even when the app was put in the background. TikTok has since publicly relented, claiming it was a spam-reduction feature that was triggering the mechanism, and that it had been removed in an updated version of the app submitted for App Store approval.

However, while TikTok is the highest-profile app that was caught out back in March, other apps found to be doing the same thing at the time are continuing the practice. According to a report by Ars Technica, 54 of the 56 apps found by researchers Tommy Mysk and Talal Haj Bakry were still reading the clipboard.

The list of apps includes many popular titles, including social apps like Weibo and Zoosk, news apps including NPR and Fox News, games such as Fruit Ninja and three different versions of Bejeweled, and others such as Accuweather and Hotels.com.

Only two apps had altered their behavior, with 10% Happier: Meditation and Hotel Tonight doing so shortly after the original report circulated. While TikTok had promised action at the time, it failed to make any changes that stopped the snooping.

The clipboard is meant to let users hand data to an app deliberately, but it doesn't always work the way users expect. Apps can read whatever is stored in the clipboard, which means an app that snoops could be accessing data that was never intended for it.

With the addition of the Universal Clipboard across the Apple ecosystem, such apps pose the further risk of pulling data from the clipboard that wasn't even copied on the device the app is installed on. For example, text copied on a Mac could be read by a clipboard-snooping app on an iPhone.

"It's very, very dangerous," said Mysk on Friday. "These apps are reading clipboards, and there's no reason to do this. An app that doesn't have a text field to enter text has no reason to read clipboard text."

Mysk added that the researchers' work is being credited for the creation of the iOS 14 clipboard notification feature.

Comments

  • Reply 1 of 16
    dws-2 Posts: 276 member
    I think a bigger story is that most apps include libraries from Google and Facebook and many others, which among other things, collect as much information as possible about you. I suspect that's where a lot of the clipboard access is coming from. The "good" thing is that they don't care about passwords; they just want to figure out what you're doing and interested in so they can sell better ads. For example, if you copy the name of a restaurant to search in maps, they can peek and sell some restaurant ads of similar places.
  • Reply 2 of 16
    Rayz2016 Posts: 6,957 member
    Bejeweled!
    Fruit Ninja!

    Deleted.

    dws-2 said:
    I think a bigger story is that most apps include libraries from Google and Facebook and many others, which among other things, collect as much information as possible about you. I suspect that's where a lot of the clipboard access is coming from. The "good" thing is that they don't care about passwords; they just want to figure out what you're doing and interested in so they can sell better ads. For example, if you copy the name of a restaurant to search in maps, they can peek and sell some restaurant ads of similar places.
    Why am I not surprised. 

    https://9to5mac.com/2020/06/25/tiktok-to-stop-reading-user-clipboards-after-being-exposed-by-ios-14-privacy-feature/

    Seems that Google News does it too.

    GoogleGuy incoming!
  • Reply 3 of 16
    longpath Posts: 373 member
    Does iOS14 merely alert to the practice, or does it give a way to block it?
  • Reply 4 of 16
    Apple could use one or a few of the most popular apps as an example of them flouting the App Store rules and throw them out.
    Sadly that would just give more ammo to those wanting Apple to open up the App Store so that it is as virus/malware ridden as the Play Store. With all this Anti-trust stuff going on as well, Apple needs to tread carefully.
    At the very least, a list of the offenders should be made public. Then we the users can make an informed decision about the apps we keep on our devices.
  • Reply 5 of 16
    Apps should be given a ‘three strikes, you’re out’ tolerance. 

    Once a sinister feature is found, the app gets immediately suspended, and the developer has 10 days to remedy. 

    On the third occurrence, an Android-exclusive it becomes!!
  • Reply 6 of 16
    gatorguy Posts: 23,321 member
    Rayz2016 said:
    Bejeweled!
    Fruit Ninja!

    Deleted.

    dws-2 said:
    I think a bigger story is that most apps include libraries from Google and Facebook and many others, which among other things, collect as much information as possible about you. I suspect that's where a lot of the clipboard access is coming from. The "good" thing is that they don't care about passwords; they just want to figure out what you're doing and interested in so they can sell better ads. For example, if you copy the name of a restaurant to search in maps, they can peek and sell some restaurant ads of similar places.
    Why am I not surprised. 

    https://9to5mac.com/2020/06/25/tiktok-to-stop-reading-user-clipboards-after-being-exposed-by-ios-14-privacy-feature/

    Seems that Google News does it too.

    GoogleGuy incoming!
    I guess you called me because you were clueless as to a possible reason? You could have searched.

    From the Ars Technica article on the same snooping, and found under the subsection "Clipboard reading done right". (That means it benefits you in case you're confused):
    "...in the event it’s a URL, (Google) will prompt the user to browse to it".
    https://arstechnica.com/gadgets/2020/06/tiktok-and-53-other-ios-apps-still-snoop-your-sensitive-clipboard-data/

    As for Android's and iOS's ability to browse a user's clipboard, Android is far more permissive than iOS. It's only been in the past few weeks that Google has signaled a similar change is coming to Android's clipboard manager, I'm guessing in the next full-Android version? I'm not running that beta so not certain. Anyway, Apple is currently much more privacy-centric on this than Android, which is to be expected.
  • Reply 7 of 16
    mac_dog Posts: 933 member
    Apple should remove them from the store until they remove their spyware. 
  • Reply 8 of 16
    toto98 Posts: 1 member
    How funny if AppleInsider app did the same :smile: 

  • Reply 9 of 16
    There should be severe penalties for things like clipboard snooping. Maybe they should be permanently banned, or at the very least immediately blocked from the store until they fix it, and their cut of App Store proceeds permanently reduced (e.g. Apple takes 60% instead of 30%, and the offenders can accept it or leave). And public shaming, of course. 
  • Reply 10 of 16
    crowley Posts: 9,342 member
    I'm not sure why Apple even allow apps coded access to the clipboard anyway.  Can't they limit it to user invocation when in a text or photo selection dialog?  Maybe I'm overlooking some use cases.
  • Reply 11 of 16
    jdw Posts: 1,016 member
    LOL.  As if that teensy tiny walk-back on the part of TikTok will somehow make us ignore their remaining invasive privacy breaches!

    https://www.boredpanda.com/tik-tok-reverse-engineered-data-information-collecting/
  • Reply 12 of 16
    mjtomlin Posts: 2,504 member
    crowley said:
    I'm not sure why Apple even allow apps coded access to the clipboard anyway.  Can't they limit it to user invocation when in a text or photo selection dialog?  Maybe I'm overlooking some use cases.

    I agree. There's really no reason for an app to need access to the clipboard until the user decides to paste the contents (just as is done with drag&drop). Maybe Apple determined that there's very little chance that someone would copy and paste sensitive information from app to app?

    It seems to me that it would be trivial to add a timed lock to the clipboard giving the app access to the clipboard after the user invokes a paste, and then locking read access after so many seconds.
  • Reply 13 of 16
    I once thought Apple had our backs on Apps in the App Store. I've come to realize that was naive.

    I don't use Google products, Twitter or Facebook.

    I limit my Third Party apps on my iPhone/iPad/ATV/AppleWatch/MacBook to the bare minimum. The ones I've used, I've emailed to see if they are stealing my data...most said no, and some were offended I had asked. :)

    I try to use only Apple native apps for everything. 

    I try to use Safari/Duck Duck Go to access the interwebs.

    Oh well...
  • Reply 14 of 16
    MplsP Posts: 3,495 member
    So how many app developers are quickly readying new versions that don’t snoop before the release of iOS 14? I think Apple should have just added the alert with no notice to out all the snooping apps!

    I once thought Apple had our backs on Apps in the App Store. I've come to realize that was naive.

    I don't use Google products, Twitter or Facebook.

    I limit my Third Party apps on my iPhone/iPad/ATV/AppleWatch/MacBook to the bare minimum. The ones I've used, I've emailed to see if they are stealing my data...most said no, and some were offended I had asked. :)

    I try to use only Apple native apps for everything. 

    I try to use Safari/Duck Duck Go to access the interwebs.

    Oh well...
    I think in general Apple does have our backs. The problem is there are a thousand little holes in the dam and new features that add convenience also add potential risks so it’s a never-ending game of whackamole. 
  • Reply 15 of 16
    There should be severe penalties for things like clipboard snooping. Maybe they should be permanently banned, or at the very least immediately blocked from the store until they fix it, and their cut of App Store proceeds permanently reduced (e.g. Apple takes 60% instead of 30%, and the offenders can accept it or leave). And public shaming, of course. 
    Lol. Severe penalties for things that are allowed and have legitimate use? Right. This is why the little kids aren't allowed to make policy.

    crowley said:
    I'm not sure why Apple even allow apps coded access to the clipboard anyway.  Can't they limit it to user invocation when in a text or photo selection dialog?  Maybe I'm overlooking some use cases.
    Not Maybe.

    mjtomlin said:
    crowley said:
    I'm not sure why Apple even allow apps coded access to the clipboard anyway.  Can't they limit it to user invocation when in a text or photo selection dialog?  Maybe I'm overlooking some use cases.

    I agree. There's really no reason for an app to need access to the clipboard until the user decides to paste the contents (just as is done with drag&drop). Maybe Apple determined that there's very little chance that someone would copy and paste sensitive information from app to app?

    It seems to me that it would be trivial to add a timed lock to the clipboard giving the app access to the clipboard after the user invokes a paste, and then locking read access after so many seconds.
    That doesn't seem logical. A user could easily copy sensitive information in one app, paste it, and then seconds later move on to a totally different app that reads the clipboard without any user interaction.

    And yeah, Universal Copy and Paste between iOS and macOS devices already works this way...the synced clipboard contents expire after some time. In fact I've found that the original clipboard contents come back after the expiration, which is also a bit strange.
  • Reply 16 of 16
    cgWerks Posts: 2,752 member
    longpath said:
    Does iOS14 merely alert to the practice, or does it give a way to block it?
    One would think copy/paste should have to require user action (which Apple should be able to secure).
    Is there any reason why an app should be able to do this on its own?

    gatorguy said:

    From the Ars Technica article on the same snooping, and found under the subsection "Clipboard reading done right". (That means it benefits you in case you're confused):
    "...in the event it’s a URL, (Google) will prompt the user to browse to it".
    https://arstechnica.com/gadgets/2020/06/tiktok-and-53-other-ios-apps-still-snoop-your-sensitive-clipboard-data/

    That's NOT a kind of 'benefit' I want! Geez.

    mjtomlin said:
    I agree. There's really no reason for an app to need access to the clipboard until the user decides to paste the contents (just as is done with drag&drop). Maybe Apple determined that there's very little chance that someone would copy and paste sensitive information from app to app?

    It seems to me that it would be trivial to add a timed lock to the clipboard giving the app access to the clipboard after the user invokes a paste, and then locking read access after so many seconds.
    One would think. Seems like common sense... like how you'd think it should have worked all along. This should be one of the biggest security stories of the decade (or more). And it wasn't the first time this has been mentioned, either.