By Chand Bellur
July 5, 2020 at 12:15 p.m. PT
- iOS 13 allows third-party developers to read and store the contents of the Clipboard, a virtual container used to hold cut or copied data.
- Although over 50 apps read the Clipboard’s contents, Reddit, TikTok, and LinkedIn do this with every few keystrokes, which seems to indicate excessive user surveillance.
- iOS 14 sends notifications to users when third-party apps access the Clipboard.
iOS 13 Allows Apps to Access Clipboard Data
It’s not a flaw. It’s not a bug. Apple specifically designed iOS to grant third-party developers access to the Clipboard. If you copy a password for a website or app onto the Clipboard, any app can access it, even if you don’t paste the content into the app.
When I first heard the news, it freaked me out. I completely changed the way I deal with passwords. It’s now clear that over 50 major, widely used apps have been spying on end-users’ clipboards.
Developers such as Reddit claim that they accessed the Clipboard to anticipate user interaction. They used it to recommend a post title based on a URL stored in the Clipboard. This seems like a weak justification, and surely they noticed, in testing, that all Clipboard data could be accessed.
TikTok and LinkedIn offered similar, inadequate explanations as to why they were spying on Clipboard data. Again, between QAT and beta testing, they should have realized they were doing something wrong.
Google, a company usually accused of violating end-user privacy, didn’t steal data from the Clipboard. Most of the offending apps are from major news providers, such as ABC, CBS, Fox News, and even The Economist (very disappointing).
There’s no good reason for a news portal app to be reading clipboard data without the user initiating an action, such as pasting text. It would make some sense for apps that create content, but for apps that provide content, it’s all about spying on the end-user.
iOS 14 Still Grants Apps Access to Clipboard Data
If you think Apple fixed this problem, guess again. Instead, the Cupertino tech giant displays a notification when a third-party app accesses the Clipboard without user interaction.
Notifications aren’t the best solution to this problem. It’s possible that this is another anti-competitive move from Apple. Similar to the pop-up notifications about Location Services being used in the background, these messages will repel users from offending apps, driving them to Apple’s offerings. Apple may even “Sherlock” some of the offending apps, which are now opportunities.
There are some cases where accessing the Clipboard may come in handy; however, the downside is tremendous. People often store sensitive information on the Clipboard. Beyond text, the Clipboard can contain images. Apple users must now think before they cut or copy text, images, or any other object.
The company that boasts about security and privacy seemingly left a big security hole wide open. It may be too challenging to address this security flaw. Perhaps this is why Apple refuses to fix the problem. As usual, the Cupertino tech company remains silent about the issue.
Apps Can Access Universal Clipboard, Exposing Other Devices to Surveillance
The security flaw goes beyond iOS devices. Apple’s Universal Clipboard allows users to cut, copy, and paste data across the entire Apple ecosystem. This means that an iOS or iPadOS app can read the clipboard on a Mac. Developers and security analysts have found that this is already happening. Twitter user @DonCubed found that the LinkedIn app on his iPad Pro was accessing the Clipboard on his MacBook Pro:
“LinkedIn is copying the contents of my clipboard every keystroke. IOS 14 allows users to see each paste notification. I’m on an IPad Pro and it’s copying from the clipboard of my MacBook Pro. Tik tok just got called out for this exact reason.”
Why Does Apple Allow Apps to Access Clipboard Data Without User Intervention?
Why does Apple allow this to happen? Although I understand software and coding very well, I cannot see Apple’s source code for iOS. It’s not open source. At best, I can research what other developers and security experts say about the issue. They’re similarly baffled as to why Apple allows this.
The best answers shrug the issue off as being difficult to fix. Clipboards need to work across apps, and third-party apps need to access them in some way. For example, if you have text in a Pages document and want to paste it in an email, the email client must be able to access the Clipboard. But why allow access to the Clipboard without user interaction?
Keep in mind, the Clipboard transcends the device. It’s in the cloud now. That’s how the Universal Clipboard works. Indeed, Apple’s Clipboard implementation is very complicated. It may be that the problem is difficult to fix, and policing the App Store is too challenging. For now, all they’re willing to do is pop up messages. This could be an anti-competitive move to tarnish the reputation of competing apps. After all, Apple is in the news business, along with most of the offending apps.
Most end users seem to be clamoring for a fix. For now, users of any Apple device need to be careful about what they cut, copy and paste. If you have a document full of passwords, don’t copy and paste them. This is a real hardship if you’ve opted for the long, cryptic, generated passwords that security experts recommend. Although Apple’s keychain feature stores passwords, many users, including myself, don’t trust it. Given problems with the Clipboard, it looks like there’s good reason to be skeptical of Apple’s technology.