Researchers discovered that location data can be leaked to third-party apps on iOS and iPadOS via the clipboard. However, Apple doesn’t see it as a problem.
The contents of your clipboard can be accessed by third-party apps, and there is no way to tell if an app uses it without your knowledge. As one example, a person could copy a photo to the clipboard, exposing the location data stored in its EXIF metadata. Other data that can be read include the timestamp, device model, and OS.
It’s not just photos though; many types of content can be stored in the clipboard, like documents, PDFs, URLs, passwords, spreadsheets, etc. It’s also possible for a malicious app to not only read the clipboard, but alter the data stored there. And thanks to Universal Clipboard it affects macOS, too.
iOS and iPadOS are designed to allow apps to read the pasteboard only when apps are active in the foreground. However, there are other techniques a malicious app can implement in order to increase the likelihood the app can read the pasteboard.
As we will discuss later in the demonstration app, a widget extension can read the pasteboard as long as it is visible in the Today View. As a result, a widget placed on top of the Today View can read the pasteboard every time the user swipes to the Today View, hence expanding the vulnerability window.
The researchers shared their report and source code of their test apps with Apple on January 2, 2020. Although they don’t provide the exact quote the company gave them, they say “Apple informed us that they don’t see an issue with this vulnerability.”