During Apple’s WWDC 2020 keynote, we learned that iOS 14 will lock down your iPhone’s clipboard. We’re learning, a few third-party apps at a time, why that’s so important. A developer using the iOS 14 beta has discovered that Reddit and LinkedIn are among a handful of apps that spy on the iOS clipboard.
What We’ve Learned About the Clipboard Problem
We learned that the iOS 14 beta includes a feature that detects when a third-party app is found to spy on the iOS clipboard. For those who don’t know, the clipboard is where iOS stores data when you copy it from one app to another.
When we dove into the iOS 14 beta, we quickly discovered that we were getting notifications when certain apps were snooping around the iOS clipboard. Apps like TikTok and Accuweather were caught snooping. This means those apps could copy things like your PIN numbers, credit card information, Social Security Numbers, and more. Those apps aren’t necessarily doing this, but they could.
Even More Apps that Spy on the iOS Clipboard
Developer Don Morton has discovered even more apps that spy on the iOS clipboard. Microsoft’s networking app, LinkedIn, is a notable culprit, as is the social networking app Reddit.
That means three apps, just since the beta released to developers on June 22, have been caught red-handed in the iOS clipboard. TikTok, Reddit, and LinkedIn are on Don Morton’s list. Others have noted that Google News, Patreon, Call of Duty, Fruit Ninja, and Philips Sonicare App will also start copying clipboard data once the apps are opened.
Some Developers’ Response to Being Caught in the iOS Clipboard
A spokesperson from LinkedIn told ZDNet that the app could spy on the iOS clipboard as part of a bug. LinkedIn is fixing it in an update. The site’s engineering vice president, Erran Berger, stated that the app does not “store or transmit the clipboard contents.”
TikTok claimed that the spying activity was because of an anti-spam “fraud detection mechanism,” and that it never copied any content from anyone’s iPhone. Nevertheless, TikTok has removed that mechanism in an update.
Finally, Reddit says it will be issuing its own software update. This will remove the code causing it to access the iPhone user’s clipboard without good cause. Users can expect that update around July 14, 2020.
Steps You Can Take to Protect Your iOS Clipboard
There are some steps you can take to protect your data, and more could be forthcoming. First of all, some password manager apps automatically clear your clipboard after a certain amount of time has passed. For example, 1Password has a feature that will automatically clear any field copied from that app in 90 seconds. Any of these features can help stop an app from being able to spy on the iOS clipboard.
A group of developers and users are taking things a step further. They will be asking Apple to further restrict iOS clipboard access. They want it to be a permission that users must agree to give to an app.
Jeff:
One of the jobs I briefly held during my hiatus between university and medical school was with a correctional system. My job was to entice employers to hire previously incarcerated youth, which meant that I had to read their files, interview them and then find an appropriate venue of employment. One of those files regarded a fellow who accidentally entered a house and inadvertently left with some property belonging to said house. Forgot he had it. And then repeatedly stumbled into other houses throughout the neighbourhood over a series of weeks. When I asked him if he felt that continued breaking and entering would be a problem, he replied that he didn’t intentionally break and enter; it just sort of happened. You try a door, a window and, hey, it’s open. So, you go check it out, right? As one does. I had to break it to him that, no, not right; and that act, when done repeatedly is not bug; it’s a feature. Burglary.
Call me cynical. Call me jaded. I’m not buying that an app ‘accidentally’ stumbles upon and collects data from your iOS clipboard anymore than I bought that this kid accidentally stumbled into someone’s home and accidentally walked out with some jewellery. If the cops come and find the kid in the house with the jewelleries in his hand, should they give him a pass if he says that he only entered because the door was open and that he didn’t know that these were jewels, and in any case, he wasn’t planning to actually walk out with them? Or how about, he only came in because the door was open and he wanted make sure that the family was safe, and upon finding no one home, and seeing the jewels out in the open, was only trying to move them to a safer place? (Not this guy, but another of his colleagues gave me this explanation for his unfortunate event).
Because for every lock, there’s a burglar with the talent to defeat it, how about Apple encrypting the data that is sent to the clipboard with a token that only the paste command can accept and decode, and once pasted, compulsorily erases the clipboard? Locks are there simply to keep honest people honest. Even if iOS 14 alerts the user that an app is snooping, is it not simply a matter of time and talent (or state-sponsored resources) before an exploit evades that monitoring system and nabs said clipboard content? If that content is encrypted, it’ll be about as useful to said thieves as a getaway car with no engine block.
In any case, going forward, violators should be given a one-off warning, followed by removal from the App Store for repeat offence.