According to new research by Talal Haj Bakry and Tommy Mysk, dozens of popular iOS apps are reading the contents of the pasteboard without user consent, which could include sensitive information.
The investigation discovered that many popular apps, such as TikTok, 8 Ball Pool™, and Hotels.com, quietly read any text found in the pasteboard every time the app is opened.
iOS and iPadOS apps have unrestricted access to the system-wide pasteboard, also known as the clipboard, as of iOS 13.3.
Text left in the pasteboard may be inconsequential, but it could also be highly sensitive data such as passwords or financial information. The potential security risks of this vulnerability have previously been investigated by Bakry and Mysk, where they found that precise location information was leaking through the system pasteboard.
A diverse range of apps, from popular games and social networking apps, to news apps of major news organizations such as Fox News or The Wall Street Journal, were examined using standard Apple development tools. Many of these apps do not provide any UI that manages text, yet they read the text content of the pasteboard every time they are opened.
It is also of note that if Universal Clipboard is enabled, an app may also access whatever has been copied on a Mac.
What exactly these apps do with the contents of the pasteboard once they have read it is unknown.
Top Rated Comments
It can be useful: in many instances, apps will read the pasteboard to determine if a URL or other information (like numbers related to their services) were copied from the browser so the app can shortcut a response to that data. One of my favorite instances is Deliveries: If you have a copied tracking number or link, it'll ask and can automatically start the adding process for you.
But I also get how allowing anyone to freely read it can be a major issue.
all this crap would stop. Otherwise, if it’s just rule after rule, but in a culture of stealing personal data, Apple will never catch up.. App publishers will think of ways around the rules or do something not covered yet by a rule—like stealing clipboard info. Just make it a death sentence for your business if you steal customer data will result in a lifetime ban. Then it will stop—at least from the big companies.
It’s like the government Rico statues. Very broad but allows any type of organized crime to be prosecuted.
ive deleted every app I don’t absolutely need on my phone. I now don’t download apps just to play with for awhile because I don’t know what tricks they play with my data and how they track me. And no, a privacy policy which no human reads doesn’t solve the problem.
And I don’t want tons of security dialogs and privacy settings which take time and constant surveillance to monitor. It’s facebook’s dirty trick, and iOS privacy settings are becoming equally cumbersome.
As more and more apps become spyware in ways consumers cannot imagine, it will kill the core of the app economy.
Why?
Most companies are too cheap to hire the skills to develop their app from scratch. So they outsource the development to 3rd parties who use code from all over the place without even knowing what it does. So even if the company putting the app out doesn’t have malicious intent, in reality they themselves have no idea what the app really does beneath the hood.
Look at apps from even reputable companies like AT&T and Comcast and they are so buggy and have such a poor, unfriendly UI, you know they are orphan projects within the company with tiny budgets and little oversight.
Kind of like Apple “discovering” that one of its suppliers is using child labor, because they have no idea what is really going on at their outsourced partners.