Apple's iOS 14 Found Many Popular Apps Snooping On Users' Clipboards

Apple allows apps on its mobile devices to have unrestricted access to the system-wide general pasteboard, also referred to as the clipboard.

But that doesn't mean that they can access it at any time they want. Since Apple launched iOS 14 as the successor to iOS 13, the mobile operating system has been getting a lot of attention, as users found that their favorite apps were snooping on them.

Soon, users on Twitter and YouTube reported that iOS 14 started showing alert banners to notify them that their installed apps were trying to access their phone’s clipboard without permission.

From TikTok to LinkedIn, Reddit and many others, the apps were capable of reading users' clipboards when they were launched.

Researchers Talal Haj Bakry and Tommy Mysk have compiled a list of the many apps that could have done this.

"The apps we chose in this investigation belong to various App Store categories, e.g. games, social networking, and news. As we described in our previous article, the severity of the pasteboard vulnerability is greatest when popular and frequently-used apps exploit it. Thus, we targeted a variety of popular apps we found on the top lists of the App Store."

Clipboard snooping is a method of seeing whatever has been copied to the clipboard.

Smartphones have become an extension of PCs and laptops in so many ways that the devices have become extremely similar to each other. One similarity is having a clipboard to store data temporarily.

In iOS, content is stored on the clipboard as users move between apps. And using the Universal Clipboard in iOS, users can also copy and paste across devices.

Users can store almost anything in the clipboard, from harmless information like an item for a shopping list or a link to a news article to sensitive data like passwords, full names, addresses, bank accounts, credit card numbers and more.

The issue here is that apps have been obtaining that data and sending it to their servers without users even knowing.

During WWDC 2020, Apple introduced iOS 14 and, with the operating system, a tool to catch apps that snoop on users' clipboards.

Starting with this version of the mobile operating system, iOS can deliver a notification every time an app reads the clipboard.

In an interview with Rene Ritchie, Apple's Katie Skinner said that the feature is all about helping users understand what was happening to their data.

TikTok was one of the very first apps to say something about this.

The Chinese social media app said that its clipboard snooping ability was an anti-spam measure, made to stop people from spamming comments. But because its anti-spam measure means snooping and people don't like it, TikTok said that it has updated its app to remove the feature.

LinkedIn was among the next that addressed the issue.

After being found snooping on users' clipboard data, a LinkedIn spokesperson said that the ability was actually a bug in the company's iOS app, and was not an intended behavior.

"We’ve traced this to a code path that only does an equality check between the clipboard contents and the currently typed content in a text box," said Erran Berger, LinkedIn’s vice president of engineering, who addressed the problem directly on Twitter.

"We don’t store or transmit the clipboard contents."

Berger followed up saying that LinkedIn would fix the bug. Later, Berger said that LinkedIn had released an updated version of its app to fix the issue.

The next was Reddit.

A Reddit spokesperson said that the app does not store or send any content it finds in the clipboard, adding that it was also releasing a fix.

"We tracked this down to a codepath in the post composer that checks for URLs in the pasteboard and then suggests a post title based on the text contents of the URL," the Reddit spokesperson said. "We do not store or send the pasteboard contents. We removed this code and are releasing the fix on July 14th."

While clipboard snooping is certainly a breach of privacy, there are actually a number of explanations for why apps do this, intentionally or otherwise.

For instance, a phone app may want to look inside users' clipboards to find a copied phone number. A web browser may want to find a copied URL, a courier app may want to search for a copied tracking number, and a banking app may want to automatically pick up a copied IBAN.

It should also be noted that some other apps may have a reason to read clipboard data on some occasions, or at certain times.

In other words, there are actually plenty of legitimate reasons why an app would want to see the contents of the clipboard.

However, the trouble is that it's difficult to separate apps that are reading users' clipboards for the right reasons from apps that are doing it for the wrong purposes, or apps that shouldn't be doing this at all.
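For developers with one of the legitimate use cases above, such as a composer that wants to offer a copied URL, the following added example (not code from any of the apps named in this article) shows one way to avoid reading the clipboard at launch: ask iOS 14 only whether the pasteboard probably holds a web URL, and read the value itself only after an explicit user action. The `PasteSuggestion` type and its method names are hypothetical; `detectPatterns(for:completionHandler:)`, `hasURLs` and `url` are UIKit's `UIPasteboard` API.

```swift
import UIKit

// Hypothetical helper for a post composer. Names are illustrative only.
@available(iOS 14.0, *)
enum PasteSuggestion {

    /// Asks the system whether the general pasteboard probably contains a
    /// web URL. The completion result is only the set of patterns that
    /// matched, so the app learns the kind of data present without
    /// receiving the copied text itself.
    static func shouldOfferLinkPaste(_ completion: @escaping (Bool) -> Void) {
        UIPasteboard.general.detectPatterns(for: [.probableWebURL]) { result in
            let offer: Bool
            switch result {
            case .success(let matched):
                offer = matched.contains(.probableWebURL)
            case .failure:
                // Treat any error as "nothing to offer" rather than
                // falling back to reading the content.
                offer = false
            }
            // The handler is not guaranteed to run on the main queue.
            DispatchQueue.main.async { completion(offer) }
        }
    }

    /// Reads the actual pasteboard value. Call this only from an explicit
    /// user action (for example, a tap on a "Paste link" button), because
    /// this is the read that iOS 14 reports to the user.
    static func pasteLink() -> URL? {
        // hasURLs checks the item type without fetching the value.
        guard UIPasteboard.general.hasURLs else { return nil }
        return UIPasteboard.general.url
    }
}
```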

With iOS 14, Apple has given its users a way to catch those apps red-handed.

As people started speculating and complaining, developers also woke up to this issue and joined the discussions. Some tried to explain why this was happening in their apps, while other developers thanked their users for raising the issue and tried fixing it.

With the conversations unlikely to end anytime soon, users of iOS 14 should at least take note of the apps that are reading their clipboard, and see whether or not the apps in question really need to read the clipboard.

Seek assistance from the developers. If users aren't happy with the response, or get none from them, they may want to rethink having the apps installed on their phones, or think about the balance between wanting to use the particular apps and not wanting the apps to read their clipboard.

Published: 06/07/2020