Back in March, a pretty serious security vulnerability was discovered affecting iPhones and iPads. Strangely enough, nobody really talked about it.
An iOS developer duo that operate under the moniker “Mysk” published a blog post with their findings. They connected their iPhone to a Mac while Xcode logged what apps were doing. They discovered that quite a lot of apps are accessing the clipboard – that’s where the stuff you copy stays – without any legitimate reason. What’s worse, the user not only does not consent, but absolutely has no idea.
They submitted their findings to Apple back in January, but were told that there’s no issue with this behavior – calling it “intended behavior”.
Sure, apps can improve your experience by accessing your clipboard. Mainly shipping apps that automatically pick up the tracking number you copied, speeding up the process and making it more seamless. On the other hand, people often copy some very sensitive information to their clipboards. Including phone numbers, addresses, credit card information, and most importantly: passwords and 2FA codes.
Mysk included in their blog post a non-exhaustive list of apps that snoop on your clipboard data. The list includes 17 news apps, 19 games, 7 social media apps and a bunch of weather, travel and shopping apps. Even a police scanner app made the list.
There’s been a considerable uptick in the adoption of password managers over the last few years. They work by generating strong passwords for you that you never need to remember, because they stay locked in a secure vault and you just copy paste them when needed.
As the old saying goes, a chain is only as strong as its weakest link. How secure is your data on your iPhone if it allows other apps to monitor the clipboard? (Including your Mac’s clipboard. Thanks, ecosystem!)
The potentially bigger issue is that of two factor authentication (2FA), which is far more common than password managers. Most of us don’t even bother reading the codes we receive on our phones or in our email inbox. We just copy and paste into the correct field. The whole idea behind 2FA is to add an extra layer of security because your password can be guessed, stolen or brute forced. What good is it if your 2FA codes also get leaked? Now, granted: Fortunately, 2FA codes tend to expire very quickly, limiting their utility to a potential attacker, but this begs the question: Why is this even happening on Apple devices?
For years, Apple has paid lip service to privacy being a “fundamental human right”, and talked up and down their dedication to privacy and security by protecting user data and not selling it. As this and other past instances have shown, this is merely PR to paint itself as the good guy opposite data hog Google.
In typical Apple fashion, despite not acknowledging the flaw when presented to them, their new iOS 14 update addresses it – somewhat. The shiny new OS version includes a subtle feature that alerts you when an app accesses your clipboard. To clarify, iOS 14 merely notifies you. It doesn’t prevent this behavior, nor does it grant you control over which apps you can allow access to your clipboard. In contrast, Android has prevented app access to the clipboard since Android 10. The keyboard app is the exception, so make sure that’s a conscious choice. As a long time SwiftKey fan, I had to let it go when Microsoft bought it.
Mysk took to Twitter to rightfully gloat with their “I told you so”, sharing a screen recording of the new behavior. That’s as close as they’re likely to get to an acknowledgment or an apology from Apple. Twitter users shared screen recordings of other apps, like the Tencent-owned Call of Duty, also accessing the clipboard. PUBG, TikTok, Weibo and other Chinese-owned apps were on the list in Mysk’s original blog post.