It appears the clipboard reckoning is upon us.
Both LinkedIn and Reddit have announced plans to stop repeatedly copying data from the clipboard following a change in iOS that exposed clipboard snooping. Popular app TikTok was also found reading users’ clipboard contents, as were 53 other apps identified by security researcher and app developer Mysk, which completed some of the research in Canada.
Shortly after Apple’s 2020 WWDC event, developer sessions revealed new details about upcoming changes to the company’s operating systems. Plus, developers and enthusiasts got their hands on beta software and began exploring all the changes. One of the more interesting changes with iOS 14, the next version of Apple’s iPhone operating system, is a new way to handle the clipboard.
iOS 14 notifies users when apps access the clipboard
MobileSyrup has already covered the changes extensively. In short, iOS 14 will notify users when apps copy information from the clipboard. The change should act as a form of “name and shame” public punishment in the hope of forcing app developers to use Apple’s new clipboard API.
The new API better protects user data by hiding what’s in the clipboard and communicating only what type of data it is. For example, web browsers on iOS often include a ‘paste and go’ feature that checks the clipboard for a URL, copies it and pastes it automatically so users can tap a button to load the website. Apple’s new system could tell the app whether there’s a URL in the clipboard without exposing the actual content. If there’s a URL, the app then copies it. If not, the app doesn’t do anything and the clipboard contents remain private.
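The ‘paste and go’ flow described above, written as an added Swift example (not code from Apple, MobileSyrup or any app named in this article). It uses UIKit's `UIPasteboard` pattern detection, available from iOS 14; the article does not name the API, and the names `PasteAndGoController`, `refreshOffer` and `pasteAndGo` are hypothetical.

```swift
import UIKit

/// Hypothetical "paste and go" helper for a browser-style address bar.
final class PasteAndGoController {
    private let pasteboard = UIPasteboard.general
    private var lastChangeCount = -1   // changeCount is metadata, not content
    private var lastOffer = false      // cached answer for an unchanged pasteboard

    /// Call when the address bar gains focus, not on every keystroke.
    /// Reports whether a "Paste and Go" button should be offered.
    func refreshOffer(_ completion: @escaping (Bool) -> Void) {
        // Unchanged pasteboard: reuse the cached answer, touch nothing.
        guard pasteboard.changeCount != lastChangeCount else {
            completion(lastOffer)
            return
        }
        lastChangeCount = pasteboard.changeCount

        // Pattern detection reports only whether the content looks like a
        // URL; the content itself is never handed to the app here.
        pasteboard.detectPatterns(for: [.probableWebURL]) { [weak self] result in
            let looksLikeURL: Bool
            switch result {
            case .success(let found): looksLikeURL = found.contains(.probableWebURL)
            case .failure: looksLikeURL = false   // on error, offer nothing
            }
            DispatchQueue.main.async {            // UI state belongs on the main queue
                self?.lastOffer = looksLikeURL
                completion(looksLikeURL)
            }
        }
    }

    /// Call only from the button's tap handler. This is the single place the
    /// content is read, so it is the only place iOS 14 shows its notification.
    func pasteAndGo(load: (URL) -> Void) {
        guard let text = pasteboard.string?
                .trimmingCharacters(in: .whitespacesAndNewlines),
              let url = URL(string: text),
              let scheme = url.scheme?.lowercased(),
              ["http", "https"].contains(scheme) else { return }
        load(url)   // anything that is not http(s) is ignored
    }
}
```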
Although some apps do use the clipboard legitimately, many apps constantly check the clipboard to scrape user data or for other nefarious reasons. With the iOS 14 change, apps that constantly copy user data have been exposed thanks to the new notification, which pings users every time something accesses the clipboard.
LinkedIn repeatedly copied users’ clipboards as they typed
Twitter user ‘Don from urspace.io’ (@DonCubed) highlighted the privacy-invasive practice in LinkedIn. In a video shared on Twitter, you can see a near-constant stream of notifications appear as the user types. LinkedIn, which is owned by Microsoft, said it would stop repeatedly copying clipboard contents and, in a statement to ZDNet, called the behaviour a bug.
Hi @DonCubed. Appreciate you raising this. We've traced this to a code path that only does an equality check between the clipboard contents and the currently typed content in a text box. We don't store or transmit the clipboard contents.
— Erran Berger (@eberger45) July 3, 2020
LinkedIn’s vice president of engineering, Erran Berger, responded on Twitter and explained the app copies the clipboard to perform an “equality check between the clipboard contents and the currently typed content in a text box.” Further, Berger says LinkedIn doesn’t store or transmit the data. He also shared a link to an open-sourced code library containing the equality check and fix on GitHub.
The Mysk Twitter account also chimed in at this point to acknowledge that the clipboard-reading code was harmless, but the frequency of checks was concerning. “Reading the clipboard with that frequency might be used as a cover-up of clipboard snooping,” the tweet said.
Reddit also copied clipboard contents while users typed in the post composer
Reddit was likewise caught repeatedly copying data from the clipboard by Don on Twitter. Similar to LinkedIn, the Reddit app would trigger a clipboard notification in iOS 14 with each keystroke a user typed in the app.
UPDATE: Seems like Reddit is capturing the clipboard on each keystroke as well 😕
Seeing the notification come up just as much. pic.twitter.com/nzbElmRG2a
— Don 𝘧𝘳𝘰𝘮 urspace.io (@DonCubed) July 2, 2020
Reddit told The Verge that it tracked the issue to a “codepath in the post composer that checks for URLs in the pasteboard.” The tool is supposed to check the copied URL and suggest a post title based on the text contents of that URL. Additionally, Reddit said it doesn’t “store or send” the clipboard contents.
“We removed this code and are releasing the fix on July 14th,” Reddit told The Verge.
Considering the new clipboard privacy features in iOS 14 are still part of a limited beta for developers, it’s likely that we don’t yet know the full scope of clipboard snooping. Apple is expected to release a public beta of iOS 14 in the coming weeks and, later this year, the public release of iOS 14 will arrive. As more people use iOS 14, more apps will likely be caught snooping on users’ clipboards.