Apple’s iOS 14 has a great new privacy feature that sends you a notification whenever an application inspects what’s on your iPhone’s clipboard. It sounds like a smart addition, but it has also uncovered some potentially unsettling behaviour from several apps.
Take a look at this example posted by Twitter user Jeremy Burge, which shows all the iOS 14 clipboard alerts he received when using TikTok:
Okay so TikTok is grabbing the contents of my clipboard every 1-3 keystrokes. iOS 14 is snitching on it with the new paste notification pic.twitter.com/OSXP43t5SZ
— Jeremy Burge (@jeremyburge) June 24, 2020
Several developers looked into the issue to see what was going on. According to their findings and the ensuing discussions on Twitter, it appears that these apps are only reading the clipboard rather than grabbing, copying or saving the data they find there — in theory, anyway.
There are legitimate reasons why an app would do this, so I wouldn’t be alarmed if, or when, you see this notification in your favourite apps.
Some apps check for URLs or other content on the clipboard as a feature (eg Apollo for Reddit) to check if it can use the clipboard contents and offer functionality to the user. Other apps don’t make the purpose clear (eg Microsoft Teams).
— Jeremy Burge (@jeremyburge) June 25, 2020
Some developers even found that their apps trigger the notification unexpectedly, even though they were never written to access the clipboard in the first place, so it’s possible that iOS 14 includes new APIs that an app needs to adopt to avoid spurious notifications.
Still, it makes one wonder how many of these apps are covertly accessing the iOS clipboard, and if they’ve been doing the same thing on Android and older iOS versions without our knowledge. However, I’d bet that most people are going to have a single question when they see a notification like this: Should you be worried that TikTok and other apps could be stealing your clipboard data?
I would say “no” for TikTok, based on what the company has said. But I wouldn’t extend that blanket trust to every app, especially if you’re prone to tinkering around with untested, lightly reviewed apps from unknown developers.
Hard to confirm it for sure, but FWIW both TikTok and Google (whose SDK it was in this case, according to TikTok) said on the record that no user data was ever sent off device. Supposedly it’s just not the way the SDK(s) work. Take that as you will!
— Laurence Dodds (@LFDodds) June 25, 2020
In a perfect world, Apple would adjust its notifications to more clearly indicate when an app is scanning your clipboard to see if anything is on it versus when it’s actively using the information on the clipboard for another purpose. Even then, apps have always been able to access the clipboard without restriction.
We (the users) cannot tell which apps access the clipboard to ‘inspect’ it to offer features, or which apps access the clipboard to potentially paste + send the contents to a remote server
If there is a way to detect what an app does with its clipboard access, I’d love to know
— Jeremy Burge (@jeremyburge) June 25, 2020
For now, it’s wise to think twice about what you’ve got copied to your device’s clipboard before you open an app or while you’re using one. Perhaps it’s best not to copy and paste important details (your email address, your password, your 2FA codes, etc.) if you can avoid it.