What is clipboard snooping, and should I be worried about it?
If you follow Apple news with even the slightest interest, you've no doubt heard the words "clipboard snooping" thrown around in the last few weeks. Since WWDC 2020 and the release of the iOS 14 beta, the chatter has grown louder still. But what is clipboard snooping? Why are we only just hearing about it now? Should I be worried? Here's a full rundown of everything you need to know.
A history lesson
Clipboard snooping first caught the attention of the media back in March, following the pioneering work of developer duo Mysk. In an article earlier this year, they outlined how popular apps in iOS 13 were reading the clipboard of iOS users without their knowledge, or their permission. Culprit apps included social media, games, and news, including big names like TikTok, the New York Times, CNBC, 8 Ball Pool, Weibo, and more.
What is it?
So what are these apps doing exactly? Well, research revealed that apps were able to access the content on your clipboard. Whenever you copy and paste something on iOS, the content is stored on the clipboard as you move between those steps. If you copy something, it is stored on the clipboard and then pasted from that location. Apps on iOS and iPadOS have unrestricted access to iOS's general clipboard, and of equal concern, the Universal Clipboard iOS uses to allow for copying and pasting across devices.
Naturally, as soon as this issue was raised, alarm bells started to go off. Whilst your clipboard contents might include simple, harmless information like an item for a shopping list or an excerpt from a news article, it could be information as important as a password, a name, address, date of birth, bank account information or even a credit card number.
Despite the obvious concern around the nature of this issue, awareness and interest remained minimal, and the problem was not addressed in subsequent versions of iOS.
It wasn't until last week at WWDC 2020, that iOS 14 was unveiled, and with it, a new tool in the fight against clipboard snooping. As announced by Apple, iOS 14 will deliver a notification every time an app reads your clipboard. In an interview with Rene Ritchie, Apple's Katie Skinner said that this was about helping users understand what was happening to their data.
Big news in and of itself, this iOS announcement became even more important as users began to install betas on their devices, and found themselves barraged with notifications. It became immediately clear that the issue was far more prominent, both in the breadth of apps that it affected, and the frequency at which it was occurring. Leading to scenes like this one:
Not in fact a bug, the above shows that TikTok was reading user clipboards every two or three keystrokes.
Soon, Twitter became littered with early iOS 14 beta users questioning why apps they used on daily basis were reading their clipboard, alongside Tiktok, there were questions about Fantastical, Reddit, and more recently LinkedIn.
There are a number of explanations as to why apps do this, as well as technical explanations within various bits of code and APIs as to why developers might be snooping on your clipboard, intentionally or otherwise. The trouble is, that it's hard to separate apps that are reading your clipboard for the right reasons, and apps that are doing it for the wrong reasons or shouldn't be doing it at all. Not only that, some apps may have a reason to read your clipboard on some occasions, but not others and some apps might be hiding malicious clipboard snooping amongst lots of harmless snooping.
For example, TikTok says that the feature was an anti-spam measure, designed to stop people spamming comments. TikTok has since said it has updated its app to remove the feature, but developers were quick to point out just how primitive this was as an anti-spam feature, and how strange it was that a company worth billions couldn't hire developers to do it correctly.
This is very interesting. An app maker with more than 800 million active users isn’t able to hire experts to fix this primitive anti-spam “logic” or perform decent security auditing that would figure such a thing out... not to mention that we caught them using HTTP earlier 🤦🏽♂️ https://t.co/bW7InLj24dThis is very interesting. An app maker with more than 800 million active users isn’t able to hire experts to fix this primitive anti-spam “logic” or perform decent security auditing that would figure such a thing out... not to mention that we caught them using HTTP earlier 🤦🏽♂️ https://t.co/bW7InLj24d— Mysk 🇨🇦🇩🇪 (@mysk_co) July 4, 2020July 4, 2020
LinkedIn for their part said that the feature was caused by a bug, but the feature was rooted in code that has been around since 2014.
A software bug is an error, flaw or fault in a computer program or system that causes it to produce an incorrect or unexpected result, or to behave in unintended ways.
The code that @LinkedIn blamed for reading the clipboard doesn't classify as a "bug"https://t.co/AXxSnf4Lq1A software bug is an error, flaw or fault in a computer program or system that causes it to produce an incorrect or unexpected result, or to behave in unintended ways.
The code that @LinkedIn blamed for reading the clipboard doesn't classify as a "bug"https://t.co/AXxSnf4Lq1— Mysk 🇨🇦🇩🇪 (@mysk_co) July 4, 2020July 4, 2020
Another big wrinkle is that it's hard to tell with what's happening to this data. We spoke to Mysk about the issue, and they noted that it could range from the data being totally ignored to conspiracies about data going to servers. There's no clear way to check what an app does with the data it reads on a clipboard, save for asking the developer themselves.
The sad thing is that there are plenty of legitimate reasons why an app would want to see the contents of your clipboard, a phone app searching for a copied phone number, or a web app searching for a URL. What about a courier app searching for a copied tracking number, or a banking app automatically picking up a copied IBAN. With these new iOS 14 notifications, all clipboard reading seems to be the same, so how should people respond?
Apple has essentially given users a tool to determine whether or not they want a certain app to read their clipboard. As noted, this is a built-in feature of iOS and can be used by apps for all sorts of convenient and decidedly not malicious means. As these last few weeks have proven, many more people, users, and developers are waking up to this issue. So, if you're using an app in iOS 14 (the beta, or the public release when it becomes available), and you see it reading your clipboard, take note of a couple of things:
- What app am I using?
- Have I just copied any information relevant to what I'm doing right now?
- Does it make sense that the app checked my clipboard at this particular juncture?
- Would I be comfortable with this app reading the contents of my clipboard?
Plenty of developers will respond if questioned about this issue, so hop onto Twitter, or alert your favorite news outlet to the issue to try and get a response. As we've seen, developers might well be able to offer a clear, coherent explanation as to why this is happening, or they might thank you for raising the issue and try to fix it.
If you find you're not happy with the response, or you don't get one at all, then you might want to think about the balance between wanting to use a particular app, and not wanting the app to read your clipboard. There are some solutions that can be created using Shortcuts, for example, an iOS Shortcut that could clear your clipboard when you open a certain app, but these are more technical.
Apple and Mysk have done a fine job bringing this issue to our attention, but from here on out, raising awareness of the issue with developers will be the surest way to bring results.
Get the best of iMore in your inbox, every day!
Stephen Warwick has written about Apple for five years at iMore and previously elsewhere. He covers all of iMore's latest breaking news regarding all of Apple's products and services, both hardware and software. Stephen has interviewed industry experts in a range of fields including finance, litigation, security, and more. He also specializes in curating and reviewing audio hardware and has experience beyond journalism in sound engineering, production, and design.
Before becoming a writer Stephen studied Ancient History at University and also worked at Apple for more than two years. Stephen is also a host on the iMore show, a weekly podcast recorded live that discusses the latest in breaking Apple news, as well as featuring fun trivia about all things Apple. Follow him on Twitter @stephenwarwick9
I think the whole clipboard is backwards. Why doesn't it work like other clipboards. The clipboard is part of the OS, not the app. The user copies and pastes, not the app. There is never a reason for the app to read the clipboard, rather, the app is written to by the clipboard where the app accepts such data. There does not need to be an API for the app to read from the clipboard. Or at least, the user should be in control of turning that capability off. I would NEVER want an app reading that data, especially without my knowledge. It makes one question what other bad privacy decisions Apple has made.
Said that well. I agree. There is no reason for any app to read my clipboard. It needs to accept data from the clipboard WHEN I INSTRUCT IT TOO. Keep in mind that the way things like Lastpass transfer information is by putting it on the clipboard so you can paste it in the PW field. No reason anything needs to see that outside of my initiating Paste.