SoylentNews is people

posted by Fnord666 on Tuesday July 07 2020, @07:14PM
from the just-a-quick-peek dept.

Reddit and LinkedIn stop copying iPhone clipboards:

Reddit and LinkedIn are changing their apps to prevent them from looking at the Apple iPhone clipboard.

In a developer trial of the latest update to the phone's operating system, iOS 14, users are notified whenever an app accesses the device's copied text.

The notification exposed frequent scanning of the clipboard by apps that many users thought should not need to do so.

The two firms follow TikTok in changing their apps amid the criticism.

[...] In research published in March, Talal Haj Bakry and Tommy Mysk identified dozens of apps which they said had accessed the clipboard.

At the time Apple said it did not think it was a vulnerability.

There are legitimate reasons why an app needs clipboard access - for example, in order to share a website address with a message platform, or to grab a password from a password manager and paste it into a password-protected service.

Related:
Reddit says it's fixing code in its iOS app that copied clipboard contents
Apple iOS 14 Alerts Reveal Reddit App Is Reading User Clipboard Data
Reddit promises to stop accessing user clipboards after being exposed by iOS 14

Previously:
(2020-06-28) TikTok and 53 Other iOS Apps Still Snoop Your Sensitive Clipboard Data
(2020-02-27) Apple Takes Heat Over 'Vulnerable' iOS Cut-and-Paste Data

  • (Score: 0) by Anonymous Coward on Wednesday July 08 2020, @05:48AM (#1018074)

    This sounds like an architectural defect. When I hit ctrl-V, that's coming from the operating system. The browser (or any application) shouldn't even be able to distinguish that the text came from me hitting ctrl-V or typing it directly.

    If there's something like a password cache, that should be a separate API, with separate permissions for access. I'm struggling to even imagine how the clipboard would come into play there, but then I don't develop for those platforms...

    Now I just reviewed the Windows API docs, and part of that is that you can monitor the clipboard--but there's nothing about the operation of a clipboard that inherently requires that kind of insecurity. In particular, there's nothing to stand in the way of making *paste* something that the user must initiate from the OS, and the application would simply respond to paste requests or not. It's a bit of a problem if you want to have a paste menu item as opposed to ctrl-V or other externally initiated action though. How are people typically pasting on these devices? I thought menus were passé.

  • (Score: 0) by Anonymous Coward on Wednesday July 08 2020, @02:28PM (#1018206)

    AFAICT on android, most "apps" have that weird sideways triangle share button thing, and copy/paste is only accessible through a long press while the keyboard is open.

  • (Score: 1, Insightful) by Anonymous Coward on Wednesday July 08 2020, @07:15PM (#1018342)

    That's not how it works. Consider for instance that you can copy/paste arbitrary data (such as an image) in different programs and it will behave differently. Or consider various right-click context menus that have a paste option - that's functionality implemented by the developer. Many APIs have controls with some built-in support for copy/paste stuff (like most text boxes) but that support is there to ensure UI consistency and for programmer convenience - nothing to do with security. The developer can override such functionality and it's important that such an override is possible.

    However, obviously applications should only be checking the clipboard when the user demands such behavior in some way or another. So for instance by clicking in a paste context menu item, or by pressing a hotkey for such. The fact that they were arbitrarily scanning the clipboard is almost 100% an indicator of malicious behavior. As a general indicator, the more a company (or person for that matter) virtue signals - the scummier they are. And so this should come as zero surprise from a company like Reddit.