On iOS Apps Peeking at Your Clipboard Contents

Catalin Cimpanu reporting for ZDNet’s Zero Day:

In a video shared on Twitter, the Urspace developer showed how LinkedIn’s app was reading the clipboard content after every user key press, even accessing the shared clipboard feature that allows iOS apps to read content from a user’s macOS clipboard.

Erran Berger, VP of engineering at LinkedIn:

Appreciate you raising this. We’ve traced this to a code path that only does an equality check between the clipboard contents and the currently typed content in a text box. We don’t store or transmit the clipboard contents.

I know a lot of people are so cynical — justifiably — from never-ending news of privacy disasters that they just assume the worst about all these apps being revealed for looking at the clipboard contents. But I think almost all of this is just sloppy programming, not data collection. Even if you really did want to make an app that steals people’s clipboard contents, there’s absolutely no reason you’d check the clipboard contents this frequently. It’s just sloppy programming. But once revealed, a sloppy implementation like LinkedIn’s looks sketchy as hell.

It’s also the case that there are plenty of good reasons why an app might look at the clipboard without your having performed a manual Paste action. Think about image editors: for as long as I can remember, if you have an image on the clipboard, you can use File → New in MacOS’s built-in Preview app to make a new image with the contents of the clipboard. This does more than just save you the step of manually pasting — the new image is sized exactly right for the clipboard contents. It saves you a bunch of steps, not just one ⌘V. Same thing for podcast clients and RSS readers — if it looks like you have a feed URL on the clipboard, they can save you a few steps when subscribing.

It’s like managing camera and microphone access. Most apps want to access these things for good, honest reasons, but because some don’t, we need OS features to defend against the bad actors. And it winds up adding a bit of unfortunately necessary friction.

Friday, 3 July 2020