In a growing trend for acquiring personal data for third party benefits, as described by surveillance capitalism, apps have been stealing the contents of your device’s accessible working memory*, the clipboard.
In March 2020, two developers posted their research showing how some mobile apps have been configured to read the contents of an iOS device’s clipboard without requiring any user consent. According to news published at the weekend, the bug/feature is still present. It means apps including TikTok able to access anything that resides on the clipboard, which can include passwords and other sensitive information if you use a password manager. It can also include activities that occurred on other devices nearby if you use multiple Apple devices that can communicate with one another. Windows 10 devices have a similar feature: clipboard synchronisation. And it is assumed that Android devices have the same vulnerability because it is a universal method. It’s a sensible approach, engineering-wise, because it means each app only needs to be able to communicate with a universal clipboard, either to send or receive data. For example, when I receive a ‘one-time password’ (OTP) as a text message to my phone, a message pops up on my Mac giving me the option to paste it into the text box of the website requesting the OTP.
There are times when you want an app to have access to the clipboard because it saves you having to type things manually. A clipboard acts as a form of digital working memory*, creating short cuts to help you complete a task more quickly. However, it came as a surprise to me that apps can query the contents of the clipboard without requiring any human intervention. There is absolutely no reason for an app to be accessing your clipboard unless you want to copy/paste some data between two apps. It is another example of the growing field of surveillance capitalism, where technology is used to extract personal data for the benefit of third parties and not the person the data relates to. The worry is that a lot of data may be in your clipboard. The default behaviour is to use it to copy/paste items. We don’t typically think about then deleting the content from the clipboard and data may still be stored there until the device is restarted, depending on settings. Devices are increasingly put into a ‘sleep’ state rather than shut down overnight meaning data could linger long after completion of the action the data was needed for.
Apparently, the next release of iOS doesn’t prevent this from happening but does now flag up when it happens.
- Popular iPhone and iPad Apps Snooping on the Pasteboard, by Talal Haj Bakry and Tommy Mysk, published 10 March 2020
- TikTok and 53 other iOS apps still snoop your sensitive clipboard data, by Ars Technica, published 27 June 2020
- The Age of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power, by Shoshana Zuboff, published 2019
- How long does Windows keep your clipboard for?, Quora question answered May 2019
* You could argue that RAM (random access memory) is a device’s digital working memory. Put simply, the clipboard is a function that enables the copy/paste transfer of data between apps. Data placed in RAM via the clipboard is accessible by any app with access to the clipboard function.
Declaration: Links to books on Amazon contain affiliate links. I will receive a small percentage of the sale if the book is purchased via this link.