LinkedIn And Reddit Apps Caught Copying Clipboard Content Without Permission
Smartphones have put a lot of power into our hands, literally, but they have also exposed potential security and privacy violations in things we've been taking for granted on desktops. Things like asking permission to use certain hardware and software capabilities were almost an alien concept on desktop operating systems until Android and iOS showed how those can be easily abused, like how some mobile apps have been discovered to be reading clipboard content even when not in use.
Clipboards these days are extremely powerful compared to their predecessors from decades or even years back. They can store not just text but sometimes even images and allow you to copy that data around even after you've copied new things. Some even let you sync clipboard content across supported devices, easily sharing text between a computer and a smartphone, for example.
Because of its rather simple nature, however, it is easy to take the clipboard for granted and overlook how readily it can be abused. For example, both the LinkedIn and Reddit iOS apps were discovered to be copying and pasting text from the iOS clipboard even when they weren't running in the foreground. Worse, because of Apple's clipboard syncing feature, those apps have access to what is in a Mac's clipboard as well.
Clipboards these days can be used to hold all sorts of information, including sensitive data. People tend to copy even passwords and OTPs to paste into a login form, and apps that access the clipboard, especially from the background, can have access to those, too, and associate them with whatever app or website is currently being used. LinkedIn's VP of Engineering says that the app only used the clipboard to compare what was being typed in the app against what's in the clipboard, and that this will soon be fixed in a future update.
Hi @DonCubed. Appreciate you raising this. We've traced this to a code path that only does an equality check between the clipboard contents and the currently typed content in a text box. We don't store or transmit the clipboard contents.
— Erran Berger (@eberger45) July 3, 2020
It might not be an isolated incident, however; LinkedIn and Reddit are simply the only ones to have been caught red-handed for now. It will hopefully push Google, Apple, and other platform developers to put more safeguards even around seemingly simple features like clipboards.