Apple users beware: harmful apps can secretly steal your clipboard data


Recently, two developers discovered that a series of apps for iOS silently access the clipboard every time they are launched. The researchers point out that a malicious actor could use the loophole to craft an app that “steals” copied data. Where that data includes photos taken on the device, it also includes the user’s location.

Talal Haj Bakry and Tommy Mysk found out that many apps installed on iPhones, including several with millions of downloads from the App Store, actually get access to anything that’s copied to the clipboard, no matter if it’s sensitive data or not.

Apple iOS and iPadOS apps have unrestricted access to the systemwide general pasteboard. A user may unwittingly expose their precise location to apps by simply copying a photo taken by the built-in Camera app to the general pasteboard.

Any app the user opens after copying such a photo to the pasteboard can read the GPS coordinates stored in the embedded image properties and accurately infer the user’s precise location. This can happen completely transparently and without user consent.

The researchers included a proof-of-concept video in their post, with an illustrative app (KlipboardSpy) and widget (KlipSpyWidget) to show the “flaw” in action. In the video, you can see how malicious apps steal your location data from the clipboard on iPhone and iPad.

According to the researchers, Apple has designated a special permission for accessing GPS information from an Apple device. Apps can only access location information if the user has explicitly granted such access. An average user assumes that apps cannot know their location unless the location services permission is granted. However, an app can infer a user’s location without requesting that from the user by analyzing the geolocation of the user’s IP address.

Several apps made it to the news recently with links to organizations notorious for compromising user privacy. Unfortunately, some of the apps were very popular in some countries. If such malicious apps relied on reading user location from photos left in the pasteboard as described in this article, enough data may have already been harvested to put people’s lives in danger.

Apple is finally resolving this issue with the release of iOS 14, and the preview build that was shipped to developers earlier this week provides us with a closer look at the whole thing. But for now, Apple only warns users that their data is accessed, without actually allowing them to block this from happening.

On the other hand, it’s important to understand that not all apps that do this are evil, and in some cases, accessing the content in the clipboard is actually a key feature. Of course, there are also apps that shouldn’t access clipboard data by any means, so now that the warning is coming to iPhones, the next step for the company is to actually provide the necessary controls to block the whole thing.

Below are the videos posted by the researchers showing how apps steal data that the user copies to the clipboard.


The video below shows how the app steals location:

