Apple’s approach of making privacy one of its main selling points isn’t new, but it’s come to the forefront again with the ongoing iOS clipboard saga.
What this does is alert the user when an app tries to copy clipboard information. Something, it turns out, apps appear to do constantly.
TikTok was the first of these to cause a stir:
Okay so TikTok is grabbing the contents of my clipboard every 1-3 keystrokes. iOS 14 is snitching on it with the new paste notification pic.twitter.com/OSXP43t5SZ
— Jeremy Burge (@jeremyburge) June 24, 2020
The company — owned by the Chinese firm, Bytedance — fixed this snooping in an update on June 27, three days after it was first brought to the public’s attention. In a statement, TikTok said it was originally copying the iOS clipboard in order to “identify repetitive, spammy behaviour.”
But this was only the start.
Over the following days, rafts of companies have had to apologize and resolve to fix their iOS clipboard-copying apps. This includes Reddit:
UPDATE: Seems like Reddit is capturing the clipboard on each keystroke as well 😕
Seeing the notification come up just as much. pic.twitter.com/nzbElmRG2a
— Don 𝘧𝘳𝘰𝘮 urspace.io (@DonCubed) July 2, 2020
After this, the company resolved to fix the issue, telling The Verge that it was due “a codepath in the post composer that checks for URLs in the pasteboard and then suggests a post title based on the text contents of the URL.” They reiterated saying that Reddit doesn’t “store or send the pasteboard contents” anywhere.
Around this time, the same Twitter user (@DonCubed) claimed their next big scalp: Microsoft-owned LinkedIn.
LinkedIn is copying the contents of my clipboard every keystroke. IOS 14 allows users to see each paste notification.
I’m on an IPad Pro and it’s copying from the clipboard of my MacBook Pro.
Tik tok just got called out for this exact reason. pic.twitter.com/l6NIT8ixEF
— Don 𝘧𝘳𝘰𝘮 urspace.io (@DonCubed) July 2, 2020
Erran Berger — VP Engineering, Consumer Products at LinkedIn — got involved to say the company doesn’t “store or transmit the clipboard contents.” Effectively, acknowledging the issue, but saying “WE DIDN’T MEAN TO SOZ.”
These apps snooping on the iOS clipboard are just the tip of the iceberg though. Over the weekend the Weather Network pulled its code from the App Store in order to deal with the issue properly.
And while there are plenty of companies being vocal about this issue, there are plenty that are staying quiet — and those are the ones we know about.
But why is copying information from the iOS clipboard bad?
Before we go on, we should clarify exactly why apps copying iOS clipboard data isn’t good practice.
Firstly, we need to acknowledge that copying data from the clipboard isn’t shady in itself. For example, a web browser automatically suggesting you visit a website in your clipboard. Or copying a confirmation code from one app and it automatically appearing in another. These are examples of the mechanism working as it should: making the user experience slick and useful — as long as that data isn’t stored anywhere and is only used locally, of course.
The problem is apps that have no discernible need to be checking your clipboard, doing so constantly and consistently.
Jake Moore, Cybersecurity Specialist at ESET, told me the most damaging impact of this iOS clipboard copying would be “passwords or bank details” being accessed — especially from a password manager. This could be even more dangerous if the password manager doesn’t have two-factor authentication enabled.
In other words, “in the wrong hands, any type of snooping around on the clipboard could be quite damaging.”
Now, apps might not be scooping up clipboard data purposefully (for example, the LinkedIn copying was supposedly due to the app doing an “equality check”), but they are still taking your information without your knowledge.
And that’s not on.
And why does this saga reflect well on Apple?
Apps copying user info from clipboards isn’t new. In fact, Mysk published an expose about it in February (after telling Apple about it the month before).
What’s refreshing is a major tech company actually putting its money where its mouth is and implementing a user-centric policy. And, even better, app developers are having to change alongside it. So fair-fucking-play, Apple.
But it does make you ponder about Android.
Google’s mobile OS is far more open about API access and has a… looser approach to privacy. This has improved with Android 10, but if clipboard copying is happening on iOS, then you can guarantee it’s occurring on Android too — and most likely in a worse fashion. Every single day Google is quiet about this, Apple is winning a privacy victory, which is exactly what it wants.
Confronting things like iOS clipboard snooping is refreshing, but let’s not forget it’s a business tactic. Privacy is another way of Apple differentiating itself from Android. It’s a product.
But, as far as products go, it’s a pretty fucking good one.
Published July 6, 2020 — 10:28 UTC