85

Via Hacker News, I came across a Tweet implying that Facebook's iOS app routinely reads and transmits all content from the user's pasteboard.

Leaving aside whether Facebook's app genuinely does this (which is a separate question), is this possible? I had always naively assumed that an app couldn't access what was on my clipboard unless I explicitly chose to "Paste" into a native text view. Is that assumption wrong? What is the security model for the content of the clipboard on the two major phone OSes? (Or what are the security models, if it's handled differently between iOS and Android?)

Mark Amery
  • 1,777
  • 2
  • 13
  • 19
  • 16
    This is true for not just mobile devices, but also desktop OSes. For example, Windows has an event, WM_CLIPBOARDUPDATE, that any application can register for. As far as I can tell, most OSes are not designed to protect the clipboard from casual monitoring. – phyrfox Dec 30 '17 at 15:47
  • 4
    For that matter, can any open website read my clipboard? – Eric Duminil Jan 01 '18 at 00:15
  • 3
    @EricDuminil Did a quick [search](https://stackoverflow.com/questions/6413036/get-current-clipboard-content), and it looks like IE can request clipboard contents with a popup for user's permission. It also appears that old versions of flash could read clipboard contents, but that has since been fixed/removed – phflack Jan 01 '18 at 05:53
  • 3
    @EricDuminil The web browser can read your clipboard (obviously), but the web *site* cannot. However, web *extensions* may be able to, so you should always take care to make sure your installed extensions are not spying on you. – phyrfox Jan 01 '18 at 09:02
  • 4
    This is why I prefer using password managers that don't copy text to the clipboard, but rather [use a separate keyboard](https://keepass2android.codeplex.com) with access to my credentials. – Peter Majeed Jan 01 '18 at 15:57
  • 2
    This is a fantastic question. This kind of security should be known to all, not just the experts. – insidesin Jan 02 '18 at 03:39

3 Answers3

88

Android

Prior to Android 10 any app could freely register listeners to receive the clipboard contents whenever they changed.

As of Android 10, only the current app with focus and any app set as the input method editor (i.e. the keyboard app) can read the clipboard. Previously common methods of creating background services that would listen to changes to the clipboard are no longer possible and background applications that used to rely on clipboard data must now implement workarounds where they receive the focus at least momentarily before they are able to read the clipboard.

Additionally in Android 12 or later it is possible to enable a feature which alerts the user (in the form of a toast) whenever clipboard content is read by an app.

iOS

As confirmed in the comments by user 11684, even Apple allows apps to read your clipboard (though only while they are in the foreground). Here is the link to the documentation that returns the data of the clipboard.

Update in iOS 14: Beta version of iOS 14, reportedly, has a feature which alerts the users whenever any app reads the data from the clipboard.

Kryomaani
  • 123
  • 2
pri
  • 4,438
  • 24
  • 31
  • 7
    Worth noting that this does not require any permission to be granted - any app can do this. There's a very good writeup about the issue here: https://github.com/grepx/android-clipboard-security – Jonas Czech Dec 31 '17 at 06:37
  • Do they have access to all my clipboard history or just the current clipboard entry and is this true for screenshots in the clipboard? Can they read my screenshots in my clipboard? – Skiddie Hunter Jan 10 '19 at 10:42
  • iOS 9, FB was spying constantly in the clipboard to find "links" to present option to share with friend etc, even when it was in the background – chefarov Mar 25 '20 at 15:06
  • 1
    It is also worth noting that [since Android 10, only focused apps or the chosen keyboard app can read clipboard at any time](https://developer.android.com/about/versions/10/privacy/changes#clipboard-data), so a service running in background listening to changes on the clipboard hasn't been possible in a good while. – Kryomaani Jun 21 '22 at 05:01
7

It is definitely possible for an app to check the clipboard content anytime.

Example: copy a link, then open Chrome. It will offer the link in the search bar (‘goto link you copied’). If you copy something that is not a link, it will not make that offer. This proves that it checks the clipboard without explicit user action.

Mark Amery
  • 1,777
  • 2
  • 13
  • 19
Aganju
  • 351
  • 2
  • 7
1

In iOS 14, iOS now displays a system notification alert whenever an app reads from the clipboard.

App1 pasted from App2

enter image description here

This caused many privacy-focused stories to be written in the summer of 2020 as various apps were "caught" reading clipboard data during the iOS 14 beta:

pk_
  • 113
  • 4