iOS security duo Mysk has confirmed that a problem that allowed popular iPhone and iPad apps to snoop around your iOS clipboard has not been fixed in iOS 13.4.
In a blog post on March 10, Mysk detailed the following revelation:
This article provides an investigation of some popular apps that frequently access the pasteboard without user consent. These apps range from popular games and social networking apps to news apps of major news organizations. We found that many apps quietly read any text found in the pasteboard every time the app is opened. Text left in the pasteboard could be as simple as a shopping list, or could be something more sensitive: passwords, account numbers, etc.
Your iOS clipboard, also known as the pasteboard, is where information you copy and paste is stored whilst you’re using. As such it could include any information you might copy or paste such as a phone number, a message from a friend, a password or a credit card number.
We have explored popular and top apps available on the App Store and observed their behavior using the standard Apple development tools. The results show that many apps frequently access the pasteboard and read its content without user consent, albeit only text-based data.
We caught up with Mysk following the release of iOS 13.4, and they confirmed that the issue has not been solved within iOS by Apple. They stated that testing had revealed that Apple hadn’t changed anything to minimize the risk of snooping, not even blocking widgets from accessing the clipboard. Whilst this is disconcerting, some other developers have picked up on the issue and are working from their end to solve it.
In a tweet, developer 10percent told a confused user who asked about snooping the following:
We take privacy seriously & understand your concern regarding access to your phone’s clipboard. We’ve determined this behavior is being initiated by software from one of our vendors. We do not track the contents & we are working with them to disable this functionality entirely.
Mysk also stated that “we know for sure” that Google’s Mobile Ad SDK is one of the libraries causing issues. Until recently, Google stated that this was used to help developers debug the integration of the SDK into their apps. Google fixed this in version 7.44.0, released last year.
As mentioned, guilty apps included TikTok, as well as ABC News, CBS News, CNBC, Fox News, New York Times, Reuters, WSJ, 8 Ball Pool, and more. You can read the full initial report here. Mysk concluded its research by stating that “many popular apps read the text content of the pasteboard” but that it was unclear what was being done with that data, and that Apple must act.