Your iPhone’s normal copy-paste function could leak sensitive data

KlipboardSpy: How malicious apps steal your location data from the clipboard on iPhone and iPad

Update, June 23, 2020: As of Apple’s 2020 Worldwide Developer Conference, the bug reported here appears to be fixed. Tommy Mysk told Digital Trends that Apple has patched the problem according to his recommendations: by adding an alert when an app has read the user’s clipboard. Apple did not respond to a request for comment.

Original text:
Two software developers, one based in Canada and the other in Germany, say they’ve discovered a flaw in the copy-paste system of Apple’s iOS that could leave iPhone and iPad users’ information vulnerable.

Right now, Apple assumes that when you copy information from an app, the next app you open will be where you want to paste that information. As such, Apple gives the active app that is running in the foreground of your phone access to the operating system’s “pasteboard,” which is essentially short-term memory for all the stuff you’ve copied.

The problem, as outlined by Tommy Mysk and Talal Haj Bakry, is that people get distracted and open up other apps before pasting that information in the desired app. Maybe they get a notification, or maybe they suddenly remember something else they’re supposed to do and forget about what they’ve just copied (attention spans are notoriously short these days).

You #CopyPaste a lot on your iPhone and iPad?
Well, we documented how a malicious app can steal your private data from the clipboard. @Apple doesn’t think it’s a problem!

What do you think?

Read the full article at https://t.co/IzHClZxFw1 pic.twitter.com/Y1eXHNs8qM

— Mysk (@mysk_co) February 24, 2020

Mysk and Bakry maintain that every single app a user opens on an iPhone has access to the pasteboard, and can even write to it or overwrite what is on it. This also applies to any widgets that Apple users have running in the “Today View” panels on their phones or iPads — those can also see the pasteboard.

“It can read anything I have in the pasteboard: Photos, PDFs, texts, passwords, and whatever data type you can copy,” Mysk told Digital Trends. “This revelation was shocking to me. It was the reason that pushed me to write a demo app, document the work, and send it to Apple.”

Testing their theory

Mysk and Bakry wrote an app called Klipboard Spy to demonstrate the function. They demonstrated how copying a photo made the photo’s metadata available to Klipboard Spy, including the location where the photo was taken.

If you copy-paste a password, or someone’s bank account number, or any sort of vulnerable personal information, other apps might be able to see this information — apps that you might not necessarily want to have that access. A malicious actor, with enough speed, could theoretically rewrite that bank account information saved in the operating system and reroute the money to a different account.

Let’s say, hypothetically, that there’s a popular app with some shady connections to a certain foreign government on your phone, and on the way between copying a picture and sending that picture to your friend, you open up this other app — that app would be able to see where you’ve been via that photo’s metadata.

This also applies to what’s called the “Universal Clipboard,” which Mysk clarified is a shared pasteboard that is accessible to all Apple devices that use the same Apple ID. If you have a malicious app running in the foreground of your phone and copy-paste something on your computer, the app can see what you’re pasting onto your computer.

The latest version of iPadOS allows a user to set their widget panel to be always visible. This means it’s always active and those apps can see your copy-pastes on all your devices that are linked to your Apple ID. “If you have a malicious widget on top of your Today View, it will always be able to read the pasteboard every time you quit an app,” Mysk said.

“I cannot understand why a widget should have access to the pasteboard. I’m sure there are good scenarios, but as a security expert, I wouldn’t allow it to begin with — at least, not without informing the user,” Mysk said.

Apple responds

Apple did not respond to a request for comment, but according to Mysk, he sent in an official notice on January 2 to Apple saying that he and his partner Haj Bakry had found this flaw. Apple responded on February 6 and, according to Mysk, said that their assessment had concluded there were no risks and supplied a few solutions. Mysk wouldn’t reveal details of the exchange with Apple, but he thought their ideas were paltry at best.

“We presented multiple examples of functioning methods to set up the environment for any attacker to abuse the data,” Mysk said. “They provided remedies that are sloppy and don’t fix the issue.”

The problem is that the settings that enable this data leakiness are often the default settings that most users don’t know about, or don’t bother changing, Mysk said. “Why should we not shift the policy from ‘trusting developers’ to ‘user controls it all’?” he asked.

For example, he continued, a user can disable the Universal Clipboard, if they know how. “But it is activated by default and most users don’t bother to disable it,” he added.

The good news is a person can mitigate a lot of this simply by disabling locations on photos and being fastidious about what apps are open. But Mysk wanted Apple to take more responsibility.

He pointed to the fact that Apple has changed its permissions for contacts and photos; it used to be that all apps on a phone had default access to them, but now a user has to actively give permission. Mysk said he wants to see similar permissions for the pasteboard, as well as a visual indicator for whenever an app can see the pasteboard, similar to the location arrow a user sees when an app is using their location.

Maya Shwayder