A few questions for Apple today, following the revelation by security researchers that the clipboard on iPhones and iPads can be accessed by any apps on those devices—even rogue ones—without the user being aware. For Apple, this is simply the functionality working as planned. But the researchers point out that a malicious actor could use the loophole to craft an app that “steals” copied data. And where that data includes photos taken on the device, this will include the user’s location.
“We submitted this to Apple on January 2, 2020,” researchers Talal Haj Bakry and Tommy Mysk explain in their disclosure. “After analyzing the submission, Apple informed us that they don’t see an issue with this vulnerability.”
The researchers included a proof of concept video in their post, with an illustrative app (KlipboardSpy) and widget (KlipSpyWidget) to show the “flaw” in action. “How malicious apps steal your location data from the clipboard on iPhone and iPad,” is how the video has been tagged.
“iOS and iPadOS apps have unrestricted access to the systemwide general pasteboard,” the disclosure warns. “Through the GPS coordinates contained in the embedded image properties, any app used by the user after copying such a photo to the pasteboard can read the location information stored in the image properties, and accurately infer a user’s precise location. This can happen completely transparently and without user consent.”
From Apple’s perspective, the risk is more hypothetical than alarming because iOS restricts the paste function to active foreground apps. The researchers’ response to this defense was to create a widget for the Today View to monitor for copied data. Again, theoretically, such a widget could be spoofed with a quasi-useful function.
“There are other techniques a malicious app can implement in order to increase the likelihood the app can read the pasteboard,” the researchers explain. “A widget placed on top of the Today View can read the pasteboard every time the user swipes to the Today View, hence expanding the vulnerability window. On iPadOS, a user can configure the Today View to be always visible on the home screen, allowing malicious app widgets more time and frequency to access the pasteboard.”
To address the flaw, however hypothetical the risk might seem, the researchers suggest denying apps “unrestricted access to the pasteboard without user’s consent.” The enhanced privacy settings in the latest versions of iOS could include a per-app setting to grant clipboard access. Alternatively, clipboard access could be restricted to “when the user actively performs a paste operation.”
Apple’s useful cross-platform functionality, where data copied on one device—say a Mac—can be pasted onto another, theoretically makes the issue worse.
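For an app developer who wants to limit this exposure on their own side, rather than wait for a platform change, the relevant knobs are the image’s GPS properties and the pasteboard options. The following Swift is an added example, not code from the researchers’ disclosure or from Apple: it assumes the helper names `stripGPS`, `hasGPS` and `copyPhotoWithoutLocation` (all hypothetical), drops the GPS dictionary from the image properties before the photo is placed on the general pasteboard, and marks the item local-only with a short expiry so it neither syncs via the cross-device clipboard nor lingers for a widget to read later.

```swift
import UIKit
import ImageIO

/// Returns true if the image data carries a GPS IFD in its embedded properties.
/// Hypothetical helper name; uses only public ImageIO calls.
func hasGPS(_ imageData: Data) -> Bool {
    guard let source = CGImageSourceCreateWithData(imageData as CFData, nil),
          let props = CGImageSourceCopyPropertiesAtIndex(source, 0, nil) as? [CFString: Any]
    else { return false }
    return props[kCGImagePropertyGPSDictionary] != nil
}

/// Re-encodes the image in its original format with the GPS dictionary removed.
/// Setting a property to kCFNull in the destination properties tells ImageIO to drop it.
func stripGPS(from imageData: Data) -> Data? {
    guard let source = CGImageSourceCreateWithData(imageData as CFData, nil),
          let type = CGImageSourceGetType(source) else { return nil }
    let output = NSMutableData()
    guard let dest = CGImageDestinationCreateWithData(output as CFMutableData, type, 1, nil)
    else { return nil }
    let props: [CFString: Any] = [kCGImagePropertyGPSDictionary: kCFNull]
    CGImageDestinationAddImageFromSource(dest, source, 0, props as CFDictionary)
    guard CGImageDestinationFinalize(dest) else { return nil }
    return output as Data
}

/// Places a location-stripped copy of the photo on the general pasteboard.
/// `uti` is the image's uniform type identifier, e.g. "public.jpeg".
/// .localOnly keeps the item off the cross-device clipboard; .expirationDate
/// clears it after `ttlSeconds` so a later foreground app or widget finds nothing.
func copyPhotoWithoutLocation(_ imageData: Data, uti: String, ttlSeconds: TimeInterval = 60) -> Bool {
    guard let cleaned = stripGPS(from: imageData), !hasGPS(cleaned) else { return false }
    let expiry = Date(timeIntervalSinceNow: ttlSeconds)
    UIPasteboard.general.setItems([[uti: cleaned]],
                                  options: [.localOnly: true, .expirationDate: expiry])
    return true
}
```

This does not close the loophole the researchers describe, since any foreground app can still read whatever is on the pasteboard; it only removes the location data and narrows the window in which the copied item is readable.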
As with many such “vulnerabilities,” the researchers have identified a potential security hole, not one that has been actively exploited. But, with state-sponsored threat groups and organized criminal networks attacking operating systems as a matter of routine, any potential flaw provides a starting point for an exploit. It would not be a huge surprise if this is addressed by Apple in a future release.
Apple was approached for any comments on this story.