Smartphones have put a lot of power into our hands, literally, but they have also exposed potential security and privacy violations in things we’ve been taking for granted on desktops. Things like asking permission to use certain hardware and software capabilities were almost an alien concept on desktop operating systems until Android and iOS showed how those can be easily abused, like how some mobile apps have been discovered to be reading clipboard content even when not in use.
Clipboards these days were extremely powerful compared to their predecessors from decades or even years back. They can store not just text but sometimes even images and allow you to copy that data around even after you’ve copied new things. Some even let you sync clipboard content across supported devices, easily sharing text between a computer and a smartphone, for example.
Because of its rather simple nature, however, some take it for granted how it can easily be open for abuse. For example, both the LinkedIn and Reddit iOS apps were discovered to be copying and pasting text from the iOS clipboard even when they weren’t running in the foreground. Worse, because of Apple’s clipboard syncing feature, those apps have access to what is in a Mac’s clipboard as well.
Clipboards these days can be used to hold all sorts of information, including sensitive ones. People tend to copy even passwords and OTPs to paste on a login form and apps that access the clipboard, especially from the background, can have access to those, too, and associate it with whatever app or website is currently being used. LinkedIn’s VP of Engineering assures that the app only used that to verify what was being typed in the app versus what’s in the clipboard but will soon fix that in a future update.
It might not be an isolated incident, however, and only Linked and Reddit have been caught red-handed for now. It will hopefully push Google, Apple, and other platform developers to put more safeguards even around seemingly simple features like clipboards.