Clipboard Snooping Isn’t Just an iOS Issue
I think everyone has probably been following the news about TikTok and data security lately. One of the ways the video-sharing app – or any app you install – can seize your data is by accessing the copy-and-paste clipboard function on your tablet or smartphone and capturing your content.
This type of data extraction is not new. Researchers Talal Haj Bakry and Tommy Mysk already reported on this problem on iOS back in March 2020. I’ve known about this for many years and a lot of malware does this in the background. But I think we underestimate just how aggressive the data collecting can get.
iOS 14 beta has a banner to confirm when you paste from another device (eg copy on a Mac and paste on iPhone)
Seems to be bugging out and showing with every keystroke in TikTok pic.twitter.com/aFKNfZnpyb
— Jeremy Burge (@jeremyburge) June 24, 2020
Here’s a video showing how aggressive TikTok is at capturing data from someone typing a message on the platform.
With iOS 14, Apple announced that it will notify its users when the foreground app tries to read their clipboard. This has generated a lot of news coverage, which has finally woken the public up to the risk of allowing apps access to their clipboards.
Clipboard access is not just an iOS problem
The news headlines may make it sound like clipboard access is only an iOS problem, but it’s not. The risk is the same on Android devices. Regardless of the operating system on your tablet or phone, if you’re copy-and-pasting sensitive personal or corporate information, it could be extracted and uploaded to a server without your knowledge.
The positive news is that Android has taken steps to limit data leakage as well. Starting with Android 10, apps can access your device’s clipboard only if they are an input method editor (IME) or if they are in the foreground with focus. But you need to take further steps to ensure your organization is secure.
How do I protect my organization against clipboard snooping?
As mentioned above, this is not a new problem. Here at Lookout we’ve identified and protected against the risk for a number of years. First in our consumer app, and then in 2016, we became the first mobile security vendor to deliver a Mobile App Reputation Service (MARS) in an enterprise product to enable organizations to manage mobile risks. With this capability, you can minimize risk by limiting the types of apps your employees use and what capabilities and permissions they use, including access to clipboards.
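A minimal sketch of checking an Android app for clipboard reads, added here as an example and not Lookout's code or method: it scans disassembled smali for direct calls to the framework's ClipboardManager and marks those made inside TextWatcher callbacks, which run on every keystroke. The package com.example.notes and the smali excerpt are constructed for illustration.

```python
import re

# Methods on android.content.ClipboardManager that expose clipboard data.
CLIPBOARD_CALLS = {"getPrimaryClip", "getText", "addPrimaryClipChangedListener"}
# android.text.TextWatcher callbacks run on every edit of a text field.
PER_KEYSTROKE = {"beforeTextChanged", "onTextChanged", "afterTextChanged"}

CLASS_RE = re.compile(r"^\.class\s.*?(L[\w/$]+;)\s*$")
METHOD_RE = re.compile(r"^\.method\s.*?([\w<>$]+)\(")
CALL_RE = re.compile(r"Landroid/content/ClipboardManager;->(\w+)\(")


def scan_smali(text):
    """Return one finding per direct ClipboardManager call in smali text.

    Only direct calls are seen; a watcher that delegates to a helper
    method needs call-graph analysis, which this sketch does not do.
    """
    findings, cls, method = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := CLASS_RE.match(line):
            cls, method = m.group(1), None
        elif m := METHOD_RE.match(line):
            method = m.group(1)
        elif line == ".end method":
            method = None
        elif (m := CALL_RE.search(line)) and m.group(1) in CLIPBOARD_CALLS:
            findings.append({
                "class": cls, "method": method, "call": m.group(1),
                "per_keystroke": method in PER_KEYSTROKE,
            })
    return findings


# Constructed smali excerpt (hypothetical app), not taken from a real APK.
SAMPLE = """\
.class public Lcom/example/notes/ComposeWatcher;
.method public afterTextChanged(Landroid/text/Editable;)V
    invoke-virtual {v0}, Landroid/content/ClipboardManager;->getPrimaryClip()Landroid/content/ClipData;
.end method
.class public Lcom/example/notes/PasteButton;
.method public onClick(Landroid/view/View;)V
    invoke-virtual {v1}, Landroid/content/ClipboardManager;->getPrimaryClip()Landroid/content/ClipData;
.end method
"""

if __name__ == "__main__":
    for f in scan_smali(SAMPLE):
        tag = "PER-KEYSTROKE" if f["per_keystroke"] else "on demand"
        print(f'{f["class"]}->{f["method"]}: {f["call"]} [{tag}]')
```

A read behind an explicit paste action is expected behaviour; a read inside a text-change callback is the pattern worth a closer look.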
We don’t offer the exact same capability in Lookout Personal, but if you want to see for yourself how our console helps you figure out which apps on your phone or tablet are accessing functionalities such as your camera, microphone, location and contacts on Android, you should check out our app on the Google Play Store. It’s one of the Lookout Premium features, and I’m happy to provide the upgrade to you for free. I can also connect you with one of my colleagues at Lookout to provide more information on how you can protect your organization from clipboard snooping and other mobile risks on iOS and Android with our Enterprise Mobile Endpoint Security product.
Thanks for taking the time to read my blog. Please stay safe and healthy! You can contact me directly on LinkedIn to get the free Lookout Personal upgrade or to learn more about our enterprise solutions.
Here’s a screenshot of what the backend of our Personal app looks like to help you figure out which apps have what access.