Current state of Clipboard Snooping in iOS and Android devices

What’s the current state of clipboard snooping exposures on iOS 15 or newer devices? Can apps still snoop on passwords stored in the clipboard? I know that since June '16 Codebook has had a feature to clear the clipboard but apps like Tiktkk (misspelled intentionally) could snoop on the clipboard every few seconds.
Is clipboard snooping still a valid threat, since I used Codebook’s “Copy to Clipboard” feature quite a lot? Is it any worse on the latest Android 12/13 devices?
I have owned copies of Codebook on both iOS and Android for several years now but only started thinking about clipboard snooping since Tiktkk was discovered doing this in earlier releases. China-based apps are increasingly popular and seem to be the biggest perpetrators of this form of attack.
Can Zetetic advise on the current state of this attack and how I can use Codebook in a more secure way? Should I stop using the Copy to Clipboard feature completely on iOS and/or Android?

Hi @yunamc

Thank you for your support of Codebook and for posting to the discuss forum with this question.

As you mentioned, Codebook has a feature to clear the clipboard after 2 minutes to avoid accidentally pasting data copied to the clipboard from Codebook unintentionally.

Codebook copies the data from within Codebook (for example when copying a password using the copy menu item from the context menu) to the Universal clipboard. This is necessary to make it available for pasting into other applications. Starting with iOS 14, Apple started showing a banner when another application accessed data on the clipboard (without the user explicitly pasting it).

Here’s a screenshot of an example application I wrote which reads the clipboard running on an iOS 15.4 device:

Even though the banner appears, the application is still able to read the Universal clipboard contents.

In iOS 16.x Apple went one step further and now presents a privacy prompt which intervenes when another application tries to read the Universal clipboard to ask you if you’d like to allow it. Here’s a screenshot of the same example application running on iOS 16.2 simulator:

If you select not to allow the application to paste, then it won’t be able to read the contents of the Universal clipboard.

Starting in Android 13, Android OS added a popup displaying the copied value when first copying it (Codebook explicitly masks this when displayed).

Codebook for iOS and Codebook for Android both have nice Password AutoFill implementations:

Codebook for iOS Password AutoFill
Codebook for Android Password AutoFill

Password AutoFill bypasses the need to use the Universal clipboard at all and is very convenient – if you haven’t tried that out yet, we’d recommend giving it a shot.
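
For developers who want the same kind of timed clipboard clearing in their own iOS app, here is an added example that is not part of the original post and is not Codebook's code. The class name `SecretClipboard` and its methods are hypothetical; the 120-second lifetime mirrors the 2 minutes mentioned above.

```swift
import UIKit
import UniformTypeIdentifiers

/// Hypothetical helper (not Codebook's implementation): copies a secret to the
/// general pasteboard and makes sure it does not linger there indefinitely.
final class SecretClipboard {
    private let pasteboard = UIPasteboard.general
    private var ownedChangeCount: Int?
    private var clearTimer: Timer?

    /// Copy `secret` and schedule its removal after `lifetime` seconds.
    func copy(_ secret: String, lifetime: TimeInterval = 120) {
        let item: [String: Any] = [UTType.utf8PlainText.identifier: secret]

        // The system enforces expirationDate itself, so the item is dropped
        // even if this app is suspended or terminated before the timer fires.
        pasteboard.setItems([item], options: [
            .expirationDate: Date().addingTimeInterval(lifetime)
        ])

        // Remember which pasteboard change is ours.
        ownedChangeCount = pasteboard.changeCount

        // In-process timer for the case where the app stays in the foreground.
        clearTimer?.invalidate()
        clearTimer = Timer.scheduledTimer(withTimeInterval: lifetime,
                                          repeats: false) { [weak self] _ in
            self?.clearIfStillOurs()
        }
    }

    /// Clear the pasteboard only if nothing else has been copied since.
    /// Comparing changeCount avoids reading the pasteboard contents and
    /// avoids wiping something the user copied from another app.
    func clearIfStillOurs() {
        defer {
            ownedChangeCount = nil
            clearTimer?.invalidate()
            clearTimer = nil
        }
        guard let owned = ownedChangeCount,
              pasteboard.changeCount == owned else { return }
        pasteboard.items = []
    }
}
```

Call `clearIfStillOurs()` from the app's lock or background handler as well if the secret should be removed as soon as the user leaves the app.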

Micah, this is by far the best response I have ever gotten from any Tech and is exactly what I was looking for! Thanks!

@yunamc

Absolutely. Glad I could help and thank you for the kind words.

Please feel free to reach out again if you have any further questions, issues, or feedback.

Happy Holidays!