Security researchers have discovered a huge security flaw on iPhones and iPads that allows apps installed on the devices to access the clipboard, including malicious apps, without the user's knowledge.
Copy and Paste with caution
A video demo, released by researchers at Mysk, draws attention to the issue that allows any iOS or iPadOS app to silently read any confidential information from the clipboard even if the app doesn't include any copy-and-paste functionality. This paves the way for rogue apps to obtain sensitive information such as your location, regardless of the permissions allowed to the app.
In the video, the developers create a dummy app called KlipboardSpy that simply prints out the information retrieved from the clipboard, which is where your matter (text, images etc) goes on your device when you Copy something to Paste later.
When the user copies an image, the app can immediately see the content as well as the picture's metadata including the location where the photo was taken. Things take a turn for the worse when the demo shows that even installed widgets have access to data copied to the clipboard.
How real is the risk?
As a matter of fact, the clipboard is designed to be silently readable by any app as many of them have features based on that information which the app uses to prompt actions for the user. For example, when you copy an image to the clipboard, a social media app can detect it and offer to attach it to the message in the compose window.
However, this does pose as a serious security risk if a malicious app or widget were to use this loophole to acquire personal data like Passwords, location, images, and any other copied data by posing to be something else without the user ever noticing.
What should Apple do?
The folks at Mysk said they brought the security issue to Apple's attention but the tech giant refused to deem it as a security concern. This has led many to argue that perhaps Apple should take this issue more seriously and offer toggles in the iOS and iPadOS privacy settings to the user to allow apps access to the clipboard, as it does for system services such as Location, Contacts, Bluetooth, and more.
While the user has to explicitly open an app in order to give it access to the clipboard, iPadOS widgets simply sit on the home screen, so it probably would make sense for iOS to enforce tighter controls on widgets specifically.
