Hardcore test: 41 out of 50 mainstream apps are "peeking" at your clipboard

30 seconds quick read

1. Even before the official release of Apple's iOS 14, app developers in China and abroad are already worried, mainly because iOS 14 adds a security reminder. Whenever an app reads the clipboard, a notification appears at the top of the iPhone screen: "App A copied from App B". Apple's aim with this update is to let users know which apps may be tracking their information.

2. So, to what extent will the clipboard leak personal information? Under what circumstances is it most likely to leak personal information? The reporter of IT Times tested the Apple and Android versions of 50 apps, and the results were unexpected.

Please send me your phone number and delivery address.

Can you lend me your video membership account and password?

Please send me the card to which the money will be transferred, the issuing bank and the ID number at the same time.

Exchanging private information like this usually involves copying and pasting. Have you ever counted how many times you copy and paste on your mobile phone every day? You may never have thought that this common action could quietly leak your privacy.

Apple's iOS 14 has already caused a stir over privacy protection abroad.

According to foreign media reports, after some users upgraded to iOS 14, the system repeatedly showed prompts that ByteDance's short video app TikTok was reading the clipboard. Netizens also found that the Google Chrome browser, the news apps CNN and Google News, and Starbucks all read the user's clipboard on iOS 14.

In response, the relevant person in charge of TikTok said that an updated version has been submitted to the App Store with the feature removed to eliminate confusion. The clipboard access was meant to combat users who repeatedly post meaningless spam comments and malicious comments. He also emphasized that this feature will not access any content on the user's clipboard.

So, will domestic mainstream apps also have nowhere to hide under Apple’s new system?

01

Test 50 mainstream apps

Only 9 are not actively reading the clipboard

After upgrading to the iOS 14 beta, an IT Times reporter tested 50 mainstream apps covering e-commerce, social networking, video, music, finance, life, travel and other fields. The results showed that only 9 apps did not trigger the clipboard-read reminder, namely WeChat, Gome, Amazon China, Zhihu, Flush, Meituan Takeout, Dingdong Maicai, Ctrip and Didi Chuxing.

Map: Feng Chengjie, IT Times

That is to say, after you copy something in any app on your iPhone, each of the other 41 apps may read it as soon as you open that app, without your knowledge.

What is alarming is that before iOS 14, users were unaware of this behavior and Apple condoned it.

So, will Apple automatically identify sensitive information and help users block it?

The IT Times reporter copied a block of related information in one go in the iPhone's built-in Memo app, including sensitive information such as name, phone number, home address and ID number, and pasted it into a memo. But when the reporter opened the 50 apps one by one, the security prompt "such and such app copied from the memo" still appeared. Multiple tests gave the same results as the test above: 82% of the apps read the clipboard.

"Apple did not provide security prompts or filter clipboard content before iOS 14, and it is unclear whether it will be filtered before the official release of iOS 14." An enterprise security service provider pointed out, "As long as the information is copied and pasted by the user, the App can almost read it, such as text, pictures, basic file information, etc."

For apps, the clipboard is a very useful tool. For example, after WeChat blocked links from Taobao and Douyin, they used passwords, QR codes, etc. to achieve the jump. Douyin and Taobao first inspect the clipboard content; content carrying their own special identifiers is uploaded to the cloud to match related videos or products, and the results are returned to the user. If there is no corresponding result, the user will not notice this behavior.

02

Secondary pasting is the biggest risk

"The second paste is the biggest risk." Qu Zilong, founder of the private Internet security organization Network Blade, pointed out that the biggest potential risk of the clipboard is not the first copy and paste. In daily life, most of the content copied and pasted for the first time is for the convenience of users to provide information to the App. The real risk is that after the user copies the content and pastes it into application A, the copied content is not recycled. When opening application B, the content can still be obtained, thus causing the risk of leakage of sensitive information.

It is worth mentioning that the above test results were obtained in a double-paste test environment. The IT Times reporter first completed the copy and paste actions in the Memo App, and then opened 50 apps to check whether there were any security alerts.

The IT Times reporter also ran multiple paste tests and found that on iPhones running the iOS 14 beta, the copied content generally becomes invalid after about 20 cross-app pastes and can no longer be pasted. The count differs slightly each time, so it can be inferred that the expiry may be related to time: every once in a while, the iPhone clears the clipboard.

When it comes to recycling sensitive information, banking apps do a good job. After copying and pasting a bank card account number and then logging into a banking app, many banks will display a prompt: "Do you need to transfer money to your bank card (account)?" This function is available at the Industrial and Commercial Bank of China, China Merchants Bank, Postal Savings Bank of China, Pudong Development Bank, Shanghai Bank, etc.

Fortunately, once you complete the cancellation or transfer at one bank, this prompt will no longer appear when you log in to other bank apps.

03

Xiaomi's iOS 14 rival

Take a look at the Android apps under the mask

Xiaomi's MIUI 12 system has upgraded its privacy protection function. This function is more effective than the reminder in iOS 14 and is considered by the mobile phone industry to be the nemesis of rogue software.

As long as the App retrieves user personal information, this Xiaomi function will issue a reminder and return a "blank pass", which to a certain extent solves the problem of "not being allowed to use the app if permission is not given".

Therefore, the "IT Times" reporter used Xiaomi's privacy function to test the Android versions of the above 50 apps. Only 11 apps did not actively read the clipboard, namely WeChat, Gome, Amazon China, Zhihu, WeBank, Ele.me, Meituan Takeout, Dingdong Maicai, 58 Daojia, Ctrip and Didi Chuxing.

The fact that there are slightly more Android apps that do not actively read than Apple apps does not mean that Android is safer than Apple, because the number of reads is very shocking. Some Android apps even read the clipboard 20 times within two minutes.

From the comparative tests between Apple and Android, it can be seen that reading the user's clipboard is a very common behavior in China.

"It depends on whether there is actual infringement, and whether the App uploads and retains the user's personal information after reading the clipboard," said Qu Zilong. This is equivalent to the collection of personal information.

So how do we define infringement? According to Article 3, Point 1 of the “Method for Identifying Illegal and Irregular Collection and Use of Personal Information by Apps”, collecting personal information before obtaining the user’s consent can be considered as “collecting and using personal information without the user’s consent”; Article 4, Points 1 and 3 point out that if the type of personal information collected is irrelevant to the existing business functions, and the frequency of collecting personal information exceeds the actual needs of the business functions, it can be considered as “violating the principle of necessity”.

The clipboard on Apple's system has always been considered safer than the one on Android, because on the iPhone, newly copied content directly overwrites the previously copied content. Android phones, however, keep more content on the clipboard, so you can often view the clipboard history in places such as input methods.

Recently, Android phone manufacturers have also begun to realize the information security issues of the clipboard, and many Android phone manufacturers have launched the function of clearing the clipboard in a few seconds.

From this we can see that domestic mobile phone manufacturers are already taking the lead in cleaning up the problematic ecosystem of apps that excessively request information. The purpose of Apple’s update this time is not only to show users who is tracking them, but also to warn developers.

In addition to paying attention to the increasingly stringent domestic regulations on the collection and use of personal information, Chinese apps going overseas also need to pay attention to user privacy protection. After the European Union introduced the most stringent privacy regulation in history, the General Data Protection Regulation (GDPR) in 2018, the United States also introduced the very strict California Consumer Privacy Act (CCPA) this year.

In February this year, two foreign iOS developers issued a warning that due to a vulnerability in Apple and Android phones, dozens of mainstream apps frequently access clipboard contents. Although this move does not cause much harm, it may be exploited by hackers.

So, under what circumstances is the clipboard prone to information leakage and at risk of being abused by hackers or rogue apps?

Several white hats and security experts pointed out to the IT Times reporter that copying and pasting linked combinations of information in one go on an Apple phone, such as account + password or name + ID number + home address + phone number, or copying such linked information in one go or in succession on an Android phone, is valuable to a "peeking" app.

If it is just a password, the app only gets a meaningless string of characters. In addition, if the phone is not jailbroken and apps are installed through official channels, there is no need to worry too much.
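
The linked combinations described above can be recognized mechanically, which is how a clipboard guard could decide that copied content should be cleared promptly. The sketch below is an added example, not code from the article or from any app it tests; the regular expressions, the `classify` and `risk` names and the sample strings are assumptions constructed for illustration.

```python
import re

# Assumed patterns, not from the article: mainland-China mobile number,
# 18-character resident ID number, 16-19 digit bank card number.
PHONE = re.compile(r"(?<!\d)1[3-9]\d{9}(?!\d)")
RESIDENT_ID = re.compile(r"(?<!\d)\d{17}[\dXx](?!\d)")
CARD = re.compile(r"(?<!\d)\d{16,19}(?![\dXx])")

ID_WEIGHTS = (7, 9, 10, 5, 8, 4, 2, 1, 6, 3, 7, 9, 10, 5, 8, 4, 2)
ID_CHECK_CHARS = "10X98765432"


def valid_resident_id(s):
    """Verify the GB 11643 check character (weighted sum mod 11)."""
    total = sum(int(d) * w for d, w in zip(s[:17], ID_WEIGHTS))
    return ID_CHECK_CHARS[total % 11] == s[17].upper()


def luhn_ok(digits):
    """Luhn checksum, used to weed out random digit runs as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total % 10 == 0


def classify(text):
    """Return the kinds of personal data found in one clipboard string."""
    kinds = set()
    if PHONE.search(text):
        kinds.add("phone")
    ids = [m for m in RESIDENT_ID.findall(text) if valid_resident_id(m)]
    if ids:
        kinds.add("resident_id")
    if any(luhn_ok(m) for m in CARD.findall(text) if m not in ids):
        kinds.add("bank_card")
    return kinds


def risk(text):
    """'combo' = linked items in one copy, 'single' = one item, 'none'."""
    n = len(classify(text))
    return "combo" if n >= 2 else "single" if n == 1 else "none"


# Constructed sample clipboard contents (not real personal data).
SAMPLES = [
    "Zhang San, 13800138000, ID 11010519491231002X",
    "card 4111111111111111",
    "hunter2!x9",
]
```

A lone password falls through as `none`, matching the point that an isolated string carries little meaning, while a phone number copied together with an ID number is reported as `combo`.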
