hngopher.com

       [HN Gopher] Popular iPhone and iPad Apps Snooping on the Pasteboard
       ___________________________________________________________________
        
       Popular iPhone and iPad Apps Snooping on the Pasteboard
        
       Author : clairity
       Score  : 34 points
       Date   : 2020-03-13 18:28 UTC (4 hours ago)
        
 (HTM) web link (www.mysk.blog)
 (TXT) w3m dump (www.mysk.blog)
        
       | brundolf wrote:
       | > Apps on iOS and iPadOS have unrestricted access to the system-
       | wide general pasteboard, also referred to as the clipboard.
       | 
       | Yikes. This is horrible, and really it's unacceptable given
       | Apple's privacy rhetoric. Even the web doesn't have this
       | vulnerability. And it's easy to fix, too! Why in the world should
       | an app be able to see the clipboard? It should only see the text
       | I enter into its fields (via pasting or otherwise).
        
         | katsura wrote:
         | Browsers use it to help you with the copied links. When you
         | click into the URL bar they offer you to jump to the previously
         | copied link right away.
        
       | lazyjones wrote:
       | Is there a MacOS utility that clears the pasteboard N minutes
       | after its last content change?
        
       | diebeforei485 wrote:
       | As web browsers have gotten more privacy-aware, native apps have
       | fallen behind. This is just another example of that.
       | 
       | Recent versions of Chrome show a prompt when websites do this in
       | javascript.
        
         | deadmutex wrote:
         | > Recent versions of Chrome show a prompt when websites do this
         | in javascript.
         | 
         | Yep, and here is the spec for others who might be wondering
         | about how it works:
         | 
         | https://developers.google.com/web/updates/2018/03/clipboarda...
        
       | stereo wrote:
       | Some apps use this to offer to open an URL in the app.
       | 
       | "Your clipboard contains a link to a $localnewspaper article, do
       | you want to open it?"
        
       | acwan93 wrote:
       | I really hope we don't start getting into a parade of dialogs
       | going "X app requests permission to use Y".
       | 
       | I get why it's important from a privacy-perspective, but most
       | people aren't going to care. They'll just mash the "Allow" button
       | until they get what they want.
        
         | ThePowerOfFuet wrote:
         | And that's fine -- but it still empowers people who do care.
        
         | brundolf wrote:
         | I don't see why this even _needs_ a dialog. What legitimate
         | reason is there for an app to see my clipboard without me
         | pasting anything?
        
           | acwan93 wrote:
           | Exactly. Obscuring the pasteboard or something along those
           | lines is unfortunately the solution.
        
           | shoyer wrote:
           | Google Maps does this (at least on iOS), and it's actually
           | pretty convenient. As soon as I click on the search bar, I
           | can immediately click on my copied text to go there without
           | doing the "tap and hold" dance.
        
             | brundolf wrote:
             | Maybe the iOS keyboard itself needs a "just tap" paste
             | button? That would seem generally-useful.
        
           | jws wrote:
           | The app might be implementing the paste function. The most
           | common use case of copying and pasting text could probably be
           | hidden inside the standard text fields, but consider images,
           | sounds, or custom data types. The app needs to grab these off
           | the clipboard and do something with them and will be
           | triggering the action from some custom user interface
           | element. Even for text, a terminal emulator or word processor
           | is not going to be using a standard text field as the target.
           | 
           | Most apps could probably live happily with there being an
           | entitlement for 'unsecured clipboard access' to enable
           | anything but text into a text field.
        
             | brundolf wrote:
             | The OS could provide a dedicated button of its own for
             | pasting images, etc. It could be recognizable and standard
             | and apps could embed it as needed.
             | 
             | The key is that apps shouldn't have silent, _arbitrary_
             | clipboard access. The user should have to do an action for
             | the clipboard 's contents to be transferred. The only way
             | to prevent abuse is for a system-provided widget to be the
             | one making the actual API call.
             | 
             | Another option would be to provide apps an API call that
             | opens a system "paste dialog", asking the user, "Paste X
             | into this app?". This would have the added bonus of giving
             | the user a preview of what they have in their clipboard
             | before actually performing the paste. It could even show a
             | history of the last several copied items in case they want
             | to paste one of those instead, which would be a genuine
             | productivity-booster.
        
       ___________________________________________________________________
       (page generated 2020-03-13 23:00 UTC)