[HN Gopher] Popular iPhone and iPad Apps Snooping on the Pasteboard
___________________________________________________________________

Author : clairity
Score  : 34 points
Date   : 2020-03-13 18:28 UTC (4 hours ago)

(HTM) web link (www.mysk.blog)
(TXT) w3m dump (www.mysk.blog)

| brundolf wrote:
| > Apps on iOS and iPadOS have unrestricted access to the system-wide general pasteboard, also referred to as the clipboard.
|
| Yikes. This is horrible, and really it's unacceptable given
| Apple's privacy rhetoric. Even the web doesn't have this
| vulnerability. And it's easy to fix, too! Why in the world should
| an app be able to see the clipboard? It should only see the text
| I enter into its fields (via pasting or otherwise).

| katsura wrote:
| Browsers use it to help you with the copied links. When you
| click into the URL bar they offer you to jump to the previously
| copied link right away.

| lazyjones wrote:
| Is there a macOS utility that clears the pasteboard N minutes
| after its last content change?

| diebeforei485 wrote:
| As web browsers have gotten more privacy-aware, native apps have
| fallen behind. This is just another example of that.
|
| Recent versions of Chrome show a prompt when websites do this in
| JavaScript.

| deadmutex wrote:
| > Recent versions of Chrome show a prompt when websites do this in JavaScript.
|
| Yep, and here is the spec for others who might be wondering
| about how it works:
|
| https://developers.google.com/web/updates/2018/03/clipboarda...

| stereo wrote:
| Some apps use this to offer to open a URL in the app.
|
| "Your clipboard contains a link to a $localnewspaper article, do
| you want to open it?"

| acwan93 wrote:
| I really hope we don't start getting into a parade of dialogs
| going "X app requests permission to use Y".
|
| I get why it's important from a privacy-perspective, but most
| people aren't going to care. They'll just mash the "Allow" button
| until they get what they want.

| ThePowerOfFuet wrote:
| And that's fine -- but it still empowers people who do care.

| brundolf wrote:
| I don't see why this even _needs_ a dialog. What legitimate
| reason is there for an app to see my clipboard without me
| pasting anything?

| acwan93 wrote:
| Exactly. Obscuring the pasteboard or something along those
| lines is unfortunately the solution.

| shoyer wrote:
| Google Maps does this (at least on iOS), and it's actually
| pretty convenient. As soon as I click on the search bar, I
| can immediately click on my copied text to go there without
| doing the "tap and hold" dance.

| brundolf wrote:
| Maybe the iOS keyboard itself needs a "just tap" paste
| button? That would seem generally-useful.

| jws wrote:
| The app might be implementing the paste function. The most
| common use case of copying and pasting text could probably be
| hidden inside the standard text fields, but consider images,
| sounds, or custom data types. The app needs to grab these off
| the clipboard and do something with them and will be
| triggering the action from some custom user interface
| element. Even for text, a terminal emulator or word processor
| is not going to be using a standard text field as the target.
|
| Most apps could probably live happily with there being an
| entitlement for 'unsecured clipboard access' to enable
| anything but text into a text field.

| brundolf wrote:
| The OS could provide a dedicated button of its own for
| pasting images, etc. It could be recognizable and standard
| and apps could embed it as needed.
|
| The key is that apps shouldn't have silent, _arbitrary_
| clipboard access. The user should have to do an action for
| the clipboard's contents to be transferred. The only way
| to prevent abuse is for a system-provided widget to be the
| one making the actual API call.
|
| Another option would be to provide apps an API call that
| opens a system "paste dialog", asking the user, "Paste X
| into this app?". This would have the added bonus of giving
| the user a preview of what they have in their clipboard
| before actually performing the paste. It could even show a
| history of the last several copied items in case they want
| to paste one of those instead, which would be a genuine
| productivity-booster.
___________________________________________________________________
(page generated 2020-03-13 23:00 UTC)