I've said this before on similar posts, but I think most clipboard "snooping" is not nefarious, it's boneheaded. Developers get a requirement like "if the user has a URL in their clip board, give them an option to share it with a single click". Then they do a poor job actually implementing this code by sticking it in some delegate the fires way more often than they think and all of a sudden they're "snooping". Not saying there aren't bad actors, just saying we're maybe blowing it out of proportion.
And kudos to Apple for making this stuff more obvious in iOS 14.
And I’ll again ask a question that was misunderstood (my fault): is there a missing API for something common, useful, non-boneheaded and clearly better from a privacy perspective?
For example you can check if clipboard has an URL, and if exists you can use it. Checking part would not trigger privacy alert. Actually it is documented way of doing this.
OP here! I believe Apple is badly letting its users down.
The interaction and security paradigms on iOS being better and different to macOS is something Apple invests heavily in marketing. I'm a technically proficient user, but I didn't know that my iOS clipboard was an open book for each app. Basically: I believe that the average user has an increased expectation of privacy on iOS, and Apple does a lot to cultivate that expectation.
My intuitive belief in how it worked (which turned out to be wrong) is probably close to the system I now advocate for Apple to reform to:
0. Apps cannot access clipboard contents by default,
1. UIPasteboard should be pollable for whether the clipboard has contents on it or not,
2. UIPasteboard should be able to return the type of object on the clipboard so that apps don't incorrectly show e.g. an active "Paste" button when the user has a text input field selected and an image is stored on the clipboard,
3. Apps should only be allowed to access the contents of the clipboard when a user invokes a specific action to paste.
4. Apps which wish to prefetch URLs or other predictable strings (e.g. feed-readers and podcast apps) should present a regex-type pattern for the type of string they expect to be on the clipboard, and then Apple should display the URL in the system keyboard (where the predictive text field / SMS code fetch goes atm).
It's crazy to me that Apple is being applauded for sending privacy alerts for a behaviour they have the power to stop.
1. It does. numberOfItems will tell you how many items are on the pasteboard.
2. It does. contains(pasteboardTypes: [String]) will tell you whether the pasteboard contains items of particular types.
3. Okay, but that's a huge shift from the status quo and breaks quite a few app workflows, especially conveniences the user expects.
4. Yes, this would be the biggest improvement to fix the disruption caused by 3.
Edit: But even with 4, automatic access would still trigger the new iOS 14 warning, unless Apple turns that off if you've queried for a particular pattern. I don't see that happening. I'm guessing devs will just provide their own approval for this feature so the users aren't surprised when they see the pasteboard access warning.
Sorry if I wasn't clear: this should be the ONLY way clipboard contents can be accessed. Saying "it does" work like this tells half the story: developers can do these sensible things to check out the clipboard in a privacy-conscious way, but if apps can choose to access it without doing those things, it's not working as a user might expect it to.
Can you think of any conveniences which are broken by step 3? It's probably just my basic workflows, but I _never_ see any prefetching of clipboard contents with the exception of URLs.
Every OS that I am aware of gives the foreground app unfettered access to the clipboard. Is anyone aware of any counter example?
Given that Android has even allowed background applications to constantly monitor the contents of the clipboard, I don't feel particularly let down by Apple giving me a way to see which apps are accessing the contents of the clipboard without any user interaction on my part.
> Every OS that I am aware of gives the foreground app unfettered access to the clipboard.
The point is not whether or not other OSes do this. The point is:
1. At least some iPhone users would be surprised that Apple allows this on iOS given the emphasis Apple places on privacy.
2. Apple has been aware that apps are abusing this privilege for some time -- at least as long as it took them to develop the new alert to apps abusing the privilege, maybe longer.
3. Apple has seemingly continued to approve apps which are spying on users.
4. I don't believe Apple can make any promises that bad actors have not been able to clandestinely transmit the contents of users' clipboards to their own servers.
Many users, including me, outsource their infosec to Apple because they champion privacy, end-to-end encryption, and things like notifications for apps which are monitoring location.
But there is no good reason for an app like TikTok or LinkedIn to be constantly making a copy of the contents of your clipboard, and Apple is aware that they have been doing it.
I don't dispute that unfettered access to the clipboard is an attractive feature on many devices (not to mention hard to police on macOS given the prevalence of non-App Store apps), but on iOS expectations and messaging are very significantly different.
The second paragraph on Apple's app store review webpage:
> We take responsibility for ensuring that apps are held to a high standard for privacy, security, and content because nothing is more important than maintaining the trust of our users.
Do you consider their actions here -- knowingly approving apps to the store which could, without permission, transmit your clipboard contents anywhere they want -- to be in keeping with that promise?
My biggest complaint is how apps have permissions to “pull” stuff from the device rather than the user getting to “push” only what they deem necessary. Simple example: why does an app need access to all my photos? When I want to share a photo, clicking the share button inside the app should open up a system dialog for me to pick which photos I want to share — and the app should only ever have access to those!
Then you have to deal with the fact that you get a bunch of developers not liking the default implementation that was given to them and complain that they can’t write their own. Everyone starts screaming “walled garden!” and that they’re held back from making ad revenue in someway shape or form.
I think it was a mistake of Apple to allow non-os photo pickers. I've got a big photo library (~100k photos) and custom photo pickers a) take forever to start up, and more importantly, b) mess up the ordering of albums and/or photos which makes it a nightmare to find anything.
> When I want to share a photo, clicking the share button inside the app should open up a system dialog for me to pick which photos I want to share — and the app should only ever have access to those!
That's how it seems to be working in iOS 14 - you get asked if you want to "select more photos" or "keep current selection" and afaict, it looks to the app like your photo library is only those photo you've selected for that app. e.g if I pick "keep current selection" in WhatsApp, it currently only sees one photo in the Recents album, nothing in anything else.
Let people select photos and videos to use in your app without requiring full Photo Library access. Discover how the PHPicker API for iOS and Mac Catalyst ensures privacy while providing your app the features you need.
There’s sometimes a trade-off between privacy and utility and Apple are very good at making tough decisions on users’ behalf. Not perfect, but very good. Clipboard “snooping” could be anywhere between enthusiastic developers providing utility to ZOMG THE DEEP STATE IS SPYING ON ME, and the original article is a bit breathless and eager to stick it to Apple. There are a limited number of Access All Areas passes doled out by iOS and that number is shrinking.
17 comments
[ 0.20 ms ] story [ 44.5 ms ] threadAnd kudos to Apple for making this stuff more obvious in iOS 14.
The interaction and security paradigms on iOS being better and different to macOS is something Apple invests heavily in marketing. I'm a technically proficient user, but I didn't know that my iOS clipboard was an open book for each app. Basically: I believe that the average user has an increased expectation of privacy on iOS, and Apple does a lot to cultivate that expectation.
My intuitive belief in how it worked (which turned out to be wrong) is probably close to the system I now advocate for Apple to reform to:
0. Apps cannot access clipboard contents by default,
1. UIPasteboard should be pollable for whether the clipboard has contents on it or not,
2. UIPasteboard should be able to return the type of object on the clipboard so that apps don't incorrectly show e.g. an active "Paste" button when the user has a text input field selected and an image is stored on the clipboard,
3. Apps should only be allowed to access the contents of the clipboard when a user invokes a specific action to paste.
4. Apps which wish to prefetch URLs or other predictable strings (e.g. feed-readers and podcast apps) should present a regex-type pattern for the type of string they expect to be on the clipboard, and then Apple should display the URL in the system keyboard (where the predictive text field / SMS code fetch goes atm).
It's crazy to me that Apple is being applauded for sending privacy alerts for a behaviour they have the power to stop.
2. It does. contains(pasteboardTypes: [String]) will tell you whether the pasteboard contains items of particular types.
3. Okay, but that's a huge shift from the status quo and breaks quite a few app workflows, especially conveniences the user expects.
4. Yes, this would be the biggest improvement to fix the disruption caused by 3.
Edit: But even with 4, automatic access would still trigger the new iOS 14 warning, unless Apple turns that off if you've queried for a particular pattern. I don't see that happening. I'm guessing devs will just provide their own approval for this feature so the users aren't surprised when they see the pasteboard access warning.
Can you think of any conveniences which are broken by step 3? It's probably just my basic workflows, but I _never_ see any prefetching of clipboard contents with the exception of URLs.
Given that Android has even allowed background applications to constantly monitor the contents of the clipboard, I don't feel particularly let down by Apple giving me a way to see which apps are accessing the contents of the clipboard without any user interaction on my part.
The point is not whether or not other OSes do this. The point is:
1. At least some iPhone users would be surprised that Apple allows this on iOS given the emphasis Apple places on privacy.
2. Apple has been aware that apps are abusing this privilege for some time -- at least as long as it took them to develop the new alert to apps abusing the privilege, maybe longer.
3. Apple has seemingly continued to approve apps which are spying on users.
4. I don't believe Apple can make any promises that bad actors have not been able to clandestinely transmit the contents of users' clipboards to their own servers.
Many users, including me, outsource their infosec to Apple because they champion privacy, end-to-end encryption, and things like notifications for apps which are monitoring location.
But there is no good reason for an app like TikTok or LinkedIn to be constantly making a copy of the contents of your clipboard, and Apple is aware that they have been doing it.
I don't dispute that unfettered access to the clipboard is an attractive feature on many devices (not to mention hard to police on macOS given the prevalence of non-App Store apps), but on iOS expectations and messaging are very significantly different.
The second paragraph on Apple's app store review webpage:
> We take responsibility for ensuring that apps are held to a high standard for privacy, security, and content because nothing is more important than maintaining the trust of our users.
Do you consider their actions here -- knowingly approving apps to the store which could, without permission, transmit your clipboard contents anywhere they want -- to be in keeping with that promise?
That's how it seems to be working in iOS 14 - you get asked if you want to "select more photos" or "keep current selection" and afaict, it looks to the app like your photo library is only those photo you've selected for that app. e.g if I pick "keep current selection" in WhatsApp, it currently only sees one photo in the Recents album, nothing in anything else.
>Meet the new Photos picker
Let people select photos and videos to use in your app without requiring full Photo Library access. Discover how the PHPicker API for iOS and Mac Catalyst ensures privacy while providing your app the features you need.
https://developer.apple.com/videos/play/wwdc2020/10652