How popular apps can read your phone's clipboard without permission

On both iPhone and Android, anything you copy and paste could be intercepted – and app makers fear it is exposing extremely private data

Few people are aware that when they copy text on their smartphone, it could actually be snooped on by every other app on their phone before they even hit "paste". 

But that is the surprising security loophole exposed this month by researchers who caught dozens of popular iPhone apps, including TikTok, HotelTonight and Bejeweled, accessing users' clipboards every time they were opened on screen.

If a user were to switch to such an app just before or just after pasting something sensitive, it would immediately be intercepted without their knowledge or consent. Many people copy and paste passwords between apps, for example, or bank account details.

Now two of the apps – HotelTonight, owned by Airbnb, and Ten Percent Happier, a meditation aid – have told the Telegraph that they have disabled clipboard-reading in their latest updates.

TikTok said that it would do so in the next few weeks, while PopCap, the maker of mobile games including Bejeweled, Fruit Ninja and Plants vs Zombies Heroes, said it would do the same, though did not say when.

All those apps traced the behaviour to software tools developed by Apptimize, a product testing firm, and Google. The two companies gave detailed explanations of why they do it, vowing that they never accessed any private information through the clipboard. 

But Tencent, the Chinese tech giant behind the "battle royale" game PUBG Mobile, refused to give any reason for its clipboard-reading. Other cases of clipboard-reading remain unexplained.

The loophole that allows this practice remains open on both iPhones and Android phones, and developers fear that it could be exploited to steal sensitive information including passwords, identity numbers and personal emails.

"A malicious app could use this and go completely undetected," said Talal Haj Bakry, a veteran iPhone developer who conducted the research with his associate Tommy Mysk. "We haven't found a real world example of this, but the doorway is wide open."

What's in your clipboard?

Security experts have worried for years about clipboard-reading, because smartphone users routinely put extremely private information in their clipboards.

"Our mobile app users copy passwords to their clipboards for many reasons," said a spokesman for Zoho Vault, a password manager app which lets people generate and store multiple unique login details. "These are business-critical and any vulnerability or loophole could harm our users monetarily and non-monetarily."

To highlight the issue, Haj Bakry and Mysk tested numerous iPhone apps, focusing on those that accessed the clipboard every time they were brought up on screen rather than only when first booted up.

Some had an obvious reason to do so: Google Search reads the clipboard to make it easier to search for copied text, while delivery apps read it to check for tracking numbers. Others had no such clear rationale.

Why it's really happening

Inquiries by the Telegraph revealed that much of the clipboard reading was actually being done by widely-used third-party tools called software development kits, or SDKs, which app makers had integrated into their code.

HotelTonight and Ten Percent use the Apptimize SDK, which reads the clipboard on iPhones and Android phones. TikTok and Popcap's games use outdated versions of Google's mobile advertising SDK, which previously did the same on iPhones only (newer versions do not).

The two SDKs do this for a very narrow purpose: to scan for unique codes which app makers sometimes use to unlock special development features on their own devices. Both companies were adamant that no personal data would ever be sent back to their servers, because their software checks the codes on users' devices and ignores anything that is not a valid code.

Haj Bakry believes that the apps he tested are probably not dangerous. His real concern is how the sweeping permissions granted to app makers could be abused. 

Both Apple's iOS operating system and Google's Android let apps read the clipboard whenever they are on screen and in use. Older versions of Android let them read it at any time while running in the background.

Many Android users were angry about that change, introduced in Android 10, because it curtailed the use of clipboard manager apps, which let users retain multiple items in their clipboards for later use.

However, data from Counterpoint Research suggests only 25pc of handsets will be upgraded to Android 10, the latest version, by September, potentially leaving more than 1.8bn phones exposed.

Smartphone giants won't budge

Although neither Apple nor Google was willing to comment, Apple did respond privately to Haj Bakry and Mysk back in February, denying any vulnerability.

The company said that it clears clipboard data automatically after one hour, allows app makers to set their own expiry times and would not allow a malicious app to get past its security staff. 

Password managers contacted by the Telegraph, including LastPass, 1Password, Roboform and Dashlane, all said they impose expiry times of between 15 seconds and five minutes.

But Haj Bakry fears this may not be enough against determined attackers. Research suggests that people switch apps about every minute on average, while some apps – such as iOS widgets and apps on older Android phones – can read the clipboard continuously in the background.  
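The expiry mechanism Apple and the password managers refer to is exposed to iOS developers through UIPasteboard's options. The following is an added example, not code from the article or from any of the password managers named in it, showing how an app can put a secret on the general pasteboard with a system-enforced expiry and without syncing it to other devices via Universal Clipboard. The 60-second default and the function names are assumptions for illustration; as the paragraph above notes, a short expiry narrows the window but does not stop a foreground app from reading the clipboard within it.

```swift
import UIKit
import UniformTypeIdentifiers

/// Places `secret` on the general pasteboard so that it is only
/// available on this device (`.localOnly`) and is removed by the
/// system at `.expirationDate`.
/// Added example: the 60-second default is an assumed value, not any
/// vendor's actual setting.
func copySecretWithExpiry(_ secret: String, seconds: TimeInterval = 60) {
    let pasteboard = UIPasteboard.general
    let expiry = Date().addingTimeInterval(seconds)
    pasteboard.setItems(
        [[UTType.utf8PlainText.identifier: secret]],
        options: [
            .localOnly: true,        // keep the item off Universal Clipboard / Handoff
            .expirationDate: expiry  // system clears the item at this time
        ]
    )
}

/// Explicitly empties the pasteboard, e.g. when the user has pasted the
/// secret or the app moves to the background, rather than relying on
/// the expiry alone.
func clearPasteboard() {
    UIPasteboard.general.items = []
}

/// Example wiring (assumed view-controller context): clear the secret
/// as soon as the app leaves the foreground, since another app that
/// comes on screen can read the clipboard while the item is still live.
func registerBackgroundClear() -> NSObjectProtocol {
    return NotificationCenter.default.addObserver(
        forName: UIApplication.didEnterBackgroundNotification,
        object: nil,
        queue: .main
    ) { _ in
        clearPasteboard()
    }
}
```

The `.expirationDate` option has been available since iOS 10, so it works on every device that can run the apps discussed above; the observer returned by `registerBackgroundClear()` should be kept and removed with `NotificationCenter.default.removeObserver(_:)` when the owning screen is dismissed.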

App makers fear for their users

Some app companies described this broad, routine access as being fundamentally necessary to the ability to copy and paste. It is unclear which other operating systems offer the same access.

Yet password manager makers remain concerned enough to have built specific tools to protect their users, letting them extract their login details without copying and pasting.

"This is why we have worked so hard to reduce use of the clipboard," said Jeffrey Goldberg, "chief defender against the dark arts" at 1Password. "App stores attempt to block malicious apps, but that doesn't mean they will catch everything."

Zoho and 1Password said they considered the issue a danger to their users. Zoho, LastPass and Ten Percent Happier also said it would be safer if automatic clipboard access were restricted to apps that have gained users' consent, if technically feasible.

That is Haj Bakry's preferred solution. "You can deny access to your camera, your photos, your microphone," he said. "We think the clipboard [should] get the same treatment."
