Important info about iOS 14, clipboard data & privacy notifications

You may have heard about the privacy improvements Apple has put into its iOS 14 beta and their impact. Essentially, Apple has introduced new privacy notifications that alert users when an app accesses the device’s clipboard. You can read more about these new features at https://www.cnbc.com/2020/07/10/apple-ios-14-privacy-improvements-visual-notifications.html

So for the first time, if you’re using this new version of iOS and an app you’re using accesses your clipboard, you’ll get a notification from Apple. This sounds alarming; however, in some cases it’s nothing to worry about, i.e. an app that accesses your clipboard data is typically not storing it, copying it or making any record of it, and doing so has been common practice for purposes of improving user experience or debugging.

Multiple apps, including LinkedIn, TikTok and the New York Times, have triggered these notifications on the new iOS (you can read more about this at https://www.infoq.com/news/2020/07/ios-clipboard-bug/), and the reason we’re bringing it up is that one of our customers reported they’d received the notification for the Xinja app.

Firstly, to reassure you, the content of your clipboard is NOT stored or shared externally by our application or by any of the libraries we are using. No data is disclosed as a result of this.

The cause in Xinja’s case is one of the external libraries we are using. The Xinja platform itself does not capture or read the content of the clipboard without your permission.

However, one of the libraries we recently introduced, which will allow us to send application notifications, occasionally looks for a special token placed by the user on the device’s clipboard for troubleshooting purposes. If the content of the clipboard does not match the expected format of the token, the data is ignored and immediately discarded.
What the library is looking for is a long, encoded string, so the chance of the clipboard containing one is extremely small (virtually zero) unless it came from the Xinja app itself. An example of the code (which we’ve scrambled, but you get the gist) is below:
OTQ2YjEwMjVlMTI5NDQ0NDAzNDEyNjc1MzY2YTFhNTYxYzBlMWI0ZjIzMDAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTA=
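As an added illustration, and not Xinja’s code or the third-party library’s code, the Swift sketch below shows the shape a clipboard token lookup should take on iOS if it has to exist at all: the read only happens on an explicit user action, a non-reading pre-check (UIPasteboard.hasStrings, which does not trigger the iOS 14 banner) gates it, the value is validated strictly before use, and the raw clipboard text is never logged or kept. The token length (100 characters, matching the scrambled sample above), the Base64 format, and every type and method name here are assumptions made for the example.

```swift
import UIKit

// Added example: a hardened diagnostic-token lookup. Not Xinja's code and not
// the unnamed third-party library's code. The token format (fixed-length
// Base64) and all names below are assumptions for illustration only.

enum DiagnosticTokenError: Error {
    case nothingToPaste   // clipboard holds no string content at all
    case notAToken        // string content present but not a well-formed token
}

struct DiagnosticTokenReader {
    /// Assumed token length; chosen to match the scrambled sample in the post.
    static let tokenLength = 100

    /// Cheap pre-check that does NOT read the clipboard: `hasStrings` only
    /// reports whether string content exists, so it does not trigger Apple's
    /// "pasted from" notification. If this is false there is nothing to do.
    static func clipboardMightHoldToken(_ pasteboard: UIPasteboard = .general) -> Bool {
        return pasteboard.hasStrings
    }

    /// Strict format check applied before the value is used anywhere.
    /// Ordinary pasted text (URLs, messages, passwords) fails the length test
    /// or contains characters outside the Base64 alphabet, so it is rejected
    /// and dropped without being stored.
    static func validate(_ candidate: String) -> Bool {
        guard candidate.count == tokenLength else { return false }
        // Data(base64Encoded:) returns nil for any string that is not valid
        // Base64 (bad alphabet or bad padding).
        return Data(base64Encoded: candidate) != nil
    }

    /// Reads the clipboard exactly once. Call this only from an explicit user
    /// action (a "Paste diagnostic token" button), never on launch or on a
    /// timer: reading `.string` is what triggers the iOS 14 notification, so
    /// the user should always know why it appeared.
    static func readTokenIfPresent(_ pasteboard: UIPasteboard = .general) throws -> String {
        guard clipboardMightHoldToken(pasteboard) else {
            throw DiagnosticTokenError.nothingToPaste
        }
        guard let candidate = pasteboard.string, validate(candidate) else {
            // Non-matching content goes out of scope here and is not retained.
            throw DiagnosticTokenError.notAToken
        }
        return candidate
    }
}

/// Assumed support screen showing the only place the lookup is invoked.
final class SupportViewController: UIViewController {
    @IBAction func pasteDiagnosticToken(_ sender: UIButton) {
        do {
            let token = try DiagnosticTokenReader.readTokenIfPresent()
            handOffToDiagnostics(token)
        } catch {
            // Show a neutral message to the user. The error cases carry no
            // clipboard content, so nothing sensitive can leak into logs.
            showMessage("No diagnostic token found on the clipboard.")
        }
    }

    private func handOffToDiagnostics(_ token: String) {
        // Assumed hook into the app's troubleshooting flow; the token itself
        // is the only value passed on, never the unvalidated clipboard text.
    }

    private func showMessage(_ text: String) {
        let alert = UIAlertController(title: nil, message: text, preferredStyle: .alert)
        alert.addAction(UIAlertAction(title: "OK", style: .default))
        present(alert, animated: true)
    }
}
```

The design choice worth noting is that the pre-check and the explicit user action remove the silent, periodic read that caused the notifications in the first place; the format validation is the last line of defence, not the first. For the built-in pattern types (web URLs, web searches, numbers), iOS 14 also offers UIPasteboard.detectPatterns(for:completionHandler:), which lets an app ask whether such content is present without reading it, but it does not cover custom token formats like the one described here.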

Whilst the process does not present any risk for customers, the approach used by the library is not best practice. We have already identified a workaround to stop this from occurring, and it will go out in our next release (20.7.1) shortly. The supplier is aware and is also working on resolving the issue on their side and removing the functionality from their library. It is also worth saying that we will continue monitoring for any other instances of clipboard reading and will prioritise removing them immediately.

Incidentally, misuse of clipboard data would have been picked up in our third-party library security audit prior to implementation, and/or in one of our regular security audits and penetration tests since. In this case we don’t believe it to be a misuse; however, we do feel that this particular troubleshooting capability provided by the third-party library does not belong in our app, which is why we’re disabling it.

So, if you are using iOS 14 beta and have received such a notification from Apple, this is why.

However, we’ll be releasing a new version (20.7.1) of our app shortly, and once installed, you won’t receive any more of these notifications.

JB (aka @xinjasecure)