Voitova says there are a few reasons why app developers may be collecting clipboard data. One of these reasons is for ad tracking purposes. “From an iOS perspective, I imagine there are quite a lot of apps that access the clipboard,” says Aidan Fitzpatrick, founder of app data firm Reincubate. “I imagine there are quite a lot of apps that abuse what’s on the clipboard to boost engagement in their app or learn more about you.”
Apps from game developer Popcap and Airbnb’s HotelTonight app, which had both been seen capturing clipboard data, told The Telegraph that it had traced the behavior back to tools from Google and product-testing firm Apptimize, which both have third-party vendor libraries. This hints that the clipboard copying is unintentional on the app developer’s side and could just be a side effect of lazy coding.
Many app developers take advantage of third-party app libraries to improve their apps, for example. It’s sometimes why unintentional clipboard-copying can occur. “The libraries inside the app gather the same permissions as the application itself, but developers often don’t read the code of third-party libraries,” explains Voitova. “A developer might have really good intentions, but some libraries that they use can misuse permissions to do something bad.”
There are, of course, also legitimate user experience reasons for why an app might want to access your clipboard without your permission. A delivery app, for example, might want to automatically paste a tracking number into the text field upon opening the app. But for the apps which are maliciously capturing clipboard data or using the microphone, these privacy notifications and light indicators could get them to change their dodgy behavior.
The iOS 14 privacy notifications, for example, have already pushed TikTok, LinkedIn, Reddit, and Instagram to announce that they will code out the bug or stop the behavior altogether. Vice admitted that its Vice News app, which was flagged by Haj Bakry and Mysk, that it didn’t even know their apps were accessing the clipboard until the iOS 14 beta was released.
Still, it’s wise to remember that most permissions abuse happens on Google’s Android operating system. Last year, researchers from the International Computer Science Institute found that up to 1,325 Android apps were gathering data, despite the researchers’ apps denying them permission to access that data. But whether Google decides to implement privacy notifications, however, is a different story. The company has not said whether it intends to implement a similar feature in the future, but recent versions of Android have been giving users more information about the data that apps collect.
Maximilian Golla, a security researcher at the Max Planck Institute for Security and Privacy says that the business model on Android is different from iOS. “I wonder whether the app developers really want to change this, or Google really wants to implement such a feature, because they depend on this kind of tracking,” he thinks. “Google makes its money from Google AdSense, and I would be surprised if Google implements such a tracking notification.”