Two computer researchers have found that doing copy and paste on the iPhone is very dangerous and endangers personal data
Iphones are “inherently secure” smartphones. Or maybe not: two independent cybersecurity researchers, Talal Haj Bakry and Tommy Mysk, have shown that even doing a trivial copy and paste on an iPhone could lead to a data leak. And not only on iPhone, but also on all devices connected to the same Apple ID.
Apple denies the problem, but at the same time proposes solutions, which the two researchers believe are insufficient to protect data and privacy. Among the information that can be stolen between a copy and paste is a bit of everything, including the user’s location. And it’s no use Apple preventing installed apps from accessing the device’s location: the “trick” invented by Bakry and Mysk is as smart as it is simple and effective. And, what’s more, it works on all iPhones which, as a result, are all at risk. The two researchers not only hypothesized the method of stealing user data, but also developed a small app that can actually do it.
The problem with copy-paste on iPhone
Apple assumes that when you copy information from an app, the one you open next will be the one you want to paste that information into. Therefore, Apple gives the active app in the foreground of your phone access to the operating system’s “pasteboard,” which is essentially a short-term memory where the information you copied is parked. The problem, though, is that the “paste” operation doesn’t always immediately follow the “copy” one: very often the user unknowingly keeps the information in memory and does something else, before pasting it into another app.
In this juncture a third, malicious app could access the pasteboard and steal the copied data. And if by chance the object initially copied is a photograph taken with the camera, among the information copied/stolen there may also be the GPS location recorded in the photo’s metadata. According to the two researchers, moreover, every single running app or widget that is placed in the “Today” view of the iPhone can access this information.
How serious is the problem
But, and this is even more serious, a well-developed app can not only read this confidential information: it can also modify it. This also applies to the so-called “Universal Clipboard,” which is a shared pasteboard accessible by all Apple devices using the same Apple ID. Which means that, via a hacked device, you can access data copied to another, uncompromised device. And that multiplies the problem.
The problem really exists
That’s the theory, but what about the practice? It’s the same: Mysk and Makry developed a simple app with the sole purpose of testing whether the mechanism works. And it works perfectly: the app managed to steal data about the device’s location while copy-pasting a photo. If you copy and paste a password, bank account number or any other type of vulnerable personal information, the app manages to access it in both read and write mode. At this point, if we copy an IBAN from an email message to make a wire transfer through the bank’s app, for example, the malicious app could change that IBAN in the transition between copy and paste and have us send the money to another bank account.
Apple responds
The two researchers notified Apple of this problem, but the Cupertino company downplayed it, “We’ve presented numerous examples of methods to abuse data,” said Mysk, “They’ve provided remedies that are sloppy and don’t solve the problem. Instead, according to Mysk and Bakry, Apple should take these risks very seriously.