
Apple’s iOS pasteboard leaks location data to spy apps
2020-02-26 16:28

An app developer called Mysk has discovered the pasteboard's dark side: malicious apps could exploit it to work out a user's location even when that user has locked down app location sharing.

In the simplest scenario, an iPhone user takes a photo and copies it between apps using the pasteboard. A malicious app could then extract the photo's location metadata from the pasteboard and compare it with timestamps to determine whether the photo was current or taken in the past.

Although a malicious app should only be able to access pasteboard data while active, Mysk bypassed this limit with a demo app, KlipboardSpy, paired with a foreground widget visible in Today View, to prove the hack worked under real-world conditions.

Arguably, Apple is correct because the pasteboard is working exactly as intended - it allows users to exchange data within and between applications while the latter are in the foreground.

Mysk's view is that Apple could protect the iOS pasteboard by integrating it inside its permissions system, allowing users to grant access one app at a time, or by limiting the time apps can access it to the copy-and-paste action.


News URL

https://nakedsecurity.sophos.com/2020/02/26/apples-ios-pasteboard-leaks-location-data-to-spy-apps/