Apple iPhones and iPads are reportedly vulnerable to snooping attacks by third-party apps. The vulnerability is said to exist in iOS’ clipboard, which is accessible to all applications installed on an iPhone or iPad.
Researchers Talal Haj Bakry and Tommy Mysk claimed in a blog post that iOS users may unknowingly expose their precise location simply by copying a photo taken with the native camera app to the pasteboard, also known as the clipboard. The claim rests on iOS and iPadOS apps having unrestricted access to the system-wide clipboard.
“Through the GPS coordinates contained in the embedded image properties, any app used by the user after copying such a photo to the pasteboard can read the location information stored in the image properties, and accurately infer a user’s precise location. This can happen completely transparently and without user consent,” the duo stated in their blog post.
The researchers also published a video demonstrating the vulnerability with a sample app they created called KlipboardSpy and an iOS widget called KlipSpyWidget. The video shows how third-party apps can access data via the system-wide general pasteboard.
Bakry and Mysk submitted their research to Apple on January 2, 2020. After investigating, the company said it does not see any issue in apps having access to the clipboard. One of Apple’s policies also states that “iOS and iPad operating system are designed to allow apps to read the pasteboard only when apps are active in the foreground.” The duo also stated that malicious apps can have access to data as long as the widget is visible in the ‘Today’ view.

Both researchers suggested that Apple should not have allowed unrestricted access to the pasteboard without user consent. “As the pasteboard is designed to store all types of data, the exploit is not only restricted to leaking location information. By gathering all these types of content, a malicious app can covertly build a rich profile for each user, and what it can do with this content is limitless,” the blog post read.