Any cut-and-paste data temporarily stored to an iPhone or iPad’s memory can be accessed by all apps - malicious or not - installed on a device.
According to a Threatpost article, that data can reveal private information such as a user’s GPS coordinates, passwords, banking data, or a spreadsheet copied into an email. Tommy Mysk, a German software engineer, is trying to raise awareness of what he believes is an Apple vulnerability. Mysk created a rogue proof-of-concept (PoC) app called KlipboardSpy and an iOS widget named KlipSpyWidget, which demonstrate how any app installed on an iOS device can read clipboard data and use it to spy on the user or steal sensitive personal information.
Mysk told Threatpost he focused on photos taken by a device’s camera that contain time and GPS metadata that could be used to pinpoint a user. In a blog published by Mysk, he says, "Once a user grants the Camera app access to the location services, which normally happens when the user opens the Camera app for the first time, the Camera app adds precise GPS information to every photo the app takes. GPS information is part of the image metadata that iOS and iPadOS store in every photo. Developers can read these properties using the Image I/O Framework API CGImageSourceCopyProperties. Thus, it is a trivial task for developers to extract GPS information from a photo. The aforementioned facts lay the ground for a potential exploit of precise location information that can be utilized by unauthorized apps."
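The two exposure points described above, the GPS dictionary that Image I/O returns for a photo and the general pasteboard that every app can read, are also where an app developer can reduce the risk. The following Swift snippet is an added example and is not code from Mysk’s PoC or from Apple: it checks an image for GPS metadata with the same Image I/O call the article names, re-encodes the image from its decoded pixels to drop that metadata before it is shared, and writes sensitive text to the pasteboard with an expiry and with Universal Clipboard syncing disabled. The one-minute lifetime and the JPEG re-encoding are assumptions chosen for the example.

```swift
import UIKit
import ImageIO
import UniformTypeIdentifiers

/// Returns true if the image data carries a GPS metadata dictionary.
/// This is the same Image I/O property set the article refers to;
/// any app holding the image bytes can read it the same way.
func imageHasGPSMetadata(_ data: Data) -> Bool {
    guard let source = CGImageSourceCreateWithData(data as CFData, nil),
          let props = CGImageSourceCopyPropertiesAtIndex(source, 0, nil)
              as? [CFString: Any] else {
        return false
    }
    return props[kCGImagePropertyGPSDictionary] != nil
}

/// Re-encodes the image from its decoded pixels. UIImage does not keep the
/// source EXIF/GPS blocks, so the result carries no location data.
/// Assumption: JPEG output at this quality is acceptable for the use case.
func stripLocationMetadata(from data: Data) -> Data? {
    guard let image = UIImage(data: data) else { return nil }
    return image.jpegData(compressionQuality: 0.9)
}

/// Copies an image to the general pasteboard only after location metadata
/// has been removed, so other apps cannot recover GPS coordinates from it.
func copyImageWithoutLocation(_ data: Data) -> Bool {
    guard let clean = stripLocationMetadata(from: data),
          !imageHasGPSMetadata(clean) else { return false }
    UIPasteboard.general.setItems(
        [[UTType.jpeg.identifier: clean]],
        options: [.localOnly: true]          // do not sync via Universal Clipboard
    )
    return true
}

/// Places sensitive text (a password, an account number) on the pasteboard
/// with a short lifetime; iOS clears the item once the date passes.
/// Assumption: a 60-second window is enough for the user's paste.
func copySensitiveText(_ text: String, lifetime: TimeInterval = 60) {
    UIPasteboard.general.setItems(
        [[UTType.utf8PlainText.identifier: text]],
        options: [
            .localOnly: true,
            .expirationDate: Date().addingTimeInterval(lifetime)
        ]
    )
}
```

These options limit how long and how far a copied value travels, but they do not stop an app already running on the device from reading the pasteboard during that window, which is the point Mysk’s PoC makes.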
In addition, Mysk says he considers this leak very critical because it gives away precise location information without the user’s consent. "Exposing such precise location information can be life-threatening in some parts of our world. Having said that, unrestricted access to the pasteboard can lead to other personal data breaches," the blog says.
Apple told Mysk that it did not consider its implementation of cut-and-paste a vulnerability but rather a basic function of most operating systems and the applications that run on them, Mysk told Threatpost.
Chris Hazelton, Director of Security Solutions at Lookout, told Security Magazine that, "Copy/paste is the fastest way to share data between apps on a mobile device - this data may be sensitive (e.g., proprietary info, client info) and could be considered a breach of company data. iOS devices are used in nearly every boardroom and are carried by world leaders of countries and companies around the globe."
Allowing any app on an iOS device to read the clipboard creates a data leakage risk, notes Hazelton. "Users could perceive this as the result of Apple prioritizing the user experience over data security. While Apple approves almost every app that runs iOS, except those side-loaded by users, there is a risk from apps that don’t break developer rules but have access to clipboard data, and see key data shared between executives, politicians and journalists," he adds.