Apple prides itself on protecting its users’ privacy and personal information. Not only does the company go out of its way to tout its commitment to privacy, but it also frequently uses that position to differentiate itself from its competition. That’s especially true when it comes to companies like Google and Facebook, who take different positions on privacy.
That’s why it may come as a surprise to many of us that our iOS devices have a very real privacy vulnerability that’s just sitting there waiting to be taken advantage of. Even more surprisingly, Apple apparently has no intention of fixing it.
The flaw is due to what might seem like a very benign feature: copy and paste. In fact, most of us use copy and paste on a daily basis without thinking about it. We certainly don’t imagine that the information we copy could be intercepted by hackers. Apparently it can.
That’s because the iOS clipboard is available to any app on your device, which means that when you copy information, whether text or photos, that information is available to any app that might want to access it.
A pair of security researchers pointed out the vulnerability on January 2, 2020, submitting it to Apple for review. Specifically, their research concluded that:
A user may unwittingly expose their precise location to apps by simply copying a photo taken by the built-in Camera app to the general pasteboard. Through the GPS coordinates contained in the embedded image properties, any app used by the user after copying such a photo to the pasteboard can read the location information stored in the image properties, and accurately infer a user’s precise location. This can happen completely transparently and without user consent.
For its part, Apple’s position seems to be that this is less of a bug, and more of a loophole that can’t actually be manipulated. In fact, according to the researchers, Apple’s response was that it was no big deal.
Except that those researchers then created an app widget that constantly looks for information added to the clipboard and then “pastes” it within the app. That means that it can intercept any information you might copy to the clipboard. Most of the time that’s probably benign information, but it’s not out of the realm of possibility that you might copy something more sensitive like an address, a login, or a password.
In the case of photos, that includes embedded metadata like your location. Location data is especially concerning since it gives away your most personal information: where you are right now.
Apple takes great pains to ensure malicious apps don’t make it into the App Store, but the problem is that there’s nothing malicious about reading the clipboard. That means that an app that takes advantage of this exploit isn’t going to get flagged since Apple sees it as just operating normally.
Of course, as far as we know, no one has ever taken advantage of this vulnerability. That doesn’t mean that no one will ever try.
Still, while Apple obviously has a strong privacy record overall, it’s worth mentioning that the company could allow users to control whether copied photos include metadata, or whether location access should be restricted without user consent.
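Until such a control exists, an app that offers its own "copy photo" action can drop the location block itself before the image reaches the general pasteboard. The Swift sketch below is an added example, not code from Apple or from the researchers; the function names are hypothetical, and it assumes the photo is already in memory as encoded image data (for example JPEG or HEIC).

```swift
import Foundation
import ImageIO
import UIKit

// Hypothetical helper: true if the first image in the data carries a GPS dictionary.
func hasGPSMetadata(_ imageData: Data) -> Bool {
    guard let source = CGImageSourceCreateWithData(imageData as CFData, nil),
          let props = CGImageSourceCopyPropertiesAtIndex(source, 0, nil) as? [CFString: Any]
    else { return false }
    return props[kCGImagePropertyGPSDictionary] != nil
}

// Hypothetical helper: re-writes the image with the GPS dictionary omitted.
// Returns nil if the data cannot be decoded or re-encoded.
func strippingGPS(from imageData: Data) -> Data? {
    guard let source = CGImageSourceCreateWithData(imageData as CFData, nil),
          let type = CGImageSourceGetType(source) else { return nil }

    let output = NSMutableData()
    let count = CGImageSourceGetCount(source)
    guard let destination = CGImageDestinationCreateWithData(output, type, count, nil)
    else { return nil }

    // ImageIO treats a kCFNull value as "remove this property" when copying
    // an image from a source into a destination.
    let null: CFNull = kCFNull
    let overrides = [kCGImagePropertyGPSDictionary: null] as CFDictionary
    for index in 0..<count {
        CGImageDestinationAddImageFromSource(destination, source, index, overrides)
    }
    guard CGImageDestinationFinalize(destination) else { return nil }
    return output as Data
}

// Hypothetical "copy" action: fails closed, so nothing is placed on the
// pasteboard unless the cleaned image is verified to carry no GPS block.
func copyPhotoWithoutLocation(_ imageData: Data) -> Bool {
    guard let cleaned = strippingGPS(from: imageData),
          !hasGPSMetadata(cleaned),
          let source = CGImageSourceCreateWithData(cleaned as CFData, nil),
          let type = CGImageSourceGetType(source) else { return false }
    UIPasteboard.general.setData(cleaned, forPasteboardType: type as String)
    return true
}
```

This only removes the GPS dictionary; other embedded properties such as the capture time and device model stay in the copied image.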
It’s up to you to be aware of how different devices and apps are using your information. At the very least, it’s a good reminder that it’s best to always download apps from developers you trust.