Why it is better to be careful when copying a password on iPhone – La Stampa


Bank details, passwords, personal photos, private messages: these are just some of the things we copy and paste every day on our Android and iOS smartphones to move them from one application to another, without considering that someone might see them. Yet there are those who read, record and remember them: dozens of applications that run on our devices and have access to the clipboard, the portion of memory that holds copied items, either for features the app itself provides or to reuse that information for commercial purposes. Apple has addressed the problem: from the next iOS update (to version 14, expected for September 2020), the system will inform the user whenever an app has taken the information we have copied.

It all started with the discoveries of researcher Tommy Mysk, who in an interview with Ars Technica in March pointed to a list of 53 apps that, for various reasons, make use of the clipboard's contents without the user being aware of it. On iOS, the researcher points out, the problem also extends across multiple devices. The iPhone operating system includes a shared clipboard function, which lets you copy information on one phone and have it synchronized with all compatible devices owned by the same user. The function is used especially for sharing codes, passwords, emails or Bitcoin wallet addresses. “A really dangerous [feature],” Mysk calls it. “There is no reason for apps to read the clipboard. An app that does not have a text field has no reason to read what we copy.”

The reference is precisely to those services that have no specific reason to read what has been copied and do so without the user’s knowledge. These include the news apps of Fox News, The New York Times and the Wall Street Journal, and the games Fruit Ninja, PlayerUnknown’s Battlegrounds and Bejeweled. Viber, Weibo, Zoosk, AccuWeather and DAZN are also on the list reported by Ars Technica.

But the first concerns date back to the end of June, when several users noticed this behavior in TikTok, one of the most popular social networks among young people, with an estimated base of 800 million accounts. Several videos shared on YouTube and Twitter show how the app collects the information held in the clipboard “every three presses of a button”, as one user on Twitter points out. The release of the beta version of iOS 14 made it possible to observe the phenomenon: the system flagged the app’s clipboard activity at almost every button pressed by the user while commenting on a video.

According to a report in the Telegraph at the end of June, TikTok has since released an update that disables the function. The company’s justification is that the behavior came from an anti-spam feature, which checked the user’s clipboard to prevent them from pasting the same comment several times.

“We have already released an updated version of the app on the Store [Apple’s, ed.] in which the anti-spam function has been removed, so as to eliminate any possible confusion,” said a company spokesman. “TikTok is committed to protecting user privacy and being transparent about how our app works.”

However, several months passed between the first promise to remove the function and the release of the update. TikTok had in fact already been named in Mysk’s report in March, but it seems the final decision came only after the announcement of iOS 14, which made the app’s aggressive behavior evident, with practically continuous clipboard reads.

What to do
Although one might assume that this capability exists only to acquire user information, an app’s ability to access the clipboard is extremely useful in some cases. A typical example is parcel tracking: when we receive a message with the tracking code for our shipment and open the courier’s app, many services automatically ask whether we want to use the string of numbers on the clipboard. Similarly, some services use this check to retrieve the code sent during two-factor authentication, which typically serves to verify that the person logging in to an account is really its owner, even if they know the password.

But it is precisely with passwords that the greatest risk arises. The most security-conscious users now make increasingly extensive use of password managers: small programs that hold an archive of all the user’s access credentials, protected by a single very robust password. Generally, the user copies the password when needed and then pastes it into the appropriate text box of the service they want to access. On iOS, however, this password remains stored until another piece of text is copied. Any app that automatically reads the clipboard could then store it, even if it does not know what it refers to or which account it belongs to.

A solution is offered directly in the settings of the most common password managers, where it is generally possible to enable clearing of the clipboard after a period of time chosen by the user. If you have copied a password, it will be deleted once the set time has elapsed. Even so, any app launched in that period could still acquire it silently (in the photo, a screen of the settings of KeePass for iOS).
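
As an added illustration (not code from the article, from Mysk's research or from any particular password manager), this is one way an iOS app can copy a password so that it expires on its own and stays off the clipboard shared with the user's other devices. The names `SecretClipboard`, `copy` and `clearIfUnchanged` and the 30-second default are assumptions made for the example; the `UIPasteboard` calls are Apple's public API.

```swift
import UIKit

// Added example: hypothetical helper for a password-manager style app.
enum SecretClipboard {
    // Uniform type identifier for plain UTF-8 text on the pasteboard.
    private static let plainText = "public.utf8-plain-text"

    /// Copies `secret` with an expiry date and without syncing it to the
    /// user's other devices. Returns the pasteboard change count right
    /// after the write, for later use with `clearIfUnchanged(since:)`.
    @discardableResult
    static func copy(_ secret: String, lifetime: TimeInterval = 30) -> Int {
        let pasteboard = UIPasteboard.general
        let options: [UIPasteboard.OptionsKey: Any] = [
            // Keep the item on this device only (no shared clipboard).
            .localOnly: true,
            // Ask the system to drop the item after `lifetime` seconds.
            .expirationDate: Date().addingTimeInterval(lifetime)
        ]
        pasteboard.setItems([[plainText: secret]], options: options)
        return pasteboard.changeCount
    }

    /// Manual wipe, e.g. when the app moves to the background. It clears
    /// the clipboard only if nothing else has been copied since our write,
    /// so it never destroys something the user copied afterwards.
    static func clearIfUnchanged(since changeCount: Int) {
        let pasteboard = UIPasteboard.general
        guard pasteboard.changeCount == changeCount else { return }
        pasteboard.items = []
    }
}

// Usage inside the app (constructed sample value):
//   let token = SecretClipboard.copy("constructed-sample-password")
//   ... later ...
//   SecretClipboard.clearIfUnchanged(since: token)
//
// The expiry only shortens the exposure window: an app brought to the
// foreground before the deadline can still read the item.
```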
