The iOS clipboard conundrum

The iOS clipboard conundrum

Megan Barker by Megan Barker on

Correction

After this article was published on June 30, 2020, it was pointed out by a keen-eyed user (thank you!) that 1Password for iOS 7.6 does still copy to the clipboard automatically (without your consent) at certain times.

  • When you edit a Login item, the new password is copied to the clipboard.
  • When you create a new Login item, the new password is copied to the clipboard.

These automatic behaviors will cease with the next release – 1Password for iOS 7.6.1. My sincerest apologies for the error and any confusion it has caused.

It was back in March when researchers discovered that a popular video-sharing service was accessing users’ iOS clipboard contents without permission. Apple vowed to address the problem.

At last week’s WWDC 2020, Apple made good on their promise with the release of the iOS 14 developer beta which, among other great security enhancements, notifies you when an application accesses your clipboard.

It’s now been revealed that a number of other apps (53, to be precise) access the iOS clipboard without consent.

This has sparked a lot of conversation, questions, and concern from our customers, and I’d love the chance to address the issue.

What this means

It’s important to remember that nothing has really changed – this clipboard “scraping” has happened for some time. The only difference is that, with the release of iOS 14, you’ll know when it happens. And knowledge is power. Now that companies have been (and will be) called out for their behavior, those with legitimate business models will be far less likely to engage in such practices.

Now, I know why you’re really here, so let’s get to the goods.

First, 1Password never copies data to the clipboard without a specific request from you. In other words, your secure 1Password data will never make it to the clipboard unless you tap Copy, or have Auto-Copy One-Time Passwords turned on.

What’s more, when you autofill 1Password items on an iOS device, 1Password uses the Password AutoFill service, which is built into the framework of iOS. Password AutoFill allows the system itself to pull data from 1Password so there is no interaction with the clipboard (except to copy one-time passwords, when necessary).

What you can do

If you haven’t yet set up AutoFill on your iOS device (and this post has been wholly confusing thus far), that’s my first recommendation.

If you already use 1Password via AutoFill, and you want extra insurance for the odd time you need to copy and paste, turn on Clear Clipboard in 1Password Security settings. That will clear your iOS clipboard of any 1Password data 90 seconds after it’s copied.

You can learn even more about 1Password AutoFill security on the 1Password Support website.

In the end

We love that Apple has remained committed to its stance on user privacy, which it called a “fundamental human right”. We certainly don’t disagree.

1Password will remain committed to our foundation – your security. Part of that commitment is constant development, which does include ways to further reduce the need for people to copy passwords (and other secrets) to the clipboard. We have a staunch belief that you – and only you – should be in control of your information. “Private by design” is not just marketing-speak – it’s how 1Password was built, and how it will stay.

Security Scribbler

Megan Barker - Security Scribbler Megan Barker - Security Scribbler

Tweet about this post