From the defender view: an app registers a clipboard listener or calls ClipboardManager getters; the app is (a) foreground, (b) the default IME, or (c) abusing legacy paths. Shortly after each clipboard change, the app reads the primary clip repeatedly, optionally persists content (local file/DB) and/or exfiltrates it. We correlate: listener/clip-access → privilege/foreground confirmation → bursty reads → local write and/or network egress within a tight window.

| Data Component | Name | Channel |
|---|---|---|
| OS API Execution (DC0021) | android:logcat | ClipboardManager (addOnPrimaryClipChangedListener / getPrimaryClip / getPrimaryClipDescription) invoked by |
| Process Access (DC0035) | android:logcat | Activity/Process state change (mFocusedApp, onResume/onPause) identifying |
| Application Log Content (DC0038) | android:logcat | Default IME active or bound to |
| File Creation (DC0039) | android:logcat | CREATE/WRITE to app-writable DB/file path indicating clipboard dump (e.g., clipboard.db, clip_*.txt) |

| Field | Description |
|---|---|
| TimeWindowSeconds | Max time between clip access → persist/exfil (e.g., 5–45s). |
| MinReadBurst | Minimum reads per clipboard change to flag harvesting (e.g., ≥2). |
| PersistPathRegex | Regex for files/DBs used to stash clipboard content in app container. |
| ExfilDomainAllowlist | Allowlisted domains to suppress false positives for analytics SDKs. |
| ForegroundRequired | Require foreground unless app is the default IME (true/false). |
| UserContext | Work Profile/Developer Mode/Doze to scope alerts. |

From the defender view: an app accesses UIPasteboard contents, sometimes repeatedly, including in background or immediately after another app copies sensitive text. iOS 14+ shows user notifications when pasting cross-app; unified logs reflect pasteboard access, notification, and optional subsequent persistence/exfil. We correlate: pasteboard access → optional cross-app notification → local write (cache/DB) and/or network egress within a short window.

| Data Component | Name | Channel |
|---|---|---|
| Application Log Content (DC0038) | iOS:unifiedlog | UIPasteboard read (general/string/data) by |
| System Notifications (DC0117) | iOS:unifiedlog | "has pasted from" cross-app paste notification text containing source app name |
| File Creation (DC0039) | iOS:unifiedlog | CREATE/WRITE of clipboard dump artifacts in container (clipboard.db, clip_*.txt, caches) |
| Process Access (DC0035) | iOS:unifiedlog | Foreground/background transition for |

| Field | Description |
|---|---|
| TimeWindowSeconds | Max time between pasteboard access → persist/exfil (e.g., 5–60s). |
| MinReadBurst | Minimum reads within window to flag harvesting (e.g., ≥2). |
| PersistPathRegex | Regex for paste dumps in app container. |
| ExfilDomainAllowlist | Allowlisted analytics/CDN endpoints. |
| ForegroundRequired | Require foreground state for benign use; flag background reads. |
| UserContext | Work profile/MDM policy state to scope alerts. |
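As an added example (not part of the original detection strategy), the correlation rule described for both the Android and iOS sections above, implemented in Python over a constructed event stream: a burst of clip reads followed within the window by a persist to a dump path and/or egress to a non-allowlisted domain raises an alert, annotated with how the app held clipboard access. The tunable values, package names, domains and event kinds are assumptions; the iOS case has the same shape with UIPasteboard reads in place of ClipboardManager calls.

```python
import re
# Tunables mirroring the Field tables above (values are constructed examples)
TIME_WINDOW_SECONDS = 30.0
MIN_READ_BURST = 2
PERSIST_PATH_REGEX = re.compile(r"(clipboard\.db|clip_[^/]*\.txt)$")
EXFIL_DOMAIN_ALLOWLIST = {"analytics.example.com"}

# Constructed event stream (not real logcat/unified-log output): (seconds, app, kind, detail).
# foreground/background = Process Access, ime_default = Application Log Content,
# clip_read = OS API Execution / UIPasteboard read, file_write = File Creation, net = egress.
EVENTS = [
    (0.0, "com.example.notes", "foreground", ""),
    (1.0, "com.example.notes", "clip_read", "getPrimaryClip"),
    (2.0, "com.example.notes", "net", "analytics.example.com"),  # allowlisted SDK
    (10.0, "com.example.keyboard", "ime_default", ""),
    (11.0, "com.example.keyboard", "clip_read", "getPrimaryClip"),
    (11.5, "com.example.keyboard", "clip_read", "getPrimaryClipDescription"),
    (12.0, "com.example.keyboard", "file_write", "/data/data/com.example.keyboard/files/clip_001.txt"),
    (14.0, "com.example.keyboard", "net", "collector.example.net"),
    (40.0, "com.example.widget", "background", ""),
    (41.0, "com.example.widget", "clip_read", "getPrimaryClip"),
    (41.5, "com.example.widget", "clip_read", "getPrimaryClip"),
    (43.0, "com.example.widget", "net", "upload.example.org"),
]

def correlate(events, window=TIME_WINDOW_SECONDS, min_burst=MIN_READ_BURST,
              persist_re=PERSIST_PATH_REGEX, allowlist=EXFIL_DOMAIN_ALLOWLIST):
    """One alert per app whose clip reads form a burst of >= min_burst inside `window`
    seconds and are followed, in that window, by a matching persist and/or non-allowlisted egress."""
    events = sorted(events)
    access = {}   # app -> how it currently holds clipboard access (foreground/background/default_ime)
    alerts, done = [], set()
    for t, app, kind, detail in events:
        if kind in ("foreground", "background"):
            access[app] = kind
        elif kind == "ime_default":
            access[app] = "default_ime"
        if kind != "clip_read" or app in done:
            continue
        later = [e for e in events if e[1] == app and t <= e[0] <= t + window]
        reads = sum(1 for e in later if e[2] == "clip_read")
        persist = [e[3] for e in later if e[2] == "file_write" and persist_re.search(e[3])]
        exfil = [e[3] for e in later if e[2] == "net" and e[3] not in allowlist]
        if reads >= min_burst and (persist or exfil):
            # "unconfirmed" = no foreground/IME confirmation seen: the legacy-path/background case
            alerts.append({"app": app, "access": access.get(app, "unconfirmed"),
                           "reads": reads, "persist": persist, "exfil": exfil})
            done.add(app)
    return alerts
```

The single notes-app read with allowlisted egress stays quiet, while the default IME (persist plus egress) and the background reader (egress only) each produce one alert.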