Adversaries may abuse clipboard manager APIs to obtain sensitive information copied to the device clipboard. For example, passwords being copied and pasted from a password manager application could be captured by a malicious application installed on the device.[1]
On Android, applications can use the ClipboardManager.OnPrimaryClipChangedListener() API to register as a listener and monitor the clipboard for changes. However, starting in Android 10, this can only be used if the application is in the foreground, or is set as the device’s default input method editor (IME).[2][3]
On iOS, this can be accomplished by accessing the UIPasteboard.general.string field. However, starting in iOS 14, upon accessing the clipboard, the user will be shown a system notification if the accessed text originated in a different application. For example, if the user copies the text of an iMessage from the Messages application, the notification will read "application_name has pasted from Messages" when the text was pasted in a different application.[4]
| ID | Name | Description |
|---|---|---|
| S1079 | BOULDSPY | |
| S0421 | GolfSpy | |
| S0295 | RCSAndroid |
RCSAndroid can monitor clipboard content.[7] |
| S0297 | XcodeGhost |
XcodeGhost can read and write data in the user’s clipboard.[8] |
| ID | Mitigation | Description |
|---|---|---|
| M1006 | Use Recent OS Version |
Android 10 introduced changes to prevent applications from accessing clipboard data if they are not in the foreground or set as the device’s default IME.[3] |
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0041 | Application Vetting | API Calls |
Application vetting services could detect usage of standard clipboard APIs. |