The data we copy and paste on our phones using the clipboard can reveal sensitive information about us: our passwords, credit card numbers, notes, conversations, website URLs; the list goes on. We trust this feature, believing that the data is secure and shared with an app only when we paste it into that app. But should we trust this feature if dozens of news, gaming, and social media apps are secretly reading all of our clipboard data?

At least 53 iOS mobile apps, including TikTok, Reddit, and LinkedIn, are violating users’ privacy by accessing clipboard data when the apps are active.

An Overview of the Issue

In February, German software engineer Tommy Mysk shared his research demonstrating an iOS clipboard vulnerability: an app on an iOS device can act maliciously, reading clipboard data and using it to spy on the user or steal sensitive personal information. Apple neither limits clipboard access nor requires the user to grant an app explicit permission to read clipboard data. As a result, any app can read and copy this data whenever it is active. Even worse, apps can also read the Universal Clipboard data of devices that share the same Apple ID and are within 10 feet of the user’s phone, such as their MacBook.

The data we copy using the Clipboard feature reveals private information that we may not want to share with every app. This data can range from non-sensitive data, such as copying a word in an article to look up the definition, to sensitive data, such as the website URL revealing health information or even our passwords and credit card data.

The full extent of how companies have used the data is unknown at this time. LinkedIn (Microsoft), for example, has released a statement assuring users that they do not store or transmit the clipboard data.

At first, Apple didn’t agree that this was a security vulnerability, stating the feature was working as expected. Sure, this is not a security vulnerability in the strict sense, since we implicitly grant all apps access to our clipboard data. But it is a privacy violation that Apple shouldn’t ignore.

Why Clipboard Snooping Is a Privacy Violation

The collection of all clipboard data isn’t a practice that the user reasonably expects. Why would a user think that the Fox News app or the Weather Network app, for example, would need to collect their bank password they copied from their password manager? They wouldn’t.

As required by various privacy laws, including the GDPR and CCPA, mobile apps must give users clear, transparent notice that they are collecting or processing personal data. Without that notice, users cannot make an informed privacy decision about whether to use the app, and here lies the privacy violation.

Both Apple and the Apps Exploiting This Issue Are at Fault

Privacy is one of Apple’s competitive advantages, which is why I’m disappointed that this privacy risk was overlooked and that Apple didn’t act swiftly when alerted to the issue. Apple should have implemented a control to limit clipboard access, or to let users choose which apps may use it, as it already does for the microphone and camera.

However, the app owners, not Apple, are ultimately responsible for notifying users and obtaining their consent before collecting their data. By failing to align with Privacy by Design principles, the developers deployed unethical and possibly unlawful code into these apps.

Will This Issue Be Fixed?

Sort of. Apple announced they are fixing this issue in iOS 14 by deploying a new privacy feature that alerts users when an app copies content from the clipboard.

The pop-up notifying the user that an app pasted data from another app is confusing and will undoubtedly become annoying. Will the average user, who knows nothing of the clipboard snooping issue, understand this notice? How long until users stop noticing the pop-up, or simply wish it would go away? Alerting users that an app is reading their clipboard data gives them no control over it. Therefore, this solution doesn’t resolve the privacy risk.
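
For contrast, here is what a non-snooping app looks like from the developer's side; this is an added example written for this page, not code from the article or from any of the apps it names. It reads the pasteboard only when the user taps a paste button, and before that it queries only whether the pasteboard holds a URL or string (`hasURLs`, `hasStrings`) and, on iOS 14, whether its text looks like a web URL (`detectPatterns`), none of which returns the content itself. The view-controller and button names are hypothetical.

```swift
import UIKit

/// Hypothetical screen with a "Paste link" button. The only call that reads
/// pasteboard *content* lives in readURL(from:), and it runs solely in
/// response to the user's tap, never on launch or on becoming active.
final class LinkPasteController: UIViewController {
    private let pasteButton = UIButton(type: .system)

    override func viewDidLoad() {
        super.viewDidLoad()
        pasteButton.setTitle("Paste link", for: .normal)
        pasteButton.addTarget(self, action: #selector(pasteLinkTapped), for: .touchUpInside)
        view.addSubview(pasteButton)
        // Deliberately no UIPasteboard.general.string here: reading on launch is
        // the behaviour the article criticises.
    }

    override func viewWillAppear(_ animated: Bool) {
        super.viewWillAppear(animated)
        // hasURLs / hasStrings answer "is there something pasteable?" without
        // returning the value, so the button can be enabled without snooping.
        let board = UIPasteboard.general
        pasteButton.isEnabled = board.hasURLs || board.hasStrings
    }

    @objc private func pasteLinkTapped() {
        let board = UIPasteboard.general
        if #available(iOS 14.0, *) {
            // Pattern detection returns categories (e.g. "probably a web URL"),
            // not the text, so the app still has not seen the user's data.
            board.detectPatterns(for: [.probableWebURL]) { [weak self] result in
                guard case .success(let patterns) = result,
                      patterns.contains(.probableWebURL) else { return }
                DispatchQueue.main.async { self?.readURL(from: board) }
            }
        } else {
            readURL(from: board)
        }
    }

    /// The single place that actually reads content. On iOS 14 this is the call
    /// that shows the "pasted from" banner, and it happens only after a tap.
    private func readURL(from board: UIPasteboard) {
        guard let url = board.url else { return }
        // Handle the pasted URL (hypothetical continuation).
        _ = url
    }
}
```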

[Image: the Overstock app showing the iOS 14 pop-up "Overstock pasted from Messages". Credit: Naked Security]

Some companies, such as LinkedIn and Reddit, are fixing their apps to stop automatically accessing and collecting the clipboard data. But users shouldn’t expect this to be consistent across apps.

iOS Users Deserve App-Based Clipboard Privacy Controls

The in-app pop-up notice seems like a pandering fix, especially since Apple didn’t agree at first that this was an issue. iOS 14 is in beta, so I’m hopeful that a better fix is in the works.

If Apple agrees about the seriousness of this privacy risk, it will provide just-in-time privacy notices that let users approve clipboard access when they install an app. Apple also needs to add app-based controls to the privacy settings so users can choose which apps may read clipboard data. The clipboard privacy settings should align with those for the microphone and camera, settings iOS users already know.

iOS clipboard snooping is the latest entry in the long history of mobile apps violating users’ privacy by covertly accessing their data. Apple has made great strides towards a Privacy by Design operating system, with exciting privacy features coming in iOS 14, but clearly more work is needed.

Users will remain at risk until Apple provides app-based clipboard privacy controls. The only option users have to protect themselves: delete the apps. If they don’t trust an app to access the data they copy, such as passwords, they will have to remove the app from their phone. iOS users deserve a better experience.


Translated from: https://uxdesign.cc/the-latest-mobile-app-privacy-violation-ios-clipboard-snooping-7b92ff7a9b84
