To most iOS users, pasteboard is simply part of the way to copy and paste data from one place to another.
You take a picture, fancy sharing it with friends, and your phone uses the pasteboard to move the image to the desired app.
Now an app developer called Mysk has discovered pasteboard’s dark side – malicious apps could exploit it to work out a user’s location even when that user has locked down app location sharing.
The weakness here is caused by the fact that, unless GPS permissions were refused, images taken with the embedded camera app on iPhones and iPads are saved with embedded GPS metadata recording where each was taken.
In the simplest scenario, an iPhone user would take a photo, copy it between apps using the pasteboard, from which a malicious app could extract location metadata while comparing it with timestamps to determine whether it was current or taken in the past.
Images taken from third-party web sources could be filtered out by comparing aspects of an image’s metadata with the device’s hardware and software properties to detect differences.
Although a malicious app should only be able to access pasteboard data while active, Mysk’s bypass was to write a demo app, KlipboardSpy, paired to a foreground widget visible in Today View, to prove the hack worked under real-world conditions. Moreover:
As the pasteboard is designed to store all types of data, the exploit is not only restricted to leaking location information. By gathering all these types of content, a malicious app can covertly build a rich profile for each user, and what it can do with this content is limitless.
That’s not only location data, then, but potentially anything the user has copied into pasteboard, including passwords and bank details.
Is this a bug or a feature?
There was a time when the ability to siphon GPS location history from smartphone images would have sounded of marginal use to a surveillance app. These days, however, image- and data-sharing has exploded, as any visit to social media will attest.
And yet when Mysk reported the issue to Apple, the response was muted:
We submitted this article and source code to Apple on January 2, 2020. After analyzing the submission, Apple informed us that they don’t see an issue with this vulnerability.
Arguably, Apple is correct because the pasteboard is working exactly as intended – it allows users to exchange data within and between applications while the latter are in the foreground.
That is, while it’s true that data can be slurped from the pasteboard in theory, that hypothetical downside is outweighed by the certainty that people need to access copy-and-paste on a daily basis.
Mysk’s view is that Apple could protect the iOS pasteboard by integrating it inside its permissions system, allowing users to grant access one app at a time, or by limiting the time apps can access it to the copy-and-paste action.
Currently, this is a theoretical weakness that, as far as anyone knows, has never been exploited. It’s likely that Apple will patch up this risk at some point as the permissions system inside iOS evolves.
Latest Naked Security podcast
LISTEN NOW
Click-and-drag on the soundwaves below to skip to any point in the podcast.
Starlisa Black Photography
So if I am understanding correctly, turning off location for Photos in settings should eliminate this problem? I just noticed we now have a third choice under location on photos and cameras, to “ask each time” when sharing photos.
Paul Ducklin
As far as I can see, there are several levels (not all covered by this issue) of location-leakage relating to photos, including the following.
There’s location info saved as extra data inside an image itself (for which the camera app needs location access to get the info to save on the first place). If you send someone an image with this geolocation data in it, they know where it was taken, regardless of whether you email it, airdrop it, USB it or share it via a file locker service. (Geolocation info doesn’t always matter because the image may locate itself anyway, e.g. if it is a photo of you with Stonehenge in the background.)
There’s also the issue of the app you are using to upload an image – if that app has geolocation access turned on, it knows where you were when you uploaded the file, which is the same as your location if you snapped-and-uploaded in one go.
And there’s the issue of what an online service does with any data it gets hold of, including geodata – does it keep the data to itself by default or do you have to edit a setting for that?
As for apps, including camera and photos, “ask every time” reduces the risk if making mistakes; while turning location off altogether basically prevents mistakes (but makes it a hassle to turn geolocation on and then back off every time you do want to record where a picture was taken).
My advice: if in doubt, turn location services off entirely. On an iPhone go to: Settings > Privacy > Location Services.