
iOS Pasteboard Security

September 25th, 2014

There’s been a lot of chatter on the internet lately about the security of webviews embedded in third-party applications. Basically, the host application has full access to what you type into that webview, so if you navigate to another website and enter a password, that password could be read.

I think an interesting factor in iOS 8 that enhances security in a more subtle manner is action extensions. Action extensions allow apps like 1Password, LastPass, etc. to perform small actions. In particular, for password managers: inserting password data into Safari (and other apps that allow it). This allows people to use a variety of passwords and still easily access them for authentication, which is great for security on its own, but there’s more to it than that.

The previous strategy these apps used was that you would enter the application, choose the password you wanted and copy it to the pasteboard. You could then paste it into whatever application you needed that password in. This data would have to be in the general pasteboard to be used/shared between apps, and most people simply paste the password and forget what’s in their pasteboard. This also means every app they open afterwards has access to the plaintext version of this password (and a nice shiny identifier that com.agilebits.onepassword has an existing UIPasteboard as well). At least as far as I can tell.

I start out by going to 1Password and copying a password.

I next compile and run my app, using a simple println/NSLog on the UIPasteboard in my AppDelegate, and my password is revealed. The code looks like this:
(In Swift for …fun?)

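import UIKit

// Any app can read the general (system-wide) pasteboard, not just the app that wrote to it.
let pasteBoard = UIPasteboard.generalPasteboard()
println(pasteBoard.items)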

The result:
[{
"public.utf8-plain-text" = <My_Password_Here_In_Plaintext>;
}, {
"com.agilebits.onepassword" = <Random_Numbers_Here>;
}]

Apparently you have to use the public.utf8-plain-text UTI for your pasteboard data if you want it accessible in Notes/Mail etc, according to Erica Sadun.

Doing some basic filtering on that data to exclude obviously too-long passwords, URLs, etc., you could come up with some decent options for passwords to try again later.

I would love to hear if my thoughts here are wrong (perhaps debugging allows for extra access? or something else along those lines).

Edit:

It seems 1Password has a setting to clear your clipboard between 30 seconds and 3 minutes later, with the default being never. LastPass will let you manually clear it, but doesn’t seem to contain the same auto-clearing option.
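
For the copying side, here is one way an app could limit the exposure described above. This is an added example, not code from the original post or from 1Password or LastPass. It assumes iOS 10 or later and current Swift syntax, and SecretPasteboard and its methods are hypothetical names.

```swift
import UIKit

/// Hypothetical helper (names are assumptions of this example) for copying a
/// secret to the general pasteboard with a bounded lifetime.
enum SecretPasteboard {

    /// Writes `secret` as plain text only, so no app-identifying type is added.
    /// Returns the pasteboard changeCount observed right after the write.
    @discardableResult
    static func copy(_ secret: String, lifetime: TimeInterval = 30) -> Int {
        let pasteboard = UIPasteboard.general
        let expiry = Date().addingTimeInterval(lifetime)

        pasteboard.setItems(
            [["public.utf8-plain-text": secret]],
            options: [
                .localOnly: true,        // do not sync to other devices via Handoff
                .expirationDate: expiry  // the system drops the item after this date
            ]
        )

        let written = pasteboard.changeCount

        // Second line of defence while the app is still running: the timer does
        // not fire in a suspended app, which is why expirationDate is also set.
        DispatchQueue.main.asyncAfter(deadline: .now() + lifetime) {
            clearIfUnchanged(since: written)
        }
        return written
    }

    /// Clears the pasteboard only if nothing has been copied since our write,
    /// so a later copy made by the user is never wiped. Comparing changeCount
    /// avoids reading the pasteboard contents at all.
    static func clearIfUnchanged(since changeCount: Int) {
        let pasteboard = UIPasteboard.general
        guard pasteboard.changeCount == changeCount else { return }
        pasteboard.items = []
    }
}
```

Any app the user opens before the expiry can still read the value, so this shortens the window but does not close it; the action extension approach avoids the pasteboard entirely.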
