How Malicious Apps Can Simply Conceal Copying Clipboard Knowledge on Android 14
Have you ever ever copied delicate info to your clipboard, reminiscent of passwords, bank card numbers, messages, or personally figuring out info? In that case, this knowledge can stay within the clipboard in your system for varied quantities of time. Do you belief the clipboard and the apps that entry its knowledge? This text will discover the Android Clipboard Supervisor and show why it wants higher safety for the info you copy.
How Accessing Clipboard Knowledge Works
The final merchandise you copied on Android will get saved in a major clip. Each software might retailer some textual content info utilizing the code beneath:
val clipboard: ClipboardManager? =
ContextCompat.getSystemService(this, ClipboardManager::class.java)
val clip = ClipData.newPlainText("", textual content)
clipboard?.setPrimaryClip(clip)Right here is how any software might learn it:
val clipboard: ClipboardManager? =
ContextCompat.getSystemService(this, ClipboardManager::class.java)
clipboard.primaryClip?.getItemAt(0)?.textual content.toString()It is a world variable with get and set strategies, nothing sophisticated. When one thing is copied to the clipboard, it stays till a brand new worth overrides it or a tool reset happens. Are there any restrictions on this course of?
Earlier than Android 12
For a very long time, the reply was “No.” Earlier than Android 12, apps might entry your clipboard knowledge with out your information and even learn it within the background, permitting promoting SDKs to assemble details about your pursuits and exercise throughout a number of apps, particularly when you shared a hyperlink with your folks or partner.
After Android 12
The issue was relevant not just for Android however for iOS as properly. Apple first proposed, if not an entire answer, at the least one thing that makes customers conscious of the issue. In iOS 14, a small view signifies {that a} explicit software is studying your clipboard knowledge.
In Android 12, Google adopted the identical method and launched an identical mechanism one 12 months later: a small view is displayed on the backside of the display screen:
Check out the code, and you’ll see a easy toast (which needs to be recognizable to all Android builders) is being drawn:
Binder.withCleanCallingIdentity(() -> {
attempt {
CharSequence callingAppLabel = mPm.getApplicationLabel(
mPm.getApplicationInfoAsUser(callingPackage, 0, userId));
String message =
getContext().getString(R.string.pasted_from_clipboard, callingAppLabel);
Slog.i(TAG, message);
Toast toastToShow;
if (SafetyProtectionUtils.shouldShowSafetyProtectionResources(getContext())) {
Drawable safetyProtectionIcon = getContext()
.getDrawable(R.drawable.ic_safety_protection);
toastToShow = Toast.makeCustomToastWithIcon(getContext(),
UiThread.get().getLooper(), message,
Toast.LENGTH_SHORT, safetyProtectionIcon);
} else {
toastToShow = Toast.makeText(
getContext(), UiThread.get().getLooper(), message,
Toast.LENGTH_SHORT);
}
toastToShow.present();
} catch (PackageManager.NameNotFoundException e) {
}
});Additionally, right here within the code is a listing of exceptions for displaying the notification:
if (clipboard.primaryClip == null) {
return;
}
if (Settings.Safe.getInt(getContext().getContentResolver(),
Settings.Safe.CLIPBOARD_SHOW_ACCESS_NOTIFICATIONS,
(mShowAccessNotifications ? 1 : 0)) == 0) {
return;
}
if (UserHandle.isSameApp(uid, clipboard.primaryClipUid)) {
return;
}
if (isDefaultIme(userId, callingPackage)) {
return;
}
if (mContentCaptureInternal != null
&& mContentCaptureInternal.isContentCaptureServiceForUser(uid, userId)) {
return;
}
if (mAutofillInternal != null
&& mAutofillInternal.isAugmentedAutofillServiceForUser(uid, userId)) {
return;
}
if (mPm.checkPermission(Manifest.permission.SUPPRESS_CLIPBOARD_ACCESS_NOTIFICATION,
callingPackage) == PackageManager.PERMISSION_GRANTED) {
return;
}
if (clipboard.mNotifiedUids.get(uid)) {
return;
}Solely system apps have entry to the Manifest.permission.SUPPRESS_CLIPBOARD_ACCESS_NOTIFICATION permission. Identical story with altering Settings.Safe.CLIPBOARD_SHOW_ACCESS_NOTIFICATIONS. Nevertheless, system apps on Android units embody preinstalled third-party apps. Therefore, these apps might simply bypass the measure.
Nevertheless, the measure labored on Android and iOS for all the opposite apps. Proper after the replace to Android 12, I seen that a lot of my apps have been amassing the clipboard worth, however they stopped doing that a short while after.
Is there a manner of bypassing the mechanism? On the floor, all the pieces seems to be safe: A service manages the creation of a toast notification and communicates with different apps by way of an inter-process communication (IPC) mechanism known as Binder. There is no such thing as a manner of canceling or altering a toast drawn by one other software. However can one thing be drawn on high of that?
Due to the Android safety system, the reply remains to be “No.” All of the views an app attracts will probably be underneath system views by default. Until the appliance has one permission.
The SYSTEM_ALERT_WINDOW Permission
The SYSTEM_ALERT_WINDOW permission permits apps to get drawn on high of different apps. Listed here are some examples:
- Caller functions: A name is available in, and a view of the caller app is drawn on high of the opposite apps, so you’re notified in regards to the name and will reply.
- Fb chat heads: A small view pops up when a brand new message is in a chat. It’s drawn on high of all the pieces you might have on the display screen.
- Telegram video messages: A circle will get drawn on high of the app screens, and it doesn’t go away if you collapse the appliance; the video will proceed taking part in.
You want to grant permission from a separate part of the App Information display screen.
The reason is fairly terrifying if you consider it.
Some malware was (and possibly nonetheless is) utilizing this permission to overdraw their screens whereas a banking app was being launched after which steal credentials that the consumer typed into pretend views.
Making an attempt to overdraw slightly toast utilizing SYSTEM_ALERT_WINDOW is like utilizing a sledgehammer to crack nuts. However nonetheless, many individuals use the pop-over options of messaging apps like Fb and Telegram, in addition to video apps like YouTube. Let’s verify what occurs when an app has this permission and tries to attract one thing on high of the unique toast.
Obscuring the Toast Notification
You probably have permission, the final thought is straightforward: use a LayoutInflater to “inflate” (create an object throughout the code) any view. After that, the “inflated” view will get handed to the WindowManager (liable for drawing the home windows). The next code completes the job: It’ll draw a translucent view with a format outlined within the dummy_view.xml file.
val windowManager: WindowManager =
applicationContext.getSystemService(WINDOW_SERVICE) as WindowManager
val params = WindowManager.LayoutParams()
params.format = PixelFormat.TRANSLUCENT
params.sort = WindowManager.LayoutParams.TYPE_APPLICATION_OVERLAY
if (Construct.VERSION.SDK_INT >= Construct.VERSION_CODES.R) {
params.isFitInsetsIgnoringVisibility = true
}
params.flags = (WindowManager.LayoutParams.FLAG_KEEP_SCREEN_ON
or WindowManager.LayoutParams.FLAG_NOT_FOCUSABLE
or WindowManager.LayoutParams.FLAG_NOT_TOUCHABLE)
val view = LayoutInflater.from(applicationContext).inflate(R.format.dummy_view, null)
windowManager.addView(view, params)Let’s draw a small white rectangle on the toast.
Regardless of the looks of a translucent white rectangle, the underlying message stays seen. The just about clear look occurs as a result of a required parameter for the WindowManager, sort, ought to at the least be TYPE_APPLICATION_OVERLAY. That is the minimal sort for drawing on high; others are for system or caller apps. The documentation explains, “The system might change the place, measurement, or visibility of those home windows at anytime to cut back visible litter to the consumer and likewise handle assets.”
As soon as once more, Android has outsmarted us by making the view semi-transparent. Nevertheless, let’s take one other have a look at the difficulty at hand: We’ve got a semi-transparent window. How can we make it much less clear? The plain and simple answer is to attract further home windows on high of it. Let’s add two extra white rectangles on high of the present window:
It labored. ???? Three layers make the preliminary toast barely seen, however we are able to add extra if wanted. With minor changes, we are able to make it seem like an actual toast. Due to Android and its open-source code – we might reproduce the habits shortly:
In consequence, it’s doable to overdraw a toast both with a special toast or with some other view. Utterly hiding the unique toast can forestall the consumer from being notified of clipboard actions. Any software with the SYSTEM_ALERT_WINDOW permission can learn clipboard knowledge with out notifying the consumer. We’ve got verified this on the newest model of Android 14.
It’s value mentioning that some distributors have already addressed this problem and don’t enable overdrawing system toasts. For instance, this particular methodology doesn’t work on the newest Samsung units with the newest variations of One UI. You possibly can verify if you’re susceptible by launching the demo we’ve got ready for you beneath.
Learn how to Forestall Apps from Stealing Clipboard Knowledge on Your Android Machine
- Take away the SYSTEM_ALERT_WINDOW permission from as many functions as you’ll be able to. Regardless of our humorous demonstration, granting this permission could be harmful, so solely give it to apps you belief.
- To guard your clipboard knowledge, keep away from utilizing units with Android 11 and older variations. Replace to the newest Android model if doable. If not, think about using AOSP-based ROMs on Android 12+ (e.g., Lineage OS), that are generally used to increase the lifespan of units.
- At any time when doable, chorus from copying delicate info.
- Bear in mind that giants of the promoting market should still have entry to your Android clipboard knowledge with out your information.
Demo Utility
We’ve ready a easy software that permits you to see this methodology in motion. You should utilize it to verify in case your Android system is susceptible to the assault. The demo applies to units working Android 12 and newer. The source code is open and out there so that you can evaluation.
Conclusion
With info safety (like some other safety), discovering the correct steadiness between security and comfort is essential. Setting the measures too tight might push customers away out of your product, and the identical consequence can happen with none measures. The clipboard device isn’t any exception. From the privateness and safety viewpoint, a greater mechanism on Android would have at the least an identical mechanism as in browsers: JavaScript code that launched inside browsers (not extensions for them) can have entry to the clipboard knowledge if, and provided that, a user-triggered motion has occurred.
Google carried out a easy measure in Android to maintain customers from transferring in direction of iOS. They’ve restricted entry to silently studying clipboard values for all different apps however have preserved it for themselves. Their entry to your clipboard permits them to have a priceless supply of knowledge for focused ads and to keep up their market place.
To remain up to date with the newest in Android system fingerprinting, you’ll be able to star, comply with, or fork our production-grade library on GitHub. You probably have any questions, be happy to e mail us at oss@fingerprint.com. In case you’re concerned with becoming a member of our staff, you could find extra info on our careers page.