Security: Using the clipboard on iOS devices

iLuke
edited December 1969 in iOS
Copy, Paste, etc.
Hi!

I have one question on the clipboard behavior on iOS devices.

On a Mac, I've configured 1P so that any item copied in the clipboard will be removed after 30 seconds.

There does not seem to be any similar control on 1PT, maybe because this is not supported by the underlying iOS.

So my question is: when I copy a password to the clipboard in 1PT to paste it in Safari, is it possible for any other App to copy that value from the clipboard without my consent (i.e. without me explicitly using the Paste functionality)?

Currently my "workflow" is: I copy a password in 1PT (I'm on iPad so the Lookup bookmarklet does not work), paste it in Safari, then select some other text in Safari and copy to the clipboard (so that my password is pushed out from the clipboard itself).

I would be interested to know your take on this.

Thanks for any insight!
Cheers.

Comments

  • Apologies if this has been asked before, I did try and search through the forums but found nothing useful...

    I'm using 1password for iPhone, and when I copy a password, is there a way to set a limit on how long the password will stay in the copy buffer? It seems a bit of a security hole to me when I can copy the password, which I will paste within seconds to log into whatever account I need to, but then days later the password is still in the buffer, and I can quite easily paste it into the notes app, and it displays the full password.
  • bswins
    edited May 2011

    Apologies if this has been asked before, I did try and search through the forums but found nothing useful...

    I'm using 1password for iPhone, and when I copy a password, is there a way to set a limit on how long the password will stay in the copy buffer? It seems a bit of a security hole to me when I can copy the password, which I will paste within seconds to log into whatever account I need to, but then days later the password is still in the buffer, and I can quite easily paste it into the notes app, and it displays the full password.


    Hello cheekymuppet and welcome to the Forums!

    As far as I know, iOS does not have a specific API allowing for clearing the clipboard's contents. Your issue was discussed last summer in this thread: Question Clipboard Security on iOS Devices?. At that time, you had to manually copy something else in order to push the copied password out of the clipboard memory buffer. I just searched Apple's iOS' forum looking to see if any new functionality came with the various iOS updates pushed since last July, but it appears that nothing regarding clearing the clipboard cache has been added.

    Personally, I use the workaround mentioned in that conversation...

    I copy a password in 1PT (I'm on iPad so the Lookup bookmarklet does not work), paste it in Safari, then select some other text in Safari and copy to the clipboard (so that my password is pushed out from the clipboard itself).


    I know it's a pain, but until Apple allows apps a way to to it, you'll have to be vigilant and use the copy/paste/copy something else procedure.

    Brandt

    FYI:
    To test, I copied some data from 1P Pro on my iPhone and attempted 3 options for clearing the data. I'm not surprised, but none of these methods cleared the clipboard data:

    1. Cleared Safari's cache (didn't expect this to work, but tried it to be sure)
    2. Turned iPhone off and on again as you have tried...a soft reset.
    3. Performed a hard reset by simultaneously holding down the Home button and the Power/Sleep button.
  • thightower
    thightower
    Community Member
    Yes copy something else is the best bet in my opinion I have had items stay in my clipboard for days no kidding (when I forgot to purge them and only realized it after I pasted something). There really needs to be a way to clear the clipboard in my opinion. As well as so many of you.
  • khad
    khad
    1Password Alumni
    edited May 2011
    It is true. This is a limitation we face in iOS development.

    Short of manually copying something else into the clipboard to overwrite the data already in it, there is not a simple way to address this. Even if we added a mechanism for this within the app, once it is backgrounded there is no way to access the clipboard. 1Password is not able to execute code in the background. There are seven different background APIs but none are currently used by 1Password and none grant access to the clipboard:

    1. Background audio
    2. Voice over IP
    3. Background location
    4. Push notifications
    5. Local notifications
    6. Task finishing
    7. Fast app switching

    So even if we added such code, you would need to expend about as much effort switching back to 1Password to have the clipboard cleared as you would simply copying something else from the app you are in to overwrite the clipboard.

    Please note that I am not saying the following is "the solution," but I do take solace in the fact that I use strong, unique passwords created by 1Password's built-in Strong Password Generator. If you find x4Ai#9Y*qX2k^fDw8>JBQEPr<oy7}z=p%3s82g$j9HvT6Fd[Ru in my clipboard, what are you going to do with it? If you're smart, you will double-press the Home button and try the most recently used apps, but even that is no guarantee you will "strike it rich" and requires you to have physical access to my device in the first place. You would also need to know my iOS device passcode in order to get beyond the lovely background on my lock screen.

    Best practice: copy something else to the clipboard. Part of your username from the same form in which you are pasting the password is most convenient. Even just one letter is sufficient — preferable even to copying the entire username.

    Reality: good luck obtaining my iPhone, cracking my device passcode, obtaining anything from my clipboard, and knowing what to do with it.

    It's not the best answer, but I hope it helps until we can do more with the clipboard in iOS while 1Password is backgrounded.

    Please let me know if you have any additional questions or concerns. We are always here to help!
  • BlaydRunner
    BlaydRunner
    Community Member
    Hi Guys:

    This is a little item that's been nagging at me for a bit. I have a 30 minute default set for the 1 Password master password on my Apple iTouch (iOS 4.3) and a five minute default for an inactive 1Password session. However, I am concerned about a problem that occurs following a typical session on my device. Example: I start a new session and 1). enter the four digit pw to boot the actual 1Password app; 2) once 1Password opens, I click on a specific item or account that I'd like to unlock; since all of my logins and accounts have been further protected by 1Pass's master password I am compelled to 3) enter the correct 1Password "master" password to gain access to the un/pw fields for any login request. 4) I then copy the long password that is revealed after my successful response to the "master" password challenge, and 5) finally, paste said account password into the correct access field. That's all fine and good. But, here's the problem: even though I have carefully set the time limit defaults mentioned above (30 minutes for my Master Password and five minutes default for any specific 1Password session), the particular account's copied password remains in my clipboard long after the account is closed and I've turned off my device. Why? Keep in mind that neither the 1Pass app, the specific account I've visited nor the iTouch device are any longer live. This is after I've closed everything—even a day or so after the fact. What gives?
  • bswins
    edited June 2011
    Hello BlaydRunner and welcome to the Forums!

    Your question has been brought up in the Forums before, so take comfort in knowing that you are not alone with your concerns. I have merged your post with the appropriate thread.

    Unfortunately, "what gives?" comes down to one word: Apple

    Apple does not allow application interaction with the clipboard on iOS devices when an app is not running. So, there is no way for 1Password to initiate a clipboard wipe while it is in the background. No other app can initiate it either. As a matter of fact, Apple's own apps cannot do it.

    If you want to clear current clipboard data on an iOS device, you must copy something else to it (i.e., replace the current data with new data) Review the comments in this thread for more detail.

    Please pay particular attention to Khad's post directly above yours. For me, his comments put the potential security risk into the proper perspective.

    I'm sorry I do not have better news for you at this time.

    Cheers!

    Brandt
  • BlaydRunner
    BlaydRunner
    Community Member

    Hi Guys:

    This is a little item that's been nagging at me for a bit. I have a 30 minute default set for the 1 Password master password on my Apple iTouch (iOS 4.3) and a five minute default for an inactive 1Password session. However, I am concerned about a problem that occurs following a typical session on my device. Example: I start a new session and 1). enter the four digit pw to boot the actual 1Password app; 2) once 1Password opens, I click on a specific item or account that I'd like to unlock; since all of my logins and accounts have been further protected by 1Pass's master password I am compelled to 3) enter the correct 1Password "master" password to gain access to the un/pw fields for any login request. 4) I then copy the long password that is revealed after my successful response to the "master" password challenge, and 5) finally, paste said account password into the correct access field. That's all fine and good. But, here's the problem: even though I have carefully set the time limit defaults mentioned above (30 minutes for my Master Password and five minutes default for any specific 1Password session), the particular account's copied password remains in my clipboard long after the account is closed and I've turned off my device. Why? Keep in mind that neither the 1Pass app, the specific account I've visited nor the iTouch device are any longer live. This is after I've closed everything—even a day or so after the fact. What gives?
  • Hey BlaydRunner,

    Did you mean to add a comment? If so, please try again. :)
This discussion has been closed.