AnySoftKeyboard / AnySoftKeyboard

Android (f/w 2.1+) on screen keyboard for multiple languages.
http://anysoftkeyboard.github.io/
Apache License 2.0
2.88k stars 830 forks source link

Non-persistent clipboard history #3873

Open ghost opened 10 months ago

ghost commented 10 months ago

Steps to reproduce

  1. Copy some text to have a clipboard history
  2. Launch the keyboard settings app and close it
  3. Now check the clipboard history (by long press clipboard icon)

Note: Clipboard also clears when switching keyboard

Expected behaviour

Clipboard history should be there

Actual behaviour

Clipboard is empty, there is nothing to paste

Android OS version: Android 11

DaRealNOX commented 9 months ago

@kik-btaski By “keyboard settings app” do you mean the ASK app itself? I'm just asking to avoid confusion.

@menny / @ASK-Team I'm on Android 14 / One UI 6.0 and I can only notice the behavior that the history is lost in the following cases, namely when...

  1. the ASK system process is ended manually or automatically (requires root rights).
  2. the mobile phone is restarted.
  3. from ASK to another keyboard (and of course back again) is switched, where you can then determine the situation.

And since it should already be clear from other threads and the explanation there that the clipboard entries are only stored as variables in the ASK program code, this is volatile memory (commonly called RAM). Therefore I don't see this case as an "issue".

The only problem with this is:

Isn't there a certain risk of data leakage when using the RAM (the said volatile memory, where the variables and their values ​​are located) for the ASK clipboard? Especially if data is kept unencrypted there?

After all, at ASK we are talking about a virtual keyboard on which countless and often highly sensitive entries are made every day by countless users around the world. By the way, Troy Hunt sent greetings again just the day before yesterday with a remarkable blog post about data leaks: https://www.troyhunt.com/

I think using persistent storage for ASK's clipboard is a better method, since in Android each app gets its own dedicated area for this persistent storage. Since I'm not an Android developer, I can only rely on statements from the industry or the documentation from Google that this is really the case. So I accept it as "true" in quotation marks and rely on the fact that no app can "read" the files stored by others.

So I looked at the volatile memory documentation, because I already had my fears, and found that it talks about "shared pages" and "non-shared pages". And if I understand correctly, every app can exchange data in RAM with every other app via shared pages or read their data unnoticed.

Therefore, the clipboard entries MUST be encrypted and ideally stored in the persistent memory of the ASK app. (Yes, the Android developers will now say that RAM in Android is also persistent and only unused memory is freed up through the so-called garbage collection of the Android system.)

But beat me to death if I'm wrong. However, I recommend that ASK's programmatic concept regarding the clipboard be reconsidered. Maybe the web pages I've read will help...

Therefore:

Please, dear ASK developers, think quickly and review your current approach. Because if there is a risk of data leakage in ASK, things quickly look bleak with the app. An audit is necessary!

Personally, I would be very affected if ASK had to be scrapped for data protection reasons, as for me the keyboard simply offers what I've always been looking for.

Sorry for half the essay. :D

ghost commented 9 months ago

Yes the app itself. Currently it saves at max 15 clipboard entries

I was trying to implement the persistence but when building the app, it crashes my pc(2 core + 4gb ram + lz4 zram + 10gb hdd swap). 😅May be cause its code size is ~300mb I like ASK app becoz of its key popup look/UI and less memory usage(~50mb).😅

DaRealNOX commented 9 months ago

For me it saves at max 15 entries too, but my entries always get created twice. (Issue posted this moment https://github.com/AnySoftKeyboard/AnySoftKeyboard/issues/3887)

fedora-mahdi commented 9 months ago

@DaRealNOX : regarding privacy issues, do you know how SwiftKey handles clipboard or typing related data ?

This Microsoft proprietary app was shipped as the default clipboard history and management app on my Android device

DaRealNOX commented 9 months ago

@fedora-mahdi

Hello!

First to say:

As you mentioned, the SwiftKey keyboard is >>> proprietary <<<, which means that Microsoft doesn't provide any insight into the source code of its keyboard app (although you could certainly get there through reverse engineering). In any case, what is certain is that it depends on your trust that MS does not misuse any data that has been typed and used with the clipboard. I don't even want to start writing about leaks here.

For as long as I can remember, I have not left this to any multinational corporations or, to put it more generally, "providers". I also don't want to get too political here on Github, as it's not the right place to discuss this sort of thing.

But you should be aware that theoretically EVERY keyboard, software and everything in life offers opportunities for abuse. And MS is pretty high on the “black list”. You shouldn't forget that your phone runs on Google's Android (I'm assuming so at the moment) and therefore Google also has a connection to your privacy with its pre-installed apps. So you can weigh up whether you trust these companies or not.

Not to mention other apps from other “providers”, which may also be pre-installed or you can download them manually. Open source software (OSS) or the respective free version (FOSS), if available, is certainly the first step in ensuring or regaining your privacy.

Btw: LineageOS is a good alternative but needs strong knowledge in rooting your device, installing it and blocking all the unwanted things (and don't forget that every additional installed app potentially compromises your privacy again).

To answer your question specifically about the SwiftKey keyboard:

I don't trust MS. I don't use this keyboard. I therefore don't know how MS handles the clipboard (see "Clipboard" in the Android system apps, so that it's clear what I mean) and its data treated (YOUR data, which belongs to you, no matter who says otherwise!).

So I recommend ASK and revoking access rights for all apps that can access it. And further specifically: Revoke rights of the unwanted apps and "deactivate" them permanently. ;)

PS: Apps that are allowed to hover over others (so-called "background apps") can also inspect your screen content, nowadays even at the speed of light using A.I. And a keyboard itself is such a background app with enormous access rights, so data misuse can quickly escalate. I refer again to Troy Hunt's expertises or to the opinions of other expert security technicians/companies/clubs/etc.

Don't TYPE or COPY-PASTE credentials anymore, use password safes. OSS Bitwarden for example (free private use). And take care of yourself and your data when it comes to security and privacy in general. And: Don't compromise! Period! :D

Ditto89 commented 2 months ago

I'm having exactly the same issue, when launching the settings app and closing it, or after a reboot, too. It would be nice to have persistent storage being used for that... please consider that! I'm still on an Asus ZenFone 4 Max with Android 8.1, so I thought it was an issue with my old model, but it seems newer phones have this same issue... P.S: I'm on ASK version 1.11-r1

DaRealNOX commented 2 months ago

@menny Are you still keeping an eye on this matter? :)