GrapheneOS / os-issue-tracker

Issue tracker for GrapheneOS Android Open Source Project hardening work. Standalone projects like Auditor, AttestationServer and hardened_malloc have their own dedicated trackers.
https://grapheneos.org/

add support for only allowing explicit pasting of the clipboard #347

Closed thestinger closed 10 months ago

thestinger commented 4 years ago

We can add a toggle for disabling API-based clipboard access by the focused app. Instead, we can add a paste button to the keyboard app. Ideally, the context menus in apps would be a system UI with app extensions, but that's not how this was designed.

Android already only allows clipboard access for the app that's in focus and the keyboard (so that it can act as a clipboard manager) but this isn't ideal.

githupper commented 4 years ago

Having the toggle would be great. Is your consideration a globally applied toggle or per app basis?

2br-2b commented 3 years ago

I think something like that is important. The clipboard can leak your location and/or passwords, and as we've seen with iOS, is often accessed unnecessarily; however, I think it may be necessary/useful for some apps to access your clipboard in the background. For example, browsers like Fennec and Vanadium access your clipboard in the background to suggest opening links you've copied. Maybe if there were a way to toggle this on an app-by-app basis, that would be more useful.

Oymate commented 3 years ago

My suggestion is to have two clipboards for compatibility, allow apps to access a blank clipboard (focused). When long pressed and pressed cut, copy or paste, take that to the blank clipboard and instantly copy it to the main clipboard, then wipe the medium clipboard. This way even other focused apps can't access the clipboard.

thestinger commented 3 years ago

@Oymate That would make it a lot more complex and wouldn't help with privacy. The long press interface is under the control of apps which is the issue. The entire issue is that they access the clipboard via an API instead of it being implemented by the system UI. More complexity via another layer won't address the issue.

secretmango commented 1 year ago

The clipboard being the storage for everything, passwords, location, links, names, being open to any app to read is pretty horrible. This issue can't just be closed, if you say "we don't have the capacities, if someone implements it we can look at it" that's genuine, but just closing? This is security sensitive.

thestinger commented 1 year ago

The clipboard is already only readable by the focused app, not every app. I'm not sure what you're talking about when you say the issue is closed. This issue is not closed.

secretmango commented 1 year ago

@thestinger ok it was a duplicate. Is there a way to delete the clipboard or the last entry in the preinstalled AOSP keyboard? Because then it can actually be secure if only the foreground app can access the clipboard content, even though actively pasting it only through a trusted open source keyboard app is better imo.

escape0707 commented 11 months ago

Let's consider an edge case. In some countries people need a VPN to circumvent government censorship, and to set up a VPN, they often need to copy the config data (say, a WireGuard config) from the VPN provider's website and let their open source VPN client import it.

(Why not a dedicated app per VPN provider? Because that kind of VPN can easily get blocked in those countries. If you want open source security, latest anti-censorship protocol, you need to use open source VPN clients dedicated to anti-censorship and use VPN providers that support those usages. Say, shadowsocks or xray or smth. But just think of a WireGuard config at this moment.)

Then, if you have to use apps like WeChat or Alipay in your daily life, and they co-op with the government to try to expose any citizens' VPN usage, they are willing to read your clipboard more often. By reading and uploading your v2ray/xray/wireguard config, they can more easily claim "crime" of you or figure out your online identity. So this is a serious risk and human rights problem for the Chinese mainland and Iranian people. Maybe Russians, too.

Android 12 alerts users when reading of the clipboard has already happened, but this won't protect the person who already got spied on. You can't rely on people exposing these apps' behavior and ask Google Play to take them down either, because they will ship the app outside of Play store but still force people to use them in their daily life for, say, public transport and paying bills of water and electricity.

So, I want to ask what do GrapheneOS developers think is the correct approach for Android (and GrapheneOS) to adopt and protect users privacy and data security? iOS 16.1 has been seen per app clipboard access control back and got praised by some users that I know to be living in those countries. Since GrapheneOS doesn't think that is a good approach, closed several other related issues, and this issue has been opened for 3 years, what can a GrapheneOS user use to protect themselves at this moment?

Thank you in advance for reading this post.

thestinger commented 11 months ago

Android already disabled reading the clipboard for anything but the keyboard and focused app.

escape0707 commented 11 months ago

> Android already disabled reading the clipboard for anything but the keyboard and focused app.

I also used this argument to defend Android's permission model yesterday (against an iOS user, who would have thought). But since WeChat is an Instant Message app by itself, if you slipped and switched to it by accident and happened to be in a typing state before (probably 80% of the case), that sensitive data or even just some hate speech or copied links to banned websites are still risking leakage to the government. Thus, I felt not that confident defending yesterday, considering the status quo.

What's worse is that you can't expect average users to always remember to clear their clipboard before switching back to apps like WeChat, LINE, or Instagram every time.

For example, there is a Chinese app called Taobao, which is basically an eBay clone. It has a normal feature in disguise as they read your clipboard in case you copied an item link from your browser or IM app, and auto-open the link for you (After Android 12, maybe only after you start typing and searching for items with the search bar). But this is still useful as a spying method to monitor user clipboard whenever they (Taobao) have the chance.

So, in conclusion, I'm wondering what can Android and GrapheneOS do to protect users when they cannot trust the "focused app" but are still forced to use them.

secretmango commented 11 months ago

Yes very true. As far as I know the standard Clipboard only has one entry, and this entry never disappearing. I personally use FlorisBoard's internal clipboard, which is saved in the app container and only actively "moved out" when pasted.

The clipboard is also shared via KDE Connect, when enabled, and with the work profile. Meanwhile the "copy cut paste" buttons when highlighting text are exactly interacting with that one clipboard system and nothing else. So system integration of this bad concept is very high.

FlorisBoard has the best method for me, but no idea how this would be implemented in GrapheneOS. It would need to be audited and preinstalled, I think the AOSP keyboard is unusable but yeah ... Another method would simply be to block the "read clipboard" permission of apps, and have it opt-in as a permission.

escape0707 commented 11 months ago

> this entry never disappearing

Note that in Android 13, clipboard got cleared after one hour.

secretmango commented 11 months ago

@escape0707 thanks for the heads up. Better than nothing, but still kinda arbitrary. This is not really a security measurement, moreso a "don't mess it up completely" thing. It's totally fair that I don't want Telegram or even proprietary Software pasting my clipboard as if the long-press dialog was not existent. There simply is no reason for that.

escape0707 commented 11 months ago

Today I just noticed that an app called Bilibili read my clipboard at launch and prompted the notification bubble, without me changing my cursor to any text input field. So "focused" means not only typing into that app but moving it to the foreground? Or maybe that app is just malicious and tricked the OS into thinking it got input focus? Either way, I can't say the current model is secure and private at all.

secretmango commented 11 months ago

@escape0707 Android is a single-window OS, so one app in the foreground. Foreground is "the app is showing" afaik.

This is an entirely useless security, as it's way too loose. I can understand implementing a new solution for that is work, but poorly it's needed.

For the time being, you may want to use FlorisBoard and its internal clipboard as it does exactly that.

  1. Enable the internal clipboard
  2. Enable syncing from system clipboard, disable syncing to system clipboard
  3. Change the toolbar to "clipboard actions" or how it's called, instead of the thing before. Set the other one as secondary toolbar.

tadaa! And it is actually usable, unlike the AOSP keyboard. But as I said, it's not updated since some time.

thestinger commented 11 months ago

> Android is a single-window OS

No, it isn't. It has split screen and free form window management support.

> Foreground is "the app is showing" afaik.

No, it's the selected app. Switching to an app on the desktop focuses it the same way. The concept of focusing does not work differently on Windows/macOS/ChromeOS vs. Android.

thestinger commented 11 months ago

> Today I just noticed that an app called Bilibili read my clipboard at launch and prompted the notification bubble, without me changing my cursor to any text input field. So "focused" means not only typing into that app but moving it to the foreground? Or maybe that app is just malicious and tricked the OS into thinking it got input focus? Either way, I can't say the current model is secure and private at all.

No, focused means the actively selected app. Only 1 app can be focused. It does not have to do with starting input.

escape0707 commented 11 months ago

> No, focused means the actively selected app. Only 1 app can be focused. It does not have to do with starting input.

Thanks for the explanation. I think when people are forced to use some untrustworthy app on their Android phone, they basically get no clipboard privacy protection against government dictatorship for now...

thestinger commented 10 months ago

Replaced with https://github.com/GrapheneOS/os-issue-tracker/issues/2917.