
I'm trying to determine whether iOS apps could sniff my clipboard, and I haven't proven that they can't; there doesn't seem to be a specific permission that needs to be assigned or can be denied. And thus using 1Password on my iPhone to copy and paste passwords seems to have a bit of a risk to it.


Facebook reads the contents of your clipboard every time you open it. There should be a permission for it, but there isn't.


Thanks. I didn't know that, but I don't install FB because of some other stuff I heard they did (like monitor the mic). Likewise Messenger. I do access FB, but only from within Firefox, which I use solely for that purpose.


iOS apps can read your clipboard (but only if the app is open, i.e. not in the background, which was possible in earlier iOS versions). I would welcome it if they introduced a permission for clipboard handling.

Personally, I use Workflow to clear my clipboard after pasting a password.


But can apps sniff in what website or app you are using the password? Either for iOS or Android, if the passwords are just random strings unique for each site and they can't determine that, then the attack vector diminishes.


A while back you could query the apps currently active on iOS and there was a big scandal that Twitter was doing it, being reported by the media as a secret vulnerability, which was bullshit since that "vulnerability" was fairly well known already and in use by ad platforms. And at a previous company we used it for more than a year I think, before being in the news. I don't know what happened after that, Apple must have closed that loophole and Android requires a specific permission. But there are always vulnerabilities that developers can exploit and you can't trust the OS on this one.

Plus it really doesn't matter, because when it comes to security, there's also the issue of the mono-culture and user technical stupidity. We know that many people use Gmail, Facebook, Twitter, etc., most of them reusing passwords across services. And logging the user's copy/pasted texts gives you such a specific dictionary that the probability of getting hacked approaches 1 fast.



