It's been a while, so correct me if I'm wrong, but a "Share -> Copy" action doesn't require permissions, does it? That's the conventional way to do this in Apple's own apps and a user should be able to be expected to follow that if they want to copy a link. (Doing otherwise would be nonstandard and surprising to me, regardless.)
Otherwise, accessing UIPasteboard should require permissions. Sorry for Your Flow, but like--the app needs to be transparent about what it's doing, and dirtbags exist, so.
While that works, it's not very user friendly, and that means friction, and friction means churn, and churn means a sad boss. It makes obvious sense to us, but gramma or your luddite uncle have a hard time with that. They need to be redirected (handheld) to where they're going.
It absolutely does, and I'm sure your boss doesn't like to hear it, but falling out of your flow is a pretty small price to pay for somebody else not being able to scrape Grandma's credit card off the pasteboard.
I want my tech-averse relatives to bail out of an app when they see that unless they're hand-held through it and the reasoning is made sufficiently apparent that they can parse it. If they can't, it's not clear enough, and they (and the OS) should default to no.
> _My_ flow, was the same flow shared by anyone else who used Firebase Dynamic Links, Adjust Links, and many others. I'm not alone in this.
No, you're not. And that's good. It's a bad pattern! It's a bad pattern whether one app or a million use it.
> There has to be a common sense compromise on this, like a revokable certificate for access without a prompt.
You seem to think this is the extreme position, and it's not. The extreme position is "you cannot access the pasteboard directly, at all, under any circumstances, and only user-triggered actions through OS-served and unintermediated controls can do so."
You have your compromise already: "ask for permission and be sufficiently clear about why you want it to get people to say yes".
> I completely reject your whole premise.
That's fine. Apple doesn't. That's why I like them. You started this thread with what sounded like a reasonable objection, but you've kept digging to the point where it sounds like you're kind of the reason they're doing it.
While you seem to believe the person you’re arguing with wants that API to do scummy things, it would be more fair to acknowledge that the feature they described is a workaround for the poorly-designed way apps open on first launch. Being able to offer a user an “install and open this in-app” is an incredibly common feature that everyone who has a website and an app wants, and Apple could easily enable this, for instance, by allowing the app to ask the OS to prompt the user for consent “to continue where you left off on the web?” (“Insert Title from Most Recently Used Safari Tab matching this app’s registered website domain here”)
Consent -> OS provides that tab’s URL to the app as though the user had clicked a Universal Link
No Consent -> do nothing
> While you seem to believe the person you’re arguing with wants that API to do scummy things
It doesn't seem like they do believe that, and even if they did, that's not the point.
The point is that allowing this access without explicit user consent enables various "scummy things" that neither Apple nor the user can then stop or easily detect.
It's really not that different from the person at the bank saying, "But you know it's me! Why can't you give me all my money without seeing my ID??!"
No dispute there. My only point was that that commenter doesn't even actually WANT the user's clipboard. What they want is to let the user consent to resuming the activity/state they were doing on the Web in a freshly-downloaded native app. Apple half-assed this with those little metatag-based banner things, which function great (passing the current web URL to the native app with a tap) when you already have the app, but if you don't have the app, or if you want to use a UI other than that persistent banner, the best you can do is send them to the app store and hope they find their own way. This is a poor experience, and the fact that developers resorted to the clipboard method is at Apple's feet because they didn't make any effort to solve the problem, which they could easily do in a secure, consent-asking way.
And what happens when there's a vulnerability in that SDK and every app using it for "their flow" is suddenly vulnerable to attackers scraping sensitive data from the pasteboard of their users? Or what if one of the dozen other SDKs you bundle in your app includes malicious code that takes advantage of the fact you already enabled the pasteboard API for another SDK?
As a developer, I sympathize with you, but as a user, you can get bent. I appreciate that Apple makes it difficult for you to use potentially dangerous APIs with large risk surfaces, and forces you to ask me for permission to take that risk. It's why I continue to buy Apple products and will never switch to Android as long as it's owned by a user-hostile advertising company.
A vulnerability in your SDK that lets a malicious actor control when something is read from the pasteboard. Or a bug in your code that forgets to place the route on the clipboard and ends up reading the previous item from the clipboard and attempting to load it on your server (i.e. sending user clipboard data to your server). And besides, beyond the issue of risk mitigation or code security, there's also that of trust - why should I trust that you're only using clipboard access for the claimed purpose, and why should I trust you implemented and tested your code correctly?
It's addressed by Apple's permission prompt that allows me to select the "ask every time" option. You're right that it's a black box after that in terms of whether or not the app puts a new item on my clipboard and then reads it (why would it need to do that?), but at least I know that if I have something sensitive at the top of my clipboard then I can decline the prompt.
That's not to mention that my concern is fundamentally addressed by gating clipboard access behind a prompt in the first place. That is, I always have the option to decline the permission entirely.
Thanks for this thread. It's disheartening that SLSA and dependency-driven attacks aren't clear to the general development populace, but you've done a good job of explaining the threat even assuming the best of intentions (which I sure don't) out of app developers themselves.
It's a layered set of problems, and the answer is high walls.
you might be missing a key piece of my particular scenario, and it’s that the thing I’m reading from your clipboard is something I put there from my website. The only thing that’s being exposed is something akin to path variable.
The purpose of which is navigating to a particular part of the app on its first ever launch.
If universal links worked on the first install none of this theoretical discussion would be necessary.
No, I understood that this was your intention. I'm trying to explain that even if you have the best of intentions, there is a risk you introduce a bug where your website _doesn't_ put something on the clipboard, so then when your app tries to read it, it instead reads whatever unrelated data is on the top of the user's clipboard. And if your app tries to append this value to a URL, then you are effectively sending clipboard data to your server, i.e. risking worst case scenarios like user passwords showing up in your server logs.
If you can put arbitrary data on the clipboard from your website, and then read it in your app, without my interaction, that allows for a variety of potential exploits.
So you're popping the latest value from the user's clipboard, crossing your fingers and hoping that it's the value you just copied from your site (and that there are no bugs in your code or some intricacies of the user agent that caused that copy to fail), and then sending the value to your server by appending it to your URL. Surely you see the risk here?
No, I’m looking in the clipboard for a valid path in my app and routing to it found and discarding if not. All routing is local to the client app and nothing is sent to the server.
If we’re taking hundreds of thousands of clients and it works 99% of the time, then the risk of it not working in that 1% of cases is acceptable to our product team. Worst cast scenario is that it fails, the user tries again, and no clipboard is needed on the second attempt because universal links work now that app is installed.
This value in the clipboard might be something like: /path-to-experience?id=something
Otherwise, accessing UIPasteboard should require permissions. Sorry for Your Flow, but like--the app needs to be transparent about what it's doing, and dirtbags exist, so.