Jul 5, 2020

Opinion: Clipboard contents must be auto-encrypted and only the receiving app must be able to read them

Last week brought some disturbing news reports: two major apps, TikTok and Reddit, were caught discreetly reading the user's clipboard. This is a grave privacy and security concern because the device's clipboard is very often used to copy credentials quickly from one app to another.


It is a very common scenario these days to copy a username or password from your password manager app and paste it into a browser input field. Another common scenario is copying an OTP (one-time password) from an SMS and pasting it into a website's field to authenticate yourself.

For the seconds (or longer) during which these credentials sit on the globally readable clipboard, any app running in the background can read and store them. It might even send them, inadvertently or otherwise, to its remote server as part of the "usual telemetry and analytics" that people take for granted these days.

And if you consider the opportunity this gives to authors of deliberately malicious apps, the consequences are disastrous. To protect users' online safety and privacy, the makers of Android and iOS should establish a protocol for clipboard sharing.

One implementation would have the OS encrypt the clipboard contents with a fresh random key whenever an app writes to the clipboard. No app should be able to decrypt them on its own; only when the user explicitly pastes into a text box (by a long press or right-click) should the key be released, and then only to the target app receiving the paste. The gesture that unlocks the key must be one the OS's own input layer observes, not an API the app can call for itself, otherwise any app could simply "paste" into a hidden field and read the result.
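To make the proposal concrete, here is a small Python model of such a clipboard broker. It is an added illustration, not code from the original post and not any real Android or iOS API: the broker, the app names, the gesture-token scheme and the sample password are all hypothetical, and a one-time pad stands in for a real cipher so the model runs on the standard library alone. It shows that a background app polling the clipboard sees only ciphertext, that the key is released only against a single-use gesture token bound to the app the user pasted into, and that a stolen or replayed token gets nothing.

```python
"""Model of an OS clipboard broker that encrypts copied data with a fresh random
key and releases the plaintext only to the app the user explicitly pastes into.
Hypothetical design sketch; not an Android or iOS API."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

GESTURE_NONCE_LEN = 16


class PasteDenied(Exception):
    """Raised when an app asks for clipboard plaintext without a valid user gesture."""


class ClipboardBroker:
    """Runs inside the OS. Apps never hold the key; without a gesture they see ciphertext only."""

    def __init__(self) -> None:
        self._gesture_secret = secrets.token_bytes(32)  # OS-private key for minting gesture tokens
        self._ciphertext: Optional[bytes] = None
        self._key: Optional[bytes] = None
        self._source_app: Optional[str] = None
        self._pending: Dict[bytes, str] = {}  # nonce -> app the user chose to paste into

    # --- callable by any app ---------------------------------------------------
    def copy(self, source_app: str, plaintext: bytes) -> None:
        """Store `plaintext` encrypted under a fresh random key that never leaves the OS."""
        # A random key as long as the data (one-time pad) keeps this model dependency-free;
        # a production design would use an AEAD such as AES-GCM with a per-item key.
        key = secrets.token_bytes(len(plaintext))
        self._ciphertext = bytes(p ^ k for p, k in zip(plaintext, key))
        self._key = key
        self._source_app = source_app

    def read_raw(self, app: str) -> Optional[bytes]:
        """What any app, foreground or background, gets by polling: ciphertext only."""
        return self._ciphertext

    # --- callable only by the OS input layer ----------------------------------
    def user_paste_gesture(self, target_app: str) -> bytes:
        """Minted by the OS when it observes the user long-press / right-click 'Paste'
        in `target_app`. The token is single-use and HMAC-bound to that app."""
        nonce = secrets.token_bytes(GESTURE_NONCE_LEN)
        tag = hmac.new(self._gesture_secret, nonce + target_app.encode(), hashlib.sha256).digest()
        self._pending[nonce] = target_app
        return nonce + tag

    def paste(self, requesting_app: str, token: bytes) -> bytes:
        """Release the plaintext to `requesting_app` if `token` is a live gesture bound to it."""
        nonce, tag = token[:GESTURE_NONCE_LEN], token[GESTURE_NONCE_LEN:]
        target = self._pending.get(nonce)
        if target is None:
            raise PasteDenied("no pending user gesture for this token")
        if target != requesting_app:
            # A token stolen from another app is rejected without being consumed,
            # so the legitimate app's paste still works afterwards.
            raise PasteDenied("gesture is bound to a different app")
        expected = hmac.new(self._gesture_secret, nonce + target.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise PasteDenied("forged gesture token")
        del self._pending[nonce]  # single use: a replay of the same token fails
        if self._ciphertext is None or self._key is None:
            raise PasteDenied("clipboard is empty")
        return bytes(c ^ k for c, k in zip(self._ciphertext, self._key))


def demo() -> dict:
    """Scenario from the post: password manager -> clipboard -> browser, with a
    background app snooping. Returns the observations for inspection."""
    broker = ClipboardBroker()
    credential = b"correct horse battery staple"  # constructed sample password
    broker.copy("PasswordManager", credential)

    snooped = broker.read_raw("BackgroundSnooper")  # background poll: ciphertext only
    token = broker.user_paste_gesture("Browser")  # user long-presses Paste in the browser

    try:  # snooper somehow obtains the token and tries to redeem it
        broker.paste("BackgroundSnooper", token)
        snooper_got_plaintext = True
    except PasteDenied:
        snooper_got_plaintext = False

    pasted = broker.paste("Browser", token)  # the legitimate paste succeeds

    try:  # replaying the consumed gesture fails
        broker.paste("Browser", token)
        replay_ok = True
    except PasteDenied:
        replay_ok = False

    return {"credential": credential, "snooped": snooped, "pasted": pasted,
            "snooper_got_plaintext": snooper_got_plaintext, "replay_ok": replay_ok}


if __name__ == "__main__":
    print(demo())
```

The point of the model is the separation of roles: `copy` and `read_raw` are what ordinary apps get, while `user_paste_gesture` represents something only the OS input layer can produce, so an app cannot manufacture its own paste. In Python nothing enforces that boundary; on a real platform it would be a privilege boundary between the system's input service and app processes.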

I know this won't be easy for operating systems to implement: it requires changes to both the OS and the GUI APIs through which apps receive pasted input. But going forward, it is a good way to protect users' privacy.
