Serious privacy concerns with Rever… WTF is going on?
I have become highly alarmed by something which I noticed when running Rever this morning, on my way into work… Rever is automatically obtaining the contents of my clipboard and pasting them into their app…
This takes some explaining and some knowledge of the Apple iOS and OS X ecosystems to understand, so I’ll try to explain as best as I can – what I saw this morning…
First, take a look at this screen grab which I have just taken:
See the notice at the top of the screen? It’s part of Apple’s recent privacy improvements within iOS 14.x – if you paste into an app, from a ‘shared clipboard’, then it tells you the source of the content.
Let’s step back a second and explain what I mean by a shared clipboard… If you are an Apple user, and have multiple devices under the same iCloud account, then one of the things which they offer you between the devices is a shared, common clipboard. – This makes taking content from one device super simple, you can copy from the MacBook and paste on your iPhone. When you’re using this feature, you only have one clipboard across all of the devices, and content is shared between them automatically.
So, what’s up with this? My Rever app, on my iPhone, without me asking it to paste anything, found my shared clipboard content, and pasted it automatically into the Rever app. – WTF?
Imagine this: I’ve just been internet banking on my desktop machine, and have copied (for my own benefit and use) my bank account details. I finish using my desktop, shut it down and leave work to ride home. I open Rever, and all of a sudden, I see a notice saying that it’s Pasted content from my desktop machine – INTO REVER.
WTF? – Again… (it bears repeating).
So, likewise, I might have copied passwords, a sensitive document, a photo, anything. – What is Rever doing obtaining the contents of my clipboard for its use, automatically, without asking me, and without me taking any action to try to paste into it?
This happens each and every time I shift focus into the Rever app.
You get the same paste notification regardless of the source… Here I’ve just copied content from my Notes app, and literally just opened Rever up, while it’s loading it’s obtained my clipboard contents (for what?), and it’s used it…
Honestly, do you trust an app vendor to take, without permission, whatever content you hold on whatever clipboard you might have – at any time? – I certainly do not, and I believe this is a serious breach of privacy on my device, and I want to know exactly what they have been doing with my private clipboard content and information.
I have sent them an email this afternoon asking them to please explain. – I will update this page with any response I get from them.
From: Chris Wiltshire [mailto:firstname.lastname@example.org]
Sent: Thursday, October 15, 2020, 3:05 PM
To: email@example.com
Subject: Serious concern over iOS app automatically pasting from shared clipboard
Hi, – Pls forward on to your CISO.
I have some serious privacy and security concerns over what has become apparent with a recent iOS update, that Rever is ‘AUTO-PASTING’ from my clipboard when the app takes focus. In some cases, where my iPhone’s clipboard is sourced from my shared Mac-OS environment, there is a potential for you to grab the contents of the clipboard from my MacBook Pro.
This content could contain ANYTHING, including banking details, credit card numbers, password content – anything.
So this leads me to ask you, formally please; to account for:
– what you are doing in your app with pasted clipboard content?
– does this information stay locally on the device or are you ever sending this information out to one of your servers?
If you are unsure of what I’m talking about, the following image ought to make this clear.
I am a Privacy Officer in my professional employment. I understand perfectly the concern that this type of behaviour can cause. While I am a long term fan and user (and Premium customer) of Rever, I am giving you the opportunity to respond properly and appropriately to this request for information, before I raise my concerns with Apple (I am an Apple Developer too and have access to their relevant support channels).
Please do not brush this off, please ensure that this is addressed properly.
Thank you, regards,
I received the following response from Rever on 20th Oct 2020. To which I sent the following reply back…..
From: Chris Wiltshire [mailto:firstname.lastname@example.org]
Sent: Tuesday, October 20, 2020, 12:12 PM
To: Bjorn Bredeson
Subject: Serious concern over iOS app automatically pasting from shared clipboard
My response back to you:
“The iOS clipboard is often used as a convenient mechanism to store/share internal data”
That is bad, inappropriate and lazy programming, it is inappropriate at any time to change or access the contents of my clipboard without me initiating it, and it is particularly inappropriate for you to be taking content from it without my knowledge / permission.
This iOS banner shows when a program takes content from it, and uses the iOS Paste functions programmatically. – That is the entire purpose of the displayed banner, to alert users to potentially unwarranted use of the user’s potentially private clipboard content. I do not accept the comments which your head developer has sent back through you as being an appropriate justification for access, and use of my private clipboard content.
“as such, REVER is only retrieving a specific type of clipboard-“REVER-Ride” to be specific-and is never reading from the general clipboard”
It is untrue that your UIPasteboard call only retrieved a specific type of clipboard content in this case. – I have proven that is untrue by showing you that my textual clipboard content was taken and used in the screenshots which I supplied, I do not have, own or run any BMW Connected App, and so I dispute that the captured use of my Rever App has anything what-so-ever to do with that type of clipboard content.
You may have made that change now, in your next release, to first check the meta-data for type, and only paste it if it is that type, but your current usage is obtaining all types of clipboard content, pasting it, and then, perhaps, potentially filtering it by type? These are important distinctions. – That is NOT the same as the comment which you’ve provided back to me in your response. – Your lead developer is NOT being 100% truthful to you in their account of what has been occurring.
Yes, I am aware that iOS provides meta data accessor methods for the clipboard, which will provide insight to your app about the nature of the contents of my clipboard without giving over to the app, any potentially private details of the clipboard contents. It should be clearly noted that use of those meta-data based functions DO NOT trigger the user banner as I’ve captured and shown to you.
I asked you to provide me with an account of what exactly your app had been doing with the data obtained from my clipboard. You have failed to account for where my private clipboard information was taken to, and for what purpose.
Even if the banner was being shown due to a component of your software, and even if this was Google Ads related, this does not provide a reasonable account of the above. It is especially irrelevant because, as a Pro Member, I do not have any of the Google Ad content coming through to me.
Am I to understand that you had enabled Google to both track my usage of your app, (potentially obtain details of my location (through the GPS permissions which I’ve granted to Rever [not google])), and that you’ve been inadvertently sharing my clipboard content with Google, through their outdated and poor use of the UIPasteboard functions in an inappropriate way? To me it makes no difference if you were doing it within your own code, or if you were allowing an external library to make those same calls through your app. – In a number of ways, ignorantly allowing an external library to do this is worse.
This is not good enough, neither is your response, please account for what information you have taken off my device, where it has been sent to, and for what purpose you understood you were collecting it?
From: Bjorn Bredeson
Sent: Tuesday, October 20, 2020, 3:29 AM
To: Chris Wiltshire
Subject: Serious concern over iOS app automatically pasting from shared clipboard
Hey Chris,
This was the response from our head developer:
REVER takes user privacy and security very seriously. The iOS clipboard is often used as a convenient mechanism to store/share internal data. REVER only uses the clipboard in one instance, to receive ride data from the BMW Connected App (one of our partners.) iOS has the concept of a “type” in the clipboard (UIPasteboard) and, as such, REVER is only retrieving a specific type of clipboard-“REVER-Ride” to be specific-and is never reading from the general clipboard.
There are three dependencies in REVER that also use UIPasteboard; Apptentive (a rating technology), Facebook and Google Ads. Upon review, we found an update to Google Ads that addresses this issue and have created a new build. The next release of REVER will include this update to Google Ads and no longer present OS messages related to the clipboard. Thanks for your note and for being a REVER Pro member!
Thanks,
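The exchange above turns on the difference between asking UIPasteboard what kind of content it holds and actually reading that content. The following Swift example is added here for illustration and is not Rever's code or code from the original post; the function names, the `RideImport` enum and the use of the quoted "REVER-Ride" string as a pasteboard type identifier are assumptions.

```swift
import UIKit

// Assumption: the custom type string quoted in the vendor's reply is used
// directly as the pasteboard type identifier.
let rideType = "REVER-Ride"

enum RideImport {
    case nothingToImport      // general pasteboard holds no ride payload
    case payload(Data)        // ride payload placed there by a partner app
}

// Pattern the post complains about: an unconditional content read whenever
// the app takes focus. On iOS 14 this read is what raises the paste banner
// when the content came from another app or another device.
func readClipboardOnEveryFocus() -> String? {
    return UIPasteboard.general.string
}

// Gated pattern: ask only a metadata question first. contains(pasteboardTypes:)
// reports whether an item of that type exists without handing the app the
// clipboard contents, so ordinary text, passwords or photos are never read.
func importRideIfPresent() -> RideImport {
    let pasteboard = UIPasteboard.general
    guard pasteboard.contains(pasteboardTypes: [rideType]) else {
        return .nothingToImport
    }
    // The content read happens only when the expected type is present.
    guard let data = pasteboard.data(forPasteboardType: rideType) else {
        return .nothingToImport
    }
    return .payload(data)
}

// Hypothetical call site: invoked from the app's "did become active" handler.
func handleDidBecomeActive() {
    switch importRideIfPresent() {
    case .nothingToImport:
        break // clipboard untouched, no banner
    case .payload(let data):
        print("Importing ride payload of \(data.count) bytes")
    }
}
```

The same review applies to bundled third-party SDKs, since a content read made by a library inside the app process is attributed to the app.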