Do any Windows freeware apps habitually access the private contents of the clipboard upon mere invocation of the app?

On 06 Jul 2020 22:59:00 GMT, Stéphane CARPENTIER wrote:

Why are you only concerned by the clipboard ?

Hi Stephane,

You seem to be able to handle technical detail, so it's a pleasure to
discuss this problem set with you.

That's especially true given you're the only one who seems to _understand_
the problem set (perhaps along with J.O. Aho with his most recent response
to the same post you're responding to above)... hence what you ask of me is
important.

The simple answer is inherent in the opening post:
o TikTok got caught doing it; so I wondered what Linux programs do it.

The more complex answer in inherent in the timeline of new details:
o Apple iOS implemented popup notifications when it happens again

Where, that caught TikTok (again), along with Reddit, Linked-In, et al.
o So that's why the thread was UPDATED with further new details this week

In addition, after getting a **** ton of bogus answers on this (and other)
OS threads from people who _still_ don't seem to comprehend what you
understood from the very start... I dug into what Android does & did,
where, since at least Android 6, we've had control of app clipboard
permissions obtained as easily as simply installing an app, e.g.,

o *Private Clipboard helps mimic Android 10's clipboard privacy on older Android devices*
https://www.xda-developers.com/private-clipboard-mimic-android-10-privacy/
"In Android versions prior to Android 10, every single app could read the
contents of your clipboard. And this was accomplished without needing to
grant any runtime permission to any app..."

"Android Q/Android 10 would finally block background clip reading.
But if you are on an older release of Android, you can mimic the
same functionality with this Private Clipboard app."
https://forum.xda-developers.com/android/apps-games/app-private-clipboard-t3964055
https://labs.xda-developers.com/store/app/net.easyjoin.privateclipboard

Note that you can do the same thing, apparently, as private clipboard does,
simply by connecting your Android device to Linux, Mac, Windows, over adb
on USB, and then you can issue commands to *control* what apps have
clipboard access (as described in gory detail in a prior post to you
minutes ago).

In summary, for clipboard access, the two operating systems doing something
about it are clearly iOS and Android, where what iOS is doing is
essentially two things (AFAICT):
1. Notifying the user whenever an app maliciously reads the clipboard, and,
2. Allowing the user to _control_ whether they want that app to have it.

On Android, it seems the "notification" isn't there yet (is it?); but it
seems the ability to allow the user control over the setting was always
there (within some range of "always", e.g., Android 6+), and, it's
apparently more easily accessible to the normal user in Android 10.
o *Clipboard not accessible from background app with Android 10 SDK upgrade*
https://stackoverflow.com/questions/58727690/clipboard-not-accessible-from-background-app-with-android-10-sdk-upgrade

It seems both Linux & Windows, so far, don't have/need/want it yet.

Do you know which
application is using you mic or your camera ?

Yes, of course.
o At least for Android I think I have full & complete knowledge.

Particularly since I turn _off_ mic & camera permissions for all apps that
request it, and only turn it back on, ad hoc, if/when I need it.

In fact, I turned off _all_ possible permissions, and fully documented it:
o *My experiment turning all Android app permissions off*
https://groups.google.com/forum/#!topic/comp.mobile.android/FKjvRYbqgIw
--
Every thread should add to the value of our permanent Usenet archive.

John,

Rudy,
please stop replying to Arlen - I know it's hard.

It is. He blabbers so much stupidity that its rather hard not to try to
correct him.

Replying to him serves little or no purpose; he's incapable of absorbing
the point[s] you're trying to make.

Although I do not know if that is true, it is rather obvious that he doesn't
respond to questions, remarks or suggestions in his direction.

so only see his output when someone does a public reply to him

Hmmm... My newsgroup reader currently also supresses the replies to a
supressed post (and so on). I do not see such branches unless I disable
the display-blocking for them.

But, point taken. And by the way, my apologies. I would get irritated by
it too.

Regards,
Rudy Wieser

On 07 Jul 2020 11:37:03 GMT, Stéphane CARPENTIER wrote:

The MAC address randomisation is only useful when you move without VPN.

Hi Stephane,

warning: details follow, where I address all your stated concerns, I hope

It's a pleasure discussing this with you since, unlike most who posted, you
can handle details (as can I). Most simply think the entire thread is no
more detailed than the Subject line (which is why they repeatedly and
endlessly told us what everyone knew since the dawn of computers, for
example - which simply wasted more than half this thread on their lack of
ability to comprehend what the thread topic was actually about).

Agreed on VPN...

You maybe don't remember how many threads Marek Novotny and I had which
created scripts (almost exclusively by Marek, where I tested them for the
team) improving the geolocated randomization of six thousand VPN servers in
the past on this newsgroup.

If you want, I can dig up a few representative a.o.l threads where we
tested to death killswitches, VPN geolocation scripts, & VPN randomization
years ago, where my point is that randomization of everything is useful,
e.g., I even randomize my (Windows) system timezone, as shown in this post:
o Script to randomize the system timezone to help foil fingerprinting
https://groups.google.com/d/msg/alt.msdos.batch/0EE2VwfKwYc/fjh7tvLpAAAJ

It seems the mobile devices are ahead of Linux, on these defaults.

Because it's pointless on desktop, and pointless on laptop if you use
your phone as a wifi source. So, Linux can put it in place easily, but
there is no real need by default outside mobile devices.

I don't disagree now that I know more about what the mobile devices are
doing, where, you may note I'm all over the Android & iOS newsgroups on how
to improve privacy (e.g., I've virtually eliminated Google-anything on my
Android devices, without needing to be rooted).

You can have full functionality on Android _without_ Google if you just
take some risks of deleting, disabling, and blocking Google's background
and system processes.

I have so many threads on this topic that pointing to just one would be
insufficient, but here's just one to give you the idea of the scope:
o *Does anyone know how the PHONE ties to CONTACTS tiies to SMS on Android
9 Pie?*
https://groups.google.com/forum/#!topic/comp.mobile.android/EvXtsP9radE

In that case, for example, I eliminate the default sqlite contacts db,.
which, I realize, almost nobody on the planet does, but they also don't
know what I know, which is that Google uploads that specific file without
you knowing it (most people can't fathom that concept, which is why they
don't do the things I do to get around that privacy hole in Android).

Do you really believe it's an improvement to be required to read the log
to be able to access the clipboard ?

No. No. No.

Nobody said that, nobody implied that, and nobody should infer that.

All I was saying was that Android, since Android 6, has had the capability
to deny read permission on an app-by-app basis, but it was a bitch (as you
noted).

What _is_ an improvement though, is that in iOS 14 and in Android 10
(reputedly), the user has app-by-app control that is _easy_ so that the
_user_ decides which apps have clipboard read permission.

I couldn't get it to work on Android 10 when I tried yesterday, but I
didn't try for more than a minute or two as I was in the middle of
researching it.

Luckily, on iOS 14 (currently in beta), the user is _notified_ whenever an
app accesses their clipboard, which is a boon to detection of which apps do
it (since some clearly have no business accessing the clipboard at all,
even less so constantly).

OK, I'm French and maybe I don't know what a clipboard is. It's possible
we don't speak of the same thing. For me, the clipboard is the thing used
to copy/paste information between applications.

If I'm wrong, I'd like an explanation.

I think on Apple they call it a "pasteboard" & "clipboard" concurrently:

o *Apple Suddenly Confirms Hidden Problem Impacting All iPhone, iPad Users*
https://www.forbes.com/sites/zakdoffman/2020/06/23/apple-ios14-release-iphone-11-pro-update-ipad-upgrade-security
"Apple should include a privacy setting, app by app, enabling or
disabling access to the _clipboard_. And, at the very least, it should
flash a notification on screen when an app does access the _clipboard_,
to prevent apps from exploiting the _pasteboard_, the researchers said
back in February, Apple must act!"

On Android, they mostly just call it a "clipboard", I think:
o *Limited access to clipboard data*
https://developer.android.com/about/versions/10/privacy/changes
"Unless your app is the default input method editor (IME) or is the app
that currently has focus, your app cannot access clipboard data on
Android 10 or higher."

It's important to realize the detail that it's the OPERATING SYTEM
developer who needs to act first, and only after the OS is fixed, can the
user have this privacy against malicious clipboard access.

It's also important to notice the detail that both Android & iOS developers
did act, and both implemented solutions in the operating system, which are
the kinds of things I was asking here, about Linux.

My key question was why is it desperately needed in mobile devices, but not
on desktop operating system, where the answer from most here is
(essentially) that there is simply no malicious code on the Linux operating
system - and there never will be malicious code on Linux ('cuz it's open
source).

[Yes, I know I'm taking it slightly out of context; but that's essentially
Peter's claim, for example.]

If I'm right, I really don't understand what concerned you so much with
the clipboard. It's not a keylogger. If you tell me that Android and iOS
don't manage a real clipboard but are using the central logs for the
purpose, there is a real concern. But they are not far in advance of
Linux, they are garbage which needs fast improvement.

Thank you for asking as I think almost nobody on this thread understands
the problem set, where you clearly understood the most. Most think they
read the subject line and then they understand the problem set - but
EVERYTHING they post proves that they don't understand the issue.

So I thank you for saying that you're a bit confused, as we must be talking
about different things if you're confused about the danger, which I admit
must be my mistake that I didn't explain it well.

If you read why everyone is upset with Linked-In, Reddit, and TikTok, and
if you read the developers' statements that they will _remove_ the
clipboard reading, the problem is clearly stated in those references
(previously provided, but here's just one more to read to get the idea):
o *Apple iOS 14 Alerts Reveal Reddit App Is Reading User Clipboard Data*
https://www.forbes.com/sites/daveywinder/2020/07/05/reddit-latest-to-get-caught-by-apple-ios-14-clipboard-data-copying-alerts-iphone-privacy/

*The _simplest_ clarification I can give is that apps that have no*
*business in reading the clipboard, are constantly reading the clipboard.*

It's far worse than that, of course, but that's the gist of the problem
set.

The only reason Reddit, Linked-In, and TikTok (among others) are removing
the code is that they got caught.

The only reason they got caught (at least recently), was that iOS 14 beta
now tells the user whenever an app is reading their clipboard without their
knowledge, nor consent.

This thread was just to ask about this same problem set on Linux.

Why do you put your password on you clipboard ? There is better ways
than that. Either you know your password or you put it in a serious
password manager. Putting your password in your clipboard is bad.

Hmmmmmmmm.... people do a lot of things that you and I might not do. On
Apple, for example, you can copy something on your Mac, which will show up
in the clipboard of your iPhone (apparently), which then the malicious apps
can vacuum up.

People cut and paste a _lot_ of things, where I think anyone who focuses
_just_ on passwords misses the point.

It's sort of like having a miscreant kid in the neighborhood who steals
people's packages left on their doorstep, one of which might be, oh, say,
electronics, and then asking why people allow electronics packages on their
doorstep.

The "password" part is just one kind of "package" that the miscreant
steals, where anyone who asks "why do people allow electronics packages to
be left on their doorstep" is missing the point, IMHO.

The point is that the miscreant is stealing the packages.

From what I see it's more far behind. And for the restriction, it's as I
said. You don't grant it the right at each need, which would be very
difficult.

Usenet is a flat text-only communication so I think we agree for the most
part, where I think it goes this way in terms of sophistication:
1. iOS 14 beta seems to be best for notifying users & allowing control.
2. Android 10 seems to be ok for allowing control and inadequate for
notifying users.
3. Android 6 to 9 seems to be barely adequate for allowing control &
totally inadequate for notifying users
4. Linux/Windows seem to be stuck in the Stone Age in terms of notifying
users and allowing control.

The argument most posted, so far, for _why_ Linux doesn't do what the
latest iOS and Android do, is that Linux apps are never malicious, which,
if true, is good enough for me.

As the Spartans would say to "If Linux doesn't need it...", my reply is:
o If

I don't know how Android and iOS are managing their clipboards, but
unless I have not the same definition, only what you copy must be
available in it. If the clipboard grant to access to anything else, it's
bad, and I understand your concern. But in this case, their philosophy
is garbage and they lack far behind Linux.

Again, I think we're just talking about different aspects of the clipboard.

Think about it in terms of a kid stealing packages left on people's
doorstep, who shouldn't be stealing those packages.

On Linux, in this thread, most people said there are no kids stealing those
packages, so you don't need anything to tell you that it's happening.

OK.

But on iOS, we _clearly_ know there _are_ kids stealing those packages
(e.g., Reddit, LinkedIn, TikTok, and about 50 others, to date).

And on Android, we clearly know that in Android 10, you have to explicitly
allow that kid to take that package off your doorstep.

Notice the problem is not that the package is on the doorstep (i.e., it's
not what you pasted into the clipboard or why you did it); the problem is
that the miscreant kid is stealing those packages off your doorstep, when
he has no right to do so.

These miscreant apps are reading your clipboard when they have no rational
reason to do so (and they _all_ admit it, although they try to explain it
away as a "bug").

The important point is that all apps caught to date stealing these packages
from your doorstep have instantly vowed to remove the miscreant code.

That tells you everything you need to know, right there. (IMHO)

The important thing is anyone who wants to can.

Trust me Stephane, I _know_ all the platitudes on Open Source.

What irks me is when someone seriously suggests, in effect, _everyone_ who
cares about privacy must read all the open source code of all the open
source apps on their system.

It's just a ridiculous suggestion and as such, is patently unhelpful.

Most of the comments in this thread just wasted everyone's time, e.g., how
many freaking people claimed any app "can" read our clipboard? What the
heck did they think they were telling us? I can see someone mentioning it
once, but jesus christ, do you know how many times they said it?

45% of the posts in this thread were that kind of utter garbage, and 45% of
the posts from me were responding to that utter garbage.

It's utter garbage what was suggested (to read the source code).
o It just is.

Your point of view that people who know how to look for such things "can"
(and probably should and likely do) look at the source code is fine.

However, it's something we all knew decades ago, so it only needs to be
stated once and we can move on instead of rehashing it over and over and
over and over (and over) again.

You don't have to rely
on someone you don't trust. You can trust who you want and if you trust
nobody you can check by yourself.

We do not need to rehash this.
o We all knew this decades ago.

It adds no value after the first time it's mentioned.
o Nobody disagrees.

It only has merit when/if someone claims _because_ it's open source, there
is no malicious (or accidental) code that reads the clipboard that doesn't
need to read the clipboard.

That's essentially what has been claimed by Peter, for example.
o Because it's open source, it's looked at, and no malicious code exists.

Even if you trust someone, you can
check by yourself. On Linux, you have the developer who do what he want,
and then you have the package maintainers. So, you have people who knows
their jobs to take care of it.

Understood. We do not need to rehash this over and over (and over) again.
o Because it's linux, if it's looked at, malicious code doesn't exist.

If

Yes, but you seam overtly concerned about it.

Heh heh heh... I'm not in the _least_ worried about it.

Just like I'm not in the least worried that at the 2018 Battle of Khasham,
something like 200 or so of 500 Russian "soldiers" were massacred by we
Americans because they tried a simple "Banzai style" attack against 30
Americans who didn't need to fire a shot in response...

That simply happened.
o It doesn't worry me.

But I'm extremely _interested_ in _how_ that could possibly have happened,
where, Putin claimed that they were not Russian soldiers (despite lots of
now-childless Russian mothers & bereft Russian wives wailing in the weeks
afterward).

Notice it's the same type of "excuse" Putin is providing (i.e., Wagner is a
group of completely private mercenaries whom he has no control over) as
LinkedIn, Reddit, and TikTok provided (i.e., they claimed they were simply
bugs).

In both cases, adults know exactly what is going on.
o In both cases, I'm _interested_ in knowing what is going on.

But I'm not worried about it in either case.

It's the same with Macron & Putin in Libya just this week.
o I'm not at all worried that Libya is split into three factions, where
Macron supports one of the three, while Putin another, and Turkey yet the
third (greatly oversimplified).

Hence, what Macron claims about Putin is true, but what Macron claims about
what he's doing, is bull****...

Just as what Putin claims about Macron is true, but what Putin claims about
what he's doing, is bull****... (he's claiming the PMC did it, for example,
not him).

Notice I'm _interested_ but I'm not in the least concerned.
o All I want to know is what is really going on.

What is really going on isn't going to be resolved by platitudes.
o This thread is, unfortunately, 95% platitudes and 5% progress on
understanding the problems set.

For me, in the clipboard,
you put only information you choose. If have put a keylogger, you have
every information you type on your keyboard for example. If you cant do
anything better, it's good for a spy to access your clipboard, but it
should be his last ressort.

That's not the problem.

The problem is akin to a miscreant kid in the neighborhood stealing
packages that people feel should be left alone on their doorstep.

If they were shipping enriched uranium, like that which was made at the
Natanz Nuclear Fuel Enrichment Facility that, just this weekend
mysteriously blew up (heh heh heh), they wouldn't be putting it on their
doorstep.

What we're talking about has nothing, per se, to do with passwords or
keyloggers at all. The Israelis are likely the "keylogger" here, who were
rather clever at planting a bomb _inside_ the super secure facility, and
they widely emailed journalists with well-prepared videos of their action
just moments (mere minutes) after it happened (at 2am Iranian time).

That's a keylogger you should be concerned about if you're an Iraqi bent on
nefarious nuclear hegemony.

All we're talking about here is simply that a miscreant kid in the
neighborhood is stealing, for no good reason, packages casually left on
people's doorsteps.

The point is that people have a right to have packages casually left on
their doorstep that they don't need to worry about a miscreant kid stealing
them.

So please understand that we're talking not about nuclear fuel (i.e.,
passwords) so much as ladies and men's underwear left on the doorstep,
where the point is that app developers have no business reading this
information when they have no business reading it.

The fact that miscreant kids were stealing the packages is the problem,
where now we know they're doing it (on iOS anyway), and their parents
immediately said they will have their miscreant kids stop it.

Same with the app developers (who are akin to the miscreant kid).


In summary, most people feel it's only a problem on iOS and Android, and
not, necessarily, on Linux,

If I know what a clipboard is, I agree with them.

I understand your agreement, where my only reply is... "if".

where, if that's indeed the case, the good news is that clearly both
iOS and Android are doing something about the problem.

If their clipboards aren't limited to the copy information, I'd say,
they really should improve faster.

No. Their clipboards _are_ copy information.

The clipboard is analogous to the "doorstep" where packages are left.

It's good when people are aware that miscreant kids are stealing their
packages which are habitually casually left on their doorstep.

When the parents of the miscreant kids are publicly outed, as Reddit,
LinkedIn and TikTok were, those parents put a stop to it immediately.

My initial question was why wasn't this needed on Linux.
o The (simplified) answer was there are no miscreants coding on Linux.

I understand that point of view, where my key response is... "if".
--
It's a pleasure discussing a topic with someone who can understand it.

Update (based on threads posted today)...

This thread was posted by someone today of what we've discussed prior:
o *TikTok and 32 other iOS apps still snoop your sensitive clipboard data*
https://groups.google.com/forum/#!topic/comp.mobile.android/6YRFPNiRTo0

My global response, which ties the operating systems together, is below.

On Sat, 11 Jul 2020 21:57:29 -0000 (UTC), CrawdaddinCrawdad wrote:

On background, a spokesperson said that TikTok
for Android never implemented the anti-spam feature.

This has been reported & discussed in detail on each of these newsgroups.
o Interestingly, the same topic was considered different by each newsgroup!

iOS:
o *Even more iOS apps caught snooping clipboard contents ...*
https://groups.google.com/forum/#!topic/misc.phone.mobile.iphone/IHVirXnbJF0

Android:
o *What common specific Android apps are known to access the clipboard upon mere invocation & without your permission?*
https://groups.google.com/forum/#!topic/comp.mobile.android/hdNb3BeYm44

Windows:
o *Do any Windows freeware apps habitually access the private contents of the clipboard upon mere invocation of the app?*
https://groups.google.com/forum/#!topic/alt.comp.freeware/AI5SiPSGyaE

Linux:
o *What common specific Linux apps are known to access the clipboard upon mere invocation & without your permission?*
https://groups.google.com/forum/#!topic/alt.os.linux/VmByXYAaJts

For some reasons, it's only considered a big problem, on iOS.
o I'm not quite sure why, but you can read the threads for the detail.

Similar iOS Discussions:
o *Reddit caught red handed by iOS 14 copying the clipboard contents on iOS devices*
https://groups.google.com/forum/#!topic/misc.phone.mobile.iphone/-gvgKjTALvI

o *iOS 14: TikTok seems to have been caught abusing the clipboard in a quite extraordinary way.*
https://groups.google.com/forum/#!topic/misc.phone.mobile.iphone/dRKgQG8jGo8

o *iOS 14 - Linked-In app caught reading the user's clipboard in background (including from other sources)*
https://groups.google.com/forum/#!topic/misc.phone.mobile.iphone/2VZ5a3QsvBc

For whatever reason, the Android folks aren't as worried, where Android has
had the ability, since Android 6, to view & remove clipboard access on an
app-by-app basis:
o *Freeware "App Inspector" by Ubqsoft [free, no ads, GSF independent] lists installed apps & their "secret" permissions [apparently]*
https://groups.google.com/forum/#!topic/comp.mobile.android/3MEPsDCDCSs

And, where, in Android 10, you can set that clipboard access more easily:
o *Those on Android 10... is it worth upgrading from 9 to 10? What are the pitfalls you've experienced & the benefits?*
https://groups.google.com/forum/#!topic/comp.mobile.android/X65cMyzAn-g

In summary, note that each operating systems apparently handles this
clipboard access privacy/security hole quite differently:

A. iOS 14 tells you when it's happening & allows you to block it.
B. Android 6+ can block it; but doesn't tell you when it's happening.
C. Windows, as far as I can tell, has no protections or notification.
D. Linux is completely different - they claim no apps are malicious.

Go figure.
o If you don't believe (or understand) my summary, click on the threads.
--
Each operating system group considers the same problem differently.

UPDATE:

Dateline less than a week ago...

"Laptops running Windows 10 or macOS operate a little differently.
Many apps you install can still access the clipboard whenever they want,
unfortunately, that part is still the same. However, both desktop
operating systems also offer some kind of cloud clipboard feature.

"How-To Geek offers a great rundown on clipboard access"
o *PSA: All Apps Can Read Your iPhone and Android Clipboard*
https://www.howtogeek.com/680147/psa-all-apps-can-read-your-iphone-and-android-clipboard/

"Apple offers a cloud clipboard feature that enables users to copy and
paste across iOS, iPadOS and Mac devices. Apps snooping on the clipboard
can get data from your laptop or tablet too."

"When iOS 14 officially arrives later this year, it will allow apps to
query the clipboard without seeing its data. ... [Browser] apps can use
the new API to ask iOS what's in the clipboard. iOS can then tell the
browser whether it has a URL, text, a picture, or something else.
Plus, the software can do this without revealing what's in the
clipboard. If iOS says a URL is available, the browser can paste it from
the clipboard, triggering the notification and letting the user know
what transpired. If there isn't a URL, the app doesn't access the
clipboard data, the user's information remains secure and iOS doesn't
notify the user."

This article from last week outlines a nice history of how iOS progressed
to capture scores of malware apps (many from well known respected authors)
which accessed the users' clipboard when they had no business doing so:

o *Copy, paste catastrophe: how Apple's iOS 14 disrupted clipboard espionage*
https://mobilesyrup.com/2020/07/23/ios-14-clipboard-apps-snooping/

"In February 2020, German-based developer Tommy Mysk and Toronto-based
developer Talal Haj Bakry shared a blog post explaining how iOS and
iPadOS apps have unrestricted access to the clipboard. The duo
highlighted how this access could lead to security vulnerabilities,
such as exposing users' precise location."

o *Precise Location Information Leaking Through System Pasteboard*
https://www.mysk.blog/2020/02/24/precise-location-information-leaking-through-system-pasteboard/

"Mysk submitted the details to Apple in January, but the company told the
developers it didn't see an issue with the vulnerability. However, with
the release of iOS 14 betas to developers and later the public,
it became clear that Apple did see a problem with clipboard access.

o *iOS 14 will notify users when apps access the clipboard*
https://mobilesyrup.com/2020/06/24/ios-14-new-clipboard-api-notification/

"Apple's latest mobile operating system ushered in two significant
changes for the clipboard; a notification to tell users when apps
accessed clipboard data and a new API that makes the clipboard more
secure."

"Since late June, people have caught over 50 apps abusing clipboard
access."

o *Security researcher finds 53 more iOS apps reading users' clipboard data*
https://mobilesyrup.com/2020/06/28/security-researcher-finds-53-more-ios-apps-reading-users-clipboard-data/
"The apps include Fruit Ninja, the New York Times, PUBG Mobile and Viber"

The article goes on to include Android...

"What about Android users? After reading all this, you may wonder if the
clipboard on your Android phone or Windows PC is safe."

"How-To Geek offers a great rundown on clipboard access"
o *PSA: All Apps Can Read Your iPhone and Android Clipboard*
https://www.howtogeek.com/680147/psa-all-apps-can-read-your-iphone-and-android-clipboard/

"Starting with Android 10, apps need permission to access the clipboard
in the background. Still, while restricting background access to the
clipboard is good, it's no more than what iOS 13 does. Hopefully, Google
follows Apple and implements a similar system to iOS 14 on Android."

"Laptops running Windows 10 or macOS operate a little differently.
Many apps you install can still access the clipboard whenever they want,
unfortunately, that part is still the same. However, both desktop
operating systems also offer some kind of cloud clipboard feature.

macOS has Universal Clipboard, which shares copied data across macOS,
iOS and iPadOS. That means anything you copy will pass through Apple's
servers."

"Windows 10 has a Clipboard history setting that saves a record of
everything you copy and paste. You can access this by tapping Windows+V.

Windows 10 will sync your clipboard history across devices as well if
you enable that setting.

The one saving grace here is websites. Web apps can't automatically
access your clipboard. Users have to paste content manually for a
website to access it."

"Apps that access the clipboard without user consent"
o Firefox
o Google Chrome
o Discord
o Fox News
o The New York Times
o Wall Street Journal
o Bejeweled
o Fruit Ninja
o PUBG Mobile
o Viber
o Weibo
o Zoosk
o AccuWeather
o DAZN
o Overstock
o CBC News
o CBS News
o ABC News
o Al Jazeera English
o CNBC
o News Break
o NPR
o Reuters
o ntv Nachrichten
o Russia Today
o Stern Nachrichten
o Huffington Post
o The Economist
o Vice News
o 8 Ball Pool
o Amaze
o ToTalk
o Tok
o Truecaller
o Block Puzzle
o Classic Bejeweled
o Class Bejeweled HD
o Watermarbling
o Total Party Kill
o Tomb of the Mask
o Tomb of the Mask: Color
o FlipTheGun
o Golfmasters
o Letter Soup
o Love Nikki
o My Emma
o Plants vs. Zombies Heroes
o Pooking
o 10% Happier: Meditation
o AliExpress Shopping App
o Bed Bath
o Hotels.com
o 5-0 Radio Police Scanner
o Hotel Tonight
o Pigment
o Recolor Coloring Book to Color
o Sky Ticket
o Microsoft Teams
o Call of Duty Mobile
o Google News
o McDonald's
o Starbucks
o Wendy's
--
Apps that have no business snooping on your clipboard, shouldn't do it.