Photo by Pathum Danthanarayana on Unsplash
Android apps are reading your clipboard – here's how you can stop them
You've probably already seen the scary alert (that's possibly why you're here), but in case you haven't, it looks something like this:
NewAppIJustDownloaded pasted from your clipboard
Sometimes it happens during a flow where it's possibly convenient and expected (e.g. you just copied a multi-factor auth code and it would be convenient if the app pasted it for you), and other times, it's when you open the app for the first time and it absolutely is not necessary.
Why am I seeing this warning?
You're seeing this warning because you're on Android version 13 or higher, and because "Show clipboard access" is enabled in your privacy settings. This privacy alert is enabled by default.
In the below screenshot, you can see where this setting can be toggled off if you'd rather not know about every time an app accesses your clipboard (not recommended, I like to leave it on):
It's important to note that this doesn't mean that prior to Android 13 apps couldn't read our clipboard, it just means they did it without us knowing about it.
Disabling clipboard read permissions
Currently, there doesn't appear to be a way to disable clipboard access via the Android Privacy settings as a regular Android user. I would love to be wrong about this, so if it is actually possible, please let me know in the comments.
You can, however, do it by remotely executing scripts via ADB shell, but this requires downloading the Android platform tools so you can have access to the adb
executable. It also requires you to enable USB debugging on your Android device so you can access your device with these tools. I'm going to go over this here.
Installing the tools and preparing your device
Before you can disable apps from accessing your keyboard, you'll need to download the right tools and configure the device:
Install the Android platform tools
Enable USB debugging on your Android device
Execute the command
adb devices
in your terminal to make sure ADB can connect to your device
If you can run the following script:
adb devices
And you see something like this:
$ adb devices
List of devices attached
ABC123XYZ456 device
You're ready to proceed.
If there is an error executing the adb
command, it's likely you don't have the tool installed, or it's not on your path (i.e. your command prompt doesn't know where to find it). If you see an error like this, this is the case:
command not found: adb
You'll need to install the Android platform tools somewhere accessible in your path.
If, however, you don't see that error and the list is empty, it's possible you haven't enabled USB debugging on your device. Here's some example output for that:
$ adb devices
List of devices attached
You'll need to enable USB debugging on your Android device.
Seeing which apps have clipboard read access
Once you've got the Android platform tools installed and you can run adb
and see your device, you should be able to proceed.
Run the following script to see which apps have access to read your clipboard data:
#!/bin/bash
echo "";
echo " 👁️🗨️ The following apps have access to read your clipboard data";
echo "";
adb shell cmd appops query-op --user 0 READ_CLIPBOARD allowThen, run the following command to see which apps have this permission:
You should see a list of package names that looks something like this:
👁️🗨️ The following apps have access to read your clipboard data
com.google.android.as
com.google.android.apps.messaging
com.google.android.dialer
com.android.chrome
com.google.android.calendar
com.google.android.inputmethod.latin
com.google.android.gm
com.android.systemui
In the above snippet I've only listed some packages, but your list should be much more comprehensive and include apps you've downloaded. In that list, you should see the offending app.
If you don't know an app package name, just Google "app com.whatever.package.name
" and see what comes up—one of the first hits should be the Google Play Store listing. Alternatively you could install this app I built called AboutApps that shows you all your installed apps, allowing you to search by package name (you’ll need to build it yourself). Here’s a screenshot of the app’s UI:
Are all these apps reading my clipboard?
Short answer: probably not. If you haven't seen the alert that says that they are, then we should be able to trust that they aren't since Android would tell us when they do. So why are they showing up in this list? It's likely that they are writing to the clipboard.
On my device, there are a lot of apps listed here, including apps I've developed that I know first hand that don't read the clipboard. Apps appear to be listed even if they just write to your clipboard.
For example, one app I developed called Canned Replies (package name com.tinaciousdesign.cannedreplies
) is a productivity tool that allows you to quickly copy messages so you can paste them wherever you need them. You enter your frequently-sent messages (canned replies) in the app, and you tap one when you're ready to send it. It gets copied to your clipboard when you tap it. In order to allow you to quickly paste it somewhere else, I need to copy it first. The app only writes to your clipboard but is still listed in this list as an app that reads your clipboard. You can safely revoke the app's access to reading your clipboard data (explained below) and it will still function since it does not read your clipboard data.
I suspect that accessing the ClipboardManager class or querying for context.getSystemService("clipboard")
is enough to have it show up in this list. This is the relevant code that is making Canned Replies show up in the list:
fun copyText(text: String?, clipboardKey: String, context: Context) {
val clipboardManager = context.getSystemService(Context.CLIPBOARD_SERVICE) as ClipboardManager
val clipData = ClipData.newPlainText(clipboardKey, text)
clipboardManager.setPrimaryClip(clipData)
}
Many apps need to query this service in order to copy data to your clipboard, which can happen when apps enable common functionality like the ability to copy content to your clipboard so you can share it more easily.
If an app is listed and they haven't been doing anything creepy, it's probably safe to ignore it. Alternatively, you can revoke its permissions (see below) and it should continue to behave as expected, which is the case with Canned Replies.
With Android 13+'s new clipboard read alerts as described here, you should be aware of which apps are accessing the clipboard anyway. If you're on Android 10+ you should be able to trust that apps will only be able to try to read your clipboard while they're foregrounded according to the privacy changes in Android 10 -> Limited access to clipboard data.
Revoking clipboard read access from an app manually
You can prevent one of the apps listed from accessing the clipboard by running the following command against the package. Let's say we want to prevent the Shopify Shop app from accessing our clipboard data, which is an app, from my experience, that reads your clipboard on startup, we can do so by running the following command:
adb shell cmd appops set com.shopify.arrive READ_CLIPBOARD ignore
We can also do that for LinkedIn (another app I've experienced this from):
adb shell cmd appops set com.linkedin.android READ_CLIPBOARD ignore
And TikTok (allegedly, according to people on the internet that are not myself as I have not installed this app to test it):
adb shell cmd appops set com.zhiliaoapp.musically READ_CLIPBOARD ignore
Revoking clipboard read access from an app with a script
If manually revoking packages one by one sounds tedious, you can do so with the following script, which prompts you to paste a list of app packages as input. When you’re done, press Ctrl+D to let it proceed.
#!/bin/bash
echo "";
echo ' 🤷🏻♀️ Clipboard permissions before script:'
echo "";
adb shell cmd appops query-op --user 0 READ_CLIPBOARD allow
echo "";
echo ' 💥 Paste a list of package names you would like to remove clipboard read permissions for and press Ctrl+D when done:'
echo "";
TARGET_APPS=()
while IFS= read -r line
do
# Add each non-empty line to TARGET_APPS array
[[ -n "$line" ]] && TARGET_APPS+=("$line")
done
for target_app in "${TARGET_APPS[@]}"
do
echo "";
echo "⏳ Attempting to remove READ_CLIPBOARD permissions from app: $target_app"
adb shell cmd appops set $target_app READ_CLIPBOARD ignore
done
echo "";
echo ' ✅ Clipboard permissions after script:'
echo "";
adb shell cmd appops query-op --user 0 READ_CLIPBOARD allow
This produces the following output:
./clipboard_permissions_deny.sh
🤷🏻♀️ Clipboard permissions before script:
# ...
💥 Paste a list of package names you would like to remove clipboard read permissions for and press Ctrl+D when done:
com.shopify.arrive
com.linkedin.android
^D
⏳ Attempting to remove READ_CLIPBOARD permissions from app: com.shopify.arrive
⏳ Attempting to remove READ_CLIPBOARD permissions from app: com.linkedin.android
✅ Clipboard permissions after script:
# ...
What you can do as an Android developer
Are you developing for Android, and is your Android app currently warning users that it's reading their clipboard data? Are you using any libraries? If so, do you know if any of these libraries need to read the clipboard for their functionality? If so, one way you can avoid scaring your users is by warning them ahead of time before you attempt to access the clipboard data with getPrimaryClip(). If you don't know of any libraries you're using that require this functionality, it would be a good idea to look into why it's happening so that you don't lose the trust of your privacy-conscious users.
Get these scripts
You can get these scripts and any other Android-related privacy scripts I decide to add from this Github repository.
The Github repository will have up-to-date scripts while these ones inlined in the article might become out of date.
You can clone the project and run the scripts from the project’s directory.
git clone https://github.com/tinacious/android-privacy-scripts.git