
Reddit and LinkedIn apps also caught copying and pasting clipboard contents - DesertDweller
https://www.privateinternetaccess.com/blog/reddit-and-linkedin-apps-also-caught-copying-and-pasting-clipboard-contents/?aff=202007B
======
dang
[https://news.ycombinator.com/item?id=23716451](https://news.ycombinator.com/item?id=23716451)

Related re TikTok:

[https://news.ycombinator.com/item?id=23634138](https://news.ycombinator.com/item?id=23634138)

[https://news.ycombinator.com/item?id=23691190](https://news.ycombinator.com/item?id=23691190)

------
mulmen
I’m a stubborn person. Sometimes to a fault. It’s a blessing and a curse.

The incessant “install our app” messages on Reddit are a major turn off and
one of the reasons I use Reddit so little. There’s no reason Reddit can’t work
just fine in a browser. The only reason to encourage the app so much is if it
benefits _Reddit_. At that point our relationship becomes adversarial and
there’s no reason to continue.

Nothing here is surprising. The app was clearly user hostile and doing
something nasty, now we just know what it was doing.

~~~
thinkingkong
I still browse to [https://old.reddit.com](https://old.reddit.com)

It's actually still so much better to pinch and zoom on the old site. The new
one is super janky and totally broken on mobile. The app is just a pain to use
anyway.

~~~
dmix
And on desktop auto-redirects to old.reddit.com are a must addon:

[https://addons.mozilla.org/en-CA/firefox/addon/old-reddit-re...](https://addons.mozilla.org/en-CA/firefox/addon/old-reddit-redirect/)

[https://chrome.google.com/webstore/detail/old-reddit-redirec...](https://chrome.google.com/webstore/detail/old-reddit-redirect/dneaehbmnbhcippjikoajpoabadpodje)

~~~
jedberg
If you’re logged in to Reddit these aren’t necessary. There is an option in
the user prefs to always use old Reddit.

~~~
ljm
Even when I set that I still get redirected to the new version. I guess I've
just learned to cope with the new design and all the stuff being added into it
that make it even worse.

This whole obsession with reducing information density and making more space
for ads and huge 'cards' or pictures is pretty much a UX anti-pattern as far
as I'm concerned. It's like how 'minimalism' is considered a rich-person's
hobby because everything's spacious and clean, rather than small and cosy. Web
minimalism takes up more space to do less, while tending to cost a lot more in
terms of bandwidth used.

------
crazygringo
So since this is so pervasive... curious if anyone has actual facts as to
whether this is:

1) A common UX pattern to detect relevant clipboard links in the app (e.g.
open a reddit link automatically) -- many apps do this type of thing (e.g.
Photoshop will use the dimensions of a clipboard image when creating a new
image), but nobody's pointed out specific such functionality in LinkedIn (or
reddit)

2) A third-party library (analytics, advertising) which does this
automatically, which the app developers (LinkedIn, Reddit, etc.) weren't even
aware of. If so, why though -- is there some particular analytics, tracking or
fingerprinting reason? I'm having a hard time thinking of any particularly
good one

3) Something else, like a common text editor library that checks the clipboard
by default for some legitimate reason like preparing for formatting, images,
etc., that is maybe just lazily coded (checking clipboard on every keystroke,
rather than just a paste command)

I'm just curious if anyone has _facts_. Because there's a world of difference
between good intent, questionable intent, bad intent, and lazy intent.

~~~
blondin
#3 for linkedin. in fact they applied a quick fix that you can check yourself
here:
[https://github.com/linkedin/Hakawai/commit/c3f89585c097863c2...](https://github.com/linkedin/Hakawai/commit/c3f89585c097863c2017beb2a1774df21ad42da4)

also looking at what they were trying to do in the first place -- check if
contents was pasted... and whether the text would be autocorrected?! -- it all
looks to me like apple has a bad, or not well understood, clipboard API.

apple needs to set guidelines around the clipboard API.
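
An added illustration of the pattern discussed in this subthread (not code from the thread or from Hakawai): a text view delegate that infers a paste by comparing each edit with the pasteboard, next to one that relies on the `paste(_:)` action and never reads the pasteboard itself. All class names are hypothetical, and the second variant assumes UIKit calls the delegate while `super.paste` is running.

```swift
import UIKit

// Hypothetical names throughout; illustrative only.

// Pattern under discussion: infer "was this pasted?" by comparing each edit
// with the pasteboard. Reading `.string` on every change is an app-initiated
// clipboard read, even though nothing is stored or sent.
final class PollingDelegate: NSObject, UITextViewDelegate {
    private(set) var lastEditWasPaste = false

    func textView(_ textView: UITextView,
                  shouldChangeTextIn range: NSRange,
                  replacementText text: String) -> Bool {
        lastEditWasPaste = !text.isEmpty && text == UIPasteboard.general.string
        return true
    }
}

// Alternative: the system calls paste(_:) only when the user chooses Paste,
// so the view can flag the edit without the app reading the pasteboard.
final class PasteAwareTextView: UITextView {
    private(set) var pasteInProgress = false

    override func paste(_ sender: Any?) {
        pasteInProgress = true
        defer { pasteInProgress = false }
        super.paste(sender)   // UIKit performs the insertion
    }
}

final class EventDelegate: NSObject, UITextViewDelegate {
    private(set) var lastEditWasPaste = false

    func textView(_ textView: UITextView,
                  shouldChangeTextIn range: NSRange,
                  replacementText text: String) -> Bool {
        // Assumption: the delegate is consulted synchronously during super.paste.
        lastEditWasPaste = (textView as? PasteAwareTextView)?.pasteInProgress ?? false
        return true
    }
}
```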

------
aboringusername
Stop using apps.

Seriously. Stop.

Apps allow far deeper and richer access to various data structures than what
should be allowed; this has been proven time and again since mobile OS
existed, I think both Apple and Google are to blame for ever allowing
developers to freely access whatever they wanted, whenever they wanted, to
upload it to any server, without any transparency or oversight (and that's a
huge problem on Android, still).

If you can, use the browser (the new Firefox for Android is quite good), which
at least limits your exposure to these third parties accessing information
they should not.

old.reddit works okay in the browser, I am not so sure about LinkedIn as I
don't use it. These days I just rely on using TOR for things like email,
Protonmail has a .onion address which is a nice bonus.

I carry very few apps on my device, and I make an effort to exclusively use
those found on f-droid, open source, not many permissions.

It's the biggest perk of Android; you can use any store you like, and most
APKs install absolutely fine. Disable Play Services and various other tweaks
and you're okay.

~~~
bathtub365
It's really sad that the Web, full of terrible JavaScript and tracking, is
being pitched as the safer alternative to applications. Keep in mind that
unless you somehow run a version of a Web application locally, every
interaction with it is traceable. Advertising parasites have eaten the world.

~~~
rohan1024
>every action with website is traceable.

Traceable but not the kind of access an app has. Traceability can be spoofed
not the data that app is reading from your device. No website is ever going to
ask your contacts permission to proceed further while there are a tonne of apps
that won't let you use the app if you reject that permission.

For example, GPay in India needs freaking location permission. God knows what
it does with that data.

~~~
bathtub365
Websites request access to my location data constantly. They also likely have
some semblance of where I am even before they ask due to IP geolocation. If
I'm using an offline application this transaction wouldn't be happening.

My point isn't that either apps or the Web are better. It's a more fundamental
issue of software I use constantly talking to systems I don't control. It just
so happens that the Web only exists if I accept that this will happen.
Applications can exist even if I don't.

------
ihattendorf
Isn't this used to detect if you have a reddit link in your clipboard and
prompt you to open it?

Not saying they should do that (probably should be a one-time "open link from
clipboard" button instead).

~~~
renewiltord
Feels like perhaps some sort of intent-based subscription would be good. I
quite like the feature of prompting for clipboard stuff since copy and paste
is awful on iOS.

------
hakcermani
It's great that Apple has finally put this permission / reporting in place with
iOS14. The reason it is happening is simple - it was possible to do so with
the platform with no checks. Similar to how blanket permissions for contacts
still allows apps to read all the contact info, including birthdays and notes
etc. Apple is reportedly very privacy conscious but it takes 14 iOS releases
to figure out apps are accessing your clipboard. Duh!

------
WA
How is this even legal? They could copy my passwords, credit card or whatever
and send it to places I’d never know.

~~~
robin_reala
It’s not legal assuming they do any processing of that data and you’re in the
EU. There they need to have a legal basis to do that, the most common of which
is consent. Unless you’ve given that they’re not allowed to process personal
information, and that includes info they’ve randomly grabbed that they don’t
know is personal or not.

~~~
Silhouette
It's not just an EU/GDPR issue in this case. The clipboard could contain any
data, including health information, financial records, legally privileged
discussions... Even in places like the US that have much less legal protection
for privacy and personal data, processing some sensitive classes of data is
still likely to be restricted by law.

------
Reedx
An engineer at LinkedIn says, "We've traced this to a code path that only does
an equality check between the clipboard contents and the currently typed
content in a text box. We don't store or transmit the clipboard contents."[1]

Why? What is the reason for doing that check?

1\. [https://twitter.com/eberger45/status/1278843576638570496](https://twitter.com/eberger45/status/1278843576638570496)

~~~
bencollier49
I think the suggestion is that it's an anti-spamming measure, in as much as
spambots use the paste-from-clipboard functionality.

I've no idea if that is remotely valid as an excuse.

------
jraph
All these apps could as well be using the clipboard content with good intent
(no pun intended). But who knows apart from their respective developers?

In 2020 it's still not a given that we should be allowed to review and read
shit that's running on our machines, to at least check this kind of thing.
It's okay to be surrounded with black boxes everywhere that one cannot study
if they wanted to.

It's still not considered as a disrespectful and weird practice to not provide
the source code with software being distributed. And people are not told they
should expect software to come with everything possible to inspect what it
does, so the community or they themselves can review it.

If someone is not providing the source code because they fear that something
bad will be discovered about it, or that the user will change something to
better fit their needs, well something is wrong and is working against the
user, especially if the software is gratis anyway. Providing source code could
allow users to remove ads? Right, downloading, running and looking at ads is
not something many users want to do, even if you consider that ads are
legitimate.

Give me the code already or I won't run your software because I can trust you
on doing the right things and on fully help me out, otherwise you would not
have problem providing the code.

A case could be made for paid apps: obviously, making the code available could
endanger the business model. But at the end of the day, the community and I
cannot check that the app isn't doing anything shady if it is sold without its
source code.

Would I mind if an open source app read my clipboard content? No, because I
can check that it's doing something useful for me. These useful features are
simply not available to proprietary software without the risk of feeling
creepy.

Have you noticed how we are mistrustful against our everyday apps and relying
on operating system developers to cover our asses with complicated permission
systems to compensate? This feels very wrong, doesn't it?

(permission systems would be also useful in a world where everything is open
source, though, that would be a defense against attacks. But that would not be
a defense against legitimate software!)

------
jedberg
If you're looking for a mobile optimized reddit website, so you can skip the
app, check out [https://i.reddit.com](https://i.reddit.com)

It still works.

~~~
mft_
I’ve found it breaks down surprisingly often (iPhone XR, Safari) which I can
only assume is the site’s fault. I’d assumed it was a gradual neglect (or
subtly forced attrition?) intended to push people towards the new mobile
site and/or the Reddit app. It’s bad enough that I stopped using it
altogether; for me, the new mobile site is now more usable.

------
kergonath
Sweet, other apps to add to my "never use" list.

~~~
bob1029
You may find it more expedient to maintain a "ok to use" list. The number of
apps I am willing to install on my personal android or iOS devices is
somewhere between 5 and 10. Most of them are productivity tools from vendors I
trust with my most sensitive IP.

~~~
kergonath
Yeah. The thing is, though, that whilst I was entirely unsurprised by TikTok
doing that, I would not have expected it from Microsoft. It looks a lot like a
dodgy framework that found its way across way too many applications, in which
case trusting the app's developer is probably not enough.

------
putlake
AliExpress does this too. When you are looking at a product and want to share
it, one of the share options is AliExpress code. It copies a message to your
clipboard, which is this:

To view 【US $21.83 40％ Off | 10 Pcs KN95 Face Masks Dust Respirator KN95 Mouth
Masks Adaptable Against Pollution Breathable Mask Filter (not for medical
use)】 on AliExpress with code #_qsrSbGW#, copy the whole sentence and open the
app.

------
pmontra
I started using open source apps and limited the closed source ones to
Google's (which can do what it wants with my phone anyway), WhatsApp (or I
won't be in touch with anybody), Messenger Lite (I can almost uninstall it,
it's a desert here), car sharing, banks.

------
dmix
This should result in being automatically kicked off the app stores... They do it
for other privacy violations and abusing APIs. This sounds like a good
candidate.

------
factchecker01
Is this a problem with Apple clipboard as we see so many apps this is happening
with?

~~~
CamJN
No, the reason these articles keep popping up recently is that iOS added a
visible notification that it was happening. Both android and iOS apps have
done this for ages:
[https://www.howtogeek.com/680147/psa-all-apps-can-read-your-...](https://www.howtogeek.com/680147/psa-all-apps-can-read-your-iphone-and-android-clipboard/)

------
buboard
Most apps are being installed for access to notifications. Apple is
incentivizing this behavior by refusing to implement browser notifs. The sad
state of the web in 2020 is only matched by the irony of these companies being
more profitable than ever.

------
ddevault
Google and Apple have _massively_ dropped the ball with their app stores,
especially Google. They're straight-up malware distributors, plain and simple.
They need to rein in this crap to achieve even a modicum of respectability.

~~~
asadlionpk
I think it's unfair to put the blame on Apple for this. It's these apps that
are finding _any_ loophole they can to track users.

~~~
ddevault
Apple tolerates a great deal of apps tracking users. Tracking users is not
against the app store's terms of use. Cell phones have been made into data
mining devices thanks entirely to Apple and Google. They _can_ stop it, and
they choose not to. The stores ought to have a much stronger focus on review
and keeping vendors in line and much less focus on wringing money and data out
of consumers. Apple spends their time strong-arming developers into adding
microtransactions and other anti-consumer features in the name of their
already astronomical bottom line.

~~~
asadlionpk
I think there needs to be a balance. Too many restrictions are also user-
hostile. The only sure way to stop all tracking is just close down the app
store and the entire 3rd party ecosystem.

------
ipnon
Uninstalled

------
lawn
If you really want to use the Reddit app, consider the Boost app instead. It
does everything so much better.

~~~
sjroot
Or Apollo if you are on iOS.

~~~
jedberg
Apollo monitors the clipboard too. For the same reason. To detect reddit
links.

------
shaggyfrog
No love for these spying apps, but pretty sure PIA should not be throwing
stones after climbing into bed with Kape. Or maybe this is part of a PR
strategy?

~~~
arshbot
It absolutely is, but they just picked up a tweet. At least you can trust
their motivations are to get back on the good side of privacy minded folks.

~~~
shaggyfrog
I can trust their motivations because... why? They want to make more money?

