And what happens when there's a vulnerability in that SDK and every app using it for "their flow" is suddenly vulnerable to attackers scraping sensitive data from the pasteboard of their users? Or what if one of the dozen other SDKs you bundle in your app includes malicious code that takes advantage of the fact you already enabled the pasteboard API for another SDK?
As a developer, I sympathize with you, but as a user, you can get bent. I appreciate that Apple makes it difficult for you to use potentially dangerous APIs with large risk surfaces, and forces you to ask me for permission to take that risk. It's why I continue to buy Apple products and will never switch to Android as long as it's owned by a user-hostile advertising company.
A vulnerability in your SDK that lets a malicious actor control when something is read from the pasteboard. Or a bug in your code that forgets to place the route on the clipboard and ends up reading the previous item from the clipboard and attempting to load it on your server (i.e. sending user clipboard data to your server). And besides, beyond the issue of risk mitigation or code security, there's also that of trust - why should I trust that you're only using clipboard access for the claimed purpose, and why should I trust you implemented and tested your code correctly?
It's addressed by Apple's permission prompt that allows me to select the "ask every time" option. You're right that it's a black box after that in terms of whether or not the app puts a new item on my clipboard and then reads it (why would it need to do that?), but at least I know that if I have something sensitive at the top of my clipboard then I can decline the prompt.
That's not to mention that my concern is fundamentally addressed by gating clipboard access behind a prompt in the first place. That is, I always have the option to decline the permission entirely.
Thanks for this thread. It's disheartening that SLSA and dependency-driven attacks aren't clear to the general development populace, but you've done a good job of explaining the threat even assuming the best of intentions (which I sure don't) out of app developers themselves.
It's a layered set of problems, and the answer is high walls.
you might be missing a key piece of my particular scenario, and it’s that the thing I’m reading from your clipboard is something I put there from my website. The only thing that’s being exposed is something akin to path variable.
The purpose of which is navigating to a particular part of the app on its first ever launch.
If universal links worked on the first install none of this theoretical discussion would be necessary.
No, I understood that this was your intention. I'm trying to explain that even if you have the best of intentions, there is a risk you introduce a bug where your website _doesn't_ put something on the clipboard, so then when your app tries to read it, it instead reads whatever unrelated data is on the top of the user's clipboard. And if your app tries to append this value to a URL, then you are effectively sending clipboard data to your server, i.e. risking worst case scenarios like user passwords showing up in your server logs.
If you can put arbitrary data on the clipboard from your website, and then read it in your app, without my interaction, that allows for a variety of potential exploits.
So you're popping the latest value from the user's clipboard, crossing your fingers and hoping that it's the value you just copied from your site (and that there are no bugs in your code or some intricacies of the user agent that caused that copy to fail), and then sending the value to your server by appending it to your URL. Surely you see the risk here?
No, I’m looking in the clipboard for a valid path in my app and routing to it found and discarding if not. All routing is local to the client app and nothing is sent to the server.
If we’re taking hundreds of thousands of clients and it works 99% of the time, then the risk of it not working in that 1% of cases is acceptable to our product team. Worst cast scenario is that it fails, the user tries again, and no clipboard is needed on the second attempt because universal links work now that app is installed.
This value in the clipboard might be something like: /path-to-experience?id=something
As a developer, I sympathize with you, but as a user, you can get bent. I appreciate that Apple makes it difficult for you to use potentially dangerous APIs with large risk surfaces, and forces you to ask me for permission to take that risk. It's why I continue to buy Apple products and will never switch to Android as long as it's owned by a user-hostile advertising company.