Severity: low · CWE-312 · OWASP A02:2021

Clipboard Exposure

Sensitive data copied to the clipboard (passwords, tokens, card numbers) persists there indefinitely and can be read by any app.

How It Works

The system clipboard is a shared resource accessible by any app. If a user copies a password or OTP from your app, that value stays in the clipboard until replaced. Other apps can read it silently in the background on Android, and iOS warns users when apps access the clipboard.

Vulnerable Code
// BAD: sensitive data stays in clipboard indefinitely
import Clipboard from '@react-native-clipboard/clipboard';

const copyPassword = (password: string) => {
  Clipboard.setString(password); // never cleared
};
Secure Code
// GOOD: clear sensitive clipboard data after a short timeout
import Clipboard from '@react-native-clipboard/clipboard';

const copyPassword = (password: string) => {
  Clipboard.setString(password);
  setTimeout(() => Clipboard.setString(''), 30_000); // clear after 30s
};

Real-World Example

iOS 14 introduced clipboard access notifications after researchers showed that TikTok and dozens of other apps were silently reading clipboard contents every few seconds — including passwords that users had recently copied.

How to Prevent It

  • Clear sensitive clipboard contents after 30-60 seconds using setTimeout
  • Show a visible timer to users indicating when clipboard data will be cleared
  • Avoid copying passwords to clipboard at all — use direct autofill where possible
  • Never copy raw tokens, card numbers, or SSNs to clipboard
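The secure snippet above clears the clipboard unconditionally, which has two practical gaps: if the user copies something else within the 30 seconds, the timer wipes that too, and a JavaScript timer does not fire while the app is suspended or killed. The helper below is an added example written for this page (it is not code from the original page or from any library). It assumes a clipboard object with the `setString`/`getString` pair exposed by `@react-native-clipboard/clipboard`, clears the value only if the clipboard still holds the copied secret, exposes `clearNow()` so the app can also wipe on an `AppState` change to background, and returns the expiry time so a countdown can be shown. `MemoryClipboard` is a constructed stand-in so the code runs outside React Native.

```typescript
// Added example, not from the original page. ClipboardLike mirrors the subset of
// @react-native-clipboard/clipboard used here: setString(value) and getString()
// (which returns a Promise). In an app, pass the real module in place of the fake.
interface ClipboardLike {
  setString(value: string): void;
  getString(): Promise<string>;
}

// Constructed in-memory clipboard so the example runs offline.
class MemoryClipboard implements ClipboardLike {
  private value = '';
  setString(value: string): void {
    this.value = value;
  }
  getString(): Promise<string> {
    return Promise.resolve(this.value);
  }
}

interface SensitiveCopy {
  // Epoch milliseconds at which the secret is due to be cleared (for a visible timer).
  expiresAt: number;
  // Wipes the clipboard only if it still holds the secret. Resolves true if it wiped.
  clearNow(): Promise<boolean>;
  // Cancels the scheduled wipe (e.g. on unmount; call clearNow() first if needed).
  cancel(): void;
}

// Copies `secret` and schedules a wipe after `ttlMs`. `now` is injectable for testing.
function copySensitive(
  clipboard: ClipboardLike,
  secret: string,
  ttlMs: number = 30000,
  now: () => number = Date.now,
): SensitiveCopy {
  clipboard.setString(secret);
  const expiresAt = now() + ttlMs;

  const clearNow = async (): Promise<boolean> => {
    const current = await clipboard.getString();
    // Do not wipe a value the user copied after ours; only remove our own secret.
    if (current !== secret) {
      return false;
    }
    clipboard.setString('');
    return true;
  };

  // Timers do not run while the app is suspended, so the app should also call
  // clearNow() from an AppState listener when it moves to the background.
  const timer: ReturnType<typeof setTimeout> = setTimeout(() => {
    void clearNow();
  }, ttlMs);

  return { expiresAt, clearNow, cancel: () => clearTimeout(timer) };
}

// Whole seconds left before the wipe, for the on-screen countdown (never negative).
function secondsRemaining(copy: SensitiveCopy, now: () => number = Date.now): number {
  return Math.max(0, Math.ceil((copy.expiresAt - now()) / 1000));
}
```

In a component, store the returned handle in a ref, drive the countdown from `secondsRemaining`, and call `copy.clearNow()` from an `AppState` listener when the state becomes `background` so the secret is not left behind if the app is never resumed.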

Affected Technologies

React Native, iOS, Android

Data Hogo detects this vulnerability automatically.
