Striking A Balance: Renati 13.2 Clipboard Feature Returns

The latest update of Renati 13.2 has re-enabled the Clipboard as an opt-in feature. This was one of our most highly requested features since the launch of our security and privacy focused OS, Renati. In this article, we explore the reasons behind our initial implementation of a stringent policy and our rationale for reinstating it now.

First, how does a clipboard work? When a user attempts a device specific "Ctrl-C" operation (long select and copy on Android™), the contents of what is being copied is stored in-memory. This memory store is accessible to all applications that request it (Paste operation); the method of access is determined by the version of the Android OS, more on that later.

The security flaw should be immediately apparent. If you copy sensitive data, that data is now accessible to any other application. Further, the copied information, as it is un-encrypted and in-memory can be extracted from the device via cold chip-offs, a hardware based forensic extraction method that can read contents of all data that is in memory. Here is a brief video showing how this works: Phone Data Recovery - Chip-off Recovery Method.

You may be thinking, so what is the big deal? Some application or a forensic hacker may see the contents of my clipboard. What can they possibly do with that information? Well, to answer that question, let's look at just two examples of how clipboard information has been exploited in the wild.

First, in August of 2021, an Android banking trojan called S.O.V.A was used to steal crypto assets from unsuspecting users:

The bot sets up an event listener, designed to notify the malware whenever some new data is saved in the clipboard. If the string of data is potentially a cryptocurrency wallet address, S.O.V.A. substitutes it with a valid address for the corresponding cryptocurrency. ¹

This type of threat however was mitigated as of Android 10, which introduced a security feature that prevented an app from accessing the contents of the clipboard unless it was on the foreground, or it was set as the default input method editor (IME). ²

One would think that this is sufficient security until we look at our second example. We have the case of the SHEIN app, the popular (over 100 million downloads) Chinese online retailer which was caught exfiltrating clipboard data to remote servers. It was doing it while the app was in the foreground³:

Good news however, as of Android 12, users could be notified when the clipboard is being accessed:

When an app calls getPrimaryClip() to access clip data from a different app for the first time, a toast message notifies the user of this clipboard access. ⁴

This too was not foolproof, as clipboard metadata was still accessible to all apps without a toast message:

Your app might call getPrimaryClipDescription() to receive information about the current data that's on the clipboard. When your app calls this method, the system doesn't show a toast message. ⁴

And so, in the interest of maintaining absolute security, even in the case of cold chip-offs, Renati was built to restrict access to all clipboard features.

The progressive improvements in Android clipboard security along with consistent demand for the clipboard feature, the development team went to work to see how we could bring back this feature while maintaining the same guarantee of security.

First, we made the feature opt-in; users would have to acknowledge the inherent risks associated with the use of clipboards before enabling it. Second, we limited the clipboard size to one item at a time. Even in the event of a cold-chip off, the most that an attacker would be able to garner is the last copied item on the clipboard. Moving forward we are looking to introduce an auto-delete feature to the clipboard that would add an even additional layer of security to items held in memory.

As of February 2024, we are proud to announce, we have reinstated the clipboard. All devices updated to Renati 13.2 can turn on this feature from their settings → security screen. All newly setup devices will be prompted to optinally turn on this feature as part of the setup wizard.

Renati goes the extra mile when it comes to mobile security. While we tirelessly strive to uphold the utmost privacy and safety standards for your data, this blog demonstrates the need for vigilance, even in the seemingly simple function like the clipboard. Your confidence in Renati to safeguard your information is our highest priority.

1. https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions
2. https://developer.android.com/about/versions/10/privacy/changes
3. https://thehackernews.com/2023/03/sheins-android-app-caught-transmitting.html
4. https://developer.android.com/about/versions/12/behavior-changes-all

1. https://www.microsoft.com/en-us/security/blog/2023/03/06/protecting-android-clipboard-content-from-unintended-exposure
2. https://googleprojectzero.blogspot.com/2022/11/a-very-powerful-clipboard-samsung-in-the-wild-exploit-chain.html
3. https://security.googleblog.com/2022/10/google-pixel-7-and-pixel-7-pro-next.html