Clipboard Harvesting
Description
Reading clipboard contents without user expectation can expose passwords, OTPs, or sensitive text copied from other apps. Background harvesting or sending clipboard data to analytics violates privacy principles.
Examples
Detect Clipboard Access (Android)
rg -n "ClipboardManager|getPrimaryClip|setPrimaryClip" src out
Hook Clipboard Reads
frida -U -f com.example.app -l - --no-pause <<'JS'
Java.perform(function () {
    var CM = Java.use('android.content.ClipboardManager');
    // Log every clipboard read made by the app, then call the original method.
    CM.getPrimaryClip.implementation = function () {
        console.log('Clipboard read by app');
        return this.getPrimaryClip.apply(this, arguments);
    };
});
JS
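The rg search above lists every clipboard API reference; the next step is to sort reads that happen in response to a user action from reads in lifecycle methods, services or receivers, and to spot clipboard data reaching a log or analytics call. The following heuristic triage pass over Java/Kotlin source or decompiler output is an added example, not part of the original checklist; the regexes, the list of user-triggered callbacks and the sample class are assumptions.

```python
import re
from typing import Dict, List

# Added example (not from the original checklist): heuristic triage of clipboard
# reads in Java/Kotlin source or decompiler output. Regexes and the callback
# list are assumptions and will need tuning for real code bases.
CLIP_READ = re.compile(r"\bgetPrimaryClip\s*\(")
SINK = re.compile(r"\b(?:Log\.[dviwe]|logEvent|track\w*)\s*\(")
METHOD_DECL = re.compile(
    r"^\s*(?:(?:public|private|protected|static|final|override|open|synchronized)\s+)*"
    r"(?:fun\s+|[\w<>\[\]?,]+\s+)(\w+)\s*\([^)]*\)\s*(?::\s*[\w<>?]+)?\s*\{\s*$"
)
# Callbacks that run in direct response to a user gesture (assumed list).
USER_TRIGGERED = {"onClick", "onLongClick", "onMenuItemClick", "onOptionsItemSelected"}


def triage(source: str) -> List[Dict[str, object]]:
    """Return one finding per suspicious line: kind, line number, enclosing method."""
    findings: List[Dict[str, object]] = []
    method, method_depth, depth = None, 0, 0
    for lineno, line in enumerate(source.splitlines(), 1):
        decl = METHOD_DECL.match(line)
        if decl:
            method, method_depth = decl.group(1), depth
        if CLIP_READ.search(line):
            kind = "expected_user_read" if method in USER_TRIGGERED else "background_read"
            findings.append({"kind": kind, "line": lineno, "method": method})
        if SINK.search(line) and "clip" in line.lower():
            findings.append({"kind": "clipboard_to_sink", "line": lineno, "method": method})
        depth += line.count("{") - line.count("}")
        if method and depth <= method_depth:
            method = None  # the method body has closed
    return findings


# Constructed sample resembling decompiled Android code (not from any real app).
SAMPLE = """\
public class PromoActivity extends Activity {
    @Override
    protected void onResume() {
        super.onResume();
        ClipboardManager cm = (ClipboardManager) getSystemService(CLIPBOARD_SERVICE);
        ClipData clip = cm.getPrimaryClip();
        Analytics.logEvent("clip_seen", clip.getItemAt(0).getText());
    }

    public void onClick(View v) {
        ClipData clip = cm.getPrimaryClip();
        editText.setText(clip.getItemAt(0).coerceToText(this));
    }
}
"""

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f['kind']:20} line {f['line']:>3} in {f['method']}()")
```

On the sample the read in onResume and the analytics call are flagged, while the read inside onClick is reported as expected.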
Remediation
- Minimise access: only read the clipboard when explicitly triggered by the user; avoid background reads.
- Never log or transmit: treat clipboard contents as sensitive; do not send them to analytics or logs.
- Platform guidance: respect OS privacy warnings; prompt users and explain the usage when necessary.