Android Q Will Kill Clipboard Manager Apps in the Name of Privacy

Bolstering privacy is one of the primary focuses for Google in Android Q, the latest version of its mobile operating system, and that may spell trouble for some of your favorite apps. From a report: In Android Q, Google has restricted access to clipboard data as previously rumored, which means most apps that currently aim to manage that data won't work anymore. Having an app that sits in the background and collects clipboard data can be a handy way to recall past snippets of data. However, that same mechanism could be used for malicious intent. Google's playing it safe by restricting access to clipboard data to input method editors (you might know those as keyboards). Foreground apps that have focus will also be able to access the clipboard, but background apps won't.

Re:Have other os's done this yet?

[BringsApples]

This App needs access to the following:

Add/Remove Contacts
Make & receive phone calls and texts
Storage
Wifi
Bluetooth
Multimedia
View Network State
Automatically start at boot
Read Phone State and Identity
Write Contact Data
Modify/Delete SD Card Contents
Access to Clipboard

Whoa, that last one is just too much!

Pie Broke Keepass2 Keyboard

Pie update broke Keepass2 keyboard, so I have to use the clipboard. Not cool. Now Q will break that. Nothing like breaking the security of a password manager for security reasons.

Hey, Google! How about asking THE USER for permission. "Background Clipboard Access?" Why would a have need that!?

Google's permission controls were great, when they finally got enabled. But they didn't make them granular enough up front (why does an app need permission to "make & receive phone calls" just to get to the unique device ID!?). Then, with each new update, they make them more and more restrictive, without a USER workaround.

Pretty much the new Android norm. Screw the user. We'll decide what you want, and you'll have no options. Thanks Apple...err Google.

Re:If Google took Android security seriously

[Solandri]

If Google took Android security seriously, they'd add a lot more permissions, and they'd make default permission setting "lie to the app and tell it that it has the permission it requested, and then just let it fail silently / return all zeros."

That is in fact what Android has done since Marshmallow (version 6.0, released 2015). When you install an app, it has no permissions unless the user explicitly grants them. Marshmallow had a somewhat clumsy app permission settings interface. But later versions pop up a dialog asking whether or not you want to grant a permission the first time an app tries to do something needing that permission. If you don't grant it, the OS lets the app proceed as if it has permission, and it will either fail silently and work, or return all zeros and crash. Depends on how the author coded the app.

The only major permission that's allowed by default and cannot be blocked is network access. Probably because giving the user control of that turns ad-driven apps into free apps (at least that's what happens when I deny network permission to apps on my rooted Android phone). Clipboard access is currently allowed, but apparently that's going away (TFA doesn't make clear if it's going to be prohibited entirely, or become user-selectable with Q).

Re:If Google took Android security seriously

[tepples]

Need contacts? Either get the real ones or a fake empty list. Or possibly get some edited set.

Would all apps on a given phone share the same "edited set"?

Need location? Either get the real location, or just get a static location defined by the user.

If this were to transpire, then movie streaming apps would quickly become exclusive to iOS, as streaming providers would have no way to verify that the user of an Android device is physically in a country (or a digital single market confederation) where the provider has licensed the movie.

Need the network? Either get it, or tell the app that you're offline.

"To continue using this feature, connect to the Internet. For advanced offline capability, subscribe to Offline Pack next time you're online."

Re:If Google took Android security seriously

[MightyMartian]

There's a usability issue. Even Microsoft conceals a lot of permissions from most users. The whole notion of the Windows Power User was to open it up for those who had the capability. Android does have a lot of fine-grained permissions opened up now, but they're something you are going to have to dig for, because, let's be honest here, most users would probably screw things up royally if they went around monkeying with permission settings.

Re:If Google took Android security seriously

[MightyMartian]

It's going to be pretty trivial to write an app in any operating system that can test what is capable of accessing and "nag" you. I could write a Powershell or Bash script in about five minutes that would alert a user "Hey, you need to open write access to C:\WINDOWS or /etc".

Re: If Google took Android security seriously

[jrumney]

What they are currently missing is an "always ask" permission. You can either grant it permanently or deny it permanently (you can change the permissions deep within settings, but it isn't trivial to do, and there isn't an option to ask again). Even if the app doesn't make sense to use without a permission, I might still like to know when it is using the permission, especially if it is accessing my mic, camera or location.

Re:Have other os's done this yet?

[BringsApples]

Except that it's not a joke. I'm pointing out the absurdity in the situation.

Re:Have other os's done this yet?

[thegarbz]

That last one really IS to much as now you have an app that can intercept your password manager.