• General
  • Is clipboard editor a threat for security?

Android 13 introduced a feature called Clipboard Editor. When you copy text to the clipboard, a popup appears:
https://i.imgur.com/kuKoJDy.png

This means that when you copy passwords or PIN codes from the password manager, the popup appears and discloses the clipboard contents. I found no way to disable the feature. Is there a solution for this?

Edit: fixed the attached image link

Excellent point!
However, using the system clipboard is fundamentally unsecure for things like passwords.

I was mainly worried about someone looking over the shoulder and seeing short passwords like 4-digit PIN codes.
It is true that the system clipboard is not that secure. When I copy an important password I often clear the clipboard by copying some random text on the screen to overwrite the clipboard. I don't know if there's a better way.

3 months later

Sometimes there is no choice. There should be an option to disable the clipboard preview pop-up.

Apps themselves can make it so when you copy something from them, the content in that pop-up is not shown, not something that should be handled by the OS imo.

    matchboxbananasynergy

    There should be an option to turn it off. Neither the app, nor the OS, can really know if it's sensitive content. Especially if it's mixed content.

    Relying on apps to mask what the OS is forcing onto the screen, is not a good security practice.
    Some apps may do it, like Yubico Auth... but andOTP is a very popular app that does not mask.

    In my opinion, it's not a feature I would need anyway. If I want to see the clipboard contents, the keyboard app should do it, not a System Level program that I can't disable like SystemUI (13).

      adb shell appops set com.android.systemui READ_CLIPBOARD ignore

      I hate to use ADB because it's so adamantly recommended against but no other choice.

        Graphite This is something that exists across the board in Android 13, and app developers are aware of it. If their apps deal with sensitive content, they should censor that content; they have the ability to do so.

        The thing with removing functionality like it is that some people will like it, some people won't.

        Hell, people made a ruckus over a clock font and wanted the change reverted. When it was reverted, people started complaining that the new one was better the whole time. You can't win.

        Graphite I hate to use ADB because it's so adamantly recommended against but no other choice.

        If that works for you and you absolutely must not have that UI on your device, feel free to use it, but as you're aware we don't recommend it, or endorse that others do this.

          matchboxbananasynergy

          I understand. It's a personal choice.

          I do like it when apps can know what and when they are moving sensitive content to mask it for Android 13. But I don't like relying on the app devs for this. It happens a lot, Google makes a change that breaks something or exposes something and app devs have to work extra to keep up, or just say that their app doesn't support 13 yet.
          For this clipboard thing though... only password managers and OTP auth apps can every really be certain. But there are other situations where sensitive content is mixed and the app isn't ONLY for codes/passwords.

          matchboxbananasynergy people made a ruckus over a clock font and wanted the change reverted

          Yeah, that's why I say to make it an "option" to disable. What GrapheneOS has done with the Android Connectivity Checks is a perfect example. I used to have to use a similar secure settings change to edit that system config value so it wouldn't call back to gstatic. I understood that I was just being a privacy nerd and willing to use ADB or whatever. Most users don't care.
          But GrapheneOS did it. Made it an option to disable connectivity checks. :) It was one of the top reasons I switched to GOS.