Skip to content

T1414 Clipboard Data

Adversaries may abuse clipboard manager APIs to obtain sensitive information copied to the device clipboard. For example, passwords being copied and pasted from a password manager application could be captured by a malicious application installed on the device.3

On Android, applications can use the ClipboardManager.OnPrimaryClipChangedListener() API to register as a listener and monitor the clipboard for changes. However, starting in Android 10, this can only be used if the application is in the foreground, or is set as the device’s default input method editor (IME).41

On iOS, this can be accomplished by accessing the UIPasteboard.general.string field. However, starting in iOS 14, upon accessing the clipboard, the user will be shown a system notification if the accessed text originated in a different application. For example, if the user copies the text of an iMessage from the Messages application, the notification will read “application_name has pasted from Messages” when the text was pasted in a different application.2

Item Value
ID T1414
Tactics TA0035, TA0031
Platforms Android, iOS
Version 3.1
Created 25 October 2017
Last Modified 16 March 2023

Procedure Examples

ID Name Description
S0421 GolfSpy GolfSpy can obtain clipboard contents.6
S0295 RCSAndroid RCSAndroid can monitor clipboard content.7
S0297 XcodeGhost XcodeGhost can read and write data in the user’s clipboard.5


ID Mitigation Description
M1006 Use Recent OS Version Android 10 introduced changes to prevent applications from accessing clipboard data if they are not in the foreground or set as the device’s default IME.1


ID Data Source Data Component
DS0041 Application Vetting API Calls