by adrium 1599 days ago
Does it really come as a surprise that apps are exploiting the clipboard?

TLDR: Drag and drop sensitive stuff. If necessary, copy only part of sensitive information, enter the rest manually.

The number of usability obstacles in the name of security is getting ridiculous. For example, when I got a new company Mac, I had to enter my keychain access password and grant access to folders countless times - and I still have to do that after one week of using it occasionally.

Similarly annoying are the cookie questions. In the beginning, I found it interesting and tried to reduce the number of cookies as much as possible - now I just click whatever button brings me to the site fastest (or don't click a button at all, if it is still possible to scroll and see about half of the page on mobile).

Don't you also feel some kind of fatigue?

Now please do not cripple the clipboard the same way. By the way: Qubes OS takes an interesting approach here. Similar to suggestions by some of the commenters. [1]

Don't get me wrong: I am extremely sensitive to security - but also to usability. I want to use my daily-driver system conveniently, it should "just work", and I want to trust it fully [2]. I do not just install any trash app simply because there is one available.

On the desktop:

1. Only applications from the official repos get installed. I may install other open source software occasionally. So yes, the trust lies with the distro.

2. Other software (potentially untrusted, or better isolated) like banking or tax software or Zoom gets a proot environment or a new user profile.

3. Most software can be run in the browser anyway, and it is actually quite a nice sandboxing tech. Web apps cannot simply read the clipboard. [3]

4. Clear cookies on browser exit. I have a whitelist for about two or three sites to keep the state for convenience.

5. Browser extension that manages and fills passwords on request(!). No need to copy-paste around. [4]

6. If I need passwords elsewhere, I use drag and drop. I believe this is extremely convenient and very secure. That works 90% of the time, otherwise, I copy only part of the sensitive information and enter the rest manually.

On mobile:

1. Same goes for app installation: open-source only from F-Droid.

2. Other apps get put in a work profile and disabled when not used. [5] No trash like games and social media.

3. Do not copy-paste sensitive information, but use IME apps (keyboard apps that actually "type" passwords). Personally, I like KeePassDX and sometimes use KDE Connect. [6]

Accounts:

1. I own several domains and mobile numbers; every company that wants my info gets different data.

2. Fill in bogus information if possible.

I may have gone overboard with this :-D But I don't even care about MFA that much at this point... And it is an interesting experiment to see what company leaks data.

[1] https://www.qubes-os.org/doc/how-to-copy-and-paste-text/

[2] Kubuntu fanboy here, and Android still on version 8 because of ROM customization

[3] https://developer.mozilla.org/en-US/docs/Web/API/Clipboard/r...

[4] https://github.com/adrium/easypass

[5] https://f-droid.org/en/packages/net.typeblog.shelter/

[6] https://www.keepassdx.com/ and https://f-droid.org/en/packages/org.kde.kdeconnect_tp/ And I wrote a KeePass plugin to convert the passwords: https://github.com/adrium/KeepassPfpConverter

"For example, when I got a new company mac, I had to enter my keychain access password and grant access to folders countless times - and I still have to do that after one week of using it occasionally."

Did you not set up Touch ID?

Hmm... Yes, but I am only aware of using it for unlocking the computer...

Try using it the next time a password prompt comes up.