Should the Copy / Paste function be allowed or not in Mobile Apps from Security / Secure Coding perspective ?
The State Bank of Pakistan (SBP) has recently drafted a guideline for payment-focused mobile apps, and nearly all FinTechs are now moving towards adhering to it, which is a good step. Ultimately we will have more secure apps from a development point of view, and that should be appreciated. However, we would like to highlight one small thing we have observed which, if left as it is, could bring about the infamous Cobra Effect.
The State Bank's source document for mobile apps is hosted at https://www.sbp.org.pk/psd/2022/C1-Annex.pdf/
Under the section Secure Coding, page 9, Input and Output Handling, it states:
"Clipboard / Copy Paste function SHALL BE DISABLED for Sensitive Data."
The question is which bits of information come under Sensitive Data.
We went ahead and confirmed the definition of Sensitive Data from the Mobile Security GitBook (the OWASP Mobile Security Testing Guide), a document referred to by mobile application developers as well as mobile application security engineers.
It states clearly that the term Sensitive Data covers, among other things, passwords / user credentials and IBAN details.
So it is established that user credentials (and IBANs) do come under the definition of Sensitive Data.
Problem:
From a user-functionality perspective, and for making good passwords, it is good practice to use a password manager. That way a normal user's password will be long and random, hence strong and harder to crack, and the user does not have to remember it.
Shorter passwords, which are usually proper nouns with numbers as prefixes or suffixes, are easier to remember but also much easier to crack.
Once people start using password managers, it makes perfect sense to them to copy a password from the password manager and paste it into the mobile app. Blocking copy/paste in the app defeats the purpose of using a password manager and pushes users back towards the short, memorable passwords described above.
Also, IBANs are fairly harmless on their own: they are routinely shared in chat messages, so disabling copy and paste for them in the app would only add hindrance to the user experience.
However, once a password or IBAN has been pasted from the clipboard into the app, we agree with the SBP guideline that the information should then be forcefully flushed from the clipboard (and from any transient copy the app keeps in memory), so that the secret does not linger after it has served its purpose.
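As an added illustration of that middle ground (this is our own example code, not code from the article, the SBP guideline or any FinTech app), the following Android/Kotlin class leaves paste enabled on a password or IBAN field so password managers keep working, and flushes the clipboard only when it is still holding the exact value that was just consumed. The class and method names are our own; the Android APIs used are the platform's own.

```kotlin
// Added example: not code from the article, SBP, or any FinTech app. Shows one way,
// on Android, to keep paste enabled on a password/IBAN field (so password managers
// keep working) while flushing the secret from the clipboard once it has been consumed.
// Class and method names are hypothetical; the Android APIs are real.
import android.content.ClipData
import android.content.ClipDescription
import android.content.ClipboardManager
import android.content.Context
import android.os.Build
import android.os.PersistableBundle
import android.text.InputType
import android.view.inputmethod.EditorInfo
import android.widget.EditText

class SensitiveFieldClipboardPolicy(private val context: Context) {
    private val clipboard =
        context.getSystemService(Context.CLIPBOARD_SERVICE) as ClipboardManager

    /** Configure a password field. Paste is deliberately left enabled (no
     *  setLongClickable(false), no custom selection ActionMode that strips "Paste");
     *  the field is only marked as a password so the keyboard does not learn from it. */
    fun configurePasswordField(field: EditText) {
        field.inputType = InputType.TYPE_CLASS_TEXT or InputType.TYPE_TEXT_VARIATION_PASSWORD
        field.imeOptions = field.imeOptions or EditorInfo.IME_FLAG_NO_PERSONALIZED_LEARNING
    }

    /** Call once the secret has been consumed (e.g. when the login form is submitted,
     *  or from a TextWatcher right after a paste). If the primary clip still holds
     *  exactly the value now in the field, clear it. Returns true if a flush happened. */
    fun flushClipboardIfItHolds(secret: CharSequence): Boolean {
        val clip = clipboard.primaryClip ?: return false
        if (clip.itemCount == 0) return false
        val onClipboard = clip.getItemAt(0).coerceToText(context)?.toString() ?: return false
        if (onClipboard != secret.toString()) return false   // clipboard holds something else; leave it alone
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
            clipboard.clearPrimaryClip()                      // API 28+
        } else {
            clipboard.setPrimaryClip(ClipData.newPlainText("", ""))  // best effort on older devices
        }
        return true
    }

    /** When the app itself places sensitive data on the clipboard (an IBAN the user
     *  wants to share, a one-time code), flag the clip as sensitive so Android 13+
     *  hides it from the clipboard preview and keyboard clipboard history. */
    fun copySensitive(label: String, value: String) {
        val clip = ClipData.newPlainText(label, value)
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU) {
            clip.description.extras = PersistableBundle().apply {
                putBoolean(ClipDescription.EXTRA_IS_SENSITIVE, true)
            }
        }
        clipboard.setPrimaryClip(clip)
    }
}
```

Two caveats a reviewer will want stated: the flush only clears the system clipboard, so a password manager's own auto-clear timer is still the first line of defence; and on Android 10 and later an app that is not in the foreground cannot read the clipboard at all, so the residual risk the flush addresses is the secret remaining visible in the clipboard/keyboard history on the device. On iOS the comparable approach is to write the clip with `UIPasteboard` options `.expirationDate` and `.localOnly` rather than blocking paste.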
Possible Solution:
We think the SBP guideline should define what comes under Sensitive Data and elaborate further to cover the use of password managers. It should specifically
For password managers and their implementation of copy/paste, do go through the article by Troy Hunt referenced below to understand why we are saying this. Notice the date: it was written in 2017, and we are in 2022.
https://www.troyhunt.com/passwords-evolved-authentication-guidance-for-the-modern-era/
See the section entitled "Let them paste passwords", which captures the essence of this article.
Also, for those who do not know Troy Hunt: he is a Microsoft MVP who founded Have I Been Pwned (https://haveibeenpwned.com), a website that indexes breached credential databases and lets you check whether your account (Dropbox, OneDrive, Gmail, Hotmail, Yahoo, Flickr, etc.) has been part of a known breach. He can fairly be called one of the authorities on password management, usage and development guidelines.
Taking another reference from the same GitBook, which is used during the static and dynamic analysis phases of a mobile app assessment, it states clearly that disabling the clipboard for password fields is not a valid solution to the problem.
https://mobile-security.gitbook.io/mobile-security-testing-guide/overview/0x04b-mobile-app-security-testing#clipboard
Still here, reading and enjoying this article?
If this article has triggered some curiosity or given you something to think about, we would be waiting for your comments. We had a small session with the State Bank's personnel, and even they agreed with this problem and its solution, and we hope to see a second version of the Mobile App Security Guideline that addresses this issue. Once again, for our readers, we would like to summarize the problem and its solution.
The problem is that the Mobile Security Guideline (version 1) says that sensitive data should not be allowed to be present in the clipboard.
The possible solutions, particularly for passwords and IBANs, since they do come under Sensitive Data, are
karachiwala.dev - Engineering Leadership - Google Developer Expert Machine Learning and Web
2 years: Completely agree!