Wednesday, April 29, 2015

Clearing the Android Clipboard on Samsung GS5 Running Lollipop

Clear clipboard… get it? HA!

Since I started using crazy long, unmemorable passwords for just about everything, I started using KeePass on my Galaxy S5.  The problem is, when you copy a password to the clipboard to fill in a password field, Android holds that password in the clipboard. Even worse, the clipboard actually holds multiple items!  This means simply hitting “paste” will populate any field with the password you are trying to keep secret.  It also means those copied passwords (multiple passwords) are being stored on your Android clipboard.

KeePass has a setting that allows you to set the time that Android should keep the password on the clipboard (settings: “Clipboard Timeout” with options 30 seconds, 1 minute, 5 minutes, and never), but the setting doesn’t seem to do anything (it simply doesn’t work).  My GS5 running Lollipop will keep a password on the clipboard indefinitely, even though I have “1 minute” selected in the KeePass settings (and have tried all the other options as well).

Supposedly Lollipop has implemented new API functionality that allows programs to copy/paste a password without using the clipboard.  I learned this from a post about 1Password which stated:

In Lollipop, 1Password can fill your information directly, without using the clipboard. Therefore, it isn’t possible for a third party to obtain your passwords by snooping on what 1Password’s doing.

The problem is, KeePass doesn’t seem to have implemented this “cool feature” yet, and my password is left hanging on the clipboard (to be accessed by malware, a user, or a clipboard manager).

In researching this issue, most posts on the topic say that you can simply long press in a text field to access the options “paste” and “clipboard” (or something similar), but on my device, this is not the case.  When I long press in a text field, I only get the “paste” option (thus, no option to clear my clipboard).

Other posts state that you can access the clipboard via an icon on your keyboard; however, the Google Keyboard has no such icon or accessibility (there is no button that gets you from the Google Keyboard to the clipboard).

If I switch to the Samsung Keyboard (which I hate), I can long press the second button to the left of the space bar (which can be assigned several different options), and one of the options is an icon of a clipboard.  Pressing this button does in fact gain me access to the clipboard (and quite a long and disturbing list of things stored there, including 10 or so passwords!).  WTF?!

So… I guess the problem is that the Google Keyboard ignores clipboard access functionality.  In order to access (and clear) your clipboard, you need to use a NON-Google keyboard, or a clipboard management app.

Obviously the best solution would be if KeePass just started using the Lollipop API that allowed for “non-clipboard” copied password storage… not to mention actually clearing the copied password after a certain amount of time like it’s supposed to.
