"Tor Browser (Fenix) has pasted data from clipboard" at every start
I would like to report an issue that, apparently, impacts user privacy. Or at least is perceived as a privacy issue.
I installed Tor Browser from Play Store and is always up to date. Since my device's upgrade to Android 12, the OS is now toasting (i.e. displaying a toast notification) every time an app accesses the clipboard programmatically.
Every time I start Tor Browser and open the keyboard, a toast appears saying "Tor Browser has pasted data from clipboard" as in the screenshot.
Note that the toast appears quickly so it took me a few attempts to make a working screenshot. And at least screenshots aren't blocked by Fenix.
Note that the keyboard in use is Gboard. I don't paste anything to let that toast appear, when I display the keyboard it appears.
I tried to understand better by taking a look at the source code (I am a sw engineer myself), looking for usages of ClipboardManager
, which should be the component in use.
I found that the service is used for bookmark and history management. The culprit method should be setPrimaryClipData
, as Android shows a notification on the first invocation of the method, and unless the data being pasted is from the very same app.
I believe this should be fixed because, while the feature can believed to be innocent, and all the source code is available for review, a privacy-serious application doesn't very well match with automagically pasting clipboard data without the user's intentional interaction.
References: