Homepage    |    GitHub    |    API    |    FAQ

Joplin doing some spooky Reading of clipboard (spying?)

Joplin 1.4.11
Android 10 (LineageOS 17.1 20210220)

What is this spooky stuff ?

I have been observing that on multiple occasions, Joplin reads the clipboard content if its on the clipboard for a few seconds.

I have denied READ_CLIPBOARD permission to most of apps that i consider spooky but i gave it a few select Joplin being one of them. I was using EDS Lite and copied my password from KeePassDX as EDS Lite doesn't support password managers (?). The environment i created was supposed to be secure and spookiness free (its Big daddy free).
But then, as i was just checking which app accessed clipboard while it contained the password, to my surprise two Open source apps did it besides EDS Lite - Joplin and Fairmail. I will be opening a thread on their forums too.

Can anyone explain why it does that ? I don't have any plugins installed. I use Dropbox with e2ee to sync.
Anyone who knows where the code can be located in the source code ?

We aren't requesting READ_CLIPBOARD permission and as far I know we aren't doing anything with the clipboard. In fact for me, that permission is not even listed. Is it possible you got the app from some strange source? Also your version is quite old - we are at 1.7 now (1.8 pre-release).

Might be one of dependencies.

EDIT
Nope, can't see it anywhere.

I downloaded from official homepage. And READ_CLIPBOARD is hidden. It is only accessible after root. Its actually one of the App Ops with code 29.

What happens if you block it? Does anything break? I suggest you go ahead and do this and if you see any issues let us know.
I have checked the code and can't see anywhere where Joplin reads from the clipboard, there's one place where it writes -- when copying a MD link.

As i am saying, its active by default for all apps. ADBungFu tells about the time it was last accepted or rejected. When an app reads clipboard content, it uses READ_CLIPBOARD and ADBungFu notes the time it (the app in question) last read clipboard.

So unless and until i go out of my way and Paste any content in the app, the app shouldn't read the clipboard because if it does, its called spying. And this is exactly what i noticed with this case and previously too.

When i block it, it simply can't access the clipboard and the only options i get after long pressing a note are Copy, Auto-fill, Search, etc., the default options, but no Paste. If it is allowed, Paste option reappears.

Right, it certainly is inconvenient.
I don't think Joplin itself reads your clipboard, might be react-native on top of which Joplin is built or one of dependencies.

Then the only solution for now is to keep it blocked and allow only when pasting something in Joplin. I do this all the time with WhatsApp but didnt think i would do it to Joplin.

I guess React Native needs to access the clipboard for the text input component? Like you can select some text, long press and select Copy/Paste from the menu.

It might be the case. But, even if it so, if i havent opened the app, it shouldn't do it. It accessed clipboard while i was using other apps and it was open in background.

t accessed clipboard while i was using other apps and it was open in background.

Thats the scary part.

I just greped READ_CLIPBOARD on a mobile build and nothing came up. Can you get any useful information from your debugging app, like what text was copied, or what module was running at that time?

I am not a developer so you would have to guide me.