SHEIN, a clothes shopping app for Android that has over 100 million downloads on Google Play, was sending sensitive clipboard content to a remote server.
SHEIN is a Singapore-based Chinese online fashion retailer shipping products across 150 countries. It is valued at $100 billion, and in 2022, it became the world’s largest fashion retailer.
The risky app behavior was discovered by Microsoft threat researchers and reported to Google, while SHEIN’s developers removed the clipboard data retrieval function from the application with an update released in May 2022.
Microsoft says that it has discovered no indications of malicious intent. However, the app’s behavior was still introducing unnecessary risk to users and wasn’t needed to deliver the core functionality of the shopping app.
“Even if SHEIN’s clipboard behavior involved no malicious intent, this example case highlights the risks that installed applications can pose, including those that are highly popular and obtained from the platform’s official app store.”– Microsoft
App Coding Mistake
Microsoft researchers Dimitrios Valsamaras and Michael Peck analyzed SHEIN app version 7.9.2 using static and dynamic analysis tools and techniques, focusing on code accessing clipboard contents.
The clipboard is a temporary storage area on operating systems that holds the contents of copied data such as text, images, passwords, etc. As such, it can contain sensitive information.
The analysts found that SHEIN contains code that reads the contents of the device clipboard upon the app’s launch and when the user interacts with the app.
If specific characters are found in the clipboard, like “$” and “://”, the app sends the clipboard contents to a remote server at “https://api-service[.]shein[.]com/marketing/tinyurl/phrase.”
The researchers confirmed this risky behavior on an Android 9 test device they used for capturing the associated requests using the Burp Proxy tool.
Valsamaras told RestorePrivacy that the app’s developer hasn’t specified the reason for using the particular characters as triggers for clipboard data siphoning. However, he noted that the case doesn’t appear malicious but rather a bug due to inheriting a class that had the specific code.
Still, this case goes to show that if an app wants to access the clipboard and exfiltrate its contents to an external server, there are little obstacles in place to prevent it.
Also, even if SHEIN’s case does not appear to be the result of malicious intentions, any unecessary data exchange increases the likelihood of man-in-the-middle breaches, or a rogue employee of the company taking advantage of that data stored in private servers.
Starting in Android 10, Google introduced clipboard access restrictions for applications running in the background.
However, since the SHEIN app demonstrated the risky behavior while running in the foreground, these protections wouldn’t have prevented the data access.
On Android 12, Google added a notification to inform users when an app accessed the clipboard for the first time.
Android 13, currently the latest version of Google’s mobile OS, periodically wipes all clipboard contents to prevent unauthorized access to sensitive data.
Users are advised to avoid using copy-paste for highly sensitive information if possible, which writes this data on the clipboard, and consider removing apps that access that space despite it not being crucial for their functionality.