Clipboard suggestion: mask based on content patterns (OTP/CC/JWT/seed/secret) #2491
Open
dsremo wants to merge 1 commit into
Conversation
…atterns
Currently isClipSensitive() only returns true when the target input field
declares inputType=textPassword (or the OS-side ClipDescription sensitivity
flag is set). That leaves OTPs, credit-card numbers, BIP-39 seed phrases,
JWTs, etc. visible in plaintext on the suggestion strip whenever the user
is pasting into a normal text field (chat composer, email body, search bar) -
which is the most common shoulder-surf risk.
This patch extends isClipSensitive() to additionally inspect the clipboard
content itself and mask the suggestion if it matches any of:
- OTP: standalone 4-8 digit run (whole-string)
- Credit card: 13-19 digit run with optional spaces/dashes
- JWT: eyJ...\.<base64url>\.<base64url>
- Long hex: hex string >=32 chars (SHA-256, API tokens, hex keys)
- BIP-39-style seed phrase: 12-24 lowercase 3-8 char words
- Secret keywords: password, passwd, secret, api_key, access_token,
bearer, private_key, ssh-rsa, ssh-ed25519, PEM private key block
The masking only affects the visible suggestion strip text; the actual
paste still uses the real content via latinIME.onTextInput(content). 5000
char ceiling on the regex scan to avoid pathological clipboard payloads.
No new permissions, no UI changes, no settings - this is a pure
defense-in-depth tightening of an existing privacy-sensitive code path.
Summary
isClipSensitive() currently only returns true when the target input field declares inputType=textPassword or the OS-side ClipDescription sensitivity flag is set. That leaves OTPs, credit-card numbers, BIP-39 seed phrases, JWTs, and PEM private keys visible in plaintext on the suggestion strip whenever the user is pasting into a normal text field (chat composer, email body, search bar) — which is the most common shoulder-surf risk in practice.

This PR extends isClipSensitive() to additionally inspect the clipboard content itself, returning true (and therefore masking the visible suggestion to ***...***) if the content matches any of:
- P_OTP
- P_CREDIT_CARD
- P_JWT: eyJ…\.<base64url>\.<base64url>
- P_LONG_HEX
- P_SEED_PHRASE
- P_SECRET_KEYWORD: password, passwd, secret, api_key, access_token, bearer, private_key, ssh-rsa, ssh-ed25519, PEM private key block

Behavior
latinIME.onTextInput(content.toString()) — so functionality is unchanged for the user, they just don't see a 6-digit OTP rendered in 18pt next to whoever might be looking over their shoulder.
*** instead of the value for ~3 minutes of clipboard freshness", false negatives mean the value is visible.

Files touched
app/src/main/java/helium314/keyboard/latin/ClipboardHistoryManager.kt (+25 / −1)

Tested
Built and installed on Android 16 (HeliBoard_3.9-debug.apk). Verified manually with sample clipboard contents matching each pattern.

Notes
No new permissions. No new strings (the existing *-repeat path is reused). No settings — this is pure defense-in-depth on an existing privacy-sensitive code path. If you'd prefer this gated behind a setting, happy to add one.
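The content heuristic described in the commit message and the PR summary, as an added stand-alone Python model that is not the PR's Kotlin code in ClipboardHistoryManager.kt. The P_* names and the 5000-char ceiling follow the PR; the exact regexes, word-boundary handling for keywords, the strip() call, implementing the ceiling as truncation, and the sample clips are this example's own assumptions.

```python
import re

# Pattern names follow the PR description; the regex bodies are this example's own
# reading of the bullets (OTP whole-string, CC 13-19 digits, 12-24 seed words, ...).
MAX_SCAN = 5000  # ceiling on the regex scan, modelled here as truncation (assumption)

P_OTP = re.compile(r"\d{4,8}")                            # whole-string only (see below)
P_CREDIT_CARD = re.compile(r"(?:\d[ -]?){12,18}\d")       # 13-19 digits, optional spaces/dashes
P_SEED_PHRASE = re.compile(r"(?:[a-z]{3,8}\s+){11,23}[a-z]{3,8}")  # 12-24 lowercase words
P_JWT = re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")
P_LONG_HEX = re.compile(r"\b[0-9a-fA-F]{32,}\b")          # SHA-256, API tokens, hex keys
P_SECRET_KEYWORD = re.compile(                            # \b keeps "secretary" from matching
    r"\b(?:password|passwd|secret|api_key|access_token|bearer|private_key"
    r"|ssh-rsa|ssh-ed25519)\b|-----BEGIN [A-Z ]*PRIVATE KEY-----",
    re.IGNORECASE,
)
WHOLE_STRING = (P_OTP, P_CREDIT_CARD, P_SEED_PHRASE)   # must describe the entire clip
ANYWHERE = (P_JWT, P_LONG_HEX, P_SECRET_KEYWORD)       # may appear inside other text


def is_clip_sensitive(content: str, password_field: bool = False) -> bool:
    """True if the suggestion strip should show *** instead of the clip text."""
    if password_field:                   # the pre-existing inputType=textPassword rule
        return True
    text = content[:MAX_SCAN].strip()    # bound regex work; strip() is a choice made here
    if any(p.fullmatch(text) for p in WHOLE_STRING):
        return True
    return any(p.search(text) for p in ANYWHERE)


def strip_label(content: str) -> str:
    """Text rendered on the suggestion strip; the paste itself still uses `content`."""
    return "***" if is_clip_sensitive(content) else content


if __name__ == "__main__":
    # Constructed sample clips, not data from the PR. "Your code is 483921" stays
    # visible because P_OTP is whole-string only: a deliberate false negative.
    for clip in ("483921", "Your code is 483921", "4111 1111 1111 1111",
                 "-----BEGIN OPENSSH PRIVATE KEY-----", "secretary", "hello world"):
        print(f"{strip_label(clip)!r:<24} <- {clip!r}")
```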