Author

Topic: Samourai Wallet is accessing to the Clipboard without permission (SOLVED) (Read 236 times)

legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
Most mobile wallets allow you to paste in an address to send and add a receiving address to your clipboard so you can send it to someone the access itself is not that big a deal. With that I just played with a few wallets on my phone and most of them just took things from the clipboard without asking. So it appears to just be 'the way it's done'

On mobile at least, copying and pasting addresses seems to be the only way to send coins to it if it is located on the same device (if not, well QR codes solve that issue nicely, but then the below still applies).

But on desktop, I always verify that the address I copy is the same as the address listed on the screen. All characters are checked. This at least gives me peace of mind that there is no clipboard malware running amok.
hero member
Activity: 862
Merit: 662
It is checking your clipboard for any stored private keys and then warning you that you have keys on your clipboard and giving you the option to delete them.

Yes i see that on some screenshots on reddit.

Thank you for pointing out the code, I already checked that function and there is nothing suspicious there.

I just want to add that in any case that behavior isn't expected, i mean they do for "security" but without context any access to the clipboard without previous trigger of the users looks suspicious.

I am going to mark the Topic as solved and also close it in some day or two so if someone wants to add something additional it is welcome.
legendary
Activity: 2870
Merit: 7490
Crypto Swap Exchange
Waiting for your update.

They already reply: https://www.talkimg.com/images/2023/10/28/T7kfl.png

Quote
Hello,

Clipboard access is used for various actions such as pasting in bitcoin addresses, paynyms, signing messages or transactions (have a look under the "Tools" menu), etc.

If you'd like to read the code, please feel free to read through our Gitlab here: https://code.samourai.io/wallet

To be honest I expected a better answer for this, their reply just sounds a generic one, they point to their repository but not the file or line that triggers this behavior.

I don’t know rick looks fake

That generic reply isn't really surprising since support team usually don't know much technical detail and i expect support team can't just ask technical team to directly answer customer question unless it's really important.



Most mobile wallets allow you to paste in an address to send and add a receiving address to your clipboard so you can send it to someone the access itself is not that big a deal. With that I just played with a few wallets on my phone and most of them just took things from the clipboard without asking. So it appears to just be 'the way it's done'

Out of all the things that go on with crypto, things like this are some of the least of my concerns.

In addition, since Android 10 application access to clipboard data is being limited. And i recall some brand or custom ROM even let you further limit clipboard permission.

Limited access to clipboard data

Unless your app is the default input method editor (IME) or is the app that currently has focus, your app cannot access clipboard data on Android 10 or higher.
legendary
Activity: 2268
Merit: 18771
It is checking your clipboard for any stored private keys and then warning you that you have keys on your clipboard and giving you the option to delete them.

Here is the relevant code for doClipboardCheck: https://code.samourai.io/wallet/samourai-wallet-android/-/blob/develop/app/src/main/java/com/samourai/wallet/home/BalanceActivity.kt#L1119

And here is the warning message it displays: https://code.samourai.io/wallet/samourai-wallet-android/-/blob/develop/app/src/main/res/values/strings.xml#L400

You can see from the code that it doesn't use the private key on your clipboard for anything else.
legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
Most mobile wallets allow you to paste in an address to send and add a receiving address to your clipboard so you can send it to someone the access itself is not that big a deal. With that I just played with a few wallets on my phone and most of them just took things from the clipboard without asking. So it appears to just be 'the way it's done'

Out of all the things that go on with crypto, things like this are some of the least of my concerns.

And, I know I have said this before, but I'll put it out there again.

YOUR PHONE IS NOT SECURE. DO NOT KEEP REAL AMOUNTS OF CRYPTO ON IT. YOUR PHONE SHOULD BE TREATED AS A HOT WALLET. ONLY STORE WHAT YOU CAN AFFORD TO LOOSE ON IT.


-Dave
hero member
Activity: 862
Merit: 662
Waiting for your update.

They already reply: https://www.talkimg.com/images/2023/10/28/T7kfl.png

Quote
Hello,

Clipboard access is used for various actions such as pasting in bitcoin addresses, paynyms, signing messages or transactions (have a look under the "Tools" menu), etc.

If you'd like to read the code, please feel free to read through our Gitlab here: https://code.samourai.io/wallet

To be honest I expected a better answer for this, their reply just sounds a generic one, they point to their repository but not the file or line that triggers this behavior.

I don’t know rick looks fake


legendary
Activity: 2870
Merit: 7490
Crypto Swap Exchange
They stopped using Github several years ago. I believe it was after they were acquired by Microsoft and they started censoring controversial projects and restricting users from sanctioned countries. Their code can be found on their self-hosted GitLab repository https://code.samourai.io/explore/groups

It's weird they never bother update their GitHub to mention location source code has been change and make it read only to prevent people wasting their time by creating new issue on GitHub.

I believe it was after they were acquired by Microsoft
I just found out about this, can you point me to the official announcement regarding this? That sucks if it's true, I thought they're actually spying the clipboard.

Searching on their GitHub issue, i only found out mention they no longer use GitHub at https://github.com/Samourai-Wallet/samourai-wallet-android/issues/351#issuecomment-753413373. I do not find anything on their blog and medium page.
hero member
Activity: 2212
Merit: 670
Signature designer - start @$10 - PM me!
I hope get some good answer from them
Waiting for your update.

I believe it was after they were acquired by Microsoft

I just found out about this, can you point me to the official announcement regarding this? That sucks if it's true, I thought they're actually spying the clipboard. On the other hand, my short search found this news,
News snippet[1]:
Quote
38TB of data accidentally exposed by Microsoft AI researchers ~
  • The backup includes secrets, private keys, passwords, and over 30,000 internal Microsoft Teams messages.
~


1. https://www.wiz.io/blog/38-terabytes-of-private-data-accidentally-exposed-by-microsoft-ai-researchers
sr. member
Activity: 1680
Merit: 379
Top Crypto Casino
also asking to point in what file of the source code is this action done.
We can say with certainty that the Samourai Wallet software you are using on your phone is closed source considering how their repository has not been updated for ~3 years despite them releasing a lot of newer versions (last release on appstore is on Oct 6, 2023).

They stopped using Github several years ago. I believe it was after they were acquired by Microsoft and they started censoring controversial projects and restricting users from sanctioned countries. Their code can be found on their self-hosted GitLab repository https://code.samourai.io/explore/groups

I haven't reviewed their code but I assume they are accessing the clipboard as soon as the app is launched so users can quickly paste addresses and BTC amounts.
legendary
Activity: 3472
Merit: 10611
also asking to point in what file of the source code is this action done.
We can say with certainty that the Samourai Wallet software you are using on your phone is closed source considering how their repository has not been updated for ~3 years despite them releasing a lot of newer versions (last release on appstore is on Oct 6, 2023).

The source code is hosted elsewhere (https://code.samourai.io/wallet/samourai-wallet-android) and is up to date. Although the github page (https://github.com/Samourai-Wallet/samourai-wallet-android) does not reflect this migration, unfortunately.
We are now one step closer to finding the reason for this odd behavior. The code has many "listeners" watching the clipboard for many different reasons in a a bunch of different places.
hero member
Activity: 862
Merit: 662
In that picture (OP), what is it pasted?

When I saw the notification, I pasted the content of the clipboard in another application and it was a QR that I screenshot from some video (Non-crypto related).

But it can be anything, i usually have some passwords in the clipboard those passwords are in memory for some minute or two... passwordstore an open source password manager.

I already sent them an email asking the purpose of that behavior and also asking to point in what file of the source code is this action done.

I hope get some good answer from them

hero member
Activity: 2212
Merit: 670
Signature designer - start @$10 - PM me!
In that picture (OP), what is it pasted?

they said that samourai alerts you about private keys on the clipboard. But that still looks suspicious
Yes it can obviously recognize privatekeys and they claim to be a security measure. I can't see the point of implementing such security if the warning only appears when the wallet is opened.
I'm a bit skeptical from now on.
hero member
Activity: 862
Merit: 662
This thread should not be on Reputations board. Perhaps wallet software is more suitable.

Ok, i will move it.

About watching your clipboard, that is worrying if an app just watches your clipboard minus prompting it. I thought such apps usually needed permissions to get enabled first?

Searching on google i found this:

https://www.reddit.com/r/Bitcoin/comments/8ivy4t/samourai_wallet_even_checks_your_clipboard_to/

they said that samourai alerts you about private keys on the clipboard. But that still looks suspicious

No, i think that the access to the clipboard doesn't need special permisions.
copper member
Activity: 2128
Merit: 1814
฿itcoin for all, All for ฿itcoin.
In theory it is open source: https://github.com/Samourai-Wallet/samourai-wallet-android i am going to try to check the code. Also i am going to send an email to them.
Is it just me, or most of the activity on the Samourai wallet android repository is from 3 to 4 years ago?
Also, a number of open issues that have not been attended to. Their latest update was just this month, was not tagged in the repository. Last tagged release was on Apr. 16, 2020. I wonder why.

This thread should not be on Reputations board. Perhaps wallet software is more suitable.

About watching your clipboard, that is worrying if an app just watches your clipboard minus prompting it. I thought such apps usually needed permissions to get enabled first?
hero member
Activity: 862
Merit: 662
does it mean it just copied whatever was in your clipboard

The wallet just read the clipboard, i didn't touch anything to trigger that behaivor.

I didn't want to paste anything in that app at that moment.

That notification (APP NAME pasted from your clipboard) only appears when i paste something manually, but its the first time that it appear without me triggering that.

In theory it is open source: https://github.com/Samourai-Wallet/samourai-wallet-android i am going to try to check the code. Also i am going to send an email to them.
copper member
Activity: 1330
Merit: 899
🖤😏
Is it open source? If yes, who audit and reviewed the code? By pasted, does it mean it just copied whatever was in your clipboard or it just accessed the clipboard to be ready for when you want to paste an address to send coins to?

I can't tell why a wallet app which has access to your private key wants to know the content of your clipboard.
hero member
Activity: 862
Merit: 662
Concerns about Samourai Wallet (Access to Clipboard without permission)

Hi guys i just want to let you know that I am deinstalling Samourai wallet from my android device, an also i am moving my utxos from that Seed to my cold wallet

Why?
I just noticed that Samourai wallet is Accessing to the clipboard with permission and without asking and without trigger..

How?
Some days ago I just activate one android option to alert me every time that an APP access to the clipboard, so when i do a long press in the touch to paste some informacion in the clipboard i get an screen notification  "APPNAME pasted from your clipboard".



Almost all Apps work fine without any suspicious activity in this way, BUT i just notice that Samourai Wallet just do that at when you open it check the image:



When that notificacion pops? When I start the samourai wallet for the first time after unlock the pin screen, without doing anything else, that notification appears

What do you thing about this behaivor of that APP ?



Edit:

Looks like they do a clipboard check for your "security". In my Opnion this should be optional and only activated at the user request.

It is checking your clipboard for any stored private keys and then warning you that you have keys on your clipboard and giving you the option to delete them.

Here is the relevant code for doClipboardCheck: https://code.samourai.io/wallet/samourai-wallet-android/-/blob/develop/app/src/main/java/com/samourai/wallet/home/BalanceActivity.kt#L1119

And here is the warning message it displays: https://code.samourai.io/wallet/samourai-wallet-android/-/blob/develop/app/src/main/res/values/strings.xml#L400

You can see from the code that it doesn't use the private key on your clipboard for anything else.
Jump to: