Apple - How to secure macOS's clipboard?
No security for data that is in one of the system clipboards is possible by design. This appears to be changing with 2020 features in publicly announced betas where Apple potentially will notify us each time an app copies content out of the clipboard. Some very common apps appear to be abusing the privilege and even if your password manager clears the contents quickly, this could easily be abused to steal keystrokes and passwords or other sensitive data.
The macOS clipboard is a public billboard open to all processes. The clipboard is the mechanism to let all apps read / modify shared data.
Practically, you can either restrict your set of apps installed to those you trust with the data you put in the clipboard or don't restrict sensitive content by never placing it into the clipboard so that the least trusted app only gets data you can permit it to see / log / capture / exfiltrate.
From here, the rabbit hole for developers and security minded people using macOS begins with an overview of secure text input options within programs to prevent key loggers in addition to pasteboard snoopers from grabbing secure input:
- Technical Note TN2150: Using Secure Event Input Fairly
- insecure keyboard entry - a blog post by Daniel Jalkut
- How secure is “Secure Keyboard Entry” in Mac OS X's Terminal?
- https://arstechnica.com/gadgets/2020/06/tiktok-and-53-other-ios-apps-still-snoop-your-sensitive-clipboard-data/
There are some things you can do, however, to mitigate this. Freely available and trustworthy software can show you event taps, key loggers, exfiltration and just communication attempts so you can catch a program that might do things you don’t expect.
- https://objective-see.com/products/reikey.html
- https://objective-see.com/products/lulu.html
ReiKey and LuLu are two I would start with to secure yourself and thereby your clipboard contents.
Any process with sufficient permissions can read your clipboard at any time, and you can't easily prevent this. Security is always a trade-off with usability, and this is the choice that most (but not all) OSes take when implementing the clipboard.
Some apps that store sensitive data (e.g. 1Password) implement a timeout such that any information you copy out of that application is cleared from the clipboard a short time later. If you'd like to do something like that globally, you could look at the answers to this previous question for ideas.