The short answer by platform
| Windows | macOS | iPhone | Android | Browsers | |
|---|---|---|---|---|---|
| Any app can read it | Yes, silently | Yes, silently | Yes, with a paste banner since iOS 14 | Restricted since Android 12 | Only with permission |
| You get notified | No | No | Paste banner | Access toast | Permission prompt |
| Background reads blocked | No | No | n/a | Yes since Android 10 | Yes |
Windows and macOS: no notification, no gate
On both Windows and macOS, the clipboard is a shared system resource with no access control beyond being a running process. Any program you launch can call the clipboard API and read whatever is there, whether that is a password you just copied, a one-time code, a wallet address, or a draft message.
On Windows this works through GetClipboardData, a Win32 API that any process can call without elevated privileges or user consent. On macOS the equivalent is NSPasteboard, which any app can read with a single method call. Neither OS shows a notification, requests a permission, or logs the access anywhere visible to you. This is not a bug, it is how both systems were designed, and it remains true today.
iPhone: paste banners since iOS 14
Apple added clipboard notifications in iOS 14, released in September 2020, and the immediate effect was striking. Security researchers Talal Haj Bakry and Tommy Mysk had already documented, in March 2020, that dozens of popular iPhone apps were reading the pasteboard every time they opened. Source (2020)
When iOS 14 shipped the paste banner, it flagged TikTok and 53 other apps reading the clipboard on launch, turning years of invisible behavior into a banner visible to every user. Source (2020)
TikTok was reading the clipboard repeatedly on each launch, not just once, and stopped the behavior in an update shortly after the notifications exposed it. Source (2020)
The paste banner is not a block: apps can still read the clipboard, but you see a brief notification at the top of the screen when they do. That visibility alone was enough to force behavior changes across dozens of apps.
Android: background blocks and access toasts
Android introduced clipboard restrictions in two steps. First, Android 10 (released 2019) added a rule that an app cannot read the clipboard unless it currently has focus or is the default input method, which means any app running in the background is blocked from reading it at all. Source (Android docs)
Second, Android 12 (released 2021) added a visible toast notification, similar in spirit to the iOS paste banner, that reads “[App name] pasted from your clipboard” when a foreground app reads clipboard content that came from a different app. That same Android developer page documents both protections.
These protections did not stop every incident. In March 2023, Microsoft’s security team reported that an older version of the SHEIN Android app, which has over 100 million downloads, was periodically reading the device clipboard and, when the content matched a specific pattern, sending it to a remote server. SHEIN removed the behavior after it was reported. Source (2023)
Browsers: permission required
Web browsers are the strictest platform here. Reading the clipboard from a web page requires using the Async Clipboard API, which is gated behind both a clipboard-read permission that the user must explicitly grant and a user gesture such as a click or keypress. A page cannot silently poll the clipboard in the background, and the permission can be revoked at any time in browser settings. Source (web.dev)
The older document.execCommand(‘paste’) approach is deprecated and blocked in all modern browsers without the same permission gate. For practical purposes, a website cannot read your clipboard without you explicitly allowing it.
What a clipboard manager changes
A clipboard manager is itself an app that reads everything you copy. That is the whole point of it, which is exactly why where it stores that history matters.
Most clipboard managers store your history as plain text on disk or sync it through a server. That means a password you copied last Tuesday, a one-time code, or a private message is sitting readable in a file or on someone else’s server. The convenience of a clipboard history comes with a real surface if the storage is not protected.
Relic keeps history locally and encrypts every item on your device with XChaCha20-Poly1305 and Argon2idbefore anything is saved or synced, so even Relic’s own servers only ever hold ciphertext they cannot read. The Windows desktop client is live today. Other desktop platforms are rolling out. On mobile, Relic is a browse-and-search lens rather than a background recorder, because iOS and Android no longer allow apps to capture the clipboard silently in the background, which is exactly the protection the sections above describe.
Frequently asked questions
Can apps read my clipboard without me knowing?
On Windows and macOS, yes. Any running app can call the clipboard API silently, with no permission prompt and no notification. Mobile is stricter: iOS shows a paste banner since iOS 14, Android 12 shows an access toast, and Android 10 blocks background apps from reading clipboard data entirely. Browsers require a permission and a user gesture.
Why did my iPhone say an app pasted from another app?
That is the paste banner Apple added in iOS 14 in 2020. When any app reads text that originated from a different app, the system shows a brief notification at the top of the screen. It was this same banner that caught TikTok and over 50 other apps reading the clipboard on launch, behavior that had been invisible until that iOS update shipped.
Was TikTok really reading my clipboard?
Yes. In 2020 researchers Talal Haj Bakry and Tommy Mysk found TikTok reading the iOS clipboard repeatedly on launch, not just once. When iOS 14 shipped the paste banner, TikTok was among the apps flagged. It removed the behavior in an update shortly after being caught. The Sophos writeup covers the full list of 54 flagged apps.
Does a clipboard manager make things worse?
A clipboard manager is itself an app that reads everything you copy, so it can see the same sensitive data as any other app. What matters is what it does next. A manager that stores your history in plain text or syncs through a server that can read it widens the risk. Relic encrypts every item on your device before anything is saved or synced, so the server only holds ciphertext.
How can I stop apps from reading my clipboard on Android?
On Android 10 and later, apps running in the background cannot read the clipboard at all. On Android 12 and later, you will see a toast notification when a foreground app reads clipboard content from another app. Beyond that, avoid granting unnecessary permissions and keep apps updated. Using a clipboard manager that encrypts its history locally also limits what any attacker could extract from stored data.