Maybank explains why iOS 14 pushes privacy alert when using the M2U and MAE apps

The latest Apple iOS 14 has several new privacy features which alerts you if there’s suspicious behaviour on your iPhone. iOS 14 will let you know if an app is accessing your clipboard, camera or even the microphone by showing a pop-up notification or with orange and green dot indicators.

When Maybank introduced its new MAE app, it appears that the app automatically pastes the contents of your clipboard the moment you launch it. This also happens on the older M2U app as shown in the screenshot below. Users can replicate this issue by copying a random text and then launch the app to see the pop-up privacy alert message. For example, if you have a copied a text from WhatsApp, it will show “M2U MY pasted from WhatsApp”.

On the surface, it appears to be a security concern as users might have copied a sensitive line of text or password from another app, and suddenly it gets pasted onto M2U. While it is ok for banking apps to accept copy and paste functionality, the actual pasting of information should only take place when the user does it, not immediately when the app loads for the first time.

We have reached out to Maybank and they assured that both MAE and M2U apps do not retrieve or store users’ existing information that are stored in their clipboard without permission. Maybank says it is working to resolve the issue as soon as possible.

The bank also mentioned that the iOS 14 privacy alert feature was triggered by a Google tool that’s used in the app to track the source of download. Below is the statement from a Maybank spokesperson:

We would like to assure our customers that both the MAE and Maybank2u apps do not retrieve or store  the users’ existing information in the clipboard without the  users’ permission.

The clipboard notification appears due to the nature of  a Google tool used in the apps, which helps us identify the origin of the download e.g. from a paid digital advertisement or from owned social media platforms. The Google tool also helps to detect the type of device accessing the ad/post to direct it to the correct App Store (iOS or Android) for the app download.

The new iOS 14 automatically flags the nature of this tool as a potential security concern, but we would like to reiterate that no information is stored by either the MAE or Maybank2u app without the users’ permission.

However, we understand that users who receive the clipboard notification may be concerned and we are working to resolve the issue as soon as possible

Maybank apps aren’t the first to encounter such issues. When iOS 14 was released, several apps were exposed for having privacy intrusion-like behaviour including TikTok, Reddit and LinkedIn. Even Instagram was flagged for accessing the camera when a user is casually browsing the feed. Eventually, most of them have clarified that it was a bug and have fixed the issue in their next app update.

Related reading