TikTok and 53 other iOS apps still spy on your sensitive clipboard data


Stock photograph of a smartphone being used in the dark.

In March, researchers uncovered a troubling privacy practice in more than four dozen iOS apps, including TikTok, the Chinese-owned video-sharing and social media phenomenon that has swept the Internet. Despite promising to curb the practice, TikTok continues to access some of the most confidential data on Apple users' devices, which may include passwords, cryptocurrency wallet addresses, account reset links, and personal messages. Nor have the 53 other apps identified in March stopped.

The invasion of privacy is the result of apps repeatedly reading any text that resides on the clipboard, the buffer that computers and other devices use to store data that has been cut or copied from things like password managers and email programs. Researchers Talal Haj Bakry and Tommy Mysk found that the apps deliberately called an iOS programming interface that retrieves text from users' clipboards, without any clear reason to do so.

Universal snooping

In many cases, the covert reading is not limited to data stored on the local device. When an iPhone or iPad uses the same Apple ID as other Apple devices and is within approximately 10 feet of them, they all share a universal clipboard, meaning that content copied in an app on one device can be pasted into an app running on a separate device.

That leaves open the possibility of an app on an iPhone reading sensitive data from the clipboards of other connected devices. This could include bitcoin addresses, passwords, or email messages temporarily stored on the clipboard of a nearby Mac or iPad. Despite running on a separate device, iOS apps can easily read the confidential data stored on those other machines.

“It is very, very dangerous,” Mysk said in an interview on Friday, referring to apps’ indiscriminate reading of clipboard data. “These applications are reading clipboards, and there is no reason to do so. An application that has a text field for entering text has no reason to read the text from the clipboard.”

The following video shows the universal reading of the clipboard:

KlipboardSpy: How malicious apps on iPhone and iPad abuse the Universal Clipboard on your Mac.

Back in the news

While Haj Bakry and Mysk published their research in March, the invasive apps hit the headlines again this week with the release of the iOS 14 developer beta. A new feature Apple added displays a banner warning every time an app reads the clipboard contents. As large numbers of people began testing the beta, they quickly realized how many apps engage in the practice and how often they do so.

This YouTube video, which has accumulated more than 87,000 views since it was published on Tuesday, shows a small sample of the applications that activate the new warning.

iOS14 catches applications that spy on your clipboard

TikTok in the spotlight

Recent headlines have focused particular attention on TikTok, largely because of its massive active user base (reportedly 800 million, with an estimated 104 million iOS installations in the first half of 2018 alone, making it the most downloaded app for that period).

TikTok’s continued snooping has drawn additional scrutiny for other reasons. When contacted in March, the video-sharing provider told British publication The Telegraph that it would end the practice in the coming weeks. Mysk said the app never stopped the monitoring. Additionally, a Twitter thread on Wednesday revealed that the clipboard read occurred every time a user entered a punctuation mark or tapped the space bar while writing a comment. That means the clipboard reading can happen every second or so, a much more aggressive pace than documented in the March investigation, which found that the monitoring occurred when the app was opened or reopened.

In a statement, TikTok representatives wrote:

After the beta release of iOS 14 on June 22, users saw notifications while using a number of popular apps. For TikTok, this was triggered by a feature designed to identify repetitive and unwanted behavior. We have already sent an updated version of the application to the App Store removing the anti-spam feature to eliminate any possible confusion.

TikTok is committed to protecting the privacy of users and being transparent about how our application works. We look forward to welcoming external experts to our Transparency Center later this year.

On background, a spokesperson said that TikTok for Android never implemented the anti-spam feature.

I sent follow-up questions asking (1) whether the Android version of TikTok was monitoring clipboards for some other reason, (2) whether any clipboard text was uploaded from the device, and (3) why TikTok did not remove the monitoring as promised in March. The spokesperson has not yet responded. This post will be updated if a reply comes later.

Not just TikTok

Overall, the researchers found that the following iOS apps read users’ clipboard data every time the app was opened, without a clear reason to do so:

News

  • ABC News – com.abcnews.ABCNews
  • Al Jazeera English – ajenglishiphone
  • CBC News – ca.cbc.CBCNews
  • CBS News – com.H443NM7F8H.CBSNews
  • CNBC – com.nbcuni.cnbc.cnbcrtipad
  • Fox News – com.foxnews.foxnews
  • NewsBreak – com.particlenews.newsbreak
  • New York Times – com.nytimes.NYTimes
  • NPR – org.npr.nprnews
  • ntv Nachrichten – de.n-tv.n-tvmobil
  • Reuters – com.thomsonreuters.Reuters
  • RT News – com.rt.RTNewsEnglish
  • Stern Nachrichten – de.grunerundjahr.sternneu
  • The Economist – com.economist.lamarr
  • The Huffington Post – com.huffingtonpost.HuffingtonPost
  • The Wall Street Journal – com.dowjones.WSJ.ipad
  • Vice News – com.vice.news.VICE-News

Games

  • 8 Ball Pool™ – com.miniclip.8ballpoolmult
  • AMAZE!!! – com.amaze.game
  • Bejeweled – com.ea.ios.bejeweledskies
  • Block Puzzle – Game.BlockPuzzle
  • Classic Bejeweled – com.popcap.ios.Bej3
  • Classic Bejeweled HD – com.popcap.ios.Bej3HD
  • FlipTheGun – com.playgendary.flipgun
  • Fruit Ninja – com.halfbrick.FruitNinjaLite
  • Golf Masters – com.playgendary.sportmasterstwo
  • Letter Soup – com.candywriter.apollo7
  • Love Nikki – com.elex.nikki
  • My Emma – com.crazylabs.myemma
  • Plants vs. Zombies™ Heroes – com.ea.ios.pvzheroes
  • Pooking – Billiards City – com.pool.club.billiards.city
  • PUBG Mobile – com.tencent.ig
  • Tomb of the Mask – com.happymagenta.fromcore
  • Tomb of the Mask: Color – com.happymagenta.totm2
  • Total Party Kill – com.adventureislands.totalpartykill
  • Watermarbling – com.hydro.dipping

Social networks

  • TikTok – com.zhiliaoapp.musically
  • ToTalk – totalk.gofeiyu.com
  • Tok – com.SimpleDate.Tok
  • Truecaller – com.truesoftware.TrueCallerOther
  • Viber – com.viber
  • Weibo – com.sina.weibo
  • Zoosk – com.zoosk.Zoosk

Other

  • 10% Happier: Meditation – com.changecollective.tenpercenthappier
  • 5-0 Radio Police Scanner – com.smartestapple.50radiofree
  • AccuWeather – com.yourcompany.TestWithCustomTabs
  • AliExpress Shopping App – com.alibaba.iAliexpress
  • Bed Bath & Beyond – com.digby.bedbathbeyond
  • DAZN – com.dazn.theApp
  • Hotels.com – com.hotels.HotelsNearMe
  • HotelTonight – com.hoteltonight.prod
  • Overstock – com.overstock.app
  • Pigment – Coloring Book for Adults – com.pixite.pigment
  • Recolor Coloring Book to Color – com.sumoing.ReColor
  • Sky Ticket – de.sky.skyonline
  • The Weather Network – com.theweathernetwork.weathereyeiphone

Shortly after the report was released, 10% Happier: Meditation and HotelTonight promised to stop the behavior and quickly did so. TikTok also promised to stop but never has, Mysk said. None of the other apps has stopped, either, he said.

Clipboard reading done right

In some cases, reading the clipboard can make an app much more useful. The UPS iPhone app, for example, pulls text from the clipboard and, if the text matches the format of a tracking number, offers to track the corresponding package. Google Chrome also pulls text and, if it is a URL, asks the user whether to search for it. The Pixelmator photo editor reads data only if it is an image, and if so asks the user whether to open it for editing. In all three cases, the clipboard read has a clear use case and is transparent.
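As an added illustration of the pattern just described (example code written for this article, not code from UPS, Chrome, Pixelmator or any app named here), the Swift below checks whether the clipboard probably holds a web URL without reading it, and reads the text only after the user agrees. The class and method names, the alert text and the search hand-off are assumptions.

```swift
import UIKit

// Added example: a view controller that handles the clipboard the way the
// article's UPS/Chrome pattern does. Assumed names: WebSearchViewController,
// offerClipboardURL, askBeforeReading, search(for:).
final class WebSearchViewController: UIViewController {

    override func viewDidAppear(_ animated: Bool) {
        super.viewDidAppear(animated)
        offerClipboardURL()   // only while the app is active and visible
    }

    private func offerClipboardURL() {
        let pasteboard = UIPasteboard.general
        // Step 1: metadata only. hasStrings/hasURLs do not hand the contents to
        // the app, so nothing is read from a universal clipboard either.
        guard pasteboard.hasStrings || pasteboard.hasURLs else { return }
        // Step 2 (iOS 14+): let the system check whether the text probably is a
        // web URL without revealing the text itself to the app.
        if #available(iOS 14.0, *) {
            pasteboard.detectPatterns(for: [.probableWebURL]) { [weak self] result in
                guard case .success(let found) = result, found.contains(.probableWebURL) else { return }
                DispatchQueue.main.async { self?.askBeforeReading(pasteboard) }
            }
        } else {
            askBeforeReading(pasteboard)   // older iOS: ask first, then read
        }
    }

    // Step 3: the only place pasteboard.string is called, and only after consent.
    private func askBeforeReading(_ pasteboard: UIPasteboard) {
        let alert = UIAlertController(
            title: "Search for the copied link?",
            message: "The app will read your clipboard to look for a web address.",
            preferredStyle: .alert)
        alert.addAction(UIAlertAction(title: "Not now", style: .cancel))
        alert.addAction(UIAlertAction(title: "Read clipboard", style: .default) { [weak self] _ in
            guard let text = pasteboard.string?.trimmingCharacters(in: .whitespacesAndNewlines),
                  let url = URL(string: text), let scheme = url.scheme?.lowercased(),
                  scheme == "http" || scheme == "https" else { return }
            self?.search(for: url)
        })
        present(alert, animated: true)
    }

    private func search(for url: URL) {
        // Hypothetical hand-off to the app's own search screen.
        print("searching for \(url.absoluteString)")
    }
}
```

On iOS 14 the system banner still appears at the moment `pasteboard.string` is read, which is the transparent behaviour the article describes; an app that reads on every launch or keystroke would trigger it constantly.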

TikTok and the other offending apps, by contrast, access the clipboard without a clear reason and without any indication that they are doing so. For many of the apps, it is hard to see a legitimate performance or usability reason for the access. Mysk said Apple plans to credit his and Haj Bakry’s research as a catalyst for the new clipboard notification in iOS 14.

The clipboard reading that Haj Bakry and Mysk reported raises concerns that likely extend to Android and possibly other operating systems. Mysk said that clipboard reading by Android apps is “even worse” than on iOS because the operating system’s APIs are much more permissive. Up to version 10, for example, Android allowed apps running in the background to read the clipboard. iOS apps, by contrast, can read or query the clipboard only when they are active.

Mysk said Apple’s notification feature is a good start, but ultimately Apple and Google should do more. One possibility is to make clipboard access a standard permission, as access to the microphone or camera is now. Another is to require app developers to disclose precisely what clipboard data is accessed and what the app does with it.

For now, users should keep in mind that any data stored on the clipboard, even though it is not visible, can be read regularly by apps that in many cases are not even installed locally on the device. When in doubt, clear the clipboard by copying a harmless character, word, or other piece of data.