Warning: Apple suddenly catches TikTok secretly spying on millions of iPhone users


As I reported on June 23, Apple has fixed a serious problem in iOS 14, due in the fall, where apps can secretly access the clipboard on users’ devices. Once the new operating system launches, users will be warned every time an application reads the most recently copied item on the clipboard. As I warned earlier this year, this is more than a theoretical risk to users, with countless apps already caught abusing their privacy in this way.

Worryingly, one of the applications caught snooping by security researchers Talal Haj Bakry and Tommy Mysk was China’s TikTok. Given other security concerns raised about the app, as well as broader concerns due to its Chinese origins, this became a major issue. At the time, the owner of TikTok, Bytedance, told me that the problem was related to the use of an outdated Google Advertising SDK that was being replaced.

Well, maybe not. With the release of the new clipboard warning in the iOS 14 beta, now in developers’ hands, TikTok seems to have been caught abusing the clipboard in quite a remarkable way. So it appears that TikTok didn’t stop this invasive practice in April as promised after all.

Worse yet, the excuse has now changed.

According to the Telegraph, TikTok now says the problem is caused by “a feature designed to identify repetitive and unwanted behavior”, and has claimed that “it has already submitted an updated version of the app to the App Store by removing the anti-spam feature to remove any potential confusion.” Let me translate that for you: we have been caught doing something we shouldn’t have, so we have pushed out a patch.

TikTok also said that the platform “is committed to protecting user privacy and being transparent about how our application works.” There are no comments about it.

When I covered the original TikTok clipboard issue, the company insisted that it was not its problem and was related to an outdated library in its application. “Clipboard access issues,” a spokesperson told me, “appeared due to third-party SDKs, in our case an earlier version of the Google Ads SDK, so we don’t have access to information through this (presumably they do, but we can’t speak to that). We are in the process of updating so that the third-party SDK no longer has access.”

TikTok assured me that it was being fixed and questioned the coverage that suggested this was a problem. “It is a problem of the Google Ads SDK,” they assured me again in a subsequent email, “so we must make the change in the version of that SDK that we use. TikTok does not have access to the data, but we are independently updating to resolve it.”

Now, Apple’s welcome iOS 14 security and privacy changes have caught them red-handed, still doing something they shouldn’t. Something they said was fixed. TikTok is not alone: other applications that access the clipboard, deliberately or inadvertently, will now need to change. But TikTok is the highest profile and most totemic of the apps caught, given its previous coverage and broader issues.

The most serious problem with this vulnerability is Apple’s universal clipboard functionality, which means that anything I copy on my Mac or iPad can be read by my iPhone, and vice versa. So if TikTok is active on your phone while you work, the app can basically read anything and everything you copy on another device: passwords, work documents, confidential emails, financial information. Anything.

Earlier this year, when TikTok was first exposed, security researchers acknowledged that there was no way of knowing what the app might be doing with user data, and its abuse was lost in the mix with that of many other apps. Now it feels different. iOS users can relax, knowing that Apple’s latest protection will force TikTok to make the change, which in itself shows how critical this fix has been. However, for Android users, it is not yet known if this is also a problem for them.

“Apple ruled out the risks we highlighted and explained that iOS already had mechanisms to counter all risks,” the researchers told me earlier this week. “But the mechanisms Apple provided were not effective in protecting user privacy.” After their initial report, they explained, “There was tremendous public interaction with the topic, not only iOS users, but also Android users are demanding more restrictions and transparency on apps that use the system-wide clipboard.”

Apple originally dismissed the clipboard vulnerability as an issue, and only provided a solution after significant media coverage of the security investigation. This latest news shows how important a solution will be.

All iPhone users should update to the latest version of TikTok as soon as it launches, and since the app is actively reading your clipboard, you may want to keep that in mind when using it prior to that update.

TikTok has been contacted for any comment on this story.
