Though the latest version of Apple’s iPhone operating system iOS 14 has only been made available as a developer beta, it is already making waves for a new security feature—alerting users when the text they copy onto the Apple clipboard is accessed by other apps.
While this may come as a shock, it has long been the case: When you copy text in iOS 14, it is temporarily stored in a clipboard. Many apps have access to this clipboard, whether text was entered into it while using that app or not. Now, Jeremy Burge, Chief Emoji Officer at Emojipedia, has demonstrated how popular short-video-sharing app TikTok accesses the contents of your clipboard when the app is open.
Okay so TikTok is grabbing the contents of my clipboard every 1-3 keystrokes. iOS 14 is snitching on it with the new paste notification pic.twitter.com/OSXP43t5SZ
— Jeremy Burge (@jeremyburge) June 24, 2020
“In the case of TikTok, why it needs to check the clipboard (and trigger the alert it is being 'pasted') after every 1-3 keystrokes is odd. It CAN be explained as a potential bad implementation of a framework. Or something more nefarious. No way to know, that I can see?” he added.
With iOS 14, such behaviour will trigger a notification every time it happens—one that might be annoying for some users as it can tend to obscure the URL field. However, it is a useful one in that it reveals the extent of clipboard monitoring on iOS.
Worryingly, this behaviour has been documented not just in TikTok but by a host of other apps. In March, developers Talal Haj Bakry and Tommy Mysk published the results of their investigation into clipboard snooping by over iOS 50 apps.
Original research about app access to clipboard data. It's not just TikTok, by a long shot https://t.co/81CPwRPrWm pic.twitter.com/BXNKq8CkZP
— Jeremy Burge (@jeremyburge) June 25, 2020
“This article provides an investigation of some popular apps that frequently access the pasteboard without user consent. These apps range from popular games and social networking apps, to news apps of major news organizations. We found that many apps quietly read any text found in the pasteboard every time the app is opened. Text left in the pasteboard could be as simple as a shopping list, or could be something more sensitive: passwords, account numbers, etc,” the developers wrote in the post.
The apps included popular games like Bejeweled, Fruit Ninja, PUBG Mobile and Plants vs Zombies Heroes, as well as apps like TikTok, Viber, Weibo and Truecaller, besides a plethora of news apps.
Following this, TheTelegraph reported on March 30 that TikTok said they would disable clipboard-reading in their latest update (as did the developers of Bejewelled, Fruit Ninja and Plants vs Zombies Heroes). However, the video by Burge suggests that this was not done by TikTok.
The Telegraph found that apps that read users’ clipboards did so using third-party SDKs like Apptimize and one developed by Google. In addition, it noted that the loophole that allows this practice “remains open on both iPhones and Android phones”.
According to the Android 10 changelog, access to the clipboard is restricted to the app that has been granted focus (key input) or to the default input method editor (like the keyboard). “Unless your app is the default input method editor (IME) or is the app that currently has focus, your app cannot access clipboard data on Android 10 or higher.”
While clipboard snooping behaviour can be frightening, it is not necessary that apps are doing this maliciously. Some apps, like delivery apps, use text pasted in clipboards to identify tracking numbers. However, the danger arises when apps abuse this permission.
For example, users who paste their passwords or other sensitive information onto their clipboards could be unknowingly given the data to third-party apps. However, the reporter who covered the story for The Telegraph said that both TikTok and Google said that no user data was being sent off the device.
Hard to confirm it for sure, but FWIW both TikTok and Google (whose SDK it was in this case, according to TikTok) said on the record that no user data was ever sent off device. Supposedly it's just not the way the SDK(s) work. Take that as you will!
— Laurence Dodds (@LFDodds) June 25, 2020
With iOS 14 making a greater push towards enhancing user privacy, there are now calls for Google to do the same. The develop who raised keylog snooping in iOS has called on Google to follow in Apple’s footsteps and notify users when apps access the clipboard.
How great it would be if @Google follow in @Apple's footsteps by alerting #Android users when an app accesses the clipboard.
— Mysk (@mysk_co) June 23, 2020
Data privacy is a right for everyone!#WWDC #iOS14
pic.twitter.com/o6vZzQqO8a
TikTok had over 200 million users in India by the end of 2019. Amid the escalating tensions between India and China after soldiers from either side clashed along the Line of Actual Control in Ladakh, calls to boycott the app due to its Chinese ownership have been mounting.
