A troubling privacy report that researchers published in March 2020, covering more than four dozen iOS apps including TikTok, took the Internet by storm. The report stated that despite TikTok vowing to curb the privacy-invasive practice, it continued to access some of Apple users’ most sensitive data. This data includes passwords, cryptocurrency wallet addresses, account-reset links, and personal messages. An additional 53 apps identified in March are also breaching data privacy.

The privacy invasion is the result of the apps scanning and reading any text that appears on the clipboard. Researchers Talal Haj Bakry and Tommy Mysk found that these apps deliberately called an iOS programming interface that gets text data from users’ clipboards.


Universal snooping

However, the data retrieval isn’t limited to the local device. If a user uses the same Apple ID on an iPhone and an iPad, and both devices are located near each other and share a universal clipboard, then any app on the iPhone can read and retrieve sensitive data on the clipboards of the other connected devices too. This data may include bitcoin addresses, passwords, or email messages that are temporarily stored on the clipboard. Although the information is stored on separate devices, iOS apps can easily read it. “It’s very, very dangerous,” Mysk stated, referring to the apps’ indiscriminate reading of clipboard data. “These apps are reading clipboards, and there’s no reason to do this. An app that doesn’t have a text field to enter text has no reason to read clipboard text.”

While the researchers published their findings in March 2020, the invasive apps recently made headlines again with the developer beta release of iOS 14. A novel feature Apple included pops up a banner warning every time an app reads any clipboard contents. The recent focus fell on TikTok because of its massive base of active users, and the app’s continued snooping came under scrutiny. When called out in March, the video-sharing platform stated that it would end the privacy-breaching practice in the coming weeks. However, researcher Mysk said that the app never stopped the monitoring.

Also, a recent Twitter thread revealed that the clipboard reading occurred every time a TikTok user entered a punctuation mark or tapped the space bar while composing a comment. This meant that clipboard reads could happen at any time and at a much faster pace.

In a statement, TikTok representatives wrote:

‘Following the beta release of iOS14 on June 22, users saw notifications while using several popular apps. For TikTok, this was triggered by a feature designed to identify repetitive, spammy behaviour. We have already submitted an updated version of the app to the App Store, removing the anti-spam feature to eliminate any potential confusion. TikTok is committed to protecting users’ privacy and being transparent about how our app works. We look forward to welcoming outside experts to our Transparency Center later this year.’

Shortly after a report naming the apps breaching privacy was published, few of them promised to stop the practice and followed through. TikTok also vowed to stop, though it never put an end to it. In some cases, clipboard reading can enhance the functioning of an app. The UPS iPhone app, for example, pulls text from the clipboard and matches it to a tracking number, then prompts the user to track the corresponding package. In contrast, TikTok and other offending apps access the clipboard for no particular reason and without any indication.
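For developers who want that kind of convenience without reading the clipboard indiscriminately, the following added example (not code from the researchers or from any app named here) uses `UIPasteboard.detectPatterns(for:completionHandler:)`, an iOS 14 API the article does not mention, to learn only whether the clipboard looks like a number, and reads the text itself only after an explicit tap. The class name, the controls, and the assumption that tracking codes are purely numeric are hypothetical.

```swift
import UIKit

// Hypothetical package-tracking screen; all names here are illustrative.
final class TrackingViewController: UIViewController {
    private let field = UITextField()
    private let pasteButton = UIButton(type: .system)

    override func viewDidLoad() {
        super.viewDidLoad()
        field.borderStyle = .roundedRect
        pasteButton.setTitle("Paste tracking number", for: .normal)
        pasteButton.isHidden = true   // shown only when the clipboard looks numeric
        pasteButton.addTarget(self, action: #selector(pasteTapped), for: .touchUpInside)
        let stack = UIStackView(arrangedSubviews: [field, pasteButton])
        stack.axis = .vertical
        stack.spacing = 12
        stack.frame = CGRect(x: 20, y: 100, width: view.bounds.width - 40, height: 100)
        view.addSubview(stack)
    }

    override func viewDidAppear(_ animated: Bool) {
        super.viewDidAppear(animated)
        offerPasteIfClipboardLooksNumeric()
    }

    // Asks iOS whether the clipboard matches a pattern. Only the matched
    // pattern names come back; the clipboard text is never handed to the app.
    private func offerPasteIfClipboardLooksNumeric() {
        guard #available(iOS 14.0, *) else { return }  // older iOS: no automatic offer
        UIPasteboard.general.detectPatterns(for: [.number]) { [weak self] result in
            guard case .success(let found) = result else { return }
            DispatchQueue.main.async {
                self?.pasteButton.isHidden = !found.contains(.number)
            }
        }
    }

    // The only place the clipboard contents are read: after the user taps.
    @objc private func pasteTapped() {
        guard let text = UIPasteboard.general.string else { return }
        let candidate = text.trimmingCharacters(in: .whitespacesAndNewlines)
        // Constructed plausibility check, not any carrier's real format.
        guard (10...22).contains(candidate.count),
              candidate.allSatisfy({ $0.isASCII && $0.isNumber }) else { return }
        field.text = candidate
    }
}
```

The read in `pasteTapped` still triggers the iOS 14 banner, but it now coincides with an action the user took.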

According to Mysk, clipboard reading by Android apps is ‘worse’ than on iOS because the OS APIs are so much more lenient. Until version 10, Android allowed apps running in the background to read the text and everything else on the clipboard. iOS apps, in contrast, can read or query the clipboard only when the app is active. The researcher said that Apple and Google should do more to protect the privacy of data. One possibility is to make clipboard access subject to a standard permission, like access to the mic or the camera. Another option is to make app developers disclose precisely what clipboard data an app is accessing and what it does with it. Also, users should be aware of the data stored in the clipboard, as apps can regularly access it.