A new privacy feature in Apple iOS 14 sheds light on TikTok’s practice of reading iPhone users’ cut-and-paste data, even though the company said in March it would stop.
Apple added a new banner alert to iOS 14 that lets users know when a mobile app pastes from the clipboard and is thus able to read the user’s cut-and-paste data.
The alert is the result of an investigation by German software engineer Tommy Mysk in February, which discovered that any cut-and-paste data temporarily stored to an iPhone or iPad’s memory can be accessed by all apps installed on the specific device, even malicious ones.
In the current iOS beta, the alert, which appears as a banner across the top of the device screen, shows up anytime a paste operation happens. Soon after this release, TikTok users began reporting that the app appears to be constantly reading users’ clipboards, even though officials told the U.K. publication The Telegraph in March that they would end this practice “within weeks.”
However, several other news outlets and users reported this week after the iOS 14 update that TikTok is still snooping, with the privacy banner showing up repeatedly on user screens when the app is running.
In response, TikTok told The Telegraph that the app is not collecting data from the clipboard, but rather is triggering the iOS privacy banner through a custom system that identifies repetitive spam behavior. The company said it would correct this problem in a future update.
Apple’s exposure of this continued practice has not only irked beta users but also raised concerns that TikTok is copying personal data without permission, according to reports as well as user comments on Twitter. At the same time, TikTok users applauded Apple for exposing the practice.
“Hey @tiktok_us, why do you paste from my clipboard every time I type a LETTER in your comment box?” wrote TikTok user, actor and podcast host @MaxelAmador on Twitter. “Shout out to iOS 14 for shining a light on this HUGE invasion of privacy.”
“Nothing short of frightening how apps will scrape what’s yours,” wrote pediatric gastroenterologist Bryan Vartabedian in a tweet that linked to an article about TikTok’s clipboard-copying behavior.
Indeed, when Mysk uncovered what he believed was an iOS clipboard vulnerability earlier this year, he also created a rogue proof-of-concept (PoC) app called KlipboardSpy and an iOS widget named KlipSpyWidget to show how any app installed on an iOS device can maliciously access clipboard data and use it to spy on the user or steal sensitive personal information.
To illustrate his point, he demonstrated that photos taken by a device’s camera contain time and GPS metadata that could be used to pinpoint a user’s location.
“A user may unwittingly expose their precise location to apps by simply copying a photo taken by the built-in Camera app to the general pasteboard,” the developer wrote in a technical blog post at the time.
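The photo-metadata leak Mysk describes, as an added example that is not part of the article or of his PoC: the Python below builds a constructed, minimal EXIF blob carrying a GPS IFD (the structure a Camera-app JPEG embeds) and shows how little work it takes to turn that metadata into a decimal coordinate, which is why a copied photo is a location disclosure to any app that reads the pasteboard. The sample coordinates and the `build_sample_exif` helper are assumptions made for the demo.

```python
import struct

# Constructed sample (not from the article): a minimal little-endian TIFF/EXIF
# blob whose IFD0 holds only a GPS sub-IFD pointer; the GPS IFD carries the
# latitude/longitude reference letters and degree/minute/second RATIONALs.
def build_sample_exif(lat=(37, 46, 30.0), lon=(122, 25, 10.0), lat_ref=b"N", lon_ref=b"W"):
    def rationals(dms):  # three RATIONALs (numerator, denominator), scaled by 1000
        return b"".join(struct.pack("<II", int(v * 1000), 1000) for v in dms)
    def entry(tag, typ, count, value):  # one 12-byte IFD entry
        return struct.pack("<HHI", tag, typ, count) + value
    header = b"II*\x00" + struct.pack("<I", 8)          # byte order, magic, IFD0 offset
    gps_ifd_off = 8 + 2 + 12 + 4                         # IFD0: count + 1 entry + next-IFD link
    lat_off = gps_ifd_off + 2 + 4 * 12 + 4               # GPS IFD: count + 4 entries + link
    lon_off = lat_off + 24
    ifd0 = struct.pack("<H", 1) + entry(0x8825, 4, 1, struct.pack("<I", gps_ifd_off)) + b"\0" * 4
    gps = struct.pack("<H", 4)
    gps += entry(1, 2, 2, lat_ref + b"\0" * 3)           # GPSLatitudeRef, ASCII stored inline
    gps += entry(2, 5, 3, struct.pack("<I", lat_off))    # GPSLatitude, RATIONALs by offset
    gps += entry(3, 2, 2, lon_ref + b"\0" * 3)           # GPSLongitudeRef
    gps += entry(4, 5, 3, struct.pack("<I", lon_off))    # GPSLongitude
    return header + ifd0 + gps + b"\0" * 4 + rationals(lat) + rationals(lon)

def extract_gps(exif: bytes):
    """Return (lat, lon) in decimal degrees, or None when the blob has no GPS IFD."""
    if exif[:2] not in (b"II", b"MM"):
        raise ValueError("not a TIFF/EXIF header")
    e = "<" if exif[:2] == b"II" else ">"                # byte order comes from the header
    def read_ifd(off):  # tag -> (type, count, position of its 4-byte value/offset field)
        n = struct.unpack_from(e + "H", exif, off)[0]
        return {tag: (typ, cnt, off + 2 + 12 * i + 8)
                for i in range(n)
                for tag, typ, cnt in [struct.unpack_from(e + "HHI", exif, off + 2 + 12 * i)]}
    ifd0 = read_ifd(struct.unpack_from(e + "I", exif, 4)[0])
    if 0x8825 not in ifd0:                               # no GPSInfo IFD pointer: nothing to leak
        return None
    gps = read_ifd(struct.unpack_from(e + "I", exif, ifd0[0x8825][2])[0])
    def dms_to_decimal(tag):  # three RATIONALs (deg, min, sec) -> decimal degrees
        off = struct.unpack_from(e + "I", exif, gps[tag][2])[0]
        d, m, s = (n / den for n, den in struct.iter_unpack(e + "II", exif[off:off + 24]))
        return d + m / 60 + s / 3600
    def ref(tag):                                        # "N"/"S" or "E"/"W", stored inline
        return chr(exif[gps[tag][2]])
    lat = dms_to_decimal(2) * (-1 if ref(1) == "S" else 1)
    lon = dms_to_decimal(4) * (-1 if ref(3) == "W" else 1)
    return lat, lon
```

A defender can point `extract_gps` at a photo's own EXIF segment (the bytes following the `Exif\0\0` marker in the JPEG APP1 block) to check whether location data needs stripping before the image is shared or copied.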