Popular apps like TikTok are snooping on your iPhone clipboard

Posted:
in General Discussion edited March 2020
Many popular iOS and iPadOS apps appear to be snooping on device clipboards, according to new research, although there isn't currently any evidence of abuse.

TikTok is one of about 50 apps found to snoop on the iOS clipboard without a user's knowledge.
TikTok is one of about 50 apps found to snoop on the iOS clipboard without a user's knowledge.


Apps on iOS or iPadOS generally have unrestricted access to data copied or cut into the systemwide keyboard. Apple, for its part, has said that this is intended behavior. But a pair of iOS developers have discovered that apps may be reading this data without user knowledge every time the app is open.

In a blog post, developers Tommy Mysk and Talal Haj Bakry name a list of about 50 apps that read the contents of the iOS clipboard every time they're open without a user's knowledge. The list includes popular apps like TikTok, Accuweather, Truecaller, Overstock and a slew of news publications.

The developers, who used Xcode and Xcode Command line to analyze the behavior of apps, also published a proof-of-concept video demonstrating the apparent loophole.





To be clear, the research doesn't suggest that these apps are doing anything malicious with the data, or even exfiltrating it. They're just reading it. But that fact alone leaves a door open to potential abuse.

While data stored in the clipboard is typically fairly benign, the method could be used to read sensitive copied information such as credit card numbers or plaintext passwords. If a user copies an image in their camera roll, it could also include metadata with specific locations or coordinates, though the apps the developers analyzed only looked at text.

This isn't the first time that Mysk and Bakry have looked into clipboard vulnerabilities. In February, the duo submitted their research into clipboard location data to Apple.

Reportedly, the Cupertino tech titan told them that they didn't see an issue with the behavior, because only apps in the foreground could read the clipboard. Mysk and Bakry then created a widget that showed apps can access the clipboard in the Today View. They also showed that the flaw could be used to read text copied on a Mac via the Universal Clipboard.

There could be non-malicious reasons why this clipboard-reading is occurring. The developers told Forbes that it might be due to a legacy library reading the pasteboard, and that some developers may not be aware that this is happening.

Mysk and Bakry argue that Apple should act to close the vulnerability because it would be fairly trivial to create malicious code that exfiltrates this data covertly.

The vulnerability becomes more worrisome given the security and privacy concerns of some of the apps, such as TikTok.

In April 2019, the Indian government urged Apple to remove TikTok from the India App Store over child safety concerns. While the app was restored within a week, TikTok is under scrutiny in other parts of the world, too. The U.S., for example, has opened a national security review of the app, The New York Times reported.

Comments

  • Reply 1 of 9
    Is there a way to clear the clipboard?
    watto_cobra
  • Reply 2 of 9
    MplsPMplsP Posts: 4,000member
    Is there a way to clear the clipboard?
    Not directly but you can just highlight some random text and select copy to clear out sensitive information.

    I don't know that there's any way to prevent this; if you let the clipboard past text between apps then both apps will have automatically have access to it.

    1Password for Mac will clear the clipboard automatically a few minutes after you copy text from the app. Unfortunately because of the limited multitasking available in iOS  there's no way for the iPhone/iPad  apps to do this.
    edited March 2020 viclauyyc
  • Reply 3 of 9
    seanismorrisseanismorris Posts: 1,624member
    Is there a way to clear the clipboard?
    Copy garbage after performing your normal use.  iOS clipboard only holds only one item.  There are clipboard Apps that hold more.

    This is really @#$% sloppy by Apple.  Apps shouldn’t be authorized to read the clipboard, unless you paste something.  I’ve used clipboard to copy to passwords (infrequently) and cell phone numbers (frequently).

    Re: “Apple, for its part, has said that this is intended behavior. “
    Only if data security isn’t an intended behavior...



  • Reply 4 of 9
    I’ve noticed the UPS app will present a message to the effect of “We notice you copied what appears to be a tracking number. Would you like to attempt to track that number?” when I open the app after copying a tracking number. 

    That ability has simultaneously nagged at me a little and been mildly convenient. 
    bonobobcornchip
  • Reply 5 of 9
    Perfect example of the “thousand grains of sand” data collection method.
    olscgWerkswatto_cobra
  • Reply 6 of 9
    Is there a way to clear the clipboard?
    Yes you can. Use the Shortcuts app. Search the Gallery for the “Clear All Clipboards” shortcut. This will clear the Universal Clipboard.
    edited March 2020 GG1fastasleepviclauyyccornchipstompywatto_cobra
  • Reply 7 of 9
    bonobobbonobob Posts: 392member
    An entire article on working from home, and not a single mention of VPNs. Tsk.
    I’ve noticed the UPS app will present a message to the effect of “We notice you copied what appears to be a tracking number. Would you like to attempt to track that number?” when I open the app after copying a tracking number. 

    That ability has simultaneously nagged at me a little and been mildly convenient. 
    Google Maps, too. If I copy an address, it's displayed right at the top when I tap the Search field.
    cornchipwatto_cobra
  • Reply 8 of 9
    cgWerkscgWerks Posts: 2,952member
    MplsP said:
    I don't know that there's any way to prevent this; if you let the clipboard past text between apps then both apps will have automatically have access to it.
    Hmm, that is a good point, unless Apple could make the call to 'paste' more like camera/mic/location access in terms of having to give permission to apps. At least that would limit it to apps you trust not to abuse it.

    Or, I don't know if there would be a way to limit such reading to only be doable when the user actually initiates some kind of paste command. In other words, when the app wants to read the clipboard, the app has to 'request' via some kind of user interaction. For example, only when the system-wide paste is initiated by the user, or via some kind of visual element the developer puts in the app, but on the system level is under user-control and initiation.

    I'm not a developer, so just throwing stuff out there in theory.
    watto_cobra
  • Reply 9 of 9
    russwrussw Posts: 21member
    Don’t forget the Apple Insider iOS app. It reads the clipboard on every activation. 
Sign In or Register to comment.