Popular apps like TikTok are snooping on your iPhone clipboard
Many popular iOS and iPadOS apps appear to be snooping on device clipboards, according to new research, although there isn't currently any evidence of abuse.
TikTok is one of about 50 apps found to snoop on the iOS clipboard without a user's knowledge.
Apps on iOS or iPadOS generally have unrestricted access to data copied or cut into the systemwide clipboard. Apple, for its part, has said that this is intended behavior. But a pair of iOS developers have discovered that apps may be reading this data without user knowledge every time the app is open.
In a blog post, developers Tommy Mysk and Talal Haj Bakry name a list of about 50 apps that read the contents of the iOS clipboard every time they're open without a user's knowledge. The list includes popular apps like TikTok, Accuweather, Truecaller, Overstock and a slew of news publications.
The developers, who used Xcode and the Xcode command line to analyze the behavior of apps, also published a proof-of-concept video demonstrating the apparent loophole.
To be clear, the research doesn't suggest that these apps are doing anything malicious with the data, or even exfiltrating it. They're just reading it. But that fact alone leaves a door open to potential abuse.
While data stored in the clipboard is typically fairly benign, the method could be used to read sensitive copied information such as credit card numbers or plaintext passwords. If a user copies an image in their camera roll, it could also include metadata with specific locations or coordinates, though the apps the developers analyzed only looked at text.
This isn't the first time that Mysk and Bakry have looked into clipboard vulnerabilities. In February, the duo submitted their research into clipboard location data to Apple.
Reportedly, the Cupertino tech titan told them that they didn't see an issue with the behavior, because only apps in the foreground could read the clipboard. Mysk and Bakry then created a widget that showed apps can access the clipboard in the Today View. They also showed that the flaw could be used to read text copied on a Mac via the Universal Clipboard.
There could be non-malicious reasons why this clipboard-reading is occurring. The developers told Forbes that it might be due to a legacy library reading the pasteboard, and that some developers may not be aware that this is happening.
Mysk and Bakry argue that Apple should act to close the vulnerability because it would be fairly trivial to create malicious code that exfiltrates this data covertly.
The vulnerability becomes more worrisome given the security and privacy concerns of some of the apps, such as TikTok.
In April 2019, the Indian government urged Apple to remove TikTok from the India App Store over child safety concerns. While the app was restored within a week, TikTok is under scrutiny in other parts of the world, too. The U.S., for example, has opened a national security review of the app, The New York Times reported.
Comments
I don't know that there's any way to prevent this; if you let the clipboard paste text between apps then both apps will automatically have access to it.
1Password for Mac will clear the clipboard automatically a few minutes after you copy text from the app. Unfortunately because of the limited multitasking available in iOS there's no way for the iPhone/iPad apps to do this.
This is really @#$% sloppy by Apple. Apps shouldn’t be authorized to read the clipboard, unless you paste something. I’ve used the clipboard to copy passwords (infrequently) and cell phone numbers (frequently).
Re: “Apple, for its part, has said that this is intended behavior.”
Or, I don't know if there would be a way to limit such reading to only be doable when the user actually initiates some kind of paste command. In other words, when the app wants to read the clipboard, the app has to 'request' via some kind of user interaction. For example, only when the system-wide paste is initiated by the user, or via some kind of visual element the developer puts in the app, but on the system level is under user-control and initiation.
I'm not a developer, so just throwing stuff out there in theory.