Clipboard snooping still rife across many popular iOS apps
The clipboard-snooping antics of apps aren't limited to just TikTok: over 50 apps that were found to be accessing data from the iOS clipboard in March were still continuing the practice months later.

Apple's Universal Clipboard works across iPhone and Mac
As part of the new features arriving in iOS 14 and iPadOS 14 this fall, Apple included a number of measures designed to help increase the privacy of user data. One of those features will alert users whenever an app attempts to access the clipboard, in order to educate users about the types of apps that can potentially access their data.
The feature prompted reports referencing allegations uncovered in March that apps like TikTok frequently accessed the clipboard and grabbed content, even when the app was put in the background. TikTok has since publicly relented, claiming it was a spam-reduction feature that was triggering the mechanism, and that it had been removed in an updated version of the app submitted for App Store approval.
However, while TikTok is the highest-profile app that was caught out back in March, other apps found to be doing the same thing at the time are continuing the practice. According to a report by Ars Technica, 54 of the 56 apps found by researchers Tommy Mysk and Talal Haj Bakry were still reading the clipboard.
The list of apps includes many popular titles, including social apps like Weibo and Zoosk, news apps including NPR and Fox News, games such as Fruit Ninja and three different versions of Bejeweled, and others such as Accuweather and Hotels.com.
Only two apps had altered their behavior, with 10% Happier: Meditation and Hotel Tonight doing so shortly after the original report circulated. While TikTok had promised action at the time, it failed to make any changes that stopped the snooping.
The clipboard is meant to be a way for users to hand data to an app for a purpose they choose, but it does not always work the way users expect. Apps are able to pull data stored in the clipboard, which means a snooping app could be accessing data that was never intended for it.
With the addition of the Universal Clipboard across the Apple ecosystem, such apps pose the further risk of pulling data from the clipboard that wasn't even copied on the device they are installed on. For example, text copied on a Mac could be read by a clipboard-snooping app on an iPhone.
"It's very, very dangerous," said Mysk on Friday. "These apps are reading clipboards, and there's no reason to do this. An app that doesn't have a text field to enter text has no reason to read clipboard text."
Mysk added that the work by the researchers is being credited for the creation of the iOS 14 clipboard notification feature.

Comments
Fruit Ninja!
Deleted.
Why am I not surprised.
https://9to5mac.com/2020/06/25/tiktok-to-stop-reading-user-clipboards-after-being-exposed-by-ios-14-privacy-feature/
Seems that Google News does it too.
GoogleGuy incoming!
From Ars Technica's article on the same snooping, and found under the subsection "Clipboard reading done right". (That means it benefits you, in case you're confused):
"...in the event it’s a URL, (Google) will prompt the user to browse to it".
https://arstechnica.com/gadgets/2020/06/tiktok-and-53-other-ios-apps-still-snoop-your-sensitive-clipboard-data/
As for Android's and iOS's ability to browse a user's clipboard, Android is far more permissive than iOS. It's only been in the past few weeks that Google has signaled a similar change is coming to Android's clipboard manager, I'm guessing in the next full Android version? I'm not running that beta, so I'm not certain. Anyway, Apple is currently much more privacy-centric on this than Android, which is to be expected.
https://www.boredpanda.com/tik-tok-reverse-engineered-data-information-collecting/
I agree. There's really no reason for an app to need access to the clipboard until the user decides to paste the contents (just as is done with drag&drop). Maybe Apple determined that there's very little chance that someone would copy and paste sensitive information from app to app?
It seems to me that it would be trivial to add a timed lock to the clipboard giving the app access to the clipboard after the user invokes a paste, and then locking read access after so many seconds.
I don't use Google products, Twitter or Facebook.
I limit my Third Party apps on my iPhone/iPad/ATV/AppleWatch/MacBook to the bare minimum. The ones I've used, I've emailed to see if they are stealing my data...most said no, and some were offended I had asked.
I try to use only Apple native apps for everything.
I try to use Safari/Duck Duck Go to access the interwebs.
Oh well...
I think in general Apple does have our backs. The problem is there are a thousand little holes in the dam, and new features that add convenience also add potential risks, so it's a never-ending game of whack-a-mole.
Not Maybe.
That doesn't seem logical. A user could easily copy sensitive information in one app, paste it, and then seconds later move on to a totally different app that reads the clipboard without any user interaction.
And yeah, Universal Copy and Paste between iOS and macOS devices already works this way... the synced clipboard contents expire after some time. In fact, I've found that the original clipboard contents come back after the expiration, which is also a bit strange.
Is there any reason why an app should be able to do this on its own?
That's NOT a kind of 'benefit' I want! Geez.
One would think. Seems like common sense... like how you'd think it should have worked all along. This should be one of the biggest security stories of the decade (or more). And it wasn't the first time this has been mentioned, either.