This year’s WWDC saw Apple lean heavily on privacy. It touted new features and initiatives that would protect your data and give you a better idea of how companies are using it. But one new privacy feature may have inadvertently exposed that Apple’s privacy messaging is partly smoke and mirrors.
iOS 14 will now alert you when an application accesses your clipboard – basically, the place where anything you cut or copy is held until you paste it somewhere else. There are legitimate reasons for an app to access the clipboard: for example, pasting a password copied from your password manager into the app.
However, instead of simply being helpful, the new alert has revealed that a lot of third-party apps are accessing your clipboard for no apparent reason, and without you interacting with a text input field. For example, a video from Ryan Jones shows that after copying a photo from iMessage, applications like AccuWeather, Fox News, Vice News, the New York Times and even Google Chrome “pasted” the image with no interaction from the user.
An even scarier video comes from Jeremy Burge of Emojipedia. He found that TikTok was “pasting” content while he was typing. It is unclear whether the app is reading his clipboard or logging his keystrokes. That being said, TechGeek has been able to independently verify and reproduce this via a third party who is running iOS 14.
Okay so TikTok is grabbing the contents of my clipboard every 1-3 keystrokes. iOS 14 is snitching on it with the new paste notification pic.twitter.com/OSXP43t5SZ
— Jeremy Burge (@jeremyburge) June 24, 2020
We have contacted TikTok about the tweet and asked them several questions, including why the app needs access to a person’s clipboard and whether the data is used for any purpose (for example: analytics, advertising, or diagnostic/debugging support).
A TikTok spokesperson said:
Following the beta release of iOS14 on June 22, users saw notifications while using a number of popular apps.
For TikTok, this was triggered by a feature designed to identify repetitive, spammy behavior. We have already submitted an updated version of the app to the App Store removing the anti-spam feature to eliminate any potential confusion.
TikTok is committed to protecting users’ privacy and being transparent about how our app works.
It was brought up in March – but now we know it’s even worse
This issue was brought to everyone’s attention back in March by Talal Haj Bakry and Tommy Mysk, who observed that a lot of popular apps “frequently access the [clipboard] and read its content without user consent” but also noted, in an interview with iMore, that it seemed that some of the apps they tested were only interested in listening for text.
“The exploit works with all data types such as text, photos, or PDF documents. Surprisingly, the apps we tested only chose to read text, but ignore other data types such as photos or PDF documents. In other words, all the apps we listed in our blog are only interested in reading text from the clipboard,” they said.
Apps named in Bakry and Mysk’s report included The Wall Street Journal, the New York Times, Fox News, Fruit Ninja, Plants vs Zombies Heroes, Viber, Truecaller, and DAZN.
TikTok was also named on that list, and had given assurances in the press that it would remove the behaviour. According to the Telegraph’s Laurence Dodds, the issue noted above was a separate feature from the one removed after TikTok was named in Bakry and Mysk’s report.
The company now says this was a separate feature – but has not yet said how long it has been in place, nor whether it collected any personal data. See our full story here: https://t.co/a5ITTSERSz
— Laurence Dodds (@LFDodds) June 25, 2020
Bakry and Mysk also reported this to Apple back in January and even wrote a proof of concept to show how unrestricted access to someone’s clipboard is (widgets can read the clipboard’s content too). Apple told the developers it did not see this as a security vulnerability, despite evidence to the contrary.
It might not be for evil intent, but we don’t know
Just because you see the notification does not necessarily mean the application is secretly sending your data back for advertising or tracking. For example, any iOS application built on the Flutter framework will also trigger this notification, because of a recent addition in which the framework checks the clipboard contents to decide whether it needs to display the paste button. An issue has been raised and people are working to resolve it.
Apple even has a new API that lets an app determine whether the clipboard holds something pasteable without reading the actual contents. Unfortunately, it only exists on iOS 14 and above.
In addition, some applications read the clipboard deliberately and act on it as a convenience. For example, the Deliveries app reads the clipboard to see whether it holds a valid package tracking number or URL, and prompts you to add it to your tracking list. Apollo, the Reddit client, will automatically open a post if you have a Reddit URL in your clipboard.
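As an added illustration of how the convenience features above can be built without the blanket reads that trigger the iOS 14 banner, here is a small Swift helper. It is example code written for this article, not code from Apple, Deliveries, Apollo or any app named here; the class name and method names are hypothetical. It relies on three real UIKit APIs: the type-hint properties `UIPasteboard.hasStrings` / `hasURLs` (which report only whether a type is present), the iOS 14 `detectPatterns(for:completionHandler:)` call, which reports whether the contents match a pattern such as a probable web URL without handing the app the contents, and the ordinary `string` / `url` accessors, which are the reads that actually expose data and should happen only after the user asks for it.

```swift
import UIKit

/// Hypothetical helper (example code, not from any app named in the article):
/// offers an "open URL from clipboard" action while deferring the actual read
/// of the clipboard until the user explicitly confirms.
final class ClipboardURLOffer {
    private let pasteboard: UIPasteboard

    init(pasteboard: UIPasteboard = .general) {
        self.pasteboard = pasteboard
    }

    /// Step 1: a content-free check. These properties only say whether the
    /// pasteboard carries a string or URL item; they do not read the data.
    var mightContainURL: Bool {
        pasteboard.hasURLs || pasteboard.hasStrings
    }

    /// Step 2 (iOS 14 and later): ask the system whether the contents look like
    /// a web URL. The app receives only the set of matched patterns, never the
    /// text itself, so this is the path to use for "should we offer the action?".
    func shouldOfferToOpenURL(completion: @escaping (Bool) -> Void) {
        guard mightContainURL else {
            completion(false)
            return
        }
        if #available(iOS 14.0, *) {
            pasteboard.detectPatterns(for: [.probableWebURL]) { result in
                switch result {
                case .success(let patterns):
                    completion(patterns.contains(.probableWebURL))
                case .failure:
                    // Detection failed; fall back to not offering the action
                    // rather than reading the clipboard to find out.
                    completion(false)
                }
            }
        } else {
            // Before iOS 14 there is no content-free pattern check. Offer the
            // action on the type hint alone and still defer the real read.
            completion(true)
        }
    }

    /// Step 3: the only place the contents are actually read. Call this in
    /// response to a user gesture (tapping the offer), so the read happens
    /// once, at the user's request, not on every launch or keystroke.
    func urlAfterUserConfirmed() -> URL? {
        if let url = pasteboard.url {
            return url
        }
        if let text = pasteboard.string,
           let url = URL(string: text),
           let scheme = url.scheme?.lowercased(),
           ["http", "https"].contains(scheme) {
            return url
        }
        return nil
    }
}
```

The design point is the split between steps 1 and 2, which an app may run freely, and step 3, which exposes the data and should be tied to a user action. On iOS 13 and earlier the pattern check is unavailable, which is the limitation the article notes; an app supporting those versions can still defer the read to step 3 so that the clipboard is never touched silently.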
But unless the application’s source code is publicly available, we just do not know. There are as many illegitimate and malicious reasons to read your clipboard as there are legitimate ones. What’s worse is that this is being done in the shadows right now, and will be until iOS 14 is released later this year (most likely October).
And even then, whilst being notified about it is a start, it’s not enough. Your clipboard can contain a lot of sensitive information – if you’re using a password manager, it could contain your password. Users should be able to control who has access to the clipboard, and be advised why the app needs access to the clipboard outside of a text field.
I guess the only good thing is that this has finally come out of the shadows and app developers are shamed into doing something.