As I reported on June 23, Apple has fixed a serious problem in iOS 14, due in the fall, where apps can secretly access the clipboard on users’ devices. Once the new OS is released, users will be warned whenever an app reads the last thing copied to the clipboard. As I warned earlier this year, this is more than a theoretical risk for users, with countless apps already caught abusing their privacy in this way.
Worryingly, one of the apps caught snooping by security researchers Talal Haj Bakry and Tommy Mysk was China’s TikTok. Given other security concerns raised about the app, as well as broader worries given its Chinese origins, this became a headline issue. At the time, TikTok owner Bytedance told me the problem related to the use of an outdated Google advertising SDK that was being replaced.
Well, maybe not. With the release of the new clipboard warning in the beta version of iOS 14, now with developers, TikTok seems to have been caught abusing the clipboard in a quite extraordinary way. So it seems that TikTok didn’t stop this invasive practice back in April as promised after all.
Worse, the excuse has now changed.
According to TikTok, the issue is now “triggered by a feature designed to identify repetitive, spammy behavior,” and has told me that it has “already submitted an updated version of the app to the App Store removing the anti-spam feature to eliminate any potential confusion.” In other words: We’ve been caught doing something we shouldn’t, we’ve rushed out a fix.
TikTok also told me that the platform “is committed to protecting users' privacy and being transparent about how our app works." No comment on that one. TikTok added that it “looks forward to welcoming outside experts to our Transparency Center later this year.”
When I covered the original TikTok clipboard issue, the company was adamant it was not their problem and related to an outdated library in their app. “The clipboard access issues,” a spokesperson told me, “showed up due to third-party SDKs, in our case an older version Google Ads SDK, so we do not get access to the information through this (presumably they do but we cannot speak to that). We are in the processes of updating so that the third-party SDK will no longer have access.”
TikTok assured me it was being fixed and questioned coverage that suggested this was an issue. “It’s a Google Ads SDK issue,” they assured again in a later email, “so we need to make the change in which version of that SDK we use. TikTok does not get access to the data, but we are updating regardless to resolve it.”
Now Apple’s welcome iOS 14 security and privacy changes have caught them red-handed still doing something they shouldn’t. Something they said was fixed. TikTok isn’t alone—other apps will now need to change deliberate or inadvertent clipboard access. But TikTok is the highest profile and most totemic of the apps caught out, given its prior coverage and wider issues.
The most acute issue with this vulnerability is Apple’s universal clipboard functionality, which means that anything I copy on my Mac or iPad can be read by my iPhone, and vice versa. So, if TikTok is active on your phone while you work, the app can basically read anything and everything you copy on another device: Passwords, work documents, sensitive emails, financial information. Anything.
Earlier in the year, when TikTok was first exposed, the security researchers acknowledged that there was no way to tell what the app might be doing with user data, and its abuse was lost in the mix of many others. Now it’s feeling different. iOS users can relax, knowing that Apple’s latest safeguard will force TikTok to make the change, which in itself shows how critical a fix this has been. For Android users, though, there is no word yet as to whether this is an issue for them as well.
“Apple dismissed the risks that we highlighted and explained that iOS already had mechanisms to counter all of the risks,” the researchers told me earlier this week. “But the mechanisms that Apple provided were not effective to protect user privacy.” Following their initial report, they explained, “there was a tremendous public interaction with the topic—not only iOS users, but also Android users demand more restriction and transparency about the apps that use the system-wide clipboard.”
Apple originally dismissed the clipboard vulnerability as an issue, and only provided a fix after significant media coverage of the security research. This latest news shows just how important a fix that will be.
All iPhone users should update to the latest version of TikTok as soon as it’s released—and given it is actively reading your clipboard, you might want to bear that in mind while using the app ahead of that update.
Source: Paper.li
Σχόλια