Stories
Slash Boxes
Comments

SoylentNews is people

posted by martyb on Sunday June 28 2020, @09:48PM   Printer-friendly
from the subverting-clippy dept.

Apple's iOS 14 beta added a feature that reveals each time an application copies text from the clipboard. A recent article in Ars Technica brought renewed focus to an issue we previously reported in February. This story includes a list of apps from the researcher's blog post.

TikTok and 53 other iOS apps still snoop your sensitive clipboard data:

In March, researchers uncovered a troubling privacy grab by more than four dozen iOS apps including TikTok, the Chinese-owned social media and video-sharing phenomenon that has taken the Internet by storm. Despite TikTok vowing to curb the practice, it continues to access some of Apple users' most sensitive data, which can include passwords, cryptocurrency wallet addresses, account-reset links, and personal messages. Another 53 apps identified in March haven't stopped either.

The privacy invasion is the result of the apps repeatedly reading any text that happens to reside in clipboards, which computers and other devices use to store data that has been cut or copied from things like password managers and email programs. With no clear reason for doing so, researchers Talal Haj Bakry and Tommy Mysk found, the apps deliberately called an iOS programming interface that retrieves text from users' clipboards.

[...] In many cases, the covert reading isn't limited to data stored on the local device. In the event the iPhone or iPad uses the same Apple ID as other Apple devices and are within roughly 10 feet of each other, all of them share a universal clipboard, meaning contents can be copied from the app of one device and pasted into an app running on a separate device.

That leaves open the possibility that an app on an iPhone will read sensitive data on the clipboards of other connected devices. This could include bitcoin addresses, passwords, or email messages that are temporarily stored on the clipboard of a nearby Mac or iPad. Despite running on a separate device, the iOS apps can easily read the sensitive data stored on the other machines.

[...] TikTok's continued snooping has gotten extra scrutiny for other reasons. When called out in March, the video-sharing provider told UK publication The Telegraph it would end the practice in the coming weeks. Mysk said that the app never stopped the monitoring. What's more, a Wednesday Twitter thread revealed that the clipboard reading occurred each time a user entered a punctuation mark or tapped the space bar while composing a comment. That means the clipboard reading can happen every second or so, a much more aggressive pace than documented in the March research, which found monitoring happened when the app was opened or reopened.

A tweet by Jeremy Burge gives an example of how this can be reproduced:

To reproduce:
1. Have something on your clipboard. Eg copy some text from Notes or a website
2. Open TikTok and start typing in any text field
3. You learn from iOS 14 beta each time an app "pastes" - but in this instance I didn't request it, and none of that text appears in UI

— Jeremy Burge (@jeremyburge) June 24, 2020

Here is the list of apps (emphasis retained from original) from a researcher's blog post:

List of Apps

This section summarizes the list of apps that snoop on the pasteboard every time the app is opened. The apps are listed alphabetically in the following format:

  • App Name — BundleID

News

  • ABC News — com.abcnews.ABCNews
  • Al Jazeera English — ajenglishiphone
  • CBC News — ca.cbc.CBCNews
  • CBS News — com.H443NM7F8H.CBSNews
  • CNBC — com.nbcuni.cnbc.cnbcrtipad
  • Fox News — com.foxnews.foxnews
  • News Break — com.particlenews.newsbreak
  • New York Times — com.nytimes.NYTimes
  • NPR — org.npr.nprnews
  • ntv Nachrichten — de.n-tv.n-tvmobil
  • Reuters — com.thomsonreuters.Reuters
  • Russia Today — com.rt.RTNewsEnglish
  • Stern Nachrichten — de.grunerundjahr.sternneu
  • The Economist — com.economist.lamarr
  • The Huffington Post — com.huffingtonpost.HuffingtonPost
  • The Wall Street Journal — com.dowjones.WSJ.ipad
  • Vice News — com.vice.news.VICE-News

Games

  • 8 Ball Pool™ — com.miniclip.8ballpoolmult
  • AMAZE!!! — com.amaze.game
  • Bejeweled — com.ea.ios.bejeweledskies
  • Block Puzzle — Game.BlockPuzzle
  • Classic Bejeweled  com.popcap.ios.Bej3
  • Classic Bejeweled HD — com.popcap.ios.Bej3HD
  • FlipTheGun — com.playgendary.flipgun
  • Fruit Ninja — com.halfbrick.FruitNinjaLite
  • Golfmasters — com.playgendary.sportmasterstwo
  • Letter Soup — com.candywriter.apollo7
  • Love Nikki — com.elex.nikki
  • My Emma — com.crazylabs.myemma
  • Plants vs. Zombies™ Heroes — com.ea.ios.pvzheroes 
  • Pooking – Billiards City — com.pool.club.billiards.city
  • PUBG Mobile — com.tencent.ig
  • Tomb of the Mask — com.happymagenta.fromcore
  • Tomb of the Mask: Color — com.happymagenta.totm2
  • Total Party Kill — com.adventureislands.totalpartykill
  • Watermarbling — com.hydro.dipping

Social Networking

  • TikTok — com.zhiliaoapp.musically
  • ToTalk — totalk.gofeiyu.com
  • Tok — com.SimpleDate.Tok
  • Truecaller — com.truesoftware.TrueCallerOther
  • Viber — com.viber
  • Weibo — com.sina.weibo
  • Zoosk — com.zoosk.Zoosk

Other

  • 10% Happier: Meditation —com.changecollective.tenpercenthappier
  • 5-0 Radio Police Scanner — com.smartestapple.50radiofree
  • Accuweather — com.yourcompany.TestWithCustomTabs
  • AliExpress Shopping App — com.alibaba.iAliexpress
  • Bed Bath & Beyond — com.digby.bedbathbeyond
  • Dazn — com.dazn.theApp
  • Hotels.com — com.hotels.HotelsNearMe
  • Hotel Tonight — com.hoteltonight.prod
  • Overstock — com.overstock.app
  • Pigment – Adult Coloring Book — com.pixite.pigment
  • Recolor Coloring Book to Color — com.sumoing.ReColor
  • Sky Ticket — de.sky.skyonline
  • The Weather Network — com.theweathernetwork.weathereyeiphone

Note: the list is not meant to be exhaustive. The researchers surveyed a selection of popular apps. Given how many were found, it is likely there are many more.


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 3, Funny) by Anonymous Coward on Sunday June 28 2020, @10:44PM (2 children)

    by Anonymous Coward on Sunday June 28 2020, @10:44PM (#1013875)

    I have the secure Android system.

    Starting Score:    0  points
    Moderation   +3  
       Funny=3, Total=3
    Extra 'Funny' Modifier   0  

    Total Score:   3  
  • (Score: 0) by Anonymous Coward on Monday June 29 2020, @01:50AM (1 child)

    by Anonymous Coward on Monday June 29 2020, @01:50AM (#1013935)
    • (Score: 0) by Anonymous Coward on Monday June 29 2020, @04:30AM

      by Anonymous Coward on Monday June 29 2020, @04:30AM (#1013976)

      Your sarcasm detector must be malfunctioning today.