SoylentNews is people

posted by martyb on Sunday June 28 2020, @09:48PM
from the subverting-clippy dept.

Apple's iOS 14 beta added a feature that reveals each time an application copies text from the clipboard. A recent article in Ars Technica brought renewed focus to an issue we previously reported in February. This story includes a list of apps from the researcher's blog post.

TikTok and 53 other iOS apps still snoop your sensitive clipboard data:

In March, researchers uncovered a troubling privacy grab by more than four dozen iOS apps including TikTok, the Chinese-owned social media and video-sharing phenomenon that has taken the Internet by storm. Despite TikTok vowing to curb the practice, it continues to access some of Apple users' most sensitive data, which can include passwords, cryptocurrency wallet addresses, account-reset links, and personal messages. Another 53 apps identified in March haven't stopped either.

The privacy invasion is the result of the apps repeatedly reading any text that happens to reside in clipboards, which computers and other devices use to store data that has been cut or copied from things like password managers and email programs. With no clear reason for doing so, researchers Talal Haj Bakry and Tommy Mysk found, the apps deliberately called an iOS programming interface that retrieves text from users' clipboards.

[...] In many cases, the covert reading isn't limited to data stored on the local device. In the event the iPhone or iPad uses the same Apple ID as other Apple devices and are within roughly 10 feet of each other, all of them share a universal clipboard, meaning contents can be copied from the app of one device and pasted into an app running on a separate device.

That leaves open the possibility that an app on an iPhone will read sensitive data on the clipboards of other connected devices. This could include bitcoin addresses, passwords, or email messages that are temporarily stored on the clipboard of a nearby Mac or iPad. Despite running on a separate device, the iOS apps can easily read the sensitive data stored on the other machines.

[...] TikTok's continued snooping has gotten extra scrutiny for other reasons. When called out in March, the video-sharing provider told UK publication The Telegraph it would end the practice in the coming weeks. Mysk said that the app never stopped the monitoring. What's more, a Wednesday Twitter thread revealed that the clipboard reading occurred each time a user entered a punctuation mark or tapped the space bar while composing a comment. That means the clipboard reading can happen every second or so, a much more aggressive pace than documented in the March research, which found monitoring happened when the app was opened or reopened.

A tweet by Jeremy Burge gives an example of how this can be reproduced:

To reproduce:
1. Have something on your clipboard. Eg copy some text from Notes or a website
2. Open TikTok and start typing in any text field
3. You learn from iOS 14 beta each time an app "pastes" - but in this instance I didn't request it, and none of that text appears in UI

— Jeremy Burge (@jeremyburge) June 24, 2020

Here is the list of apps (emphasis retained from original) from a researcher's blog post:

List of Apps

This section summarizes the list of apps that snoop on the pasteboard every time the app is opened. The apps are listed alphabetically in the following format:

  • App Name — BundleID

News

  • ABC News — com.abcnews.ABCNews
  • Al Jazeera English — ajenglishiphone
  • CBC News — ca.cbc.CBCNews
  • CBS News — com.H443NM7F8H.CBSNews
  • CNBC — com.nbcuni.cnbc.cnbcrtipad
  • Fox News — com.foxnews.foxnews
  • News Break — com.particlenews.newsbreak
  • New York Times — com.nytimes.NYTimes
  • NPR — org.npr.nprnews
  • ntv Nachrichten — de.n-tv.n-tvmobil
  • Reuters — com.thomsonreuters.Reuters
  • Russia Today — com.rt.RTNewsEnglish
  • Stern Nachrichten — de.grunerundjahr.sternneu
  • The Economist — com.economist.lamarr
  • The Huffington Post — com.huffingtonpost.HuffingtonPost
  • The Wall Street Journal — com.dowjones.WSJ.ipad
  • Vice News — com.vice.news.VICE-News

Games

  • 8 Ball Pool™ — com.miniclip.8ballpoolmult
  • AMAZE!!! — com.amaze.game
  • Bejeweled — com.ea.ios.bejeweledskies
  • Block Puzzle — Game.BlockPuzzle
  • Classic Bejeweled — com.popcap.ios.Bej3
  • Classic Bejeweled HD — com.popcap.ios.Bej3HD
  • FlipTheGun — com.playgendary.flipgun
  • Fruit Ninja — com.halfbrick.FruitNinjaLite
  • Golfmasters — com.playgendary.sportmasterstwo
  • Letter Soup — com.candywriter.apollo7
  • Love Nikki — com.elex.nikki
  • My Emma — com.crazylabs.myemma
  • Plants vs. Zombies™ Heroes — com.ea.ios.pvzheroes 
  • Pooking – Billiards City — com.pool.club.billiards.city
  • PUBG Mobile — com.tencent.ig
  • Tomb of the Mask — com.happymagenta.fromcore
  • Tomb of the Mask: Color — com.happymagenta.totm2
  • Total Party Kill — com.adventureislands.totalpartykill
  • Watermarbling — com.hydro.dipping

Social Networking

  • TikTok — com.zhiliaoapp.musically
  • ToTalk — totalk.gofeiyu.com
  • Tok — com.SimpleDate.Tok
  • Truecaller — com.truesoftware.TrueCallerOther
  • Viber — com.viber
  • Weibo — com.sina.weibo
  • Zoosk — com.zoosk.Zoosk

Other

  • 10% Happier: Meditation — com.changecollective.tenpercenthappier
  • 5-0 Radio Police Scanner — com.smartestapple.50radiofree
  • Accuweather — com.yourcompany.TestWithCustomTabs
  • AliExpress Shopping App — com.alibaba.iAliexpress
  • Bed Bath & Beyond — com.digby.bedbathbeyond
  • Dazn — com.dazn.theApp
  • Hotels.com — com.hotels.HotelsNearMe
  • Hotel Tonight — com.hoteltonight.prod
  • Overstock — com.overstock.app
  • Pigment – Adult Coloring Book — com.pixite.pigment
  • Recolor Coloring Book to Color — com.sumoing.ReColor
  • Sky Ticket — de.sky.skyonline
  • The Weather Network — com.theweathernetwork.weathereyeiphone

Note: the list is not meant to be exhaustive. The researchers surveyed a selection of popular apps. Given how many were found, it is likely there are many more.



Related Stories

Apple Takes Heat Over 'Vulnerable' iOS Cut-and-Paste Data 13 comments

Apple Takes Heat Over 'Vulnerable' iOS Cut-and-Paste Data:

Any cut-and-paste data temporarily stored to an iPhone or iPad's memory can be accessed by all apps installed on the specific device – even malicious ones. That data can then reveal private information such as a user's GPS coordinates, passwords, banking data or a spreadsheet copied into an email.

Shedding light onto the potential harm of this scenario is German software engineer, Tommy Mysk, who is trying to raise awareness around what he believes is an Apple vulnerability. To illustrate his concerns, Mysk created a rogue proof-of-concept (PoC) app called KlipboardSpy and an iOS widget named KlipSpyWidget.

Both are designed to illustrate how any app installed on an iOS device can act maliciously and access clipboard data and use it to spy or steal sensitive personal information. To highlight and demonstrate his concerns, Mysk told Threatpost he focused on photos taken by a device's camera that contain time and GPS metadata that could be used to pinpoint a user.

"A user may unwittingly expose their precise location to apps by simply copying a photo taken by the built-in Camera app to the general pasteboard," the developer wrote in a technical blog post outlining his research on Monday.

"Through the GPS coordinates contained in the embedded image properties, any app used by the user after copying such a photo to the pasteboard can read the location information stored in the image properties, and accurately infer a user's precise location. This can happen completely transparently and without user consent," he wrote.

Apple, in response to his research, said it didn't consider its implementation of cut-and-paste as a vulnerability, rather a basic function of most operating systems and applications that run on them, Mysk told Threatpsot[sic].

Apple did not return Threatpost's request for comment for this story.



Reddit and LinkedIn Stop Copying iPhone Clipboard Contents 29 comments

Reddit and LinkedIn stop copying iPhone clipboards:

Reddit and LinkedIn are changing their apps to prevent them from looking at the Apple iPhone clipboard.

In a developer trial of the latest update to the phone's operating system, iOS 14, users are notified whenever an app accesses the device's copied text.

The notification exposed frequent scanning of the clipboard by apps that many users thought should not need to do so.

The two firms follow TikTok in changing their apps amid the criticism.

[...] In research published in March, Talal Haj Bakry and Tommy Mysk identified dozens of apps which they said had accessed the clipboard.

At the time Apple said it did not think it was a vulnerability.

There are legitimate reasons why an app needs clipboard access - for example, in order to share a website address with a message platform, or to grab a password from a password manager and paste it into a password-protected service.

Related:
Reddit says it's fixing code in its iOS app that copied clipboard contents
Apple iOS 14 Alerts Reveal Reddit App Is Reading User Clipboard Data
Reddit promises to stop accessing user clipboards after being exposed by iOS 14

Previously:
(2020-06-28) TikTok and 53 Other iOS Apps Still Snoop Your Sensitive Clipboard Data
(2020-02-27) Apple Takes Heat Over 'Vulnerable' iOS Cut-and-Paste Data



President Trump Threatens TikTok Ban, Microsoft Considers Buying TikTok's U.S. Operations[Updated 2] 80 comments

[20200803_012617 UTC Update 2:]

tl;dr version: Trump threatened to ban TikTok. Then Microsoft said it was in talks to buy TikTok. Then Microsoft said the talks were in doubt after Trump's threats. Now, Microsoft is "continuing discussions."

Microsoft to continue discussions on TikTok purchase after talking to Donald Trump:

After reports US President Donald Trump is considering an order to force Beijing-based tech company ByteDance to divest ownership of popular social-video app TikTok, Microsoft has announced it will be "continuing discussion" on a potential purchase of TikTok after a conversation between Microsoft CEO Satya Nadella and the President.

"Microsoft fully appreciates the importance of addressing the President's concerns," said Microsoft, in a statement. "It is committed to acquiring TikTok subject to a complete security review and providing proper economic benefits to the United States, including the United States Treasury."

[20200802_144217 UTC Update 1; added:]

Microsoft pauses talks on TikTok US deal - reports:

A possible sale of Chinese-owned TikTok's US operations to Microsoft is reportedly on hold after Donald Trump vowed to ban the video-sharing app.

A sale was thought close to agreement, but was put in doubt after the US president's warning on Friday.

The Wall Street Journal said Microsoft had now paused talks despite TikTok owner ByteDance making last ditch efforts to win White House support.

It comes amid criticism of Mr Trump's threat as an attack on free speech.

[...] Late on Friday, Mr Trump told reporters aboard Air Force One: "As far as TikTok is concerned we're banning them from the United States."

[Original story follows.--martyb]

TikTok: Trump says he will ban Chinese video app in the US

President Donald Trump has announced he is banning the Chinese-owned video-sharing app TikTok in the US.

He told reporters he could sign an executive order as early as Saturday.

US security officials have expressed concern that the app, owned by Chinese firm ByteDance, could be used to collect the personal data of Americans.

[...] Microsoft has reportedly been in talks to buy the app from ByteDance, but Mr Trump appeared to cast doubt that such a deal would be allowed to go through. If the deal went ahead reports say it would involve ByteDance shedding TikTok's US operations.

TikTok: Trump Will Prohibit Transactions with Bytedance Beginning September 20 127 comments

From The Verge:

President Trump has signed a new executive order which will block all transactions with Bytedance, TikTok's parent corporation, in an effort to "address the national emergency with respect to the information and communication technology supply chain."

The move comes after months of escalating tensions, which saw Secretary of State Mike Pompeo and others at the White House warn that TikTok presented a national security threat because of its Chinese ownership. Microsoft is currently in talks to acquire portions of the app, aimed to be complete by September 15th.

A parallel order banned transactions with WeChat, a popular texting app in China that maintains a small user base in the US.

[...] The executive branch has the power to levy sanctions against individuals and corporations by placing them on the "entity list," as the US did against Huawei and ZTE last year. But such sanctions are typically put in place by the Commerce Department rather than the White House, and subject to a specific rule-making procedure that seems to have been short-circuited by the surprise executive order.

See also: Tencent stock plummets after Trump announces plan to ban WeChat in the US

Previously:
(2020-08-01) President Trump Threatens TikTok Ban, Microsoft Considers Buying TikTok's U.S. Operations[Updated 2]
(2020-07-07) Reddit and LinkedIn Stop Copying iPhone Clipboard Contents
(2020-06-30) India Bans TikTok, WeChat, and Other Chinese-Owned Apps
(2020-06-28) TikTok and 53 Other iOS Apps Still Snoop Your Sensitive Clipboard Data
(2019-12-27) Investigation Claims United Arab Emirates Uses The ToTok App To Spy
(2019-10-26) Lawmakers Ask US Intelligence to Assess If TikTok is a Security Threat



TikTok Plans to Sue the Trump Administration Over Ban 51 comments

TikTok plans to sue Trump administration over US ban

TikTok plans to sue the Trump administration over its executive order banning transactions between U.S. companies and the popular video-sharing app as well as its Chinese parent company, ByteDance.

"Even though we strongly disagree with the Administration's concerns, for nearly a year we have sought to engage in good faith to provide a constructive solution," a TikTok spokesperson told The Hill. "What we encountered instead was a lack of due process as the Administration paid no attention to facts and tried to insert itself into negotiations between private businesses," the spokesperson continued. "To ensure that the rule of law is not discarded and that our company and users are treated fairly, we have no choice but to challenge the Executive Order through the judicial system," the spokesperson added.

Also at NYT and Business Insider.

Previously: Bytedance: The World's Most Valuable Startup
Lawmakers Ask US Intelligence to Assess If TikTok is a Security Threat
TikTok and 53 Other iOS Apps Still Snoop Your Sensitive Clipboard Data
India Bans TikTok, WeChat, and Other Chinese-Owned Apps
President Trump Threatens TikTok Ban, Microsoft Considers Buying TikTok's U.S. Operations[Updated 2]
TikTok: Trump Will Prohibit Transactions with Bytedance Beginning September 20



US Will Ban WeChat and TikTok Downloads on Sunday 52 comments

US will ban WeChat and TikTok downloads on Sunday

The Commerce Department plans to restrict access to TikTok and WeChat on Sunday as the Trump administration's executive orders against the two apps are set to take effect.

The Department said Friday that as of Sunday, any moves to distribute or maintain WeChat or TikTok on an app store will be prohibited. Apple and Google didn't immediately respond to requests for comment.

While users who have already downloaded the apps may be able to continue using the software, the restrictions mean updated versions of the apps cannot be downloaded.

The restrictions targeting WeChat are more extensive. Beginning Sunday, it will be illegal to host or transfer internet traffic associated with WeChat, the Department said in a release. The same will be true for TikTok as of Nov. 12, it said. (The Trump administration is currently weighing a proposal involving ByteDance, TikTok's Chinese parent, and Oracle, designed to resolve the administration's national security concerns related to TikTok; the deadline for a deal is Nov. 12.)

  • (Score: 3, Funny) by Anonymous Coward on Sunday June 28 2020, @10:44PM (2 children)

    by Anonymous Coward on Sunday June 28 2020, @10:44PM (#1013875)

    I have the secure Android system.

    • (Score: 0) by Anonymous Coward on Monday June 29 2020, @01:50AM (1 child)

      by Anonymous Coward on Monday June 29 2020, @01:50AM (#1013935)
      • (Score: 0) by Anonymous Coward on Monday June 29 2020, @04:30AM

        by Anonymous Coward on Monday June 29 2020, @04:30AM (#1013976)

        Your sarcasm detector must be malfunctioning today.

  • (Score: 3, Funny) by fustakrakich on Sunday June 28 2020, @10:49PM

    by fustakrakich (6150) on Sunday June 28 2020, @10:49PM (#1013876) Journal

    -

    Filter error: Comment too short.

    --
    La politica e i criminali sono la stessa cosa..
  • (Score: 5, Insightful) by Arik on Sunday June 28 2020, @11:05PM (4 children)

    by Arik (4543) on Sunday June 28 2020, @11:05PM (#1013880) Journal
    The app should never have access to the clipboard. The clipboard should be serviced solely by the system, which should hand data to the app only when the user explicitly invokes the system to do so.
    --
    If laughter is the best medicine, who are the best doctors?
    • (Score: 0) by Anonymous Coward on Monday June 29 2020, @04:30AM

      by Anonymous Coward on Monday June 29 2020, @04:30AM (#1013977)

      It is against our business model therefore you are literally Hitler.

    • (Score: 2) by ilsa on Monday June 29 2020, @03:17PM (2 children)

      by ilsa (6082) Subscriber Badge on Monday June 29 2020, @03:17PM (#1014109)

      Literally every multitasking operating system on the planet operates like this. Windows, MacOS, Linux, Android, iOS... If it has a GUI with clipboard functionality, then all applications have access to said clipboard.

      That was the whole *point* of having a clipboard. And that clipboard has worked well for literally decades. Please correct me if I am wrong, but it's only been in recent times where companies decided that it was not only possible, but acceptable to weaponize it.

      That being said, you're not wrong, and it looks like Apple is taking the first steps to do exactly this. I hope Google and everyone else follows suit ASAP.

      • (Score: 2) by Arik on Tuesday June 30 2020, @12:27AM (1 child)

        by Arik (4543) on Tuesday June 30 2020, @12:27AM (#1014316) Journal
        "Literally every multitasking operating system on the planet operates like this. Windows, MacOS, Linux, Android, iOS... "

        Linux does not possess this brain damage, actually, but then again it's not an OS either.

        Regardless, "we've always done it this way" and "this is retarded" are not mutually exclusive notions.

        "That was the whole *point* of having a clipboard."

        I disagreed completely.

        The point to the clipboard is not to give applications access to system memory. It's to give the user control, via system commands, to be able to manipulate data from various sources to various destinations.

        And ideally that's how it should be implemented. Bottom level hooks that allow the /user/ to copy data to or from any application, without allowing the application to distinguish the result from manual entry; and certainly without any ability for the app to initiate such a transfer.

        --
        If laughter is the best medicine, who are the best doctors?
        • (Score: 0) by Anonymous Coward on Tuesday June 30 2020, @04:16AM

          by Anonymous Coward on Tuesday June 30 2020, @04:16AM (#1014380)

          Got some citations, because in my experience, the clipboard in Linux is exactly like this, and even worse in X.

  • (Score: -1, Troll) by Anonymous Coward on Sunday June 28 2020, @11:06PM (2 children)

    by Anonymous Coward on Sunday June 28 2020, @11:06PM (#1013881)

    No just how fucking stupid are Apple users?

    • (Score: 3, Interesting) by anubi on Monday June 29 2020, @04:25AM

      by anubi (2828) on Monday June 29 2020, @04:25AM (#1013975) Journal

      Since the paradigms have shifted to where the end user is no longer privy to the schematics and source code of our stuff, we are ALL ignorant.

      Business and government are slowly but surely training us to sign blank checks and agree to lengthy documents. Often without reading them.

      Yet if we start doing this stuff to a business, no one will take it seriously. You know, stuff like printing my own agreement on the back of payment checks which consider deposit of the check as agreement to my terms.

      --
      "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
    • (Score: 2) by ilsa on Monday June 29 2020, @03:18PM

      by ilsa (6082) Subscriber Badge on Monday June 29 2020, @03:18PM (#1014111)

      Says the guy who can't figure out how to use the 'login' button.

      Enjoy your vodka, Russian Troll.

  • (Score: 2) by ilsa on Monday June 29 2020, @03:07PM (1 child)

    by ilsa (6082) Subscriber Badge on Monday June 29 2020, @03:07PM (#1014104)

    Okay I was fully expecting the list to be full of sketchy no-name apps, but the list has big names from major corporations that really should know better. Well, I suppose I'm not TOTALLY surprised that EA apps are pulling this stunt... It is EA after all... But all those major news apps? The Weather Network?

    This is incredibly disconcerting and all these companies deserve to be castigated over this. Not cool at all...

    • (Score: 2) by EvilSS on Monday June 29 2020, @07:13PM

      by EvilSS (1456) Subscriber Badge on Monday June 29 2020, @07:13PM (#1014220)
      I would actually say EA probably has a more legit use case than the news apps. At least in their defense, they could be looking for things like game codes and gift card codes on the clipboard. Some apps will check the clipboard and if they know what is on it and it pertains to the app, offer to act on it without making you find the right screen and paste it into the app. Not saying that's what EA is doing but I can at least see it as a possible use.

      Now what the news and weather apps are doing with it.... That's a damn good question.