
Apple Suddenly Catches TikTok Secretly Spying on Millions of iPhone Users - dsr12
https://www.forbes.com/sites/zakdoffman/2020/06/26/warning-apple-suddenly-catches-tiktok-secretly-spying-on-millions-of-iphone-users/
======
vulcan01
Previous discussion:
[https://news.ycombinator.com/item?id=23634138](https://news.ycombinator.com/item?id=23634138)

------
personjerry
They also caught like 20 other popular apps doing the same thing including
NYTimes, Google News, and even Google Chrome. Instead of highlighting all of
those, the article chooses to play on the "evil chinese" theme, for more
sensationalist headlines. Appalling, in my opinion.

~~~
bobobob420
"evil chinese theme" LOL. It is much more dangerous for the Chinese government
to have access to more data on users than NYT or other corporations. In the
previous article written by the author, he says "TikTok stands out, though,
given its much wider security concerns."

"Sensationalist Headline". Headline of article: "Beware If You Use TikTok On
Your iPhone: Here’s Why You Should Now Worry—New Security Report".

Much wow, so much sensationalism in this title. Snooping for passwords and
personal data on the clipboard, I guess we should not worry about TikTok. That
is why the DOD banned its use on their bases, they banned all other apps
right?

~~~
bitwize
Singling out TikTok with unfounded Yellow Peril insinuations is an alt-right
scare tactic to appeal to sinophobia. The Chinese aren't really doing anything
Western corporations don't do, and in many ways, technologically and socially,
China is ahead of the USA. You do not see Chinese police, for instance,
arresting or murdering people because of the color of their skin.

Naomi Wu is stunning and brave. Brought to you by Tencent.

~~~
jasonhansel
> You do not see Chinese police, for instance, arresting or murdering people
> because of the color of their skin.

You also don't--at present--see the US government deporting over a million
people to concentration camps because of their ethnicity and religious
beliefs.

~~~
Fricken
And yet America has way more people per capita in prison than China. If I
recall there were some protests recently that were related to the skin colour
of those America prefers to lock up.

------
jiggawatts
There's a good Reddit post starting with: "So I can personally weigh in on
this. I reverse-engineered the app, and feel confident in stating that I have
a very strong understanding for how the app operates" Ref:
[https://www.reddit.com/r/videos/comments/fxgi06/not_new_news...](https://www.reddit.com/r/videos/comments/fxgi06/not_new_news_but_tbh_if_you_have_tiktiok_just_get/fmuko1m/)

There's also some analysis whitepapers posted here:
[https://penetrum.com/research](https://penetrum.com/research)

To play devil's advocate, a lot of this might be overblown. Chat apps like
this have to battle fake accounts, spammers, and API scraping of all sorts.
This is typically implemented via fingerprinting the mobile devices in a way
that is difficult to fake or emulate. You'd _want_ to do this by collecting as
much data as possible, and also obfuscating the method with which it is done.

However, obviously, this can be done moderately securely, by hashing the
inputs with something like SHA512 prior to forwarding them on to the central
servers.

So a lot of the outrage may be valid, but misdirected. You don't have to be
_spying_ on purpose, it's enough to add anti-spoofing features into your app
and be _sloppy_ about it. You'd still want to keep your methods _secret_, and
you certainly wouldn't want to own up to sloppy work.

Combine the incompetence, secrecy, and the face-saving culture of Asians, and
you end up with something that at first glance looks like spying, because it
kinda-sorta is.

------
deepGem
"The most acute issue with this vulnerability is Apple’s universal clipboard
functionality, which means that anything I copy on my Mac or iPad can be read
by my iPhone, and vice versa. So, if TikTok is active on your phone while you
work, the app can basically read anything and everything you copy on another
device: Passwords, work documents, sensitive emails, financial information.
Anything."

Ok, with such a vulnerability, I wonder how Apple has let all these apps snoop
on clipboard data for so long. They go after Hey like right away, and they
have let such a gaping security hole slide through for such a long time.

~~~
mindfulhack
Apple are definitely doing some good things. In Catalina they revealed to me
that Backup and sync from Google.app was spying on my Downloads folder on my
Mac - something it has no business doing, and which I never intended to be
happening on my computer. macOS now prompts for permission when an app tries
to read a major directory area without you first directly asking it to.

But Apple are a corporation. They only do enough privacy things to support
their particular business model. That explains their baffling inconsistencies.

Ultimately, Apple can't be trusted if you truly value your privacy. I'm
planning a move to Linux, which is easier than ever to use these days. Linux
Mint, Elementary OS, Ubuntu...it's lookin' good.

------
reactspa
What I find odd:

- why was iOS allowing it in the first place?

- why does an app have access to the clipboard unless copy/paste is
deliberately invoked from within the app by the user? (my clipboard often
contains highly sensitive info)

~~~
kstrauser
There are legitimate user-centric reasons for doing this:

- I have an app, Parcel, that upon launch sees if I have something resembling
a tracking number in my clipboard. If I do, it asks if I want to track that
package.

- A popular Reddit client, Apollo, looks for Reddit URLs in the clipboard. If
it finds one, it asks if you want to open that conversation in the app.

Sure, both of those apps work fine without that feature. Those are definitely
nice conveniences, though, and they’re designed to make my life as the user
just a little easier. So, there _are_ genuinely useful reasons for an app to
do this. There’s zero legit reason for TikTok to check every 30 seconds that
don’t involve spyware.

I want a dialog box: “Allow this app to access your clipboard?”, just like you
get for access to location services, photos, the camera and mic, etc. Then I
can let well-behaved apps do that for my benefit, and can tell creeper apps
like TikTok to mind their own damn business.
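
An added example (not code from Parcel, Apollo, TikTok or the article) of how an app can offer the "open the copied link?" convenience described above while only reading the clipboard after the user agrees. It assumes iOS 14 or later, where UIPasteboard.detectPatterns(for:) reports whether a pattern is present without handing the app the contents, and the ClipboardOfferHelper name is hypothetical.

```swift
import UIKit

// Hypothetical helper (added example, not from any app named on the page).
// Requires iOS 14+: detectPatterns(for:) answers "does the clipboard hold
// something URL-shaped?" without giving the app the text, so no content
// leaves the pasteboard until the user explicitly says yes.
final class ClipboardOfferHelper {

    static func offerToOpenCopiedLink(from viewController: UIViewController) {
        let pasteboard = UIPasteboard.general

        // Cheap metadata checks first: these never read the clipboard contents.
        guard pasteboard.hasURLs || pasteboard.hasStrings else { return }

        // Pattern detection: the app learns only that a probable web URL is
        // present, not what it is. No user-visible paste banner is shown.
        pasteboard.detectPatterns(for: [.probableWebURL]) { result in
            guard case .success(let found) = result,
                  found.contains(.probableWebURL) else { return }

            DispatchQueue.main.async {
                // Ask before reading, in the same spirit as the location,
                // photo and camera prompts the comment above asks for.
                let alert = UIAlertController(
                    title: "Open copied link?",
                    message: "A web address is on your clipboard.",
                    preferredStyle: .alert)
                alert.addAction(UIAlertAction(title: "Not now", style: .cancel))
                alert.addAction(UIAlertAction(title: "Open", style: .default) { _ in
                    // Only now is the content read. On iOS 14+ this read is what
                    // triggers the "pasted from ..." banner, which gives the user
                    // an audit trail of when the app actually touched the clipboard.
                    let url = pasteboard.url
                        ?? pasteboard.string.flatMap { URL(string: $0) }
                    if let url = url {
                        UIApplication.shared.open(url)
                    }
                })
                viewController.present(alert, animated: true)
            }
        }
    }
}
```

Calling this once on foreground (not on a timer) keeps the feature useful while making every actual clipboard read user-initiated and visible.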

~~~
inetknght
> _There are legitimate user-centric reasons for doing this_

This trope is dragged out often. The answer is no. No, these are not
legitimate use cases.

Just like Cambridge Analytica wasn't a legitimate use case, neither is polling
a clipboard for changes.

An application should be _told_ of changes. If there were a permission dialog
to allow the user to opt-in the application to being told instead of requiring
the user to explicitly paste, then maybe. Only maybe. But allowing any (third
party) application to see the communication between two (first party)
applications is completely unacceptable.

~~~
scubbo
Can you elaborate on why not? More specifically, what is illegitimate about
those use cases? Do you deny that users would want these features?

I will readily concede that the infrastructure and tools that enable those
use-cases _also_ potentially enable exploits - but what is that you know about
users that I don't which leads you to believe that these _use-cases_ are not
legitimate?

------
justicezyx
According to what I learned from friends who work at tiktok, the parent
company are planning to formally sever the business tie with tiktok. Although
the technology team is assumed to still share the same infrastructure
(networking storage compute etc.). I never was a web or mobile app developer
and my friends are not either, and I never used tiktok so have no idea how the
client-side technology is going to be structured.

PS: Tiktok and the purely algorithm driven content consumption is absolutely
going to be a super mind washing machine that I am never going to touch, and
will teach my kids to stay away as well.

~~~
ikeyany
Don't algorithms dictate what content shows up on HN?

~~~
justicezyx
Really?

I always assumed HN just operates on user voting. And the first batch showing
on the front page is hand-picked, which I think is necessary...

------
azinman2
It’d be nice if someone disassembled tiktok to figure out what happens with
this information. We can all speculate, tiktok can release a statement, but
only the binary can give the truth for this proprietary app.

------
TheSpiceIsLife
The last paragraph:

> _All iPhone users should update to the latest version of TikTok as soon as
> it’s released—and given it is actively reading your clipboard, you might
> want to bear that in mind while using the app ahead of that update._

Is immediately followed by this bit about the author of the article:

_Zak Doffman

I am the Founder/CEO of Digital Barriers—developing advanced surveillance
solutions for defence, national security and counter-terrorism. I write about
the intersection of geopolitics and cybersecurity, and analyze breaking
security and surveillance stories. Contact me at zakd@me.com._

Zak develops spyware.

~~~
chvid
This is some guy ... Here is his twitter feed:

[https://twitter.com/UKZak](https://twitter.com/UKZak)

Pinned tweet: China Has Weaponized The Smartphone: Here’s Why You Should Be
Concerned

And this is his company:

[https://www.digitalbarriers.com](https://www.digitalbarriers.com)

With some scary looking UK police officers carrying machine guns on the front
page ...

Why does this guy get to write hyperbolic articles for the FT?

------
justinclift
> The most acute issue with this vulnerability is Apple’s universal clipboard
> functionality, which means that anything I copy on my Mac or iPad can be
> read by my iPhone, and vice versa.

Didn't know that was a thing. What an extraordinary security hole that is, and
excellent MiTM password catching opportunity for Apple.

Does anyone know if it can be disabled programmatically? Otherwise LastPass
(etc) are effectively getting backed up directly by Apple. :(

~~~
ThePowerOfFuet
Why are you even putting passwords in the clipboard? On iOS and macOS
passwords can (and should!) be filled by password manager extensions, which
don't use the clipboard.

~~~
theklr
Unfortunately there’s still “trash” apps that don’t utilize the feature. I
wish Apple pushed on this as much as they did with their Sign in with Apple
policy.

