
TikTok app to stop accessing user clipboards after being caught in the act - shadykiller
https://www.macrumors.com/2020/06/25/tiktok-clipboard-access-ios-14-caught/
======
zkid18
Great to see another layer of transparency in iOS 14.

But I wonder why everyone is talking about one specific app? I see a huge bias
towards TikTok in headlines.

"iOS 14 caught TikTok and other apps spying on the clipboard" [0]

"iOS 14 beta shows apps like TikTok still spy on your iPhone" [1]

There are a bunch of apps like VICE, Google News and WSJ that have been caught
doing exactly the same. [2]

I may have found the explanation for why TikTok did that. In China WeChat
blocks direct links to its competitors. So apps like Taobao or Douyin have to
find a workaround for deeplinks. When you want to share a video from Douyin
with a friend in WeChat, Douyin generates the following message.

在东京刚毕业入职三个月的职场小白 搬家找房 坚持更新#日本vlog #东京
https://v.douyin.com/J8ceMYY/
复制此链接，打开【抖音短视频】，直接观看视频！

(In English: "A workplace newbie who just graduated and started a job in Tokyo
three months ago, moving and flat-hunting, keeping the updates coming #JapanVlog
#Tokyo / https://v.douyin.com/J8ceMYY/ / Copy this link, open [Douyin Short
Video] and watch the video directly!")

In WeChat the link is not clickable. To see the content the user has to copy
the full text and go to Douyin. The app will read the clipboard and perform the
transition to the video. At the link below you can find a video explanation.
[3]

Probably they re-used some code in TikTok. Definitely they need to be more
careful about data safety, but I don't think they really built a pipeline for
spying using the clipboard.

There is a lot of buzz around TikTok these days, but I want to get an answer
from other apps as well.

[0] https://bgr.com/2020/06/26/ios-14-beta-privacy-features-tiktok-spying-clipboard-data/

[1] https://mashable.com/article/iphone-ios-14-privacy-clipboard-apple-apps/

[2] https://www.youtube.com/watch?v=pRSWdtoUAjo

[3] https://twitter.com/kidrulit/status/1277629462721384448

~~~
thewindow
Just because other apps do that is no excuse for bad behaviour. Almost all
apps get flak for bad behaviour. TikTok is the newest popular thing on the
block and it is expected to be widely covered. Honestly it is okay to discuss
the bad behaviours of an app without blaming other apps.

~~~
benologist
Being "caught" reading the clipboard is not an indictment that you are doing
something wrong. It's very good that it is no longer occurring invisibly in
the background, but so far what we have seen appears to be frivolous usage
rather than malicious.

------
rdlecler1
The security implications of allowing communications on a platform that is
subject to the absolute control of a foreign government seem like a very, very
bad idea. That can be a lesson learned the easy way or the hard way.

~~~
systemvoltage
I honestly think we give Chinese apps too much equal footing. In about 5-8
years, when China has an insane surveillance network around the world (they
already have), this comment is going to sound like the most sensible thing to
do: blanket ban any application developed and served by the CCP or a similar
government.

People teeter-totter about righteousness and freedom of choice, but IMO we
need to stop feeding the CCP with more power/$$$/influence ... NOW ... Freedom
of choice is great when there is fairness and democratic values built in, when
the government isn't on some Han-supremacy drug with expansionist motives.

Someone will inevitably respond with whataboutism and smear American companies
into the mix as if they're expressing their understanding of hypocrisy and
one-sidedness. It is _supposed_ to be one-sided. The West offered a two-way
street which China declined to walk on. So, now all bets are off. Equivalency
with Western apps/services/goods is no longer a valid counter-argument.

On fair, just, and rational grounds - I am a progressive. In unfair, unjust
and irrational waters - I am a conservative.

~~~
jquery
The CCP has already shown they’re willing to abuse TikTok to stir unrest in
the USA, you aren’t even making a theoretical argument. I’m a lot more worried
about China than Russia, when it comes to bad behavior by state actors.

~~~
godelski
This is why I'm always confused by privacy arguments. When someone says that
they want privacy the responses go like:

reference Goebbels: "I have nothing to hide, so I'm not worried"

Downplay: "They only read my emails and everything I write to sell me stuff
better. Sometimes I need stuff. They're helping me!" As if it can only be used
to sell and nothing else.

World revolves around self: "Well ads don't affect me." Like it doesn't matter
that everyone else is affected even if you aren't.

Completely ignoring the fact that if someone can manipulate you to buy stuff
they might be able to use it to manipulate you to do other things. I mean we
have political ads. And Coke ads aren't there to sell you Coke (they are there
to make you feel better about your purchase). Frankly, to me it doesn't even
matter if no one has done that yet (I'm aware of the clear evidence that
people have) but that we're giving people the ability to do this en masse and
in very precise ways. That just leads to a potential turn in democracy. "Just
educating people" doesn't solve the problem either. Ads are still effective on
smart people. So the question is "are the benefits ~~profits~~ worth the
cost?" It is reasonable to think "yes", but I'm a resounding "no."

Yes, we use political ads to "manipulate democracy" and the like, but a mass
statewide commercial is a very different thing than an individualized ad
targeted to a specific person. At least to me these are very different (and we
still have regulations on what you can say in political ads). Where do we draw
the line? We talk about data a lot here and what we can model with it. What
will ads look like in 20-50 years if we don't draw a line in privacy and
technology continues to become more powerful? I think individualized ads will
look very different. We do need to determine what level of individualization
we can target with an ad, and I don't see much of that happening.

~~~
jquery
Excellent comment, you changed my thinking on the issue. I feel like liberal,
educated democracies are focused on the wrong problems. It’s only going to get
harder to change course the longer we keep sailing in this direction of a
laissez faire, anything-goes approach to software.

Apple’s infamous walled garden solves this problem to some extent, but
introduces others because it lacks due process, leading to corruption where
money can solve any problem, and so apps like Tiktok get to abuse their trust
with impunity.

~~~
godelski
As I see it, democracy is unstable. I like living in a democratic system (yes,
a democratically elected republic is still a democratic system). But we have
to recognize that it is unstable and democracies work under the pretense that
the keys to power are distributed and frequently moving hands (by elective
processes). So the danger to democracy is the collection of keys, or the
consolidation of power. Power consolidation DOES have benefits after all. I
mean a benevolent dictator is probably the best form of government; the issue
is what happens if the next dictator isn't benevolent (or how long until that
happens). The same is true of democracy. We keep power distributed so that
when a malevolent (or even just non-benevolent) ruler comes into power they
aren't able to do much. Essentially as long as we don't let corruption fill
the majority of roles with power, we're fine. They have to spend a lot of time
and resources consolidating that power.

Essentially this is what "turnkey tyranny" is: the point at which power is
consolidated to such a degree that a malevolent ruler would have the power of
a tyrant.

So it has never been about having something to hide or that people aren't
using a power malevolently. It is the potential for abuse and that given
enough time a power is likely to be abused. Distribution makes it more
difficult (but does not eliminate) to abuse power.

With HN's love for federated systems, which essentially operate under similar
principles, I'm surprised this is not a more popular concept. The only
difference is that we're talking about government officials instead of Moxie.

~~~
jquery
All governments are unstable. The best we can hope for is they do the most
good for the longest amount of time. The better a government does, the more
its population tends to assume that it’s impossible for their government to
fail, and they don’t guard against it, instead choosing convenience (and
properly federated government is the opposite of convenient).

------
numair
Most of the anti-TikTok comments that have emerged recently are beyond
hysterical. We are arguing about China using this app as a primary nexus of
intelligence gathering, in a world where they already have the US government’s
entire OPM database?[1]

A lot of apps are doing the stupid clipboard detection thing. As others have
commented, there are reasons for this that range from spam detection to link
shortening. It's lousy, I agree, but this has been a very common thing in a
pre-iOS 14 world.

1: https://en.m.wikipedia.org/wiki/Office_of_Personnel_Management_data_breach

~~~
abledon
What's an OPM database? This??
https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3245162/

~~~
numair
Thought the OPM hack was common knowledge, guess not. I added a link!

------
annoyingnoob
Too little, too late. Already forced the family to uninstall it and it's gone
forever. Wish the kids could understand that it's spyware with access to a lot
of toxic social media.

~~~
nsxwolf
My Daughter: "Dad let me install TikTok!"

Me: "No. It is Chinese spyware."

My Daughter: "<so and so from school> has TikTok!"

Me: "<so and so> is a Chinese asset!"

My Daughter: "No she's not!"

Every day.

~~~
vulcan01
In my experience it is a lot easier to tell your friends that you don't have
any social media, rather than saying that you don't have a specific social
media app/account/thing. Why? It's harder to understand why someone wouldn't
install TikTok when they already have Snapchat/Instagram/everything else.

(I'm a high school student, abstaining from social media other than HN.)

Edit: Have you tried explaining to your daughter why TikTok is Chinese
spyware?

~~~
Gatsky
HN is social media?

~~~
criddell
I think it is, at least as much as Reddit is as well. And before that Digg and
Slashdot.

------
nickthegreek
I'm happy that iOS 14 is adding more transparency on what apps are accessing,
like this clipboard situation. I'd love to see more of these, like camera roll
and mic access.

~~~
natch
iOS 14 has a new workflow that lets the user give an app access to a photo or
selected photos without the app getting access to any of their other photos.
Big privacy improvement on that front at least. I don't know about mic access.

------
Calvin02
This is so ridiculous. Google Maps accesses the clipboard. Try it out: copy an
address and open maps.

So do Facebook and Instagram, I’m sure.

The level of paranoia in the Valley is astounding.

~~~
wycy
Google Maps has a clear use case for accessing the clipboard. If TikTok only
accessed the clipboard on launch to check for a TikTok URL, that might be one
thing, but there's no clear reason TikTok would need access to the clipboard
literally every 3 keystrokes.

~~~
ebg13
> _Google Maps has a clear use case for accessing the clipboard._

I don't think it does. Neither application should "access" the clipboard.

~~~
aetch
Google maps detects copied addresses and lets you route to them in one click.

~~~
ebg13
> _Google maps detects copied addresses and lets you route to them in one
> click._

Routing to copied addresses is not a clear use case for letting something spy
on everything the user copies, because we already have an invocation for
handing clipboard contents to software exactly when the user desires it. It's
called the "paste" command.

At some point engineers need to stop doing things just because they can.

------
wuunderbar
Can someone answer why iOS even allows the ability to read the clipboard
buffer in the first place? Just seems like poor privacy and security design.

~~~
MuffinFlavored
So that if you switch from app A to app B, it can check your clipboard buffer
for whether you have a URL pasted into it and load that URL in the context of
the app.

Example: if you copied twitter://foo/tweet/bar or
https://twitter.com/foo/tweet/bar, it checks your clipboard and loads that
tweet instantly.

At least that's what I read over on Reddit about this on r/apple.

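The "copy the link, open the app" flow zkid18 describes for Douyin and the URL-on-app-switch case MuffinFlavored describes above amount to the same thing: the app scans whatever is on the pasteboard for a link it knows how to open. Below is an added Python example (not code from TikTok, Douyin, Twitter or anyone in this thread) of what that scan should look like at minimum: bounded input, an allowlist of the app's own hosts and URL schemes (hypothetical lists here), and everything else ignored and never retained. The Douyin share message is the one quoted above; the other inputs and the route names are constructed. On iOS 14 itself the better option is to not read the pasteboard until a match is known to exist: UIPasteboard.detectPatterns(for:completionHandler:) with .probableWebURL reports whether a URL is present without handing the app the contents, and the actual read then happens only when a pattern is reported.

```python
import re
from typing import Optional, Tuple
from urllib.parse import urlparse

# Constructed sample clipboard contents (not captured from any real device).
# The first mirrors the Douyin share message quoted in the thread: caption,
# v.douyin.com short link, then "copy this link and open Douyin".
SAMPLE_DOUYIN_SHARE = (
    "在东京刚毕业入职三个月的职场小白 搬家找房 坚持更新#日本vlog #东京\n"
    "https://v.douyin.com/J8ceMYY/\n"
    "复制此链接，打开【抖音短视频】，直接观看视频！"
)
SAMPLE_SECRET = "my banking password is hunter2 https://bank.example/login"

# Hypothetical allowlists: the app should only react to links it can open itself.
ALLOWED_HOSTS = {"v.douyin.com", "twitter.com", "www.twitter.com"}
ALLOWED_SCHEMES = {"twitter"}      # custom URL scheme, e.g. twitter://foo/tweet/bar
MAX_CLIPBOARD_BYTES = 4096         # hypothetical bound; a share link is never longer

# scheme://run-of-non-space, stopping at ASCII and full-width punctuation
URL_RE = re.compile(r"[a-zA-Z][a-zA-Z0-9+.\-]*://[^\s<>\"'，。！【】]+")


def extract_deeplink(clipboard_text: Optional[str]) -> Optional[str]:
    """Return the first allowlisted URL in the text, or None.

    Anything that is not one of the app's own links is ignored and never
    leaves this function, which is the minimum a clipboard scan should do.
    """
    if not clipboard_text:
        return None
    if len(clipboard_text.encode("utf-8")) > MAX_CLIPBOARD_BYTES:
        return None                 # refuse to scan large payloads
    for match in URL_RE.finditer(clipboard_text):
        candidate = match.group(0).rstrip(".,;:!?)")
        parsed = urlparse(candidate)
        scheme = parsed.scheme.lower()
        if scheme in ALLOWED_SCHEMES:
            return candidate
        if scheme == "https" and (parsed.hostname or "").lower() in ALLOWED_HOSTS:
            return candidate
    return None


def route_from_clipboard(clipboard_text: Optional[str]) -> Optional[Tuple[str, str]]:
    """Map an allowlisted link to an in-app destination (hypothetical route names)."""
    link = extract_deeplink(clipboard_text)
    if link is None:
        return None
    parsed = urlparse(link)
    segments = [s for s in parsed.path.split("/") if s]
    if parsed.hostname == "v.douyin.com" and len(segments) == 1:
        return ("douyin_video", segments[0])   # short-link id, resolved server-side
    return ("external_link", link)


if __name__ == "__main__":
    for text in (SAMPLE_DOUYIN_SHARE, "twitter://foo/tweet/bar", SAMPLE_SECRET):
        print(repr(text[:40]), "->", route_from_clipboard(text))
```

The point of the allowlist is that the password in SAMPLE_SECRET is seen by the regex and dropped on the floor; nothing about non-matching text is logged, cached or sent anywhere, which is the property a reviewer should be checking for in any app that reads the pasteboard on launch.
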
~~~
ebg13
Except that letting apps randomly pull from the clipboard, where you might
have copied passwords, bank account numbers, or any other sensitive
information, is such an obviously unsafe idea that the person who suggested it
should have been immediately sent to special privacy consciousness training.

For what? To save one "send to app" or "paste"?

At least reserve that functionality exclusively for the operating system on
the grounds of "TRUST YOU? HAHAHAHAHA".

------
grecy
I recently made the change in Firefox on macOS to stop websites from accessing
the clipboard [1], and now pasting into Facebook is completely broken.

I wonder if they've been checking out my clipboard contents.

[1] https://www.ghacks.net/2014/01/08/block-websites-reading-modifying-clipboard-contents-firefox/

~~~
gruez
>I recently made the change in Firefox on macOS to stop websites from
accessing the clipboard

I don't think you needed to do that. I searched around and wasn't able to find
any proof of concept that was able to steal clipboard data from Firefox. See:
https://news.ycombinator.com/item?id=23635488

------
dagav
When I installed TikTok, my phone's battery life shortened by 2-3x. That's
suspicious enough for me to stay far away from it

------
jb775
Apple manually reviews the code of every app update. Why aren't they blocking
this functionality from getting released in the first place?

I feel like every time I submit an app update I get questioned about why my
app needs access to $xyz feature.

~~~
ebg13
> _manually_

Do you really think so?

------
chrisshroba
An interesting Reddit comment by someone who uncovered many more shady data
collection practices by TikTok:
https://www.reddit.com/r/videos/comments/fxgi06/not_new_news_but_tbh_if_you_have_tiktiok_just_get/fmuko1m/

------
jp42
Just wanted to inform the audience here that TikTok is blocked in China. [1]

[1] https://en.wikipedia.org/wiki/List_of_websites_blocked_in_mainland_China

~~~
apta
Interesting, is this more proof that the Chinese gov't is using it as a spying
app?

~~~
chillacy
It's probably more because TikTok and Douyin have different content policies;
having to police TikTok content as strictly as domestic content would stifle
TikTok's growth outside the GFW.

------
feross
Duplicate of: https://news.ycombinator.com/item?id=23653562

------
brightball
Stuff like this is why I prefer a reactive web interface over a mobile app.

It seems like unless you need direct access to the camera or it’s a game a web
version should be fine.

------
hnick
I'm starting to think these devices need to provide examples when throwing up
the permissions prompt. Worst case examples of what this permission can enable
so that app developers might at least try to limit their requests.

------
racl101
Good on Apple. This and backwards compatibility, make a compelling case for
iOS.

------
toohotatopic
Why do phones need the clipboard at all? There is a 'share with'
infrastructure. Why not explicitly send copied data to the desired app
directly instead of storing it in a central place?

~~~
gruez
That works for sharing an article or a post, but how do you quote a portion of
a post?

~~~
parliament32
On Android, you can happily select some text then hit Share (same menu as Copy
and Cut).

~~~
gruez
That pattern is mainly used to open an app to a specific activity, e.g. opening
Google search to a particular search phrase, or opening the dialer to a
particular phone number. I can't see it working for when you're writing an
email and want to include a link/quote/image.

~~~
parliament32
But that's exactly what I just did. Highlighted some text in a news article
and Share'd to my email client, it dropped the text in, quoted, to the body of
an email with the link to the article under it.

------
thewindow
TikTok has no business snooping into my clipboard. It is bad behaviour
irrespective of whether it was nefarious or not. No need to justify this by
bringing up the behaviour of other apps.

------
qserasera
Too little too late. They should be barred from US markets however there may
be worse actors out there that borderline criminals could call ‘industry
standard’.

------
techntoke
TikTok also is violating COPPA. Any underage child that signs up with a Google
Account, you can clearly see from the Google account settings that they are
collecting email addresses and other personal information. I believe Google
and other app store providers should just remove them.

------
bradley195
Is it possible for apps to read photos (not just metadata)?

------
knodi
Ya, little fucking late to back track that now.

------
xchip
It looks like apps can spy as much as they want and that it has little
implications for the perpetrators... "ooops sorry! now let's carry on"

------
chvid
Hotels.com and a host of others did the same thing, indicating that this is
not particularly nefarious.

However we keep talking about TikTok.

Why is that?

~~~
swalsh
Because TikTok takes data collection to a whole new level. It uses this, and
every other trick in the book. And that matters because it's not clear that
this data will be constrained to the activity of sending me extremely
targeted advertising. Now we can have a reasonable debate about that, but this
has a new level of concern.

As a Chinese app, how do I know the Chinese government will not use me as an
unknowing participant in a future cyberwar? One thing TikTok does is collect
a pretty exhaustive list of the apps installed on my phone. That could be used
for identifying vulnerabilities they could potentially exploit.

------
jacknews
but what's next?

------
gcbw3
Maybe I do not know how the clipboard works, but the message "<active app>
pasted from <inactive app>" is the worst possible label.

Also funny how every app shows it. Guess iOS 14 will be known by non-technical
users as "the cookie-law iPhone version" and everything will continue as
usual.

------
prodpo
Tiktok has a lot of money. They can control speculator, then control America,
then everyone.

------
jeffbee
This is just an overblown yellow-peril panic, right? How does any app paste?
By "accessing the user clipboards". How does the Chrome omnibox do "text you
copied"? By "accessing the user clipboards".

~~~
freeone3000
Normal apps wait until the user attempts to perform a paste action to access
the clipboard, instead of accessing the clipboard every two seconds.

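As an added example (not from the thread, the article, or any vendor), here is how a tester holding a log of pasteboard reads could separate the two behaviours wycy and freeone3000 describe: a read that immediately follows a user paste gesture versus reads on a timer. The session log and the app names ("Maps", "PollingApp", "Mail") are constructed, and the paste-gesture timestamps are assumed to come from separate UI instrumentation; the iOS 14 banner only tells you which app read and which app wrote, so that second signal is needed to judge intent rather than just occurrence.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import median
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class ClipboardRead:
    t: float       # seconds since the session started
    app: str       # app that read the pasteboard
    source: str    # app that last wrote it (what the iOS 14 banner names)


@dataclass(frozen=True)
class PasteGesture:
    t: float       # seconds since the session started
    app: str       # app in which the user tapped Paste


# Constructed session; app names are hypothetical, not any real app's behaviour.
READS: List[ClipboardRead] = (
    [ClipboardRead(5.2, "Maps", "Notes")]                                        # right after a paste
    + [ClipboardRead(10.0 + 2.0 * i, "PollingApp", "Notes") for i in range(11)]  # every 2 s, no paste
    + [ClipboardRead(40.3, "Mail", "Notes"), ClipboardRead(55.0, "Mail", "Notes")]
)
GESTURES: List[PasteGesture] = [
    PasteGesture(5.0, "Maps"),
    PasteGesture(40.0, "Mail"),
]


def unprompted_reads(reads: Iterable[ClipboardRead], gestures: Iterable[PasteGesture],
                     window: float = 1.0) -> List[ClipboardRead]:
    """Reads not preceded within `window` seconds by a paste gesture in the same app."""
    gesture_times = defaultdict(list)
    for g in gestures:
        gesture_times[g.app].append(g.t)
    return [
        r for r in reads
        if not any(0.0 <= r.t - gt <= window for gt in gesture_times[r.app])
    ]


def polling_apps(reads: Iterable[ClipboardRead], min_reads: int = 5,
                 max_interval: float = 5.0) -> Set[str]:
    """Apps with at least `min_reads` reads whose median gap is `max_interval` s or less."""
    times = defaultdict(list)
    for r in reads:
        times[r.app].append(r.t)
    flagged = set()
    for app, ts in times.items():
        ts.sort()
        if len(ts) < min_reads:
            continue                      # too few reads to call it a loop
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if median(gaps) <= max_interval:
            flagged.add(app)
    return flagged


def report(reads: List[ClipboardRead], gestures: List[PasteGesture]) -> Dict[str, dict]:
    """Per-app summary: total reads, reads with no paste gesture behind them, polling flag."""
    summary: Dict[str, dict] = {}
    for r in reads:
        summary.setdefault(r.app, {"reads": 0, "unprompted": 0, "polling": False})
        summary[r.app]["reads"] += 1
    for r in unprompted_reads(reads, gestures):
        summary[r.app]["unprompted"] += 1
    for app in polling_apps(reads):
        summary[app]["polling"] = True
    return summary


if __name__ == "__main__":
    for app, row in sorted(report(READS, GESTURES).items()):
        print(f"{app:12s} reads={row['reads']:2d} "
              f"unprompted={row['unprompted']:2d} polling={row['polling']}")
```

Two separate signals are kept on purpose: an app can read once without a paste (Mail's second read here, the launch-time URL check several commenters mention) and that is a judgement call, whereas a steady read cadence with no user action behind it is the pattern the thread is objecting to and is what the polling flag isolates.
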
~~~
jeffbee
Malice or just stupidity? I can imagine a dozen different reasons a program
might access the clipboard in a loop, all of which reduce to "we are bad
programmers".

~~~
thewindow
Not all of them reduce to bad programmers. It could be either of malice or
stupidity. In this age when data is valuable, it is better to be safe and
assume malice.

