[dupe] Apple Suddenly Catches TikTok Secretly Spying on Millions of iPhone Users (forbes.com/sites/zakdoffman)
94 points by dsr12 on June 28, 2020 | hide | past | favorite | 52 comments
They also caught like 20 other popular apps doing the same thing including NYTimes, Google News, and even Google Chrome. Instead of highlighting all of those, the article chooses to play on the "evil chinese" theme, for more sensationalist headlines. Appalling, in my opinion.


"evil chinese theme" LOL. It is much more dangerous for the Chinese government to have access to more data on users than NYT or other corporations. In the previous article written by the author, he says "TikTok stands out, though, given its much wider security concerns."

"Sensationalist Headline". Headline of article: "Beware If You Use TikTok On Your iPhone: Here’s Why You Should Now Worry—New Security Report".

Much wow, so much sensationalism in this title. Snooping for passwords and personal data on the clipboard, I guess we should not worry about TikTok. That is why the DOD banned its use on their bases, they banned all other apps right?


> It is much more dangerous for the Chinese government to have access to more data

why? if you're not profiting from an industry that competes with a chinese one, or leading the DoD, why would you give a shit that it's chinese instead of your own local, patriotic cops and profiteers spying on you? social media has been full of videos of cops beating protesters up for weeks now. can we please drop the childish illusion that there's one "team america" and we're all on it now?


Sure, there is no one team America internally in America, but externally there is an ever evolving war of multiple countries seeking more gain, through military, digital, and economic means. If you do not believe this, then you are naive. There are actual war battles being fought 24/7 sponsored by governments, land grabs, state sponsored cyber attacks from plenty of countries. So in the case of the Chinese government, where the current leadership has proven countless times they want to enact Mao's plans, it is in America's best interest to be wary of companies that are Chinese. How many times have our governments and corporations been hacked by Chinese backed agents to steal blueprints, plans, and valuable information. There is nothing childish about what is going on GLOBALLY. Not everything revolves around internal America politics.


I have no interest in stealing from or fighting chinese people, except to the extent that profiteers in china have a material interest in stealing from me - which is equally true for local american profiteers. I have no desire to drum up Cold War 2.0 hysteria, or be suckered into it by those who do have a material interest in nationalistic competition.

> How many times have our governments and corporations been hacking by Chinese backed agents to steal blueprints, plans, and valuable information

I simply don't give a shit about American companies having their right to collect more ill-gotten, IP based profits in China undercut by people in China doing exactly the same thing. And if you do care about it, you're either an IP profiteer or a sucker. And either way this is incredibly xenophobic. sorry.


"and either way this is incredibly xenophobic. sorry."

ummm derp? what is the point of saying an accusation like that and writing sorry at the end? it is almost like you do not even believe the accusation you are making. My comments are only in regard to the authoritarian, absolutely crazy Chinese government, I have made no remarks about people who identify with the Chinese race. What a loser you must be to accuse me of that based on my comments against a fascist, authoritarian, fucked up government. Oh....sorry.


Sorry I got under your skin! You should take a look at the state of civil liberties at home btw. Fixating on China's sins and ignoring the US' is kinda weird.


And you should spend some time learning that the world does not revolve around the USA. Go make those comments to a Tibetan. You are woefully ignorant of the current geo-political scene with China.


> LOL. It is much more dangerous for the Chinese government to have access to more data on users than NYT or other corporations.

20 years ago this would have been a no-brainer statement.

5 years ago you'd say "Well, yes, through PRISM and many other NSA problems, if a private US corporation has your data, so does the US government. But don't worry, the Government doesn't care about individual citizens, and wouldn't use that maliciously."

In 2020, do you really think that the Trump administration would have any qualms about using any NSA data against their "enemies" (which includes Journalists not bending to the spin of the administration?)

Honestly, the only reason I think it hasn't been done yet is Trump is too stupid to realize all the tools available to his disposal.

If you're a Chinese citizen, you should be more afraid of the Chinese Government, yes.

If you're a US citizen, you should be much much more afraid of the US government.

And as a citizen of neither, I'm afraid of both equally.


Singling out TikTok with unfounded Yellow Peril insinuations is an alt-right scare tactic to appeal to sinophobia. The Chinese aren't really doing anything Western corporations don't do, and in many ways, technologically and socially, China is ahead of the USA. You do not see Chinese police, for instance, arresting or murdering people because of the color of their skin.

Naomi Wu is stunning and brave. Brought to you by Tencent.


> You do not see Chinese police, for instance, arresting or murdering people because of the color of their skin.

You also don't--at present--see the US government deporting over a million people to concentration camps because of their ethnicity and religious beliefs.


And yet America has way more people per capita in prison than China. If I recall there were some protests recently that were related to the skin colour of those America prefers to lock up.


To be fair, they are using the police to arrest and brainwash the Uyghurs... and right now increasing the security apparatus in Hong Kong to remove any dissent...


> alt-right scare tactic to appeal to sinophobia.

Not everything you don't like is alt-right. America has plenty of Sinophobia (founded or unfounded) to go around.

Also: https://duckduckgo.com/?q=harrasment+of+black+people+in+chin...

Also I recently learned this: https://en.wikipedia.org/wiki/Nanjing_anti-African_protests#...


The difference is that most apps read your clipboard when you start the app to check if there is some relevant information for that app, and part of the reason why is that you cannot set default apps in iOS (in iOS 14 this will be possible for browser and mail). A browser, for example, checks if you have a URL so it can offer to open it. Apollo (a Reddit client), for example, checks if you have a Reddit URL in your clipboard so it can offer to open it. Or a banking app reads it to offer to make a transfer to an IBAN you have in your clipboard. But TikTok read the clipboard every few keystrokes you made on your keyboard. That's a huge difference. Of course you can't say for sure that all the others didn't do anything crazy with the data from your clipboard, but they at least have a valid reason to read it.
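The distinction drawn above (a read at launch or right after a user paste versus a read every few keystrokes or every 30 seconds) can be turned into a detection rule. The following is an added example, not code from the original thread or from any of the apps named in it; it parses a constructed clipboard-access log in a hypothetical format (real iOS does not expose such a log to third parties; iOS 14 shows a banner per read instead), treats a read within one second of a launch or a user paste as explained, and flags apps whose unexplained reads recur at regular intervals as polling. Bundle ids and timestamps are constructed.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log (hypothetical format): "<seconds since boot> <bundle id> <event>".
# Events: launch, clipboard_read, user_paste. The bundle ids are made up.
SAMPLE_LOG = """\
0.0 com.example.redditclient launch
0.2 com.example.redditclient clipboard_read
5.0 com.example.videoapp launch
5.1 com.example.videoapp clipboard_read
10.0 com.example.bankapp launch
10.3 com.example.bankapp clipboard_read
35.1 com.example.videoapp clipboard_read
40.0 com.example.redditclient user_paste
40.1 com.example.redditclient clipboard_read
50.0 com.example.notesapp clipboard_read
50.4 com.example.notesapp clipboard_read
51.1 com.example.notesapp clipboard_read
53.0 com.example.notesapp clipboard_read
65.1 com.example.videoapp clipboard_read
95.1 com.example.videoapp clipboard_read
125.1 com.example.videoapp clipboard_read
"""

LINE_RE = re.compile(r"^(?P<t>\d+(?:\.\d+)?) (?P<app>\S+) (?P<event>\S+)$")
TRIGGER_WINDOW = 1.0   # a read within 1 s after a launch or user paste is "explained"
MIN_UNEXPLAINED = 3    # fewer unexplained reads than this is only "occasional"
REGULARITY = 0.2       # coefficient of variation of read gaps below this => periodic polling


def parse_log(text):
    """Group timestamps per app and event: {app: {event: [t, ...]}}; skips malformed lines."""
    events = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events[m["app"]][m["event"]].append(float(m["t"]))
    return events


def unexplained_reads(per_app):
    """Reads that do not follow a launch or a user-initiated paste within TRIGGER_WINDOW."""
    triggers = per_app["launch"] + per_app["user_paste"]
    return sorted(
        t for t in per_app["clipboard_read"]
        if not any(0 <= t - tr <= TRIGGER_WINDOW for tr in triggers)
    )


def classify(reads):
    """Label an app from its list of unexplained read timestamps."""
    if not reads:
        return "launch_or_paste_only"
    if len(reads) < MIN_UNEXPLAINED:
        return "occasional"
    gaps = [b - a for a, b in zip(reads, reads[1:])]
    avg = mean(gaps)
    # Near-constant gaps (e.g. every 30 s) are the signature of a timer, not of a user action.
    if avg > 0 and pstdev(gaps) / avg < REGULARITY:
        return "polling"
    return "frequent_unexplained"


def audit(text):
    """Return {app: label} for every app seen in the log."""
    return {app: classify(unexplained_reads(ev)) for app, ev in parse_log(text).items()}


if __name__ == "__main__":
    for app, label in sorted(audit(SAMPLE_LOG).items()):
        print(f"{app:32s} {label}")
```

The thresholds are deliberately simple; in practice a read that follows a foreground transition (not only a cold launch) would also count as explained, and the regularity test should be applied per session rather than across the whole log.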


It is not only a centre-right source (consider how often FT has anything positive to say about the EU), but also an anglophone one.

Following news in different languages makes it obvious that privately owned news sources are not necessarily any less biased than state sponsored (often simply an epithet?) ones.

(TIL Radio Yerevan's successor not only live streams but offers an English-language front page: https://en.armradio.am )

https://en.wikipedia.org/wiki/List_of_countries_by_largest_h... qualitatively gives a pretty good past performance on who got the bulk of Oceanian two-minutes hate (USSR -> Japan -> China), even though quantitatively it seems off (I think Japan got much less two-minutes hate in the 90s than it did in the 80s)


Yup. No one upvote this article because it's clickbait


[flagged]


Do you mean dissent?


There's a good Reddit post starting with: "So I can personally weigh in on this. I reverse-engineered the app, and feel confident in stating that I have a very strong understanding for how the app operates" Ref: https://www.reddit.com/r/videos/comments/fxgi06/not_new_news...

There's also some analysis whitepapers posted here: https://penetrum.com/research

To play devil's advocate, a lot of this might be overblown. Chat apps like this have to battle fake accounts, spammers, and API scraping of all sorts. This is typically implemented via fingerprinting the mobile devices in a way that is difficult to fake or emulate. You'd want to do this by collecting as much data as possible, and also obfuscating the method with which it is done.

However, obviously, this can be done moderately securely, by hashing the inputs with something like SHA512 prior to forwarding them on to the central servers.

So a lot of the outrage may be valid, but misdirected. You don't have to be spying on purpose, it's enough to add anti-spoofing features into your app and be sloppy about it. You'd still want to keep your methods secret, and you certainly wouldn't want to own up to sloppy work.

Combine the incompetence, secrecy, and the face-saving culture of Asians, and you end up with something that at first glance looks like spying, because it kinda-sorta is.
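The comment above contrasts shipping raw device attributes with hashing them (SHA-512) before they leave the device. The block below is an added example, not code from the thread or from any app it discusses: it canonicalizes a constructed set of device attributes (the field names are hypothetical) and compares the raw form, a plain SHA-512 digest, and an HMAC-SHA-512 keyed per app. The plain digest lets a server deduplicate devices without receiving the attributes, but because these attributes have little entropy the digest only hides them from casual inspection; the keyed form additionally stops two services from correlating the same device, assuming each holds a different key.

```python
import hashlib
import hmac
import json

# Constructed device attributes with hypothetical field names: the kind of
# low-entropy data an anti-spoofing fingerprint collects.
SAMPLE_DEVICE = {
    "model": "iPhone12,1",
    "os_version": "13.5.1",
    "locale": "en_US",
    "screen": "828x1792",
    "timezone": "America/Los_Angeles",
    "app_version": "16.2.0",
}


def canonicalize(attrs):
    """Stable byte serialization (sorted keys, no whitespace) so equal devices hash equally."""
    return json.dumps(attrs, sort_keys=True, separators=(",", ":")).encode("utf-8")


def raw_fingerprint(attrs):
    """What the sloppy variant transmits: the attributes themselves, readable by anyone in the path."""
    return canonicalize(attrs).decode("utf-8")


def hashed_fingerprint(attrs):
    """SHA-512 over the canonical form: the server can match devices without seeing attributes."""
    return hashlib.sha512(canonicalize(attrs)).hexdigest()


def keyed_fingerprint(attrs, app_key: bytes):
    """HMAC-SHA-512 with a per-app key: the same device yields unrelated values for different keys."""
    return hmac.new(app_key, canonicalize(attrs), hashlib.sha512).hexdigest()


def same_device(fp_a: str, fp_b: str) -> bool:
    """Constant-time comparison of two fingerprints of the same kind."""
    return hmac.compare_digest(fp_a, fp_b)


if __name__ == "__main__":
    print("raw   :", raw_fingerprint(SAMPLE_DEVICE))
    print("sha512:", hashed_fingerprint(SAMPLE_DEVICE)[:32], "...")
    print("keyed :", keyed_fingerprint(SAMPLE_DEVICE, b"constructed-app-key")[:32], "...")
```

Because a key embedded in a shipped app is extractable, the keyed form limits cross-service correlation rather than protecting the attributes from the app's own operator; neither form is a substitute for collecting less in the first place.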


"The most acute issue with this vulnerability is Apple’s universal clipboard functionality, which means that anything I copy on my Mac or iPad can be read by my iPhone, and vice versa. So, if TikTok is active on your phone while you work, the app can basically read anything and everything you copy on another device: Passwords, work documents, sensitive emails, financial information. Anything."

Ok, with such a vulnerability, I wonder how Apple has let all these apps snoop on clipboard data for so long. They go after Hey like right away, and they have let such a gaping security hole slide through for such a long time.


Apple are definitely doing some good things. In Catalina they revealed to me that Backup and sync from Google.app was spying on my Downloads folder on my Mac - something it has no business doing, and which I never intended to be happening on my computer. macOS now prompts for permission when an app tries to read a major directory area without you first asking it to.

But Apple are a corporation. They only do enough privacy things to support their particular business model. That explains their baffling inconsistencies.

Ultimately, Apple can't be trusted if you truly value your privacy. I'm planning a move to Linux, which is easier than ever to use these days. Linux Mint, Elementary OS, Ubuntu...it's lookin' good.


What I find odd:

- why was iOS allowing it in the first place?

- why does an app have access to the clipboard unless copy/paste is deliberately invoked from within the app by the user? (my clipboard often contains highly sensitive info)


There are legitimate user-centric reasons for doing this:

- I have an app, Parcel, that upon launch sees if I have something resembling a tracking number in my clipboard. If I do, it asks if I want to track that package.

- A popular Reddit client, Apollo, looks for Reddit URLs in the clipboard. If it finds one, it asks if you want to open that conversation in the app.

Sure, both of those apps work fine without that feature. Those are definitely nice conveniences, though, and they’re designed to make my life as the user just a little easier. So, there are genuinely useful reasons for an app to do this. There’s zero legit reason for TikTok to check every 30 seconds that don’t involve spyware.

I want a dialog box: “Allow this app to access your clipboard?”, just like you get for access to location services, photos, the camera and mic, etc. Then I can let well-behaved apps do that for my benefit, and can tell creeper apps like TikTok to mind their own damn business.


> There are legitimate user-centric reasons for doing this

This trope is dragged out often. The answer is no. No, these are not legitimate use cases.

Just like Cambridge Analytica wasn't a legitimate use case, neither is polling a clipboard for changes.

An application should be told of changes. If there were a permission dialog to allow the user to opt-in the application to being told instead of requiring the user to explicitly paste, then maybe. Only maybe. But allowing any (third party) application to see the communication between two (first party) applications is completely unacceptable.
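The two comments above propose a model in which the OS asks "Allow this app to access your clipboard?" and then delivers changes to opted-in apps instead of letting any app poll. The block below is an added example, not code from the thread or from iOS (the real UIPasteboard API works differently): a hypothetical clipboard broker with three paths, a user-initiated paste that always works, change notifications that require a grant, and no read-on-demand API at all, so polling is impossible by construction. App identifiers and the copied string are constructed.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class ClipboardBroker:
    """Hypothetical OS-side clipboard broker: apps are told of changes only with a user grant."""
    _content: Optional[str] = None
    _owner: Optional[str] = None
    _grants: Dict[str, bool] = field(default_factory=dict)               # app -> user's answer
    _subscribers: Dict[str, Callable[[str], None]] = field(default_factory=dict)
    audit_log: List[str] = field(default_factory=list)                   # what a user could review

    def grant(self, app: str, allowed: bool) -> None:
        """Record the user's answer to the permission dialog for this app."""
        self._grants[app] = allowed

    def subscribe(self, app: str, callback: Callable[[str], None]) -> None:
        """Opt an app in to change notifications; refused unless the user allowed it."""
        if not self._grants.get(app, False):
            raise PermissionError(f"{app} has no clipboard-notify grant")
        self._subscribers[app] = callback

    def copy(self, app: str, text: str) -> None:
        """Store new content and push it to every granted subscriber except the copier."""
        self._content, self._owner = text, app
        self.audit_log.append(f"copy by {app}")
        for sub_app, cb in self._subscribers.items():
            if sub_app != app:
                self.audit_log.append(f"notify {sub_app}")
                cb(text)

    def paste(self, app: str) -> Optional[str]:
        """User-initiated paste: the explicit gesture is the authorization."""
        self.audit_log.append(f"paste into {app}")
        return self._content

    # Deliberately no read(app) method: there is nothing for a timer to call.


def run_scenario():
    """Constructed scenario: one app allowed, one denied, one copy, one paste."""
    broker = ClipboardBroker()
    received: Dict[str, List[str]] = {}
    broker.grant("com.example.parcel", True)      # user tapped Allow
    broker.grant("com.example.videoapp", False)   # user tapped Don't Allow
    broker.subscribe("com.example.parcel", lambda t: received.setdefault("parcel", []).append(t))
    try:
        broker.subscribe("com.example.videoapp", lambda t: received.setdefault("videoapp", []).append(t))
    except PermissionError:
        pass  # denied apps cannot register for notifications
    broker.copy("com.example.mail", "1Z999AA10123456784")   # constructed tracking-number-like text
    pasted = broker.paste("com.example.notes")
    return received, pasted, broker.audit_log


if __name__ == "__main__":
    got, pasted, log = run_scenario()
    print(got, pasted)
    print("\n".join(log))
```

The audit log is the detection hook: every delivery is recorded with the receiving app, so a user (or the OS) can see exactly which apps saw a given copy.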


Can you elaborate on why not? More specifically, what is illegitimate about those use cases? Do you deny that users would want these features?

I will readily concede that the infrastructure and tools that enable those use cases also potentially enable exploits - but what is it that you know about users that I don't which leads you to believe that these use cases are not legitimate?


You’re speaking for yourself. For me, those are legitimate use cases and I like it when apps use that functionality appropriately. The key is that I want to decide if and when I allow an app to do it. In the case of Parcel, 99% of the time I open the app (as opposed to looking at its widget), it’s to add a new package to track. If I didn’t have something in my clipboard that I wasn’t about to add to it, I probably wouldn’t have opened the app in the first place.


There are good reasons for enabling an API for copying to the clipboard.

A password manager should be able to copy passwords to the clipboard without the user having to select the plain text password in a text field.

Not sure about pasting.


> A password manager

Should have a dedicated API to transmit passwords to password fields.

Or, more broadly, if I had half a brain I’d get in to digital security research, so much low hanging fruit!


There is a dedicated password API system, but sometimes you just run into apps or websites that don't integrate with that API well.


Probably for performance reasons. If I copy an image I want it to paste immediately.


According to what I learned from friends who work at TikTok, the parent company is planning to formally sever the business tie with TikTok, although the technology team is assumed to still share the same infrastructure (networking, storage, compute, etc.). I never was a web or mobile app developer and my friends are not either, and I never used TikTok, so I have no idea how the client-side technology is going to be structured.

PS: TikTok and the purely algorithm-driven content consumption is absolutely going to be a super mind washing machine that I am never going to touch, and I will teach my kids to stay away as well.


> absolutely going to be a super mind washing machine

Perhaps; your greater worry should be that kids are prioritising TikTok over other, more important things (like school/sleep)

> will teach my kids to stay away as well

Good luck; it's going to be hard, especially when all their friends will be using it. (Source: I'm a high schooler ;) ) Perhaps an easier path is to teach them to avoid all/most social media. That's what my dad told me to do, and to date I find it a lot easier to say "I'm not on any social media" than "I'm not on TikTok" to my friends.

(HN arguably is social media though...)


HN may be social media, and it can be addictive. But the real crack are infinite scrolling algorithmic feeds optimized for engagement. HN doesn't have one of those.


That's an interesting claim. TikTok has been recruiting rapidly in America, and they structure their offers mostly in terms of their non-fungible funny money, marked to a fantastic valuation (I think they told me Bytedance was worth $300bn or something preposterous). I wonder how they would pay out in a severance of TikTok from the parent company.


> they structure their offers mostly in terms of their non-fungible funny money

Any more info on that?

From memory of previous discussion on HN, all shares/options/similar in mainland Chinese companies are (I think?) worthless to foreigners? With something about people only finding that out the hard way when they tried to cash them in.


TikTok will IPO on an American exchange and effectively become an American company. The proceeds of the IPO will go to ByteDance, which will also continue to own and run the Chinese version.


Ahhh, that makes more sense then. Thanks. :)


Don't algorithms dictate what content shows up on HN?


Really?

I always assumed HN just operates on user voting. And the first batch showing on the front page is hand picked, which I think is necessary...


HN is quite heavily moderated. So is TikTok (much more so).


Not all algorithms are created equal.


It’d be nice if someone disassembled tiktok to figure out what happens with this information. We can all speculate, tiktok can release a statement, but only the binary can give the truth for this proprietary app.


The last paragraph:

> All iPhone users should update to the latest version of TikTok as soon as it’s released—and given it is actively reading your clipboard, you might want to bear that in mind while using the app ahead of that update.

Is immediately followed by this bit about the author of the article:

Zak Doffman

I am the Founder/CEO of Digital Barriers—developing advanced surveillance solutions for defence, national security and counter-terrorism. I write about the intersection of geopolitics and cybersecurity, and analyze breaking security and surveillance stories. Contact me at zakd@me.com.

Zak develops spyware.


This is some guy ... Here is his twitter feed:

https://twitter.com/UKZak

Pinned tweet: China Has Weaponized The Smartphone: Here’s Why You Should Be Concerned

And this is his company:

https://www.digitalbarriers.com

With some scary looking UK police officers carrying machine guns on the front page ...

Why does this guy get to write hyperbolic articles for the FT?


> The most acute issue with this vulnerability is Apple’s universal clipboard functionality, which means that anything I copy on my Mac or iPad can be read by my iPhone, and vice versa.

Didn't know that was a thing. What an extraordinary security hole that is, and excellent MiTM password catching opportunity for Apple.

Does anyone know if it can be disabled programmatically? Otherwise LastPass (etc) are effectively getting backed up directly by Apple. :(


Some follow up info from 1Password:

https://discussions.agilebits.com/discussion/68850/will-you-...

It looks like Apple doesn't allow disabling of just the universal clipboard functionality, instead the whole "Handoff" feature needs disabling:

https://discussions.apple.com/thread/7678939

That being said, at least it can be turned off even if that means other stuff needs turning off too.


Why are you even putting passwords in the clipboard? On iOS and macOS passwords can (and should!) be filled by password manager extensions, which don't use the clipboard.


Unfortunately there’s still “trash” apps that don’t utilize the feature. I wish Apple pushed on this as much as they did with their sign with Apple policy.


That's probably a good point, for those. :)

There are systems which use passwords stored locally (encrypted) though, and use cut-n-paste from the displayed password into the appropriate field.

This "Apple universal clipboard" functionality sounds incredibly dangerous for things like that, if it can't be disabled.

That being said, I haven't personally used macOS much in years, apart from keeping a project build server ticking over. So, this doesn't affect me personally that I know of. ;)


Sometimes you have to copy/paste your password for some apps. Quite often on the iPhone.


they don't always work well.
