TikTok app to stop accessing user clipboards after being caught in the act (macrumors.com)
262 points by shadykiller 7 days ago | 149 comments

Great to see another layer of transparency in iOS 14.

But I wonder why everyone is talking about one specific app? I see a huge bias towards TikTok in headlines

"iOS 14 caught TikTok and other apps spying on the clipboard" [0]

"iOS 14 beta shows apps like TikTok still spy on your iPhone" [1]

There are a bunch of apps like VICE, Google News and WSJ that have been caught doing exactly the same. [2]

I may have found the explanation for why TikTok did that. In China WeChat blocks direct links to their competitors. So apps like Taobao or Douyin have to find a workaround for deeplinks. When you want to share a video from Douyin with a friend in WeChat, Douyin generates the following message.

在东京刚毕业入职三个月的职场小白 搬家找房 坚持更新#日本vlog #东京 https://v.douyin.com/J8ceMYY/ 复制此链接,打开【抖音短视频】,直接观看视频!

(Translation: "A fresh graduate in Tokyo, three months into my first job, moving house and apartment hunting, posting regularly #JapanVlog #Tokyo https://v.douyin.com/J8ceMYY/ Copy this link, open [Douyin Short Video] and watch the video directly!")

In WeChat the link is not clickable. To see the content, the user has to copy the full text and go to Douyin. The app will read the clipboard and perform the transition to the video. At the link below you can find a video explanation [3]

Probably they re-used some code in TikTok. Definitely they need to be more careful about data safety, but I don't think they really built a pipeline for spying using the clipboard.

There is a lot of buzz around TikTok these days, but I want to get an answer from other apps as well.

[0] https://bgr.com/2020/06/26/ios-14-beta-privacy-features-tikt...

[1] https://mashable.com/article/iphone-ios-14-privacy-clipboard...

[2] https://www.youtube.com/watch?v=pRSWdtoUAjo

[3] https://twitter.com/kidrulit/status/1277629462721384448

> But I wonder why everyone is talking about one specific app?

In this particular case, I think it's because the person who apparently discovered it claims that other apps "don't collect anywhere near the same amount of data that TikTok does". [0]

> For what it's worth I've reversed the Instagram, Facebook, Reddit, and Twitter apps. They don't collect anywhere near the same amount of data that TikTok does, and they sure as hell aren't outright trying to hide exactly what's being sent like TikTok is. It's like comparing a cup of water to the ocean - they just don't compare.

[0] https://www.reddit.com/r/videos/comments/fxgi06/not_new_news...

I went through this post earlier. Unfortunately the video has been removed for some reason.

> I'm getting a lot of DM's asking me to prove the majority of this with a paper and snippets of the offending code. I have a decent amount of my notes on my other laptop that recently had a motherboard failure and the majority of that data is on the laptop's SSD. It's a macbook pro, so recovering the data isn't exactly super simple. I have some frida scripts that I pushed to my git server as well as some markdown files + conversation logs I've had with exploit devs, but not much else. In order to get everyone the proof they require, I'll likely need to reverse the app all over again which isn't something I have time for right now.

That sounds like "the dog ate my homework", but well, sh*t may happen.

> Phone hardware (cpu type, number of cores, hardware ids, screen dimensions, dpi, memory usage, disk space, etc)

What's so special about it?

> Other apps you have installed (I've even seen some I've deleted show up in their analytics payload - maybe using as cached value?)

That's interesting indeed. I heard some developers did that as well (the Uber-Lyft case?) but it's really strange that Android enables that. I'm not an Android dev, but I guess you can retrieve that through PackageManager?

> Everything network-related (ip, local ip, router mac, your mac, wifi access point name)



> Whether or not you're rooted/jailbroken

My bank app does the same, as well as plenty of other apps. Again, I'm mostly an iOS guy, so not familiar with the Android ecosystem that well.

> They set up a local proxy server on your device for "transcoding media", but that can be abused very easily as it has zero authentication

That sucks. Can anyone explain why they do that?

> On top of all of the above, they weren't even using HTTPS for the longest time. They leaked users' email addresses in their HTTP REST API, as well as their secondary emails used for password resets

Bold statement without any facts, tbh.

I don't wanna play devil's advocate, and I neither support the CCP nor am a big fan of TikTok.

I really enjoy reading well-made security research that unveils security evaluations of Chinese apps. [0]

But I can hardly rely on posts without any clear data to reinforce them.

[0] https://citizenlab.ca/2020/05/we-chat-they-watch/

I don't use or like tiktok, but that post also came across as super fishy to me. Lots of it boiled down to "I'm a software engineer, trust me" with a good amount of FUD thrown in (going on about GPS data when the app doesn't even request the Location permission? complaining the app can see your screen resolution?). I'm sure the truth is somewhere in between but tiktok is the beating-horse of the day so you'll see all sorts of cool stuff like mainstream media using an anonymous reddit post as a source.

Exactly. Moreover, r/videos doesn't seem like the proper place to share a reverse-engineering analysis.

It's hard to trust a self-proclaimed computer expert who neither uploads any data to share as evidence, nor backs up any of his work anywhere, nor syncs to any cloud.

Yeah, this was my exact problem with that comment. They ended it by saying apps like Facebook/Gmail/etc don't collect nearly the same amount of data, but I'm very hard pressed to believe that. I'll believe it when they show a side-by-side comparison of what portions of each category they listed TikTok is accessing/Facebook is accessing, with the accompanying bytecode they claim to have decoded.

Oh, it seems that from Android 11, it became much harder to see the list of installed apps.


Just because other apps do that is no excuse for bad behaviour. Almost all apps get flak for bad behaviour. TikTok is the newest popular thing on the block and it is expected to be widely covered. Honestly it is okay to discuss the bad behaviours of an app without blaming other apps.

Being "caught" reading the clipboard is not an indictment that you are doing something wrong. It's very good that it is no longer occurring invisibly in the background, but so far what we have seen appears to be frivolous usage rather than malicious.

Smh, a newly registered account.

> Honestly it is okay to discuss the bad behaviours of an app without blaming other apps.

OP explained the reason for doing so, how can we just discuss the problem without checking the cause?

The app for Discord would also make the warning show, though the fix for that was a small one line change.


I think it's probably because they were already in a series of such mess-ups, so someone decided to check it with TikTok and that went viral. Also, it's a social media app that a lot of people use, so using that as part of the headlines gains the media eyeballs.

Oh wow, thanks for sharing [2]. That's ludicrous (the consent manufacturing part).

> But I wonder why everyone is talking about one specific app? I see a huge bias towards TikTok in headlines

1) TikTok is one of the most popular apps and was the second most downloaded last year [0]. Come on, they are at the top. That's why we talk about them.

2) TikTok has been caught in a lot of privacy scandals that appear to be more egregious than other apps.

3) There's a deep seated fear, and evidence, that Chinese companies share their data with their government.

It is all three, but mostly #1.

> [0][1]

These are the same event, why are you posting two instances of the same event like "TikTok is unfairly being targeted?"

> There are a bunch of apps like VICE, Google News and WSJ that have been caught doing exactly the same. [2]

People are upset about that too. But frankly, VICE and the WSJ don't have as many downloads as TikTok. Even if you combine their total downloads they don't account for a tenth (<1/10th!!!!) of TikTok's downloads. Frankly I don't understand the logic here. Ignore the top dog just because others are doing the same thing? Just because others do it doesn't make it right and of course we should go after the one that's the biggest.

If you're bigger, people pay more attention to you. That's why TikTok is getting "singled out." BECAUSE TIKTOK IS ONE OF THE MOST POPULAR APPS IN THE WORLD! It doesn't matter what other apps do. That doesn't justify bad behavior. Am I the only one whose mom said "If all your friends jumped off a cliff, would you?"

[0] https://www.visualcapitalist.com/ranked-most-downloaded-apps...

Yeah, the bar is high. But unfortunately people seek short-term rewards and rarely care about their data leakage.

How did the #DeleteFacebook movement impact the company's business? Not that much, I believe. The stock keeps rising. It would be interesting to see what will happen to Bytedance's product.

> 3) There's a deep seated fear, and evidence, that Chinese companies share their data with their government.

Can you share the evidence of that please? Apparently Bytedance cut domestic engineers' data access to TikTok [0]

[0] https://en.pingwest.com/a/6875

>> 3) There's a deep seated fear, and evidence, that Chinese companies share their data with their government.

> Can you share the evidence of that please?

Not the parent commenter, but you may find this paper informative/insightful:

"Systematic Government Access to Private-Sector Data in China" (2017) [0]

Not by any means the only source, just happens to be one I read recently.

[0] https://www.oxfordscholarship.com/view/10.1093/oso/978019068...

Obligatory xkcd on bridge jumping:


> In China WeChat blocks direct links to their competitors. So apps like Taobao or Douyin have to find a workaround for deeplinks.

I'm going to start by saying "No they don't." They don't _have_ to do anything. They decided to.

> In WeChat the link is not clickable. To see the content user has to copy full text and go to the Douyin. The app will read the clipboard

They could have chosen to give you a place to put links without snooping your clipboard. That was a decision they made.

> I don't think they really made a pipeline for spying using clipboard.

Does the app spy on the user's clipboard? Yes. QED.
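The alternative argued for here (a place to paste the link instead of reading the clipboard on launch), applied to the Douyin-style share message described earlier in the thread, as an added Swift example that is not code from Douyin, TikTok or anyone in this discussion: the screen only asks iOS 14 whether the pasteboard probably holds a web URL (pattern detection does not expose the contents and shows no paste banner), offers a Paste button only then, and reads the pasteboard solely when the user taps it. The class and method names, the `v.douyin.com` host check and the omitted layout are assumptions.

```swift
import UIKit

// Hypothetical "open a shared link" screen (example code, not Douyin's or
// TikTok's). The app never reads the pasteboard when it appears; it only asks
// whether a web URL is probably present and reads the contents on a user tap.
final class ShareLinkViewController: UIViewController {
    // Assumed share host; only links the app itself generated are acted on.
    private static let shareHost = "v.douyin.com"

    private let linkField = UITextField()
    private let pasteButton = UIButton(type: .system)

    override func viewDidLoad() {
        super.viewDidLoad()
        // The honest baseline: a field the user can type or paste into. System
        // paste is user-initiated, so the iOS 14 banner appears where expected.
        linkField.placeholder = "Paste a share link"
        linkField.keyboardType = .URL
        pasteButton.setTitle("Paste link from clipboard", for: .normal)
        pasteButton.isHidden = true
        pasteButton.addTarget(self, action: #selector(pasteTapped), for: .touchUpInside)
        // Auto Layout constraints omitted (assumed).
    }

    override func viewWillAppear(_ animated: Bool) {
        super.viewWillAppear(animated)
        offerPasteIfURLPresent()
    }

    // Pattern detection (iOS 14) answers "is there probably a web URL?" without
    // handing the app the string, so no paste banner is shown for this call.
    private func offerPasteIfURLPresent() {
        if #available(iOS 14.0, *) {
            UIPasteboard.general.detectPatterns(for: [.probableWebURL]) { [weak self] result in
                DispatchQueue.main.async {
                    if case .success(let found) = result, found.contains(.probableWebURL) {
                        self?.pasteButton.isHidden = false
                    }
                }
            }
        } else {
            // Before iOS 14, hasURLs likewise reports presence without reading the value.
            pasteButton.isHidden = !UIPasteboard.general.hasURLs
        }
    }

    // The only place the pasteboard contents are read: an explicit user action.
    @objc private func pasteTapped() {
        guard let text = UIPasteboard.general.string,
              let url = firstShareLink(in: text) else { return }
        linkField.text = url.absoluteString
        openShareLink(url)
    }

    // Share messages embed the link in surrounding text ("... https://v.douyin.com/...
    // copy this link, open Douyin ..."), so pull it out with the system link
    // detector and keep only an https link on the app's own share host.
    private func firstShareLink(in text: String) -> URL? {
        guard let detector = try? NSDataDetector(types: NSTextCheckingResult.CheckingType.link.rawValue) else {
            return nil
        }
        let range = NSRange(text.startIndex..., in: text)
        return detector.matches(in: text, options: [], range: range)
            .compactMap { $0.url }
            .first { $0.scheme == "https" && $0.host == Self.shareHost }
    }

    private func openShareLink(_ url: URL) {
        // Navigation to the video goes here (omitted).
    }
}
```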

They do it to get around very anti-competitive behaviour. WeChat pretty much has a monopoly on chat in China, so if you want to get into that market I guess you have to come up with some way around it. Though I agree that a button that would activate it would likely have been a better way to do it. Even if they did not do anything nefarious, this really makes it look like they did.

Spying on users is a dishonorable way to get around another corporation's anti-competitive behavior. Because it was not the only extremely obvious viable option (I mentioned a clearly honest, obvious alternative), we have to conclude that they desire to act dishonorably.

That's a big dispute in Sino tech. [0]

[0] https://www.scmp.com/abacus/culture/article/3029309/wechat-s...

> Chinese users have been complaining that WeChat’s practice of blocking certain apps is a huge blow to user experience. But WeChat isn’t the only one doing it. Chinese tech companies constantly add services to their own ecosystems and block services from other companies, leading some tech watchers to say that China’s mobile internet has been split into pieces.

Hope they can fix it one day

> Hope they can fix it one day

Taobao/Douyin/etc could save face today by giving you a place to enter links instead of spying.

Well, since you talk about bias,

Why is every US app (Facebook, Twitter, YouTube...) banned by China, while China's companies can earn money in America?

Why does the US government allow this to happen? They are a huge threat to the safety of America!

The security implications of allowing communications on a platform that is subject to the absolute control of a foreign government seem like a very, very bad idea. That can be a lesson learned the easy way or the hard way.

I honestly think we give Chinese apps too much equal footing. In about 5-8 years, when China has an insane surveillance network around the world (they already have), this comment is going to sound like the most sensible thing to do - blanket ban any application developed and served by the CCP or a similar government.

People teeter-totter about righteousness and freedom of choice, but IMO we need to stop feeding the CCP with more power/$$$/influence ... NOW ... Freedom of choice is great when there is fairness and democratic values built in, when the government isn't on some Han-supremacy drug and expansionist motives.

Someone will inevitably respond with whataboutism and smear American companies into the mix as if they're expressing their understanding of hypocrisy and one-sidedness. It is supposed to be one-sided. The west offered a two-way street which China declined to walk on. So, now all bets are off. Equivalency with the western apps/services/goods is no longer a valid counter argument.

On fair, just, and rational grounds - I am a progressive. In unfair, unjust and irrational waters - I am a conservative.

The CCP has already shown they’re willing to abuse TikTok to stir unrest in the USA, you aren’t even making a theoretical argument. I’m a lot more worried about China than Russia, when it comes to bad behavior by state actors.

This is why I'm always confused by privacy arguments. When someone says that they want privacy the responses go like:

Reference Goebbels: "I have nothing to hide, so I'm not worried"

Downplay: "They only read my emails and everything I write to sell me stuff better. Sometimes I need stuff. They're helping me!" As if it can only be used to sell and nothing else.

World revolves around self: "Well ads don't affect me." Like it doesn't matter that everyone else is affected even if you aren't.

Completely ignoring the fact that if someone can manipulate you to buy stuff they might be able to use it to manipulate you to do other things. I mean we have political ads. And Coke ads aren't there to sell you Coke (they are there to make you feel better about your purchase). Frankly, to me it doesn't even matter if no one has done that yet (I'm aware of the clear evidence that people have) but that we're giving people the ability to do this en masse and in very precise ways. That just leads to a potential turn in democracy. "Just educating people" doesn't solve the problem either. Ads are still effective on smart people. So the question is "are the benefits ~~profits~~ worth the cost?" It is reasonable to think "yes", but I'm a resounding "no."

Yes, we use political ads to "manipulate democracy" and the like, but a mass statewide commercial is a very different thing than an individualized ad targeted to a specific person. At least to me these are very different (and we still have regulations on what you can say in political ads). Where do we draw the line? We talk about data a lot here and what we can model with it. What will ads look like in 20-50 years if we don't draw a line in privacy and technology continues to become more powerful? I think individualized ads will look very different. We do need to determine what level of individualization we can target with an ad, and I don't see much of that happening.

Excellent comment, you changed my thinking on the issue. I feel like liberal, educated democracies are focused on the wrong problems. It’s only going to get harder to change course the longer we keep sailing in this direction of a laissez faire, anything-goes approach to software.

Apple’s infamous walled garden solves this problem to some extent, but introduces others because it lacks due process, leading to corruption where money can solve any problem, and so apps like Tiktok get to abuse their trust with impunity.

As I see it, democracy is unstable. I like living in a democratic system (yes, a democratically elected republic is still a democratic system). But we have to recognize that it is unstable and democracies work under the pretense that the keys to power are distributed and frequently moving hands (by elective processes). So the danger to democracy is the collection of keys, or the consolidation of power. Power consolidation DOES have benefits after all. I mean a benevolent dictator is probably the best form of government, the issue is that if the next dictator isn't benevolent (or how long until that). The same is with democracy. We keep power distributed so that when a malevolent (or even just non-benevolent) ruler comes into power they aren't able to do much. Essentially as long as we don't let corruption fill the majority of roles with power, we're fine. They have to spend a lot of time and resources consolidating that power.

Essentially this is what "turnkey tyranny" is: the point at which power is consolidated to such a degree that a malevolent ruler would have the power of a tyrant.

So it has never been about having something to hide or that people aren't using a power malevolently. It is the potential for abuse and that given enough time a power is likely to be abused. Distribution makes it more difficult (but does not eliminate) to abuse power.

With HN's love for federated systems, which essentially operate under similar principles, I'm surprised this is not a more popular concept. The only difference is that we're talking about government officials instead of Moxie.

All governments are unstable. The best we can hope for is they do the most good for the longest amount of time. The better a government does, the more its population tends to assume that it’s impossible for their government to fail, and they don’t guard against it, instead choosing convenience (and properly federated government is the opposite of convenient).


I don't have any memory of "CCP abuses TikTok to stir unrest in USA" being reported. Is there really such evidence?

If there is evidence, then please just ban the goddamn app from any mobile smartphone platform. It's too dangerous to open the lid of such a mass brain-washing machine. Even in the Arab Spring, it was just passively allowing the information to propagate organically. No one with sane judgement should allow these apps to be used as manipulation tools by any minority group...

> The west offered a two-way street which China declined to walk on.


It's pretty simple, China doesn't allow western companies access to its markets reciprocally. This isn't controversial or esoteric information. It's a well known fact.

When two parties negotiate they generally try to negotiate in their personal interest. Given how many Western companies flocked to China the access was apparently still worth it.

It's not like this is uncommon either. The US themselves did this under Hamilton's American System and Japan did it in the late 19th century when they maximized goods and technology coming in while trying to keep as much foreign influence out. It's a reasonable strategy and particularly understandable with a historical view of East-Asia, which doesn't have the best experience with opening up to Western companies.

I never really understood where the problem is, because China didn't kidnap Apple's CEO and force them to build factories in China. If Americans think whatever China offers is not worth it, they're free not to participate.

Sure, "American" multinational corporation managers love to play ball with the CCP to make money. That doesn't mean American citizens love it or that the American government should support it.

Well, I'm more concerned about my platform being subject to the control of my own government. Because I don't care very much about foreign governments, given I happen to be a western citizen that has nothing to do with those countries. But what about ours? Do you think our government is better than theirs? For how long?

> do you think our government is better than theirs? For how long?

America has problems, but your order-of-magnitude calibration is way off if you think a concentration-camp-operating (i.e. the real kind, with over a million people who committed no crime and are held just for their beliefs and culture), expansionist (Hong Kong, Tibet, Taiwan), totalitarian (speech is monitored and punished in a "go to prison, right away" manner rather than a "twitter deleted my racist shit and nothing else happened to me" way) government is comparable. So yes, occasionally ineffective democracies that value human rights and freedoms (i.e. the west) are better than the CCP government, and will continue to be better now and into the foreseeable future.

Yes, you're right. My mistake was talking about better/worse governments, while we don't have to choose at all. I should rephrase it as: is our government good? I'm sure nobody can say it is, whichever government it may be. So that's why I find it uncomfortable to hand all my data over to the ruling party in my country, while I don't care what a random CCP functionary can learn about the cafeterias I frequently go to.

On a per capita basis, the US has more people in prison than there are Uyghurs in Chinese camps and Chinese residents in prison combined.

The US invaded Iraq for oil colonization.

Your whataboutism didn't mention the ongoing protests that are working to fix the problems you're referencing which would never be allowed in China.

> do you think our government is better than theirs?

Can't answer specifically without knowing who "ours" and "theirs" are, but I can answer generically. Governments that hold elections where more than one genuinely competing party can win if enough voters want to vote for them are better than governments that declare themselves the rulers.

Governments that defend the rights of people to express genuinely competing opinions, regardless of who agrees or disagrees, are better than governments that use or enable coercion to silence opinions they don't want people to hear.

Governments that use pervasive surveillance to monitor and punish people for thought crimes, where having or expressing forbidden opinions is treated as an actual "crime", are worse than governments that don't.

There is clearly a spectrum, and though my Chinese relatives keep pointing out how many US institutions are coming to resemble the Marxist institutions and people resemble the Red Guards they remember, the actual government of China is still far worse. "Since we, the CCP, are the People's Gov't, there is no further need for elections, and anyone who disagrees is an Enemy of The People, needs to be discovered, and deserves to be punished for that crime."

> subject to the absolute control of a foreign government

Especially a foreign government that is considered a top adversary by the US and vice-versa.

> a platform that is subject to the absolute control of a foreign government

I'm sure you would argue that Google, MS and Apple are completely independent of the US government.

I don't want to put words in your mouth, but if you are implying that the US influence over Google, MS, and Apple is comparable to China's influence over TikTok and other Chinese companies, then that is an utterly false equivalence. I don't have links, but the role and influence the CCP has in Chinese companies is well established, and US companies have gone to great legal lengths to restrict the US Government's involvement in certain areas, like the fight over encryption.

> US companies have gone to great legal lengths to restrict the US Government's involvement in certain areas

Yeah, they spend a fortune on lobbying - nonetheless they are very compliant with the US "national security". Keep them downvotes coming, Snowden never blew a whistle.

I'm sure the government considers the years long ongoing battle between Apple and the FBI over device encryption to be "very compliant".

The issue is (as far as I know) the CCP has unfettered access to Chinese apps. On the other hand, the US government has to ask. While Google, MS, Apple, etc. have all said "yes" plenty of times, they also have said "no" and are doing so more frequently as public opinion is changing on privacy. Literally the ability to say no is a big difference.

If I am wrong about the unfettered access, let me know.

The US has an independent judiciary which will rule on disputes between the government and Google/Apple/MS. China does not. It is really that simple.

> subject to the absolute control of a foreign government

National Security letters mean that for 95.75% of the world's population, what you just said applies to the USA.

Most of the anti-TikTok comments that have emerged recently are beyond hysterical. We are arguing about China using this app as a primary nexus of intelligence gathering, in a world where they already have the US government’s entire OPM database?[1]

A lot of apps are doing the stupid clipboard detection thing. As others have commented, there are reasons for this that range from spam detection to link shortening. It's lousy, I agree, but this has been a very common thing in a pre-iOS 14 world.

1: https://en.m.wikipedia.org/wiki/Office_of_Personnel_Manageme...

> In June 2015, the United States Office of Personnel Management (OPM) announced that it had been the target of a data breach targeting the records of as many as four million people

I'm pretty sure that tiktok has more than 4M users. I guess you can argue that OPM has more % of "high value" users compared to tiktok, but it's also 5 years out of date and contains different sets of data entirely. OPM data doesn't have your minute-by-minute location history and clipboard history, for instance.

The OPM database was a force multiplier, not a direct source of valuable data.

What it allows the Chinese government to do is filter any other source of data (such as TikTok) and exclude anyone in the US who doesn't have a security clearance. You then have vastly less raw intelligence to sift and try to find the accidental video someone posted with a whiteboard full of secrets in the background.

Intelligence gathering with OPM-type leaks is a passive activity, which can potentially be used for leverage.

Platforms like TikTok are active propaganda tools already, and can be used to shape discourse in democracies.

It is a major concern whether such tools are owned by foreign governments (TikTok) or private companies who do not need to comply with any regulations (Facebook, Twitter) etc.

When I was younger I would laugh at those ridiculous "forwards from grandma" about, like, secret Satanic messages embedded in Super Mario. Every kid knew these were nonsense; we just assumed it was a consequence of that generation growing up without technology.

I was wrong. Every generation is equally prone to hysteria. We learn nothing.

Thought the OPM hack was common knowledge, guess not. I added a link!

They'll use whatever data they can get their hands on.

Too little, too late. Already forced the family to uninstall it and it's gone forever. Wish the kids could understand that it's spyware with access to a lot of toxic social media.

> Already forced the family to uninstall it and it's gone forever.

Honestly you’d be better off educating them and telling them it’s a good idea than forcing them to jettison an app they probably love. Tons of apps do this (as discovered in iOS 14) and I highly suggest not doing a crusade against one when a lot more do it. See: https://youtu.be/pRSWdtoUAjo

Fair enough, we don't have any of the known spyware - TikTok was the only one. I was already questioning the value of TikTok before it became well known that it's spyware. I won't tell you about the week of crying because someone was calling my 8 year old a 'viscogirl' after seeing something on TikTok about it. It really looks like toxic garbage to me.

It's starting to fill up with Pizzagate "secret dungeon basement" conspiracy theories too... probably better off without it.

Doesn't sound so far fetched when TikTok is allowed to violate COPPA and is a haven for child predators.

You sure it wasn't "VSCO girl"?

I guess you know better than me, whatever.

My Daughter: "Dad let me install TikTok!"

Me: "No. It is Chinese spyware."

My Daughter: "<so and so from school> has TikTok!"

Me: "<so and so> is a Chinese asset!"

My Daughter: "No she's not!"

Every day.

In my experience it is a lot easier to tell your friends that you don't have any social media, rather than saying that you don't have a specific social media app/account/thing. Why? It's harder to understand why someone wouldn't install TikTok when they already have Snapchat/Instagram/everything else.

(I'm a high school student, abstaining from social media other than HN.)

Edit: Have you tried explaining to your daughter why TikTok is Chinese spyware?

HN is social media?

I think it is, at least as much as Reddit is as well. And before that Digg and Slashdot.


If you accept the premise that TikTok is collecting data for the Chinese government, then anyone using the app would indeed be an asset.

I cannot begin to imagine how my adolescent daughter could be of any possible use to the Middle Kingdom. Remotely, via a dance app.

Incidental and unintended data leakage.

TikTok is a virally popular video app used globally by a generation of adolescents that have normalized the behavior of recording inane happenings in their life multiple times a day, with an undeveloped sense of propriety and limited ability to fully comprehend the significance of their actions.

Not that I have much of an opinion on TikTok's usage as an intelligence gathering source, but I certainly appreciate its potential as one.

My daughters are constantly taking videos all over the place, with little regard to what is in the video beyond themselves. Even though they've been hounded on what is and isn't appropriate to capture in a video, I'm sure they have an under-developed sense of security/concern in that regard, particularly for "private" or deleted videos.

Access to the full corpus of video data uploaded to Tiktok would be a gold mine, least of which would actually be my adolescent daughters. Unrelated conversations picked up in the background, where/when they took the video, compromising/confidential artifacts exposed incidentally in the background, facial recognition on individuals in the video (whether the subject of the video or otherwise), etc. There are an immeasurable number of ways such a rich data source could be mined for signal intelligence.

Note that TikTok is far from the only app that fits this definition. There are plenty of other platforms that create a similarly useful corpus of video data. But anecdotally from my kids and their friends, TikTok is the flavor of the moment. Especially so for those young enough for the above concerns (or lack thereof) to be most valid.

This is not how spies work in the real world.

Kompromat, bribery, and threats. Not watching kids videos.

The intelligence apparatus of a nation-state is far more encompassing than just spies.

And no one has to actually watch any videos for the above-mentioned use cases. It's an engineering assignment for data science and tech teams, not spies.

As well, there's a very hazy line between government and industry interests in China, greatly expanding the potential use cases of sigint derived from such incidental data leakage beyond just what would be useful for kompromat, bribery, and threat purposes.

Indeed, spies are just a single tool and have very specific use cases — big data, analytics and data science is where the big nation states are at nowadays.

We don't know much about China's systems here, but looking at XKeyscore [0] (NSA, via Snowden leaks) is likely to be somewhat insightful re function and capabilities.

[0] https://en.wikipedia.org/wiki/XKeyscore

See this: https://www.proofpoint.com/us/corporate-blog/post/understand...

A quote: TikTok app permissions include personal information and device control

First, our researchers examined the permissions TikTok requires on Android and iOS devices following installation. While some of the permissions detailed below are to be expected, all of this is consistent with TikTok’s written privacy policy. However, when you see all that TikTok gathers it can still be of concern. In summary, these permissions allow TikTok to:

- Access the camera (and take pictures/video), the microphone (and record sound), the device’s WIFI connection, and the full contact list on the device
- Determine if the internet is available and access it
- Keep the device turned on and automatically start itself when the device restarts
- Secure detailed information on the user’s location using GPS and other apps that are running
- Read and write to the device’s storage, install/remove shortcuts, access the flashlight (turn it off and on), request additional installation packages

Our researchers found that TikTok has full access to the audio, video, and address book on the device, which isn’t surprising given that TikTok is an audio-visual app by design.

However, the GPS tracking is surprising, especially as TikTok videos don’t obviously display location information. TikTok does call out their collection of location information in their privacy policy.

Recap: TikTok does not need to be collecting contact and location data from my kids or any of our devices. This vacuuming up of information at scale reveals the relationships between people and a lot more. And that is my main problem. TikTok is way more than just a video app, it's spyware.

get outta here

Seems feasible it was a spam check. All my sensitive data is over in a separate work apps launcher anyway.

Personally, I find lots of useful content on TikTok. There's a divorce lawyer I've actually called in person. There's a nurse who gives coronavirus tips. There's a Chinese teacher. There's an idol who did a funny hand wash dance without showing a lot of skin and who does funny things with her cats. There's a fitness guy who always has a new way to do push ups or whatever. There's a chiro with back pain tips, etc.. One coworker does dances with her daughter - so maybe it helps parent-child bonding.

> All my sensitive data is over in a separate work apps launcher anyway.

How does that apply to children?

> and its gone forever

is it though?

do you honestly believe that?

I'm happy that iOS 14 is adding more transparency on what apps are accessing, like this clipboard situation. I'd love to see more of these, like camera roll and mic access.

iOS 14 has a new workflow that lets the user give an app access to a photo or selected photos without the app getting access to any of their other photos. Big privacy improvement on that front at least. I don't know about mic access.

iOS 14 is adding an indicator for apps using the camera and microphone. You'll also be able to see apps that recently used them in the control center.

This is so ridiculous. Google Maps accesses the clipboard. Try it out: copy an address and open maps.

So do Facebook and Instagram, I’m sure.

The level of paranoia in the Valley is astounding.

My clipboard frequently holds sensitive or even compromising information. If it isn't providing direct access to my finances, it might be something that could be used to blackmail me.

No, these random apps are not my spouse. They should not get access to sensitive info without explicit permission.

I think the point is that almost 20 apps 'got caught' reading the clipboard but people are only singling out TikTok because it's Chinese.

Google Maps has a clear use case for accessing the clipboard. If Tik Tok only accessed the clipboard on launch to check for a Tik Tok URL, that might be one thing, but there's no clear reason Tik Tok would need access to the clipboard literally every 3 keystrokes.

> Google Maps has a clear use case for accessing the clipboard.

I don't think it does. Neither application should "access" the clipboard.

I keep reading about naughty apps and wondering will the OS ever lock this stuff down.

Google maps detects copied addresses and lets you route to them in one click.

> Google maps detects copied addresses and lets you route to them in one click.

Routing to copied addresses is not a clear use case for letting something spy on everything the user copies, because we already have an invocation for handing clipboard contents to software exactly when the user desires it. It's called the "paste" command.

At some point engineers need to stop doing things just because they can.

It’s fine if an app has a valid use case to access clipboard. I have found it really convenient myself. I think the crux of the issue is that the apps should be forced to get permission from the user first, on a per-app basis.

What is the clear use case for "accessing the clipboard"?

I assume Google accesses the clipboard to see if there's an address in there and search for it. Whether that's a good use case or not is up for debate.

Personally I was surprised to learn that apps could read directly from the clipboard at all. I would've thought that was purely managed by the system and not given to the app until actually pasted.

Why not just have granular “clipboard” permission that could be granted or denied per-app?

Personally, I like the ease-of-use I get out of google maps grabbing addresses from my clipboard. Not everyone would like it though, and that is ok. They could decline the permission request.

But I don’t want other random apps being able to grab that info without permission.

There is no paranoia. There is no reason for tiktok to access my clipboard and snoop into what I have copied there. It is bad behaviour - nefarious or not.

The valley is the entire reason why we're paranoid: there's huge precedent for this kind of access being used for nefarious purposes.

Can someone answer why iOS even allows the ability to read the clipboard buffer in the first place? Just seems like poor privacy and security design.

I copy my password from my password manager and paste it into a different app. I can copy notes from OneNote and paste it into my email, and there are many other use cases I can think of. With iOS 14 Apple is letting the user know that some app is accessing your clipboard.

All of your examples are things initiated directly by the user. There's no reason that preserving user-initiated "paste" needs to mean letting an app take what it wants.

It wasn't clear from OP. I suppose having a permission modal like Photos or Contacts will do.

I know, right?

It's not super hard to imagine a parallel universe where any software can copy to the clipboard but only the OS, upon user request, can paste back out of it. And yet here we are wallowing in filth. Why, because people have never heard of a callback before?

Let the application include a "paste" handler function, and then all clipboard exfiltration must be initiated by the user at the OS UI layer. Simple. Safe.

so that if you switch from app A to app B, it can check your clipboard buffer for if you have a URL pasted into it and load that URL in the context of the app

example: if you copied twitter://foo/tweet/bar or https://twitter.com/foo/tweet/bar, it checks your clipboard and loads that tweet instantly

at least that's what i read over on reddit about this on r/apple

Except that letting apps randomly pull from the clipboard, where you might have copied passwords, bank account numbers, or any other sensitive information, is such an obviously unsafe idea that the person who suggested it should have been immediately sent to special privacy consciousness training.

For what? To save one "send to app" or "paste"?

At least reserve that functionality exclusively for the operating system on the grounds of "TRUST YOU? HAHAHAHAHA".

A super minor convenience feature, and enabling it allows apps to just read from my clipboard at will?

The juice ain't worth the squeeze.

I recently made the change in Firefox on macOS to stop websites from accessing the clipboard [1], and now pasting into Facebook is completely broken.

I wonder if they've been checking out my clipboard contents.

[1] https://www.ghacks.net/2014/01/08/block-websites-reading-mod...

>I recently made the change in Firefox on macOS to stop websites from accessing the clipboard

I don't think you needed to do that. I searched around and wasn't able to find any proof of concept that was able to steal clipboard data from firefox. see: https://news.ycombinator.com/item?id=23635488

When I installed TikTok, my phone's battery life shortened by 2-3x. That's suspicious enough for me to stay far away from it

Apple manually reviews the code of every app update. Why aren't they blocking this functionality from getting released in the first place?

I feel like every time I submit an app update I get questioned about why my app needs access to $xyz feature.

> manually

Do you really think so?

An interesting reddit comment by someone who uncovered many more shady data collection practices by Tik Tok: https://www.reddit.com/r/videos/comments/fxgi06/not_new_news...

Just wanted to inform audience here that TikTok is blocked in China. [1]

[1] https://en.wikipedia.org/wiki/List_of_websites_blocked_in_ma...

Interesting, is this more proof that the Chinese gov't is using it as a spying app?

It's probably more because tik tok and douyin have different content policies, having to police tik tok content as strictly as domestic content would stifle tik tok's growth outside the GFW.

Stuff like this is why I prefer a reactive web interface over a mobile app.

It seems like unless you need direct access to the camera or it’s a game, a web version should be fine.

I'm starting to think these devices need to provide examples when throwing up the permissions prompt. Worst case examples of what this permission can enable so that app developers might at least try to limit their requests.

Good on Apple. This and backwards compatibility make a compelling case for iOS.

Why do phones need the clipboard at all? There is a 'share with' infrastructure. Why not explicitly send copied data to the desired app directly instead of storing it in a central place?

That works for sharing an article or a post, but how do you quote a portion of a post?

On Android, you can happily select some text then hit Share (same menu as Copy and Cut).

That pattern is mainly used to open an app to a specific activity. eg. opening google search to a particular search phrase, or opening the dialer to a particular phone number. I can't see it working for when you're writing a email, and want to include a link/quote/image.

But that's exactly what I just did. Highlighted some text in a news article and Share'd to my email client, it dropped the text in, quoted, to the body of an email with the link to the article under it.

I would really, really miss the clipboard on my phone were it not there. I use it daily.

Also, I couldn't imagine having to use the 'share' functionality just to copy/paste. It's already such a frustrating experience just finding the app I want to share with, that I usually just end up selecting the 'copy link' option, opening the target app, and pasting it.

Copy and paste.

I used to see lots of people question the merits of copy/paste when iOS didn't have it, because iOS didn't have it. When iOS finally got it, I thought the matter settled. The people who previously dismissed the feature now considered it the best Apple innovation since sliced bread (or perhaps the multi-buttoned computer mouse.)

Do you never copy/paste text within the same document? How do you rearrange sentences, paragraphs, etc? Highlight-and-drag is cumbersome in long documents and is really an implementation of cut/paste, not copy/paste.

Too little too late. They should be barred from US markets however there may be worse actors out there that borderline criminals could call ‘industry standard’.

Tik Tok has no business snooping into my clipboard. It is bad behaviour irrespective of if it was nefarious or not. No need to justify this by bringing up behaviour of apps.

TikTok also is violating COPPA. Any underage child that signs up with a Google Account, you can clearly see from the Google account settings that they are collecting email addresses and other personal information. I believe Google and other app store providers should just remove them.

Is it possible for apps to read photos (not just metadata)?

Ya, little fucking late to back track that now.

It looks like apps can spy as much as they want and that it has little implications for the perpetrators... "ooops sorry! now let's carry on"

Hotels.com and a host of others did the same thing, indicating that this is not particularly nefarious.

However we keep talking about TikTok.

Why is that?

Because Tik Tok takes data collection to a whole new level. It uses this, and every other trick in the book. And that matters because it's not clear that this data will be constrained to the activities of sending me extremely targeted advertising. Now we can have a reasonable debate about that, but this has a new level of concern.

As a Chinese app, how do I know the Chinese government will not use me as an unknowing participant in a future cyberwar? One thing Tik Tok does is collect a pretty exhaustive list of apps installed on my phone. That could be used for identifying vulnerabilities they could potentially exploit.

Why should that mean it's not nefarious? Just because other apps are doing underhand privacy invasion doesn't make it any better - they are all scum!

Everyone is talking about TikTok because the video that went viral showed TikTok.

but what's next?

maybe i do not know how clipboard works, but the message "<active app> pasted from <inactive app>" is the worst possible label.

Also funny how every app shows it. Guess iOS 14 will be known by non technical users as "the cookie-law iphone version" and everything will continue as usual.

Tiktok has a lot of money. They can control speculator, then control America, then everyone.

This is just an overblown yellow-peril panic, right? How does any app paste? By "accessing the user clipboards". How does the chrome omnibox do "text you copied"? By "accessing the user clipboards".

Normal apps wait until the user attempts to perform a paste action to access the clipboard, instead of accessing the clipboard every two seconds.

TikTok reading it every couple seconds is definitely excessive. And frankly our tools fail us by not at least revealing that it's taking place -- new clipboard notification aside, as shown in TFA. How do I know how common vs weird this behavior actually is?

I'd only refine your post to say that it's common for apps to read the clipboard without you pasting. Right click Chrome's omnibar and it will show "Paste and go to <clipboard contents>", my bittorrent client and RSS clients prepopulate the new torrent/feed form if I have a URL in my clipboard.
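The "check the clipboard once for a link to your own app" behaviour described in the two comments above (the twitter:// deep-link example earlier in the thread, and the omnibar / torrent-client examples here), written out as an added example in Swift. It is not code from TikTok, Google, Chrome or any other app named in the thread. It assumes a hypothetical app whose own links live on `example.com`, and it uses the iOS 14 `UIPasteboard.detectPatterns(for:)` API, which tells the app whether a pattern such as a web URL is probably present without handing it the clipboard contents; only the final read of the value is the access iOS 14 shows to the user. The check runs once when the app comes to the foreground, never on a timer.

```swift
import UIKit

/// Added example, not code from any app named in the thread.
/// Looks for a deep link on the general pasteboard exactly once, when the
/// app comes to the foreground, and asks the system whether a web URL is
/// probably present before reading anything. Polling the pasteboard on a
/// timer or per keystroke is never needed for this use case.
enum PasteboardDeepLink {

    /// Hypothetical host of this app's own links (an assumption for the example).
    static let ownHost = "example.com"

    /// Call from `sceneDidBecomeActive(_:)` (or `applicationDidBecomeActive(_:)`).
    /// The completion receives a URL only if the clipboard holds a link to `ownHost`.
    static func checkOnActivation(completion: @escaping (URL?) -> Void) {
        let pasteboard = UIPasteboard.general

        // Content-free check first: `hasURLs` is answered from pasteboard
        // type metadata and does not read the string.
        guard pasteboard.hasURLs else {
            completion(nil)
            return
        }

        if #available(iOS 14.0, *) {
            // iOS 14: learn which patterns match without receiving the value.
            pasteboard.detectPatterns(for: [.probableWebURL]) { result in
                guard case .success(let patterns) = result,
                      patterns.contains(.probableWebURL) else {
                    DispatchQueue.main.async { completion(nil) }
                    return
                }
                // Only now read the value; this is the access iOS 14 reports to the user.
                let link = ownLink(from: pasteboard.url)
                DispatchQueue.main.async { completion(link) }
            }
        } else {
            // Older systems have no pattern API; the read itself is the only option.
            completion(ownLink(from: pasteboard.url))
        }
    }

    /// Accept only https links to our own host and discard everything else,
    /// so a copied password or account number is never kept or sent anywhere.
    static func ownLink(from url: URL?) -> URL? {
        guard let url = url,
              url.scheme?.lowercased() == "https",
              url.host?.lowercased() == ownHost else {
            return nil
        }
        return url
    }
}
```

The two cheap checks (`hasURLs`, then `detectPatterns`) mean a clipboard holding a password or a note never reaches the app at all, and the one real read happens at most once per foreground transition, which is the behaviour the thread distinguishes from reading every few seconds. Anything that is not a link to the app's own host is dropped immediately rather than logged or uploaded.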

Is the tiny convenience worth the ability to snoop? I don't think so. Or rather, I would like to decide that for myself.

Malice or just stupidity? I can imagine a dozen different reasons a program might access the clipboard in a loop, all of which reduce to "we are bad programmers".

Not all of them reduce to bad programmers. It could be either of malice or stupidity. In this age when data is valuable, it is better to be safe and assume malice.

It is the OS that should transfer the contents of the clipboard to an app, when the user tells it to do so, and not the other way around. The content of my clipboard shouldn't be any app's business until I decide to paste.

To be fair, I don't think the programmers implementing system APIs expected them to be (ab)used like this.

Now system API developers have to view downstream app developers in an adversarial manner...

Ok, but your beef is with Apple, not TikTok.

My beef is with the person who installs a spy camera in my shower, not with the person who didn't expect someone to install a spy camera in my shower. Only one of those people actually installed a spy camera in my shower.

Yeah it seems like it. Chrome and a lot of other apps show an insane amount of these popups on iOS 14 to either actually check your clipboard or just to toggle "paste" buttons.
