But I wonder why everyone is talking about one specific app?
I see a huge bias towards TikTok in headlines
"iOS 14 caught TikTok and other apps spying on the clipboard" 
"iOS 14 beta shows apps like TikTok still spy on your iPhone" 
There are a bunch of apps like VICE, Google News, WSJ that have been caught doing exactly the same.
I may have found the explanation for why TikTok did that. In China WeChat blocks direct links to their competitors. So apps like Taobao or Douyin have to find a workaround for deeplinks.
When you want to share the video from Douyin with a friend in WeChat, Douyin generates the following message.
在东京刚毕业入职三个月的职场小白 搬家找房 坚持更新#日本vlog #东京 https://v.douyin.com/J8ceMYY/ 复制此链接，打开【抖音短视频】，直接观看视频！
In WeChat the link is not clickable. To see the content, the user has to copy the full text and go to Douyin. The app will read the clipboard and perform the transition to the video. At the link below you can find the video explanation
Probably they reused some code in TikTok. Definitely they need to be more careful about data safety, but I don't think they really made a pipeline for spying using the clipboard.
There is a lot of buzz around TikTok these days, but I want to get an answer from other apps as well.
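As an added example (not code from this thread, from Douyin or from TikTok), here is how an app could handle that share text without reading the clipboard on its own: the function is only ever fed text the user has explicitly pasted into a link field, and it only accepts an https link whose host is on an allowlist. The share message is the one quoted above; the allowlisted host, the function names and the `handle_pasted_text` return shape are assumptions.

```python
import re
from urllib.parse import urlsplit

# The share text quoted in the thread, used here as sample input.
SAMPLE_SHARE_TEXT = (
    "在东京刚毕业入职三个月的职场小白 搬家找房 坚持更新#日本vlog #东京 "
    "https://v.douyin.com/J8ceMYY/ 复制此链接，打开【抖音短视频】，直接观看视频！"
)

# Assumption: the only host the app should ever open from pasted text.
ALLOWED_HOSTS = {"v.douyin.com"}

# A URL runs until ASCII whitespace, ideographic space or the full-width
# punctuation that follows the link in the share message.
URL_RE = re.compile(r"https?://[^\s\u3000，。！、【】]+")


def extract_share_link(text):
    """Return the first https URL in `text` whose host is allowlisted, else None.

    urlsplit() is used for the host check so that userinfo tricks such as
    https://v.douyin.com@evil.example/ and lookalike hosts such as
    v.douyin.com.evil.example are not mistaken for the real short-link host.
    """
    for match in URL_RE.finditer(text):
        candidate = match.group(0)
        parts = urlsplit(candidate)
        if parts.scheme != "https":
            continue  # plain http share links are not opened
        if parts.hostname not in ALLOWED_HOSTS:
            continue  # anything not on the allowlist is ignored
        return candidate
    return None


def handle_pasted_text(text):
    """Called only from an explicit paste action in a 'enter link' field.

    Nothing here touches the system clipboard; the user decides what is pasted.
    Returns a small dict describing what the app should do next.
    """
    link = extract_share_link(text)
    if link is None:
        return {"action": "ignore"}
    return {"action": "open", "url": link}


if __name__ == "__main__":
    print(handle_pasted_text(SAMPLE_SHARE_TEXT))
    print(handle_pasted_text("https://v.douyin.com@evil.example/x"))
```

The same entry point works for any share text, because it never polls the clipboard: the app learns the link exactly when the user pastes it, which is the design the thread later argues for.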
In this particular case, I think it's because the person who apparently discovered it claims that other apps "don't collect anywhere near the same amount of data that TikTok does". 
> For what it's worth I've reversed the Instagram, Facebook, Reddit, and Twitter apps. They don't collect anywhere near the same amount of data that TikTok does, and they sure as hell aren't outright trying to hide exactly whats being sent like TikTok is. It's like comparing a cup of water to the ocean - they just don't compare.
> I'm getting a lot of DM's asking me to prove the majority of this with a paper and snippets of the offending code. I have a decent amount of my notes on my other laptop that recently had a motherboard failure and the majority of that data is on the laptop's SSD. It's a macbook pro, so recovering the data isn't exactly super simple. I have some frida scripts that I pushed to my git server as well as some markdown files + conversation logs I've had with exploit devs, but not much else. In order to get everyone the proof they require, I'll likely need to reverse the app all over again which isn't something I have time for right now.
That sounds like "dog ate my homework", but well, sh*t may happen.
> Phone hardware (cpu type, number of course, hardware ids, screen dimensions, dpi, memory usage, disk space, etc)
What's so special about it?
> Other apps you have installed (I've even seen some I've deleted show up in their analytics payload - maybe using as cached value?)
That's interesting indeed. I heard some developers did that as well (Uber-Lyft case?) but it's really strange that Android enables that.
I'm not an Android dev, but I guess you can retrieve that through PackageManager?
> Everything network-related (ip, local ip, router mac, your mac, wifi access point name)
> Whether or not you're rooted/jailbroken
My bank app does the same, as well as plenty of other apps. Again, I'm mostly an iOS guy, so not familiar with the Android ecosystem that well.
> They set up a local proxy server on your device for "transcoding media", but that can be abused very easily as it has zero authentication
That sucks. Can anyone explain why they do that?
> On top of all of the above, they weren't even using HTTPS for the longest time. They leaked users' email addresses in their HTTP REST API, as well as their secondary emails used for password resets
Bold statement without any facts, tbh.
I don't wanna play devil's advocate, and I don't support the CCP, nor am I a big fan of TikTok.
I really enjoy reading well-made security research that unveils security valuation in Chinese apps.
But I hardly rely on posts without any clear data reinforcement.
> Honestly it is okay to discuss the bar behaviours of an app without blaming other apps.
OP explained the reason for doing so, how can we just discuss the problem without checking the cause?
1) TikTok is one of the most popular apps and was the second most downloaded last year. Come on, they are at the top. That's why we talk about them.
2) TikTok has been caught in a lot of privacy scandals that appear to be more egregious than other apps.
3) There's a deep seated fear, and evidence, that Chinese companies share their data with their government.
It is all three, but mostly #1.
These are the same event, why are you posting two instances of the same event like "TikTok is unfairly being targeted?"
> There a bunch of apps like VICE, Google News, WSJ that has been caught doing exactly the same. 
People are upset about that too. But frankly, VICE and the WSJ don't have as many downloads as TikTok. Even if you combine their total downloads they don't account for a tenth (<1/10th!!!!) of TikTok's downloads. Frankly I don't understand the logic here. Ignore the top dog just because others are doing the same thing? Just because others do it doesn't make it right and of course we should go after the one that's the biggest.
If you're bigger, people pay more attention to you. That's why TikTok is getting "singled out." BECAUSE TIKTOK IS ONE OF THE MOST POPULAR APPS IN THE WORLD! It doesn't matter what other apps do. That doesn't justify bad behavior. Am I the only one whose mom said "If all your friends jumped off a cliff, would you?"
How did the #DeleteFacebook movement impact the company's business? Not that much I believe. The stocks keep rising.
Would be interesting to see what will happen to Bytedance's product?
> 3) There's a deep seated fear, and evidence, that Chinese companies share their data with their government.
Can you share the evidence of that please?
Apparently Bytedance cut Domestic Engineers' Data Access to TikTok 
> Can you share the evidence of that please?
Not the parent commenter, but you may find this paper informative/insightful:
"Systematic Government Access to Private-Sector Data in China" (2017) 
Not by any means the only source, just happens to be one I read recently.
I'm going to start by saying "No they don't." They don't _have_ to do anything. They decided to.
> In WeChat the link is not clickable. To see the content user has to copy full text and go to the Douyin. The app will read the clipboard
They could have chosen to give you a place to put links without snooping your clipboard. That was a decision they made.
> I don't think they really made a pipeline for spying using clipboard.
Does the app spy on the user's clipboard? Yes. QED.
> Chinese users have been complaining that WeChat’s practice of blocking certain apps is a huge blow to user experience. But WeChat isn’t the only one doing it. Chinese tech companies constantly add services to their own ecosystems and block services from other companies, leading some tech watchers to say that China’s mobile internet has been split into pieces.
Hope they can fix it one day
Taobao/Douyin/etc could save face today by giving you a place to enter links instead of spying.
Why is every US app (facebook, twitter, youtube...) banned by China? But China's companies can earn money in America?
Why does the US government allow this to happen? They are a huge threat to the safety of America!
People teeter-totter about righteousness and freedom of choice, but IMO we need to stop feeding the CCP with more power/$$$/influence ... NOW ... Freedom of choice is great when there is fairness and democratic values built in, when the government isn't on some Han-supremacy drug and expansionist motives.
Someone will inevitably respond with whataboutism and smear American companies into the mix as if they're expressing their understanding of hypocrisy and one-sidedness. It is supposed to be one-sided. The west offered a two-way street which China declined to walk on. So, now all bets are off. Equivalency with the western apps/services/goods is no longer a valid counter argument.
On fair, just, and rational grounds - I am a progressive. In unfair, unjust and irrational waters - I am a conservative.
reference Goebbels: "I have nothing to hide, so I'm not worried"
Downplay: "They only read my emails and everything I write to sell me stuff better. Sometimes I need stuff. They're helping me!" As if it can only be used to sell and nothing else.
World revolves around self: "Well ads don't affect me." Like it doesn't matter that everyone else is affected even if you aren't.
Completely ignoring the fact that if someone can manipulate you to buy stuff they might be able to use it to manipulate you to do other things. I mean we have political ads. And Coke ads aren't there to sell you coke (they are there to make you feel better about your purchase). Frankly, to me it doesn't even matter if no one has done that yet (I'm aware of the clear evidence that people have) but that we're giving people the ability to do this en masse and in very precise ways. That just leads to a potential turn in democracy. "Just educating people" doesn't solve the problem either. Ads are still effective on smart people. So the question is "are the benefits ~~profits~~ worth the cost?" It is reasonable to think "yes", but I'm a resounding "no."
Yes, we use political ads to "manipulate democracy" and the like, but a mass statewide commercial is a very different thing than an individualized ad targeted to a specific person. At least to me these are very different (and we still have regulations on what you can say in political ads). Where do we draw the line? We talk about data a lot here and what we can model with it. What will ads look like in 20-50 years if we don't draw a line in privacy and technology continues to become more powerful? I think individualized ads will look very different. We do need to determine what level of individualization we can target with an ad, and I don't see much of that happening.
Apple’s infamous walled garden solves this problem to some extent, but introduces others because it lacks due process, leading to corruption where money can solve any problem, and so apps like Tiktok get to abuse their trust with impunity.
Essentially this is what "turnkey tyranny" is: the point at which power is consolidated to such a degree that a malevolent ruler would have the power of a tyrant.
So it has never been about having something to hide or that people aren't using a power malevolently. It is the potential for abuse and that given enough time a power is likely to be abused. Distribution makes it more difficult (but does not eliminate) to abuse power.
With HN's love for federated systems, which essentially operate under similar principles, I'm surprised this is not a more popular concept. The only difference is that we're talking about government officials instead of Moxie.
I don't have any memory of "CCP abuses TikTok to stir unrest in USA" being reported. Is there really such evidence?
If there is evidence, then please just ban the goddamn app out of any mobile smart phone platforms. It's too dangerous to open the lid of such a mass brain-washing machine. Even in the Arab Spring, it was just passively allowing the information to propagate organically. No one with sane judgement should allow these apps to be used as manipulation tools by any minority group...
It's not like this is uncommon either. The US themselves did this under Hamilton's American System and Japan did it in the late 19th century when they maximized goods and technology coming in while trying to keep as much foreign influence out. It's a reasonable strategy and particularly understandable with a historical view of East-Asia, which doesn't have the best experience with opening up to Western companies.
I never really understood where the problem is because China didn't kidnap Apple's CEO and force them to build factories in China. If Americans think whatever China offers is not worth it they're free not to participate.
America has problems, but your order-of-magnitude calibration is way off if you think a concentration-camp operating (i.e. the real kind with over a million people who committed no crime and are held just for their beliefs and culture) expansionist (Hong Kong, Tibet, Taiwan) totalitarian (speech is monitored and punished in a "go to prison, right away" manner rather than "twitter deleted my racist shit and nothing else happened to me" way) government. So yes, occasionally ineffective democracies that value human rights and freedoms (i.e. the west) is better than the CCP government, and will continue to be better now and into the foreseeable future.
The US invaded Iraq for oil colonization.
Can't answer specifically without knowing who "ours" and "theirs" are, but I can answer generically. Governments that hold elections where more than one genuinely competing party can win if enough voters want to vote for them are better than governments that declare themselves the rulers.
Governments that defend the rights of people to express genuinely competing opinions, regardless of who agrees or disagrees, are better than governments that use or enable coercion to silence opinions they don't want people to hear.
Governments that use pervasive surveillance to monitor and punish people for thought crimes, where having or expressing forbidden opinions is treated as an actual "crime", are worse than governments that don't.
There is clearly a spectrum, and though my Chinese relatives keep pointing out how many US institutions are coming to resemble the Marxist institutions and people resemble the Red Guards they remember, the actual government of China is still far worse. "Since we, the CCP, are the People's Gov't, there is no further need for elections, and anyone who disagrees is an Enemy of The People, needs to be discovered, and deserves to be punished for that crime."
Especially a foreign government that is considered a top adversary by the US and vice-versa.
I'm sure you would argue that Google, MS and Apple are completely independent of the US government.
Yeah, they spend a fortune on lobbying - nonetheless they are very compliant with the US "national security". Keep them downvotes coming, Snowden never blew a whistle.
If I am wrong about the unfettered access, let me know.
National Security letters mean that for 95.75% of the world's population, what you just said applies to the USA.
A lot of apps are doing the stupid clipboard detection thing. As others have commented, there’s reasons for this that range from spam detection to link shortening. It’s lousy, I agree, but this has been a very common thing in a pre-iOS 14 world.
I'm pretty sure that tiktok has more than 4M users. I guess you can argue that OPM has more % of "high value" users compared to tiktok, but it's also 5 years out of date and contains different sets of data entirely. OPM data doesn't have your minute-by-minute location history and clipboard history, for instance.
What it allows the Chinese government to do is filter any other source of data (such as TikTok) and exclude anyone in the US who doesn't have a security clearance. You then have vastly less raw intelligence to sift and try to find the accidental video someone posted with a whiteboard full of secrets in the background.
Platforms like TikTok are active propaganda tools already, and can be used to shape discourse in democracies.
It is a major concern whether such tools are owned by foreign governments (tikTok) or private companies who do not need to comply with any regulations(Facebook twitter) etc.
I was wrong. Every generation is equally prone to hysteria. We learn nothing.
Honestly you’d be better off educating them and telling them it’s a good idea than forcing them to jettison an app they probably love. Tons of apps do this (as discovered in iOS 14) and I highly suggest not doing a crusade against one when a lot more do it. See: https://youtu.be/pRSWdtoUAjo
Me: "No. It is Chinese spyware."
My Daughter: "<so and so from school> has TikTok!"
Me: "<so and so> is a Chinese asset!"
My Daughter: "No she's not!"
(I'm a high school student, abstaining from social media other than HN.)
Edit: Have you tried explaining to your daughter why TikTok is Chinese spyware?
TikTok is a virally popular video app used globally by a generation of adolescents that have normalized the behavior of recording inane happenings in their life multiple times a day, with an undeveloped sense of propriety and limited ability to fully comprehend the significance of their actions.
Not that I have much of an opinion on TikTok's usage as an intelligence gathering source, I certainly appreciate its potential as one.
My daughters are constantly taking videos all over the place, with little regard to what is in the video beyond themselves. Even though they've been hounded on what is and isn't appropriate to capture in a video, I'm sure they have an under-developed sense of security/concern in that regard, particularly for "private" or deleted videos.
Access to the full corpus of video data uploaded to Tiktok would be a gold mine, least of which would actually be my adolescent daughters. Unrelated conversations picked up in the background, where/when they took the video, compromising/confidential artifacts exposed incidentally in the background, facial recognition on individuals in the video (whether the subject of the video or otherwise), etc. There are an immeasurable number of ways such a rich data source could be mined for signal intelligence.
Note that TikTok is far from the only app that fits this definition. There are plenty of other platforms that create a similarly useful corpus of video data. But anecdotally from my kids and their friends, TikTok is the flavor of the moment. Especially so for those young enough for the above concerns (or lack thereof) to be most valid.
Kompromat, bribery, and threats. Not watching kids videos.
And no one has to actually watch any videos for the above-mentioned use cases. It's an engineering assignment for data science and tech teams, not spies.
As well, there's a very hazy line between government and industry interests in China, greatly expanding the potential use cases of sigint derived from such incidental data leakage beyond just what would be useful for kompromat, bribery, and threat purposes.
We don't know much about China's systems here, but looking at XKeyscore (NSA, via Snowden leaks) is likely to be somewhat insightful re function and capabilities.
TikTok app permissions include personal information and device control
Access the camera (and take pictures/video), the microphone (and record sound), the device’s WIFI connection, and the full contact list on the device
Determine if the internet is available and access it
Keep the device turned on and automatically start itself when the device restarts
Secure detailed information on the user’s location using GPS and other apps that are running
Read and write to the device’s storage, install/remove shortcuts, access the flashlight (turn it off and on), request additional installation packages
Our researchers found that TikTok has full access to the audio, video, and address book on the device, which isn’t surprising given that TikTok is an audio-visual app by design.
TikTok does not need to be collecting contact and location data from my kids or any of our devices. This vacuuming up of information at scale reveals the relationships between people and a lot more. And that is my main problem. TikTok is way more than just a video app, it's spyware.
Personally, I find lots of useful content on TikTok. There's a divorce lawyer I've actually called in person. There's a nurse who gives coronavirus tips. There's a Chinese teacher. There's an idol who did a funny hand wash dance without showing a lot of skin and who does funny things with her cats. There's a fitness guy who always has a new way to do push ups or whatever. There's a chiro with back pain tips, etc. One coworker does dances with her daughter - so maybe it helps parent-child bonding.
How does that apply to children?
is it though?
do you honestly believe that?
So do Facebook and Instagram, I’m sure.
The level of paranoia in the Valley is astounding.
No, these random apps are not my spouse. They should not get access to sensitive info without explicit permission.
I don't think it does. Neither application should "access" the clipboard.
Routing to copied addresses is not a clear use case for letting something spy on everything the user copies, because we already have an invocation for handing clipboard contents to software exactly when the user desires it. It's called the "paste" command.
At some point engineers need to stop doing things just because they can.
Personally I was surprised to learn that apps could read directly from the clipboard at all. I would've thought that was purely managed by the system and not given to the app until actually pasted.
Personally, I like the ease-of-use I get out of google maps grabbing addresses from my clipboard. Not everyone would like it though, and that is ok. They could decline the permission request.
But I don’t want other random apps being able to grab that info without permission.
It's not super hard to imagine a parallel universe where any software can copy to the clipboard but only the OS, upon user request, can paste back out of it. And yet here we are wallowing in filth. Why, because people have never heard of a callback before?
Let the application include a "paste" handler function, and then all clipboard exfiltration must be initiated by the user at the OS UI layer. Simple. Safe.
example: if you copied twitter://foo/tweet/bar or https://twitter.com/foo/tweet/bar, it checks your clipboard and loads that tweet instantly
at least that's what i read over on reddit about this on r/apple
For what? To save one "send to app" or "paste"?
At least reserve that functionality exclusively for the operating system on the grounds of "TRUST YOU? HAHAHAHAHA".
The juice ain't worth the squeeze.
I wonder if they've been checking out my clipboard contents.
I don't think you needed to do that. I searched around and wasn't able to find any proof of concept that was able to steal clipboard data from firefox. see: https://news.ycombinator.com/item?id=23635488
I feel like every time I submit an app update I get questioned about why my app needs access to $xyz feature.
Do you really think so?
It seems like unless you need direct access to the camera or it’s a game a web version should be fine.
Also, I couldn't imagine having to use the 'share' functionality just to copy/paste. It's already such a frustrating experience just finding the app I want to share with, that I usually just end up selecting the 'copy link' option, opening the target app, and pasting it.
Do you never copy/paste text within the same document? How do you rearrange sentences, paragraphs, etc? Highlight-and-drag is cumbersome in long documents and is really an implementation of cut/paste, not copy/paste.
However we keep talking about TikTok.
Why is that?
As a Chinese app, how do I know the Chinese government will not use me as an unknowing participant in a future cyberwar? One thing TikTok does is collect a pretty exhaustive list of apps installed on my phone. That could be used for identifying vulnerabilities they could potentially exploit.
Everyone is talking about TikTok because the video that went viral showed TikTok.
Also funny how every app shows it. Guess iOS 14 will be known by non-technical users as "the cookie-law iPhone version" and everything will continue as usual.
I'd only refine your post to say that it's common for apps to read the clipboard without you pasting. Right click Chrome's omnibar and it will show "Paste and go to <clipboard contents>", my bittorrent client and RSS clients prepopulate the new torrent/feed form if I have a URL in my clipboard.
Is the tiny convenience worth the ability to snoop? I don't think so. Or rather, I would like to decide that for myself.
Now system API developers have to view downstream app developers in an adversarial manner...