
Great to see another layer of transparency in iOS 14.

But I wonder why everyone is talking about one specific app? I see a huge bias towards TikTok in headlines.

"iOS 14 caught TikTok and other apps spying on the clipboard" [0]

"iOS 14 beta shows apps like TikTok still spy on your iPhone" [1]

There are a bunch of apps like VICE, Google News and WSJ that have been caught doing exactly the same. [2]

I may have found the explanation for why TikTok did that. In China, WeChat blocks direct links to its competitors. So apps like Taobao or Douyin have to find a workaround for deeplinks. When you want to share a video from Douyin with a friend in WeChat, Douyin generates the following message.

在东京刚毕业入职三个月的职场小白 搬家找房 坚持更新#日本vlog #东京 https://v.douyin.com/J8ceMYY/ 复制此链接,打开【抖音短视频】,直接观看视频!

In WeChat the link is not clickable. To see the content, the user has to copy the full text and go to Douyin. The app will read the clipboard and perform the transition to the video. At the link below you can find a video explanation. [3]

Probably they re-used some code in TikTok. Definitely they need to be more careful about data safety, but I don't think they really made a pipeline for spying using the clipboard.

There is a lot of buzz around TikTok these days, but I want to get an answer from other apps as well.

[0] https://bgr.com/2020/06/26/ios-14-beta-privacy-features-tikt...

[1] https://mashable.com/article/iphone-ios-14-privacy-clipboard...

[2] https://www.youtube.com/watch?v=pRSWdtoUAjo

[3] https://twitter.com/kidrulit/status/1277629462721384448

> But I wonder why everyone is talking about one specific app?

In this particular case, I think it's because the person who apparently discovered it claims that other apps "don't collect anywhere near the same amount of data that TikTok does". [0]

> For what it's worth I've reversed the Instagram, Facebook, Reddit, and Twitter apps. They don't collect anywhere near the same amount of data that TikTok does, and they sure as hell aren't outright trying to hide exactly what's being sent like TikTok is. It's like comparing a cup of water to the ocean - they just don't compare.

[0] https://www.reddit.com/r/videos/comments/fxgi06/not_new_news...


I went through this post earlier. Unfortunately the video has been removed for some reason.

> I'm getting a lot of DMs asking me to prove the majority of this with a paper and snippets of the offending code. I have a decent amount of my notes on my other laptop that recently had a motherboard failure and the majority of that data is on the laptop's SSD. It's a MacBook Pro, so recovering the data isn't exactly super simple. I have some frida scripts that I pushed to my git server as well as some markdown files + conversation logs I've had with exploit devs, but not much else. In order to get everyone the proof they require, I'll likely need to reverse the app all over again which isn't something I have time for right now.

That sounds like "the dog ate my homework", but well, sh*t may happen.

> Phone hardware (cpu type, number of cores, hardware ids, screen dimensions, dpi, memory usage, disk space, etc)

What's so special about it?

> Other apps you have installed (I've even seen some I've deleted show up in their analytics payload - maybe using as cached value?)

That's interesting indeed. I heard some developers did that as well (the Uber-Lyft case?), but it's really strange that Android enables that. I'm not an Android dev, but I guess you can retrieve that through PackageManager?

> Everything network-related (ip, local ip, router mac, your mac, wifi access point name)

https://developer.android.com/reference/android/net/wifi/Wif...

wifiManager.getConnectionInfo()

> Whether or not you're rooted/jailbroken

My bank app does the same, as do plenty of other apps. Again, I'm mostly an iOS guy, so I'm not familiar with the Android ecosystem that well.

> They set up a local proxy server on your device for "transcoding media", but that can be abused very easily as it has zero authentication

That sucks. Can anyone explain why they do that?

> On top of all of the above, they weren't even using HTTPS for the longest time. They leaked users' email addresses in their HTTP REST API, as well as their secondary emails used for password resets

Bold statement without any facts, tbh.

I don't wanna play devil's advocate, and I don't support the CCP, nor am I a big fan of TikTok.

I really enjoy reading well-made security research that unveils security violations in Chinese apps. [0]

But I can hardly rely on posts without any clear data to back them up.

[0] https://citizenlab.ca/2020/05/we-chat-they-watch/


I don't use or like TikTok, but that post also came across as super fishy to me. Lots of it boiled down to "I'm a software engineer, trust me" with a good amount of FUD thrown in (going on about GPS data when the app doesn't even request the Location permission? complaining the app can see your screen resolution?). I'm sure the truth is somewhere in between, but TikTok is the whipping boy of the day, so you'll see all sorts of cool stuff like mainstream media using an anonymous reddit post as a source.

Exactly. Moreover, r/videos doesn't seem like the proper place to share a reverse-engineering analysis.

It's hard to trust a self-proclaimed computer expert who neither uploads any data to share as evidence, nor backs up any of his work anywhere, nor syncs to any cloud.

Yeah, this was my exact problem with that comment. They ended it by saying apps like Facebook/Gmail/etc don't collect nearly the same amount of data, but I'm very hard pressed to believe that. I'll believe it when they show a side-by-side comparison of what portions of each category they listed TikTok is accessing/Facebook is accessing, with the accompanying bytecode they claim to have decoded.

Oh, it seems that from Android 11, it became much harder to see the list of installed apps.

https://news.ycombinator.com/item?id=23692964


Just because other apps do that is no excuse for bad behaviour. Almost all apps get flak for bad behaviour. TikTok is the newest popular thing on the block and it is expected to be widely covered. Honestly it is okay to discuss the bad behaviours of an app without blaming other apps.

Being "caught" reading the clipboard is not an indictment that you are doing something wrong. It's very good that it is no longer occurring invisibly in the background, but so far what we have seen appears to be frivolous usage rather than malicious.

Smh, a newly registered account.

> Honestly it is okay to discuss the bad behaviours of an app without blaming other apps.

OP explained the reason for doing so; how can we just discuss the problem without checking the cause?


The app for Discord would also make the warning show, though the fix for that was a small one-line change.

https://twitter.com/lolpython/status/1276235830692941829


I think it's probably because they were already in a series of such mess-ups, so someone decided to check it with TikTok and that went viral. Also, it's a social media app that a lot of people use, so using that as part of the headlines for media gains eyeballs.

Oh wow, thanks for sharing [2]. That's ludicrous (the consent manufacturing part).

> But I wonder why everyone is talking about one specific app? I see a huge bias towards TikTok in headlines.

1) TikTok is one of the most popular apps and was the second most downloaded last year [0]. Come on, they are at the top. That's why we talk about them.

2) TikTok has been caught in a lot of privacy scandals that appear to be more egregious than other apps.

3) There's a deep seated fear, and evidence, that Chinese companies share their data with their government.

It is all three, but mostly #1.

> [0][1]

These are the same event, why are you posting two instances of the same event like "TikTok is unfairly being targeted?"

> There are a bunch of apps like VICE, Google News and WSJ that have been caught doing exactly the same. [2]

People are upset about that too. But frankly, VICE and the WSJ don't have as many downloads as TikTok. Even if you combine their total downloads they don't account for a tenth (<1/10th!!!!) of TikTok's downloads. Frankly I don't understand the logic here. Ignore the top dog just because others are doing the same thing? Just because others do it doesn't make it right and of course we should go after the one that's the biggest.

If you're bigger, people pay more attention to you. That's why TikTok is getting "singled out." BECAUSE TIKTOK IS ONE OF THE MOST POPULAR APPS IN THE WORLD! It doesn't matter what other apps do. That doesn't justify bad behavior. Am I the only one whose mom said "If all your friends jumped off a cliff, would you?"

[0] https://www.visualcapitalist.com/ranked-most-downloaded-apps...


Yeah, the bar is high. But unfortunately people seek short-term rewards and rarely care about their data leakage.

How did the #DeleteFacebook movement impact the company's business? Not that much, I believe. The stock keeps rising. It would be interesting to see what will happen to ByteDance's product.

> 3) There's a deep seated fear, and evidence, that Chinese companies share their data with their government.

Can you share the evidence of that please? Apparently ByteDance cut domestic engineers' data access to TikTok. [0]

[0] https://en.pingwest.com/a/6875


>> 3) There's a deep seated fear, and evidence, that Chinese companies share their data with their government.

> Can you share the evidence of that please?

Not the parent commenter, but you may find this paper informative/insightful:

"Systematic Government Access to Private-Sector Data in China" (2017) [0]

Not by any means the only source, just happens to be one I read recently.

[0] https://www.oxfordscholarship.com/view/10.1093/oso/978019068...


Obligatory xkcd on bridge jumping:

https://xkcd.com/1170/


> In China WeChat blocks direct links to their competitors. So apps like Taobao or Douyin have to find a workaround for deeplinks.

I'm going to start by saying "No they don't." They don't _have_ to do anything. They decided to.

> In WeChat the link is not clickable. To see the content, the user has to copy the full text and go to Douyin. The app will read the clipboard

They could have chosen to give you a place to put links without snooping your clipboard. That was a decision they made.

> I don't think they really made a pipeline for spying using clipboard.

Does the app spy on the user's clipboard? Yes. QED.


They do it to get around very anti-competitive behaviour. WeChat pretty much has a monopoly on chat in China, so if you want to get into that market I guess you have to come up with some way around it. Though I agree that a button that would activate it would likely have been a better way to do it. Even if they did not do anything nefarious, this really makes it look like they did.
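The clipboard deeplink flow from the first comment, implemented the way the "button" suggestion above implies, as an added example that is not Douyin's, TikTok's or any commenter's code: the pasteboard is read only on an explicit tap, and the pasted text is treated as untrusted input that is opened only if it carries an https link on an allow-listed host. The class name, the allow-list and the alert helper are assumptions.

```swift
import UIKit

// Added example (not Douyin/TikTok code): the "honest alternative" to reading
// the pasteboard at launch. The pasteboard is read only when the user taps a
// "Paste link" button, and the pasted text is treated as untrusted input.
final class PasteLinkViewController: UIViewController {
    // Hypothetical allow-list: only the app's own short-link host is ever opened.
    static let allowedHosts: Set<String> = ["v.douyin.com"]

    /// Returns the first allow-listed https URL found in a share message such as
    /// "... https://v.douyin.com/J8ceMYY/ 复制此链接 ...", or nil if there is none.
    static func shareLink(in text: String) -> URL? {
        guard let detector = try? NSDataDetector(
            types: NSTextCheckingResult.CheckingType.link.rawValue) else { return nil }
        let range = NSRange(text.startIndex..., in: text)
        return detector.matches(in: text, options: [], range: range)
            .compactMap { $0.url }
            .first { url in
                guard url.scheme?.lowercased() == "https", let host = url.host else { return false }
                return allowedHosts.contains(host.lowercased())
            }
    }

    /// Wired to the "Paste link" button. The pasteboard is touched only here, on an
    /// explicit tap, so the iOS 14 "pasted from ..." banner appears exactly when the
    /// user expects it and never silently in the background.
    @IBAction func pasteLinkTapped(_ sender: Any) {
        let pasteboard = UIPasteboard.general
        // hasStrings only inspects item types; it does not read content and does
        // not trigger the banner, so a non-text pasteboard bails out early.
        guard pasteboard.hasStrings, let text = pasteboard.string else {
            showMessage("Nothing to paste")
            return
        }
        guard let url = Self.shareLink(in: text) else {
            showMessage("No Douyin link found in the pasted text")
            return
        }
        UIApplication.shared.open(url)
    }

    // Hypothetical helper for user feedback.
    private func showMessage(_ message: String) {
        let alert = UIAlertController(title: nil, message: message, preferredStyle: .alert)
        alert.addAction(UIAlertAction(title: "OK", style: .default))
        present(alert, animated: true)
    }
}
```

A reviewer checking an app for this pattern can grep for `UIPasteboard.general.string` outside of user-initiated actions; any read from `applicationDidBecomeActive` or `viewDidAppear` is the behaviour the iOS 14 banner now exposes.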

Spying on users is a dishonorable way to get around another corporation's anti-competitive behavior. Because it was not the only extremely obvious viable option (I mentioned a clearly honest, obvious alternative), we have to conclude that they desire to act dishonorably.

That's a big dispute in Sina tech. [0]

[0] https://www.scmp.com/abacus/culture/article/3029309/wechat-s...

> Chinese users have been complaining that WeChat’s practice of blocking certain apps is a huge blow to user experience. But WeChat isn’t the only one doing it. Chinese tech companies constantly add services to their own ecosystems and block services from other companies, leading some tech watchers to say that China’s mobile internet has been split into pieces.

Hope they can fix it one day.


> Hope they can fix it one day.

Taobao/Douyin/etc could save face today by giving you a place to enter links instead of spying.


Well, since you talk about bias,

Why is every US app (Facebook, Twitter, YouTube...) banned by China, but Chinese companies can earn money in America?

Why does the US government allow this to happen? They are a huge threat to the safety of America!
