TikTok, a Chinese-owned social media app, has been a phenomenon. It has at least 800 million users globally, and the number keeps rising. Amid its popularity, TikTok accesses some of Apple users’ most private data, which can include passwords. Another 53 apps identified in March are still engaging in this practice.
This finding has been confirmed by researchers Talal Haj Bakry and Tommy Mysk. In their blog post, they mentioned that these apps quietly read the user’s clipboard every time the apps are opened. The clipboard is where all copied or cut text is stored. This access can be dangerous, as users sometimes paste their passwords, messages, and cryptocurrency wallet addresses. The reason for doing so is not yet clear.
Finding on iOS 14
With the developer beta release of iOS 14, this security concern has regained attention. Apple added a new feature that shows a banner warning every time an app reads clipboard contents. Users appreciate it, as it exposes which apps engage in this practice and how frequently they do it.
A YouTube video with more than 100 thousand views has demonstrated this finding. When users open an app that reads the clipboard, a pop-up message at the top of the screen notifies them.
Among these apps, TikTok has drawn more attention. A Twitter thread revealed that the app reads clipboard data aggressively, unlike any other app. In the thread, the user mentioned that TikTok pastes the data every 1-3 keystrokes.
If you have an iOS 14 beta installed on your phone, you can reproduce this finding. For example, you can copy some text from a website. Then, open TikTok and start typing in any text field. A notification will warn you every time an app “pastes” data from your clipboard.
To reproduce:
1. Have something on your clipboard. Eg copy some text from Notes or a website
2. Open TikTok and start typing in any text field
3. You learn from iOS 14 beta each time an app “pastes” – but in this instance I didn’t request it, and none of that text appears in UI
— Jeremy Burge (@jeremyburge) June 24, 2020
Earlier in March, TikTok said it would remove the clipboard-access algorithm in a few weeks. In fact, after more than three months, the app is still spying on users’ clipboard data.
List of Apps Spying on Users’ Clipboard Data
Here’s a list of the other 53 apps:
News
- ABC News — com.abcnews.ABCNews
- Al Jazeera English — ajenglishiphone
- CBC News — ca.cbc.CBCNews
- CBS News — com.H443NM7F8H.CBSNews
- CNBC — com.nbcuni.cnbc.cnbcrtipad
- Fox News — com.foxnews.foxnews
- News Break — com.particlenews.newsbreak
- New York Times — com.nytimes.NYTimes
- NPR — org.npr.nprnews
- ntv Nachrichten — de.n-tv.n-tvmobil
- Reuters — com.thomsonreuters.Reuters
- Russia Today — com.rt.RTNewsEnglish
- Stern Nachrichten — de.grunerundjahr.sternneu
- The Economist — com.economist.lamarr
- The Huffington Post — com.huffingtonpost.HuffingtonPost
- The Wall Street Journal — com.dowjones.WSJ.ipad
- Vice News — com.vice.news.VICE-News
Games
- 8 Ball Pool™ — com.miniclip.8ballpoolmult
- AMAZE!!! — com.amaze.game
- Bejeweled — com.ea.ios.bejeweledskies
- Block Puzzle — Game.BlockPuzzle
- Classic Bejeweled — com.popcap.ios.Bej3
- Classic Bejeweled HD — com.popcap.ios.Bej3HD
- FlipTheGun — com.playgendary.flipgun
- Fruit Ninja — com.halfbrick.FruitNinjaLite
- Golfmasters — com.playgendary.sportmasterstwo
- Letter Soup — com.candywriter.apollo7
- Love Nikki — com.elex.nikki
- My Emma — com.crazylabs.myemma
- Plants vs. Zombies™ Heroes — com.ea.ios.pvzheroes
- Pooking – Billiards City — com.pool.club.billiards.city
- PUBG Mobile — com.tencent.ig
- Tomb of the Mask — com.happymagenta.fromcore
- Tomb of the Mask: Color — com.happymagenta.totm2
- Total Party Kill — com.adventureislands.totalpartykill
- Watermarbling — com.hydro.dipping
Social Networking
- TikTok — com.zhiliaoapp.musically
- ToTalk — totalk.gofeiyu.com
- Tok — com.SimpleDate.Tok
- Truecaller — com.truesoftware.TrueCallerOther
- Viber — com.viber
- Weibo — com.sina.weibo
- Zoosk — com.zoosk.Zoosk
Other
- 10% Happier: Meditation — com.changecollective.tenpercenthappier
- 5-0 Radio Police Scanner — com.smartestapple.50radiofree
- Accuweather — com.yourcompany.TestWithCustomTabs
- AliExpress Shopping App — com.alibaba.iAliexpress
- Bed Bath & Beyond — com.digby.bedbathbeyond
- Dazn — com.dazn.theApp
- Hotels.com — com.hotels.HotelsNearMe
- Hotel Tonight — com.hoteltonight.prod
- Overstock — com.overstock.app
- Pigment – Adult Coloring Book — com.pixite.pigment
- Recolor Coloring Book to Color — com.sumoing.ReColor
- Sky Ticket — de.sky.skyonline
- The Weather Network — com.theweathernetwork.weathereyeiphone