TikTok seems to be copying and pasting your clipboard with every keystroke
A new privacy feature in iOS 14 has revealed that TikTok is copying the contents of your clipboard with every keystroke. The new feature – called paste notifications – shows that TikTok is inspecting the clipboard with each new keystroke, and it’s possible that they’re also grabbing the contents and storing it for later to be sent off with the other information that TikTok phones home with. This discovery was tweeted by Jeremy Burge and is demonstrated in a video below:
Okay so TikTok is grabbing the contents of my clipboard every 1-3 keystrokes. iOS 14 is snitching on it with the new paste notification pic.twitter.com/OSXP43t5SZ
— Jeremy Burge (@jeremyburge) June 24, 2020
Editor’s note: According to The Telegraph, TikTok has stated they will stop reading the contents of the clipboard now that they have been caught.
TikTok stores all kinds of information and sends it back to China
A Reddit user, bangorlol, posted to the Videos subreddit with a breakdown of what information TikTok takes from users and sends back to China. They found that TikTok used pretty much all the data collection ability available to mobile app developers. Information gathered by TikTok and sent home include:
- “Phone hardware (cpu type, number of course, hardware ids, screen dimensions, dpi, memory usage, disk space, etc)”
- “Other apps you have installed (I’ve even seen some I’ve deleted show up in their analytics payload – maybe using as cached value?)”
- “Everything network-related (ip, local ip, router mac, your mac, wifi access point name)”
- “Whether or not you’re rooted/jailbroken”
- “Some variants of the app had GPS pinging enabled at the time, roughly once every 30 seconds – this is enabled by default if you ever location-tag a post IIRC”
- “They set up a local proxy server on your device for “transcoding media”, but that can be abused very easily as it has zero authentication”
Many established cybersecurity firms have also done this teardown and found similar alarming privacy concerns. One such company, Penetrum, included this note in their latest static report of TikTok version 1.8.0:
“The app copies data to clipboard. Sensitive data should not be copied to clipboard as other applications can access it.”
With iOS 14, this behavior is now front and center for TikTok users – and they absolutely should be concerned.
The clipboard as a privacy attack vector
The contents of your clipboard can be very sensitive. With the proliferation of password managers, which create the pattern of copying and pasting passwords, this raises the concern that TikTok is storing your passwords for other apps and websites and sending it back to China. Of course, it isn’t possible to know exactly what TikTok is doing with the clipboard contents. It could just be checking for certain types of links to increase functionality for users; however, TikTok doesn’t have the best track record so it’s understandable why experts around the world are wary of this behavior.
It’s important to remember that besides what you copy for pasting, anything you enter into an app or website can be viewed.
As an aside: any app can already steal what you type into it, even if you don't hit send.
Websites can do it too.
It's sneaky and I don't like it, but they can do it (not necessarily legally re: GDPR, but that's another issue)
Always assume an app can use what you type into it
— Jeremy Burge (@jeremyburge) June 25, 2020
Even when entering – or copying and pasting – a password into an app or website, it’s entirely possible for that information to be stored somewhere and you have to trust the service that you’re using to have proper security measures in place for that. It’s bad enough that an app can potentially be storing and sending off the contents of your clipboard, but if they’re doing so in an unsecured manner – others could get access to that sensitive clipboard information, too. The TikTok app hasn’t been known as a privacy respecting app, and this latest update should really raise some eyebrows even from the average user.