It all started with the findings of researcher Tommy Mysk, who in an interview with Ars Technica in March listed 53 apps that, for various reasons, read the contents of the clipboard without the user being aware of it. The problem, the researcher points out, extends across multiple devices in the case of iOS. The iPhone operating system includes a clipboard-sharing feature that lets text copied on a phone be pasted on all compatible devices owned by the same user. The feature is used above all to share codes, passwords, email addresses or Bitcoin wallet addresses. “A really dangerous [feature],” Mysk calls it. “There is no reason for apps to read the clipboard. An app that does not have a text field has no reason to read what we copy.”
The reference is precisely to those services that have no specific reason to read what has been copied, and that do so without the user’s knowledge. These include the news apps of Fox News, The New York Times and the Wall Street Journal, and the games Fruit Ninja, PlayerUnknown’s Battlegrounds and Bejeweled. Viber, Weibo, Zoosk, AccuWeather and DAZN are also on the list reported by Ars Technica.
But the first concerns date back to the end of June, when several users noticed this behavior in TikTok, one of the social networks most popular with young people, with an estimated base of 800 million accounts. Several videos shared on YouTube and Twitter show how the app collects the contents of the clipboard “every three presses of a button”, as one Twitter user points out. The release of the beta version of iOS 14 made the phenomenon observable: it flagged the app’s clipboard activity at almost every key pressed by the user while commenting on a video.
According to what the Telegraph reported at the end of June, TikTok has since released an update that disables the function. The company’s explanation is that the behavior came from an anti-spam feature, which checked the user’s clipboard to prevent the same comment from being pasted several times.
“We have already released an updated version of the app on the [Apple, ed.] Store in which the anti-spam function has been removed, so as to eliminate any possible confusion,” a company spokesman said. “TikTok is committed to protecting user privacy and being transparent about how our app works.”
However, several months passed between the first promise to remove the function and the release of the update. TikTok had in fact already been named in Mysk’s report in March, but it seems the final decision came only after the announcement of iOS 14, which made the app’s aggressive behavior evident, with a practically continuous copy-and-paste.
Okay so TikTok is grabbing the contents of my clipboard every 1-3 keystrokes. iOS 14 is snitching on it with the new paste notification pic.twitter.com/OSXP43t5SZ
– Jeremy Burge (@jeremyburge) June 24, 2020
What to do
Although it may be assumed that this is a feature created only to harvest user information, an app’s access to the clipboard is genuinely useful in some cases. A typical example is parcel tracking: when we receive a message with the tracking code of our shipment and open the carrier’s app, many services automatically ask whether we want to use the string of digits on the clipboard. Similarly, some services use this check to retrieve the code sent during two-factor authentication, which typically serves to verify that the user logging in to an account is really its owner, even when the password is known.
But it is precisely with passwords that the greatest risk arises. Those most careful about their IT security increasingly use password managers: small programs that hold an archive of all the user’s access credentials, protected by a single, very strong master password. Typically, the user copies the password when it is needed and then pastes it into the appropriate text box of the service being accessed. On iOS, however, that password remains on the clipboard until other text is copied. Any app that reads the clipboard automatically could then capture it, even without knowing what it is or which account it belongs to.
A solution is offered directly in the settings of the most common password managers, which generally allow the clipboard to be cleared automatically after a period of time chosen by the user. If you have copied a password, it is deleted once the set time has elapsed. Even so, any app launched during that period could still capture it silently (pictured: the settings screen of KeePass for iOS).
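The time-out mechanism described above, as an added illustration that is not code from the article or from KeePass: a password-manager style helper copies a secret to a clipboard and wipes it after a time-to-live, but only if the clipboard still holds that secret, so a tracking number the user copied in the meantime is not destroyed. The `FakeClipboard` class, its read log, the secret and the tracking number are all constructed for this example to stand in for the system pasteboard; the walk-through also shows that a read inside the window still obtains the secret, which is the residual risk the paragraph warns about.

```python
import threading
from typing import Dict, List, Optional


class FakeClipboard:
    """In-memory stand-in for the system pasteboard (constructed for this example).

    Every read is logged so the demo can show that anything reading the
    clipboard inside the time-out window still obtains the secret.
    """

    def __init__(self) -> None:
        self._lock = threading.Lock()
        self._content: Optional[str] = None
        self.read_log: List[Optional[str]] = []

    def write(self, text: Optional[str]) -> None:
        with self._lock:
            self._content = text

    def read(self) -> Optional[str]:
        with self._lock:
            self.read_log.append(self._content)
            return self._content

    def clear_if_equal(self, expected: str) -> bool:
        """Atomic compare-and-clear: wipe only if the content is still `expected`."""
        with self._lock:
            if self._content == expected:
                self._content = None
                return True
            return False


class SecretCopier:
    """Copy a secret to the clipboard and wipe it after ttl_seconds.

    The wipe is conditional: if the user copied something else in the
    meantime, that newer value is left untouched.
    """

    def __init__(self, clipboard: FakeClipboard, ttl_seconds: float = 30.0) -> None:
        self.clipboard = clipboard
        self.ttl_seconds = ttl_seconds

    def copy_secret(self, secret: str) -> threading.Timer:
        self.clipboard.write(secret)
        timer = threading.Timer(self.ttl_seconds, self.wipe_if_unchanged, args=(secret,))
        timer.daemon = True
        timer.start()
        return timer

    def wipe_if_unchanged(self, secret: str) -> bool:
        """Returns True if the secret was wiped, False if the clipboard had changed."""
        return self.clipboard.clear_if_equal(secret)


def demo() -> Dict[str, Optional[str]]:
    """Walk through both cases and report what each observer saw."""
    clipboard = FakeClipboard()
    copier = SecretCopier(clipboard, ttl_seconds=0.2)  # short TTL for the demo

    # Case 1: a third party reads the clipboard before the time-out fires.
    timer = copier.copy_secret("correct horse battery staple")  # constructed sample
    seen_inside_window = clipboard.read()
    timer.join(2.0)  # wait for the wipe to run
    seen_after_window = clipboard.read()

    # Case 2: the user copies a tracking number before the time-out; the
    # conditional wipe must not clobber it.
    timer2 = copier.copy_secret("hunter2")  # constructed sample
    timer2.cancel()  # drive the wipe by hand below instead of waiting
    clipboard.write("1Z999AA10123456784")  # constructed sample tracking number
    wiped = copier.wipe_if_unchanged("hunter2")
    user_value_kept = clipboard.read()

    return {
        "seen_inside_window": seen_inside_window,
        "seen_after_window": seen_after_window,
        "wiped_case2": "yes" if wiped else "no",
        "user_value_kept": user_value_kept,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The compare-and-clear in `clear_if_equal` is the detail worth copying: a naive timer that unconditionally empties the clipboard would erase whatever the user copied after the password, while the conditional version only removes the value it put there.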