30 comments

  • zkid18 11 days ago

    Great to see another layer of transparency in iOS 14.

    But I wonder why everyone is talking about one specific app? I see a huge bias towards TikTok in headlines

    "iOS 14 caught TikTok and other apps spying on the clipboard" [0]

    "iOS 14 beta shows apps like TikTok still spy on your iPhone" [1]

    There are a bunch of apps like VICE, Google News and WSJ that have been caught doing exactly the same. [2]

    I may have found the explanation for why TikTok did that. In China WeChat blocks direct links to their competitors. So apps like Taobao or Douyin have to find a workaround for deeplinks. When you want to share a video from Douyin with a friend in WeChat, Douyin generates the following message.

    在东京刚毕业入职三个月的职场小白 搬家找房 坚持更新#日本vlog #东京 https://v.douyin.com/J8ceMYY/ 复制此链接,打开【抖音短视频】,直接观看视频!

    (Translation: "A workplace newbie in Tokyo, three months into a first job after graduating; moving house and flat-hunting; updating regularly. #JapanVlog #Tokyo https://v.douyin.com/J8ceMYY/ Copy this link, open [Douyin Short Video] and watch the video directly!")

    In WeChat the link is not clickable. To see the content the user has to copy the full text and go to Douyin. The app will read the clipboard and perform the transition to the video. At the link below you can find a video explanation [3]

    Probably they re-used some code in TikTok. Definitely they need to be more careful about data safety, but I don't think they really made a pipeline for spying using the clipboard.

    There is a lot of buzz around TikTok these days, but I want to get an answer from other apps as well.

    [0] https://bgr.com/2020/06/26/ios-14-beta-privacy-features-tikt...

    [1] https://mashable.com/article/iphone-ios-14-privacy-clipboard...

    [2] https://www.youtube.com/watch?v=pRSWdtoUAjo

    [3] https://twitter.com/kidrulit/status/1277629462721384448
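    The copy-and-open flow described in the comment above, as an added example in Python (not code from the thread, from Douyin or from ByteDance). It parses the sample share message quoted above into a verified short link, accepting only an assumed allowlist of hosts, and contrasts the criticised pattern (reading the clipboard unprompted at launch) with parsing text the user pastes on purpose into a dedicated field. The `FakePasteboard` stand-in, the host allowlist and the URL pattern are constructed for this example.

```python
"""Parse a Douyin-style share message into a verified deep link.

Added example, not code from the thread, from Douyin or from ByteDance.
"""
import re
from urllib.parse import urlsplit

# Sample message as quoted in the thread (the Douyin share text).
SAMPLE_SHARE_MESSAGE = (
    "在东京刚毕业入职三个月的职场小白 搬家找房 坚持更新#日本vlog #东京 "
    "https://v.douyin.com/J8ceMYY/ 复制此链接,打开【抖音短视频】,直接观看视频!"
)

# Assumption: the app only ever opens links on its own short-link host.
ALLOWED_HOSTS = frozenset({"v.douyin.com"})

# Constructed pattern: a URL runs until whitespace or the Chinese/ASCII
# punctuation that surrounds it in the share message.
URL_RE = re.compile(r"https?://[^\s，,。!！【】]+")


def extract_share_link(text, allowed_hosts=ALLOWED_HOSTS):
    """Return the first https URL in `text` whose host is allowlisted, else None.

    urlsplit() is used rather than a string prefix check so that lookalike
    hosts ("v.douyin.com.evil.example") and userinfo tricks
    ("https://v.douyin.com@evil.example/") are rejected.
    """
    for match in URL_RE.finditer(text):
        candidate = match.group(0)
        parts = urlsplit(candidate)
        if parts.scheme == "https" and parts.hostname in allowed_hosts:
            return candidate
    return None


class FakePasteboard:
    """Stand-in for the system pasteboard that counts content reads.

    iOS 14's banner fires on exactly these reads, so the counter models
    what the user would see. Constructed for the example.
    """

    def __init__(self, contents):
        self.contents = contents
        self.reads = 0

    def string(self):
        self.reads += 1
        return self.contents


def open_from_clipboard_on_launch(pasteboard):
    """The pattern criticised in the thread: read the clipboard unprompted."""
    return extract_share_link(pasteboard.string())


def open_from_pasted_text(text):
    """The alternative: parse only what the user pasted into a link field."""
    return extract_share_link(text)


if __name__ == "__main__":
    board = FakePasteboard(SAMPLE_SHARE_MESSAGE)
    print("launch read  ->", open_from_clipboard_on_launch(board), "reads:", board.reads)
    print("user paste   ->", open_from_pasted_text(SAMPLE_SHARE_MESSAGE))
    print("wrong host   ->", open_from_pasted_text("https://v.douyin.com.evil.example/x/"))
```

    Both entry points resolve the same link; the difference is that `open_from_pasted_text` never touches the pasteboard, so the only clipboard access is the paste the user performed themselves.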

    • stronglikedan 11 days ago

      > But I wonder why everyone is talking about one specific app?

      In this particular case, I think it's because the person who apparently discovered it claims that other apps "don't collect anywhere near the same amount of data that TikTok does". [0]

      > For what it's worth I've reversed the Instagram, Facebook, Reddit, and Twitter apps. They don't collect anywhere near the same amount of data that TikTok does, and they sure as hell aren't outright trying to hide exactly what's being sent like TikTok is. It's like comparing a cup of water to the ocean - they just don't compare.

      [0] https://www.reddit.com/r/videos/comments/fxgi06/not_new_news...

      • zkid18 11 days ago

        I went through this post earlier. Unfortunately the video has been removed for some reason.

        > I'm getting a lot of DM's asking me to prove the majority of this with a paper and snippets of the offending code. I have a decent amount of my notes on my other laptop that recently had a motherboard failure and the majority of that data is on the laptop's SSD. It's a macbook pro, so recovering the data isn't exactly super simple. I have some frida scripts that I pushed to my git server as well as some markdown files + conversation logs I've had with exploit devs, but not much else. In order to get everyone the proof they require, I'll likely need to reverse the app all over again which isn't something I have time for right now.

        That sounds like "the dog ate my homework", but well, sh*t may happen.

        > Phone hardware (cpu type, number of cores, hardware ids, screen dimensions, dpi, memory usage, disk space, etc)

        What's so special about it?

        > Other apps you have installed (I've even seen some I've deleted show up in their analytics payload - maybe using as cached value?)

        That's interesting indeed. I heard some developers did that as well (Uber-Lyft case?) but it's really strange that Android enables that. I'm not an Android dev, but I guess you can retrieve that through PackageManager?

        > Everything network-related (ip, local ip, router mac, your mac, wifi access point name)

        https://developer.android.com/reference/android/net/wifi/Wif...

        wifiManager.getConnectionInfo()

        > Whether or not you're rooted/jailbroken

        My bank app does the same, as well as plenty of other apps. Again, I'm mostly an iOS guy, so not familiar with the Android ecosystem that well.

        > They set up a local proxy server on your device for "transcoding media", but that can be abused very easily as it has zero authentication

        That sucks. Can anyone explain why they do that?

        > On top of all of the above, they weren't even using HTTPS for the longest time. They leaked users' email addresses in their HTTP REST API, as well as their secondary emails used for password resets

        Bold statement without any facts, tbh.

        I don't wanna play devil's advocate, and I don't support the CCP, nor am I a big fan of TikTok.

        I really enjoy reading well-made security research that unveils security violations in Chinese apps. [0]

        But I can hardly rely on posts without any clear data to back them up.

        [0] https://citizenlab.ca/2020/05/we-chat-they-watch/

        • parliament32 11 days ago

          I don't use or like tiktok, but that post also came across as super fishy to me. Lots of it boiled down to "I'm a software engineer, trust me" with a good amount of FUD thrown in (going on about GPS data when the app doesn't even request the Location permission? complaining the app can see your screen resolution?). I'm sure the truth is somewhere in between but tiktok is the beating-horse of the day so you'll see all sorts of cool stuff like mainstream media using an anonymous reddit post as a source.

          • zkid18 11 days ago

            Exactly. Moreover, r/videos doesn't seem the proper place to share a reverse-engineering analysis.

          • sukilot 11 days ago

            It's hard to trust a self-proclaimed computer expert who neither uploads any data to share as evidence, nor backs up any of his work anywhere, nor syncs to any cloud.

            • ianmobbs 11 days ago

              Yeah, this was my exact problem with that comment. They ended it by saying apps like Facebook/Gmail/etc don't collect nearly the same amount of data, but I'm very hard pressed to believe that. I'll believe it when they show a side-by-side comparison of what portions of each category they listed TikTok is accessing/Facebook is accessing, with the accompanying bytecode they claim to have decoded.

              • zkid18 11 days ago

                Oh, it seems that from Android 11, it became much harder to see the list of installed apps.

                https://news.ycombinator.com/item?id=23692964

            • thewindow 11 days ago

              Just because other apps do that is no excuse for bad behaviour. Almost all apps get flak for bad behaviour. TikTok is the newest popular thing on the block and it is expected to be widely covered. Honestly it is okay to discuss the bad behaviours of an app without blaming other apps.

              • benologist 11 days ago

                Being "caught" reading the clipboard is not an indictment that you are doing something wrong. It's very good that it is no longer occurring invisibly in the background, but so far what we have seen appears to be frivolous usage rather than malicious.

                • sniperjzp 11 days ago

                  Smh, a newly registered account.

                  > Honestly it is okay to discuss the bad behaviours of an app without blaming other apps.

                  OP explained the reason for doing so, how can we just discuss the problem without checking the cause?

                • erk__ 11 days ago

                  The app for Discord would also make the warning show, though the fix for that was a small one line change.

                  https://twitter.com/lolpython/status/1276235830692941829

                  • amrrs 11 days ago

                    I think it's probably because they were already in a series of such mess-ups, so someone decided to check it with TikTok and that went viral. Also, it's a social media app that a lot of people use, so using that as part of the headlines for media gains eyeballs.

                    • xster 11 days ago

                      Oh wow, thanks for sharing [2]. That's ludicrous (the consent manufacturing part).

                      • godelski 11 days ago

                        > But I wonder why everyone is talking about one specific app? I see a huge bias towards TikTok in headlines

                        1) TikTok is one of the most popular apps and was the second most downloaded last year [0]. Come on, they are at the top. That's why we talk about them.

                        2) TikTok has been caught in a lot of privacy scandals that appear to be more egregious than other apps.

                        3) There's a deep seated fear, and evidence, that Chinese companies share their data with their government.

                        It is all three, but mostly #1.

                        > [0][1]

                        These are the same event, why are you posting two instances of the same event like "TikTok is unfairly being targeted?"

                        > There are a bunch of apps like VICE, Google News and WSJ that have been caught doing exactly the same. [2]

                        People are upset about that too. But frankly, VICE and the WSJ don't have as many downloads as TikTok. Even if you combine their total downloads they don't account for a tenth (<1/10th!!!!) of TikTok's downloads. Frankly I don't understand the logic here. Ignore the top dog just because others are doing the same thing? Just because others do it doesn't make it right and of course we should go after the one that's the biggest.

                        If you're bigger, people pay more attention to you. That's why TikTok is getting "singled out." BECAUSE TIKTOK IS ONE OF THE MOST POPULAR APPS IN THE WORLD! It doesn't matter what other apps do. That doesn't justify bad behavior. Am I the only one whose mom said "If all your friends jumped off a cliff, would you?"

                        [0] https://www.visualcapitalist.com/ranked-most-downloaded-apps...

                        • zkid18 11 days ago

                          Yeah, the bar is high. But unfortunately people seek short-term rewards and rarely care about their data leakage.

                          How did the #DeleteFacebook movement impact the company's business? Not that much, I believe. The stock keeps rising. It would be interesting to see what will happen to ByteDance's product.

                          > 3) There's a deep seated fear, and evidence, that Chinese companies share their data with their government.

                          Can you share the evidence of that please? Apparently ByteDance cut domestic engineers' data access to TikTok [0]

                          [0] https://en.pingwest.com/a/6875

                          • jimsmart 10 days ago

                            >> 3) There's a deep seated fear, and evidence, that Chinese companies share their data with their government.

                            > Can you share the evidence of that please?

                            Not the parent commenter, but you may find this paper informative/insightful:

                            "Systematic Government Access to Private-Sector Data in China" (2017) [0]

                            Not by any means the only source, just happens to be one I read recently.

                            [0] https://www.oxfordscholarship.com/view/10.1093/oso/978019068...

                          • sukilot 11 days ago

                            Obligatory xkcd on bridge jumping:

                            https://xkcd.com/1170/

                          • ebg13 11 days ago

                            > In China WeChat blocks direct links to their competitors. So apps like Taobao or Douyin have to find a workaround for deeplinks.

                            I'm going to start by saying "No they don't." They don't _have_ to do anything. They decided to.

                            > In WeChat the link is not clickable. To see the content user has to copy full text and go to the Douyin. The app will read the clipboard

                            They could have chosen to give you a place to put links without snooping your clipboard. That was a decision they made.

                            > I don't think they really made a pipeline for spying using the clipboard.

                            Does the app spy on the user's clipboard? Yes. QED.

                            • erk__ 11 days ago

                              They do it to get around very anti-competitive behaviour. WeChat pretty much has a monopoly on chat in China, so if you want to get into that market I guess you have to come up with some way around it. Though I agree that a button that would activate it would likely have been a better way to do it. Even if they did not do anything nefarious, this really makes it look like they did.

                              • ebg13 11 days ago

                                Spying on users is a dishonorable way to get around another corporation's anti-competitive behavior. Because it was not the only extremely obvious viable option (I mentioned a clearly honest, obvious alternative), we have to conclude that they desire to act dishonorably.

                              • zkid18 11 days ago

                                That's a big dispute in Sina tech. [0]

                                [0] https://www.scmp.com/abacus/culture/article/3029309/wechat-s...

                                > Chinese users have been complaining that WeChat’s practice of blocking certain apps is a huge blow to user experience. But WeChat isn’t the only one doing it. Chinese tech companies constantly add services to their own ecosystems and block services from other companies, leading some tech watchers to say that China’s mobile internet has been split into pieces.

                                Hope they can fix it one day

                                • ebg13 11 days ago

                                  > Hope they can fix it one day

                                  Taobao/Douyin/etc could save face today by giving you a place to enter links instead of spying.

                              • xijinping250 11 days ago

                                Well, since you talk about bias,

                                Why is every US app (Facebook, Twitter, YouTube...) banned by China, but China's companies can earn money in America?

                                Why does the US government allow this to happen? They are a huge threat to the safety of America!

                            • rdlecler1 11 days ago

                              The security implications of allowing communications on a platform that is subject to the absolute control of a foreign government seem like a very, very bad idea. That can be a lesson learned the easy way or the hard way.

                              • systemvoltage 11 days ago

                                I honestly think we give Chinese apps too much equal footing. In about 5-8 years, when China has insane surveillance network around the world (they already have), this comment is going to sound the most sensible thing to do - blanket ban any application developed and served by the CCP or similar government.

                                People teeter-totter about righteousness and freedom of choice, but IMO we need to stop feeding the CCP with more power/$$$/influence ... NOW ... Freedom of choice is great when there is fairness and democratic values built in, when the government isn't on some Han-supremacy drug and expansionist motives.

                                Someone will inevitably respond with whataboutism and smear American companies into the mix as if they're expressing their understanding of hypocrisy and one-sidedness. It is supposed to be one-sided. The west offered a two-way street which China declined to walk on. So, now all bets are off. Equivalency with the western apps/services/goods is no longer a valid counter argument.

                                On fair, just, and rational grounds - I am a progressive. In unfair, unjust and irrational waters - I am a conservative.

                                • jquery 11 days ago

                                  The CCP has already shown they’re willing to abuse TikTok to stir unrest in the USA, you aren’t even making a theoretical argument. I’m a lot more worried about China than Russia, when it comes to bad behavior by state actors.

                                  • godelski 11 days ago

                                    This is why I'm always confused by privacy arguments. When someone says that they want privacy the responses go like:

                                    reference Goebbels: "I have nothing to hide, so I'm not worried"

                                    Downplay: "They only read my emails and everything I write to sell me stuff better. Sometimes I need stuff. They're helping me!" As if it can only be used to sell and nothing else.

                                    World revolves around self: "Well ads don't affect me." Like it doesn't matter that everyone else is affected even if you aren't.

                                    Completely ignoring the fact that if someone can manipulate you to buy stuff, they might be able to use it to manipulate you to do other things. I mean we have political ads. And Coke ads aren't there to sell you Coke (they are there to make you feel better about your purchase). Frankly, to me it doesn't even matter if no one has done that yet (I'm aware of the clear evidence that people have) but that we're giving people the ability to do this en masse and in very precise ways. That just leads to a potential turn in democracy. "Just educating people" doesn't solve the problem either. Ads are still effective on smart people. So the question is "are the benefits ~~profits~~ worth the cost?" It is reasonable to think "yes", but I'm a resounding "no."

                                    Yes, we use political ads to "manipulate democracy" and the like, but a mass statewide commercial is a very different thing than an individualized ad targeted to a specific person. At least to me these are very different (and we still have regulations on what you can say in political ads). Where do we draw the line? We talk about data a lot here and what we can model with it. What will ads look like in 20-50 years if we don't draw a line in privacy and technology continues to become more powerful? I think individualized ads will look very different. We do need to determine what level of individualization we can target with an ad, and I don't see much of that happening.

                                    • jquery 11 days ago

                                      Excellent comment, you changed my thinking on the issue. I feel like liberal, educated democracies are focused on the wrong problems. It’s only going to get harder to change course the longer we keep sailing in this direction of a laissez faire, anything-goes approach to software.

                                      Apple’s infamous walled garden solves this problem to some extent, but introduces others because it lacks due process, leading to corruption where money can solve any problem, and so apps like Tiktok get to abuse their trust with impunity.

                                      • godelski 11 days ago

                                        As I see it, democracy is unstable. I like living in a democratic system (yes, a democratically elected republic is still a democratic system). But we have to recognize that it is unstable and democracies work under the pretense that the keys to power are distributed and frequently moving hands (by elective processes). So the danger to democracy is the collection of keys, or the consolidation of power. Power consolidation DOES have benefits after all. I mean a benevolent dictator is probably the best form of government, the issue is that if the next dictator isn't benevolent (or how long until that). The same is with democracy. We keep power distributed so that when a malevolent (or even just non-benevolent) ruler comes into power they aren't able to do much. Essentially as long as we don't let corruption fill the majority of roles with power, we're fine. They have to spend a lot of time and resources consolidating that power.

                                        Essentially this is what "turnkey tyranny" is: the point at which power is consolidated to such a degree that a malevolent ruler would have the power of a tyrant.

                                        So it has never been about having something to hide or that people aren't using a power malevolently. It is the potential for abuse and that given enough time a power is likely to be abused. Distribution makes it more difficult (but does not eliminate) to abuse power.

                                        With HN's love for federated systems, which essentially operate under similar principles, I'm surprised this is not a more popular concept. The only difference is that we're talking about government officials instead of Moxie.

                                        • jquery 11 days ago

                                          All governments are unstable. The best we can hope for is they do the most good for the longest amount of time. The better a government does, the more its population tends to assume that it’s impossible for their government to fail, and they don’t guard against it, instead choosing convenience (and properly federated government is the opposite of convenient).

                                    • justicezyx 11 days ago

                                      What?!

                                      I don't have any memory of "CCP abuses TikTok to stir unrest in USA" being reported. Is there really such evidence?

                                      If there is evidence, then please just ban the goddamn app from any mobile smartphone platform. It's too dangerous to open the lid of such a mass brain-washing machine. Even in the Arab Spring, it was just passively allowing the information to propagate organically. No one with sane judgement should allow these apps to be used as manipulation tools by any minority group...

                                    • ianmobbs 11 days ago

                                      > The west offered a two-way street which China declined to walk on.

                                      What?

                                      • MintelIE 11 days ago

                                        It's pretty simple, China doesn't allow western companies access to its markets reciprocally. This isn't controversial or esoteric information. It's a well known fact.

                                        • Barrin92 11 days ago

                                          When two parties negotiate they generally try to negotiate in their personal interest. Given how many Western companies flocked to China the access was apparently still worth it.

                                          It's not like this is uncommon either. The US themselves did this under Hamilton's American System and Japan did it in the late 19th century when they maximized goods and technology coming in while trying to keep as much foreign influence out. It's a reasonable strategy and particularly understandable with a historical view of East-Asia, which doesn't have the best experience with opening up to Western companies.

                                          I never really understood where the problem is, because China didn't kidnap Apple's CEO and force them to build factories in China. If Americans think whatever China offers is not worth it, they're free not to participate.

                                          • sukilot 11 days ago

                                            Sure, "American" multinational corporation managers love to play ball with the CCP to make money. That doesn't mean American citizens love it or that the American government should support it.

                                      • FriendlyNormie 11 days ago

                                        “Equal” footing? China doesn’t allow anyone to use my app, instead I was required to have a conference call with Tencent where they insisted I give them all of my code so they can release their own version in China which they super cereal pinky promise they’ll give me all the revenue from. I declined and they made an incredibly shitty clone of my app instead which I was never allowed to compete with. Fuck chinks.

                                      • severino 11 days ago

                                        Well, I'm more concerned about my platform being subject to the control of my own government. Because I don't care very much about foreign governments, given I happen to be a western citizen that has nothing to do with those countries. But what about ours, do you think our government is better than theirs? For how long?

                                        • jeanvalmarc 11 days ago

                                          > do you think our government is better than theirs? For how long?

                                          America has problems, but your order-of-magnitude calibration is way off if you think a concentration-camp operating (i.e. the real kind with over a million people who committed no crime and are held just for their beliefs and culture), expansionist (Hong Kong, Tibet, Taiwan), totalitarian (speech is monitored and punished in a "go to prison, right away" manner rather than a "twitter deleted my racist shit and nothing else happened to me" way) government is comparable. So yes, occasionally ineffective democracies that value human rights and freedoms (i.e. the west) are better than the CCP government, and will continue to be better now and into the foreseeable future.

                                          • severino 10 days ago

                                            Yes, you're right. My mistake was talking about better/worse governments, while we don't have to choose at all. I should rephrase it as: is our government good? I'm sure nobody can say it is, whichever government it may be. So that's why I find it uncomfortable to hand all my data over to the ruling party in my country, while I don't care what a random CCP functionary can learn about the cafeterias I frequently go to.

                                            • sukilot 11 days ago

                                              On a per capita basis, the US has more people in prison than there are Uyghurs in Chinese camps and Chinese residents in prison combined.

                                              The US invaded Iraq for oil colonization.

                                              • Larrikin 11 days ago

                                                Your whataboutism didn't mention the ongoing protests that are working to fix the problems you're referencing which would never be allowed in China.

                                            • SiVal 11 days ago

                                              > do you think our government is better than theirs?

                                              Can't answer specifically without knowing who "ours" and "theirs" are, but I can answer generically. Governments that hold elections where more than one genuinely competing party can win if enough voters want to vote for them are better than governments that declare themselves the rulers.

                                              Governments that defend the rights of people to express genuinely competing opinions, regardless of who agrees or disagrees, are better than governments that use or enable coercion to silence opinions they don't want people to hear.

                                              Governments that use pervasive surveillance to monitor and punish people for thought crimes, where having or expressing forbidden opinions is treated as an actual "crime", are worse than governments that don't.

                                              There is clearly a spectrum, and though my Chinese relatives keep pointing out how many US institutions are coming to resemble the Marxist institutions and people resemble the Red Guards they remember, the actual government of China is still far worse. "Since we, the CCP, are the People's Gov't, there is no further need for elections, and anyone who disagrees is an Enemy of The People, needs to be discovered, and deserves to be punished for that crime."

                                            • president 11 days ago

                                              > subject to the absolute control of a foreign government

                                              Especially a foreign government that is considered a top adversary by the US and vice-versa.

                                              • radikalerludwig 11 days ago

                                                > a platform that is subject to the absolute control of a foreign government

                                                I'm sure you would argue that Google, MS and Apple are completely independent of the US government.

                                                • wpasc 11 days ago

                                                  I don't want to put words in your mouth, but if you are implying that the US influence over Google, MS, and Apple is comparable to China's influence over TikTok and other Chinese companies, then that is an utterly false equivalence. I don't have links, but the role and influence the CCP has in Chinese companies is well established, and US companies have gone to great legal lengths to restrict the US Government's involvement in certain areas like the fight over encryption.

                                                  • radikalerludwig 11 days ago

                                                    > US companies have gone to great legal lengths to restrict the US Government's involvement in certain areas

                                                    Yeah, they spend a fortune on lobbying - nonetheless they are very compliant with the US "national security". Keep them downvotes coming, Snowden never blew a whistle.

                                                    • khuey 11 days ago

                                                      I'm sure the government considers the years long ongoing battle between Apple and the FBI over device encryption to be "very compliant".

                                                  • godelski 11 days ago

                                                    The issue is (as far as I know) the CCP has unfettered access to Chinese apps. On the other hand, the US government has to ask. While Google, MS, Apple, etc have all said "yes" plenty of times, they also have said "no" and are doing so more frequently as public opinion is changing on privacy. Literally the ability to say no is a big difference.

                                                    If I am wrong about the unfettered access, let me know.

                                                    • ls612 11 days ago

                                                      The US has an independent judiciary which will rule on disputes between the government and Google/Apple/MS. China does not. It is really that simple.

                                                    • grecy 11 days ago

                                                      > subject to the absolute control of a foreign government

                                                      National Security letters mean that for 95.75% of the world's population, what you just said applies to the USA.

                                                    • numair 11 days ago

                                                      Most of the anti-TikTok comments that have emerged recently are beyond hysterical. We are arguing about China using this app as a primary nexus of intelligence gathering, in a world where they already have the US government’s entire OPM database?[1]

                                                      A lot of apps are doing the stupid clipboard detection thing. As others have commented, there are reasons for this that range from spam detection to link shortening. It’s lousy, I agree, but this has been a very common thing in a pre-iOS 14 world.

                                                      1: https://en.m.wikipedia.org/wiki/Office_of_Personnel_Manageme...

                                                      • gruez 11 days ago

                                                        >In June 2015, the United States Office of Personnel Management (OPM) announced that it had been the target of a data breach targeting the records of as many as four million people

                                                        I'm pretty sure that tiktok has more than 4M users. I guess you can argue that OPM has more % of "high value" users compared to tiktok, but it's also 5 years out of date and contains different sets of data entirely. OPM data doesn't have your minute-by-minute location history and clipboard history, for instance.

                                                        • mike_d 11 days ago

                                                          The OPM database was a force multiplier, not a direct source of valuable data.

                                                          What it allows the Chinese government to do is filter any other source of data (such as TikTok) and exclude anyone in the US who doesn't have a security clearance. You then have vastly less raw intelligence to sift and try to find the accidental video someone posted with a whiteboard full of secrets in the background.

                                                          • manquer 11 days ago

                                                            Intelligence gathering with OPM kind of leaks is passive activity, which can potentially be used for leverage.

                                                            Platforms like TikTok are active propaganda tools already, and can be used to shape discourse in democracies.

                                                            It is a major concern whether such tools are owned by foreign governments (TikTok) or private companies who do not need to comply with any regulations (Facebook, Twitter), etc.

                                                            • knzhou 11 days ago

                                                              When I was younger I would laugh at those ridiculous "forwards from grandma" about, like, secret Satanic messages embedded in Super Mario. Every kid knew these were nonsense; we just assumed it was a consequence of that generation growing up without technology.

                                                              I was wrong. Every generation is equally prone to hysteria. We learn nothing.

                                                              • abledon 11 days ago
                                                                • numair 11 days ago

                                                                  Thought the OPM hack was common knowledge, guess not. I added a link!

                                                                • apta 11 days ago

                                                                  They'll use whatever data they can get their hands on.

                                                                • annoyingnoob 11 days ago

                                                                  Too little, too late. Already forced the family to uninstall it and it's gone forever. Wish the kids could understand that it's spyware with access to a lot of toxic social media.

                                                                  • Shank 11 days ago

                                                                    > Already forced the family to uninstall it and it's gone forever.

                                                                    Honestly you’d be better off educating them and telling them it’s a good idea than forcing them to jettison an app they probably love. Tons of apps do this (as discovered in iOS 14) and I highly suggest not doing a crusade against one when a lot more do it. See: https://youtu.be/pRSWdtoUAjo

                                                                    • annoyingnoob 11 days ago

                                                                      Fair enough, we don't have any of the known spyware - TikTok was the only one. I was already questioning the value of TikTok before it became well known that it's spyware. I won't tell you about the week of crying because someone was calling my 8 year old a 'viscogirl' after seeing something on TikTok about it. It really looks like toxic garbage to me.

                                                                      • mikeyouse 11 days ago

                                                                        It's starting to fill up with Pizzagate "secret dungeon basement" conspiracy theories too.. probably better off without it.

                                                                        • techntoke 11 days ago

                                                                          Doesn't sound so far fetched when TikTok is allowed to violate COPPA and is a haven for child predators.

                                                                        • saagarjha 11 days ago

                                                                          You sure it wasn't "VSCO girl"?

                                                                    • nsxwolf 11 days ago

                                                                      My Daughter: "Dad let me install TikTok!"

                                                                      Me: "No. It is Chinese spyware."

                                                                      My Daughter: "<so and so from school> has TikTok!"

                                                                      Me: "<so and so> is a Chinese asset!"

                                                                      My Daughter: "No she's not!"

                                                                      Every day.

                                                                      • vulcan01 11 days ago

                                                                        In my experience it is a lot easier to tell your friends that you don't have any social media, rather than saying that you don't have a specific social media app/account/thing. Why? It's harder to understand why someone wouldn't install TikTok when they already have Snapchat/Instagram/everything else.

                                                                        (I'm a high school student, abstaining from social media other than HN.)

                                                                        Edit: Have you tried explaining to your daughter why TikTok is Chinese spyware?

                                                                        • Gatsky 11 days ago

                                                                          HN is social media?

                                                                          • criddell 11 days ago

                                                                            I think it is, at least as much as Reddit is as well. And before that Digg and Slashdot.

                                                                        • justicezyx 11 days ago

                                                                          > My Daughter: "<so and so from school> has TikTok!"

                                                                          > Me: "<so and so> is a Chinese asset!"

                                                                          I cannot believe this is allowed on this forum.

                                                                          IIRC, you are suggesting some individual in your daughter's school, presumably a Chinese ethnic, is a "Chinese asset"? What do you mean by "Chinese asset"?

                                                                          Edit: It seems I read the asset wrong. See replies below.

                                                                          • gruez 11 days ago
                                                                            • grillvogel 11 days ago

                                                                              if you accept the premise that tiktok is collecting data for the chinese government, then anyone using the app would indeed be an asset

                                                                              • pinkfoot 11 days ago

                                                                                I cannot begin to imagine how my adolescent daughter could be of any possible use to the middle kingdom. Remotely, via a dance app.

                                                                                • cosmie 11 days ago

                                                                                  Incidental and unintended data leakage.

                                                                                  TikTok is a virally popular video app used globally by a generation of adolescents that have normalized the behavior of recording inane happenings in their life multiple times a day, with an undeveloped sense of propriety and limited ability to fully comprehend the significance of their actions.

                                                                                  Not that I have much of an opinion on TikTok's usage as an intelligence gathering source, I certainly appreciate its potential as one.

                                                                                  My daughters are constantly taking videos all over the place, with little regard to what is in the video beyond themselves. Even though they've been hounded on what is and isn't appropriate to capture in a video, I'm sure they have an under-developed sense of security/concern in that regard, particularly for "private" or deleted videos.

                                                                                  Access to the full corpus of video data uploaded to Tiktok would be a gold mine, least of which would actually be my adolescent daughters. Unrelated conversations picked up in the background, where/when they took the video, compromising/confidential artifacts exposed incidentally in the background, facial recognition on individuals in the video (whether the subject of the video or otherwise), etc. There are an immeasurable number of ways such a rich data source could be mined for signal intelligence.

                                                                                  Note that TikTok is far from the only app that fits this definition. There are plenty of other platforms that create a similarly useful corpus of video data. But anecdotally from my kids and their friends, TikTok is the flavor of the moment. Especially so for those young enough for the above concerns (or lack thereof) to be most valid.

                                                                                  • pinkfoot 11 days ago

                                                                                    This is not how spies work in the real world.

                                                                                    Kompromat, bribery, and threats. Not watching kids videos.

                                                                                    • cosmie 11 days ago

                                                                                      The intelligence apparatus of a nation-state is far more encompassing than just spies.

                                                                                      And no one has to actually watch any videos for the above-mentioned use cases. It's an engineering assignment for data science and tech teams, not spies.

                                                                                      As well, there's a very hazy line between government and industry interests in China, greatly expanding the potential use cases of sigint derived from such incidental data leakage beyond just what would be useful for kompromat, bribery, and threat purposes.

                                                                                      • jimsmart 10 days ago

                                                                                        Indeed, spies are just a single tool and have very specific use cases — big-data, analytics and data science is where the big nation states are at nowadays.

                                                                                        We don't know much about China's systems here, but looking at XKeyscore [0] (NSA, via Snowden leaks) is likely to be somewhat insightful re function and capabilities.

                                                                                        [0] https://en.wikipedia.org/wiki/XKeyscore

                                                                                      • annoyingnoob 11 days ago

                                                                                        See this: https://www.proofpoint.com/us/corporate-blog/post/understand...

                                                                                        A quote: TikTok app permissions include personal information and device control

                                                                                        First, our researchers examined the permissions TikTok requires on Android and iOS devices following installation. While some of the permissions detailed below are to be expected, all of this is consistent with TikTok’s written privacy policy. However, when you see all that TikTok gathers it can still be of concern. In summary, these permissions allow TikTok to:

                                                                                        - Access the camera (and take pictures/video), the microphone (and record sound), the device’s WIFI connection, and the full contact list on the device
                                                                                        - Determine if the internet is available and access it
                                                                                        - Keep the device turned on and automatically start itself when the device restarts
                                                                                        - Secure detailed information on the user’s location using GPS and other apps that are running
                                                                                        - Read and write to the device’s storage, install/remove shortcuts, access the flashlight (turn it off and on), request additional installation packages

                                                                                        Our researchers found that TikTok has full access to the audio, video, and address book on the device, which isn’t surprising given that TikTok is an audio-visual app by design.

                                                                                        However, the GPS tracking is surprising, especially as TikTok videos don’t obviously display location information. TikTok does call out their collection of location information in their privacy policy.

                                                                                        Recap: TikTok does not need to be collecting contact and location data from my kids or any of our devices. This vacuuming up of information at scale reveals the relationships between people and a lot more. And that is my main problem. TikTok is way more than just a video app, it's spyware.

                                                                                • RyanGoosling 11 days ago

                                                                                  get outta here

                                                                              • lnanek2 11 days ago

                                                                                Seems feasible it was a spam check. All my sensitive data is over in a separate work apps launcher anyway.

                                                                                Personally, I find lots of useful content on TikTok. There's a divorce lawyer I've actually called in person. There's a nurse who gives coronavirus tips. There's a Chinese teacher. There's an idol who did a funny hand wash dance without showing a lot of skin and who does funny things with her cats. There's a fitness guy who always has a new way to do push ups or whatever. There's a chiro with back pain tips, etc.. One coworker does dances with her daughter - so maybe it helps parent-child bonding.

                                                                                • annoyingnoob 11 days ago

                                                                                  > All my sensitive data is over in a separate work apps launcher anyway.

                                                                                  How does that apply to children?

                                                                                • vmception 11 days ago

                                                                                  > and it's gone forever

                                                                                  is it though?

                                                                                  do you honestly believe that?

                                                                                • nickthegreek 11 days ago

                                                                                  I'm happy that iOS 14 is adding more transparency on what apps are accessing, like this clipboard situation. I'd love to see more of these, like camera roll and mic access.

                                                                                  • natch 11 days ago

                                                                                    iOS 14 has a new workflow that lets the user give an app access to a photo or selected photos without the app getting access to any of their other photos. Big privacy improvement on that front at least. I don't know about mic access.

                                                                                  • RandallBrown 11 days ago

                                                                                    iOS 14 is adding an indicator for apps using the camera and microphone. You'll also be able to see apps that recently used them in the control center.

                                                                                  • Calvin02 11 days ago

                                                                                    This is so ridiculous. Google Maps accesses the clipboard. Try it out: copy an address and open maps.

                                                                                    So do Facebook and Instagram, I’m sure.

                                                                                    The level of paranoia in the Valley is astounding.

                                                                                    • warent 11 days ago

                                                                                      My clipboard frequently holds sensitive or even compromising information. If it isn't providing direct access to my finances, it might be something that could be used to blackmail me.

                                                                                      No, these random apps are not my spouse. They should not get access to sensitive info without explicit permission.

                                                                                      • apexalpha 11 days ago

                                                                                        I think the point is that almost 20 apps 'got caught' reading the clipboard but people are only singling out TikTok because it's Chinese.

                                                                                      • wycy 11 days ago

                                                                                        Google Maps has a clear use case for accessing the clipboard. If TikTok only accessed the clipboard on launch to check for a TikTok URL, that might be one thing, but there's no clear reason TikTok would need access to the clipboard literally every 3 keystrokes.

                                                                                        • ebg13 11 days ago

                                                                                          > Google Maps has a clear use case for accessing the clipboard.

                                                                                          I don't think it does. Neither application should "access" the clipboard.

                                                                                          • bravoetch 11 days ago

                                                                                            I keep reading about naughty apps and wondering will the OS ever lock this stuff down.

                                                                                            • aetch 11 days ago

                                                                                              Google maps detects copied addresses and lets you route to them in one click.

                                                                                              • ebg13 11 days ago

                                                                                                > Google maps detects copied addresses and lets you route to them in one click.

                                                                                                Routing to copied addresses is not a clear use case for letting something spy on everything the user copies, because we already have an invocation for handing clipboard contents to software exactly when the user desires it. It's called the "paste" command.

                                                                                                At some point engineers need to stop doing things just because they can.

                                                                                            • monkpit 11 days ago

                                                                                              It’s fine if an app has a valid use case to access clipboard. I have found it really convenient myself. I think the crux of the issue is that the apps should be forced to get permission from the user first, on a per-app basis.

                                                                                              • justicezyx 11 days ago

                                                                                                What is the clear use case for "accessing the clipboard"?

                                                                                                • wycy 11 days ago

                                                                                                  I assume Google accesses the clipboard to see if there's an address in there and search for it. Whether that's a good use case or not is up for debate.

                                                                                                  Personally I was surprised to learn that apps could read directly from the clipboard at all. I would've thought that was purely managed by the system and not given to the app until actually pasted.

                                                                                                  • monkpit 11 days ago

                                                                                                    Why not just have granular “clipboard” permission that could be granted or denied per-app?

                                                                                                    Personally, I like the ease-of-use I get out of google maps grabbing addresses from my clipboard. Not everyone would like it though, and that is ok. They could decline the permission request.

                                                                                                    But I don’t want other random apps being able to grab that info without permission.

                                                                                              • thewindow 11 days ago

                                                                                                There is no paranoia. There is no reason for TikTok to access my clipboard and snoop into what I have copied there. It is bad behaviour - nefarious or not.

                                                                                                • saagarjha 11 days ago

                                                                                                  The valley is the entire reason why we're paranoid: there's huge precedent for this kind of access being used for nefarious purposes.

                                                                                                • wuunderbar 11 days ago

                                                                                                  Can someone answer why iOS even allows the ability to read the clipboard buffer in the first place? Just seems like poor privacy and security design.

                                                                                                  • perfectstorm 11 days ago

                                                                                                    I copy my password from my password manager and paste it into a different app. I can copy notes from OneNote and paste it into my email and there are many other use cases I can think of. With iOS 14 Apple is letting the user know that some app is accessing your clipboard.

                                                                                                    • ebg13 11 days ago

                                                                                                      All of your examples are things initiated directly by the user. There's no reason that preserving user-initiated "paste" needs to mean letting an app take what it wants.

                                                                                                      • perfectstorm 11 days ago

                                                                                                        It wasn't clear from OP. I suppose having a permission modal like Photos or Contacts will do.

                                                                                                    • ebg13 11 days ago

                                                                                                      I know, right?

                                                                                                      It's not super hard to imagine a parallel universe where any software can copy to the clipboard but only the OS, upon user request, can paste back out of it. And yet here we are wallowing in filth. Why, because people have never heard of a callback before?

                                                                                                      Let the application include a "paste" handler function, and then all clipboard exfiltration must be initiated by the user at the OS UI layer. Simple. Safe.

                                                                                                      • MuffinFlavored 11 days ago

                                                                                                        So that if you switch from app A to app B, it can check your clipboard buffer for whether you have a URL copied into it and load that URL in the context of the app.

                                                                                                        example: if you copied twitter://foo/tweet/bar or https://twitter.com/foo/tweet/bar, it checks your clipboard and loads that tweet instantly

                                                                                                        At least that's what I read over on reddit about this on r/apple.
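The foreground "copied link" check described in the comment above, written out as an added example that is not from the thread or from any app discussed in it. It shows the privacy-respecting form of the feature on iOS 14: ask the system whether the pasteboard probably holds a web URL (a classification only, no contents read and no banner), read the contents only when it does, and act only on an allowlisted host after the user confirms. The host allowlist and the confirm/open callbacks are assumptions for the example.

```swift
import UIKit

/// Added example, not code from the thread or from any app mentioned in it.
/// Privacy-respecting form of "open the link the user just copied" on iOS 14+.
@available(iOS 14.0, *)
final class CopiedLinkHandler {
    /// Hosts this app is willing to open as deep links (constructed example values).
    let allowedHosts: Set<String>

    init(allowedHosts: Set<String> = ["twitter.com", "www.twitter.com"]) {
        self.allowedHosts = allowedHosts
    }

    /// True only for http(s) links whose host is on the allowlist. Checked before any UI,
    /// so an arbitrary copied URL (a password-reset link, a private document) is never acted on.
    func isAllowedDeepLink(_ url: URL) -> Bool {
        guard let scheme = url.scheme?.lowercased(), scheme == "https" || scheme == "http",
              let host = url.host?.lowercased() else { return false }
        return allowedHosts.contains(host)
    }

    /// Call when the scene becomes active. `confirm` presents the candidate URL to the user
    /// and reports their decision; `open` performs the navigation. Both are assumed callbacks.
    func checkPasteboard(confirm: @escaping (URL, @escaping (Bool) -> Void) -> Void,
                         open: @escaping (URL) -> Void) {
        let pasteboard = UIPasteboard.general

        // Step 1: ask the system *whether* a probable web URL is present. This classification
        // call returns no contents and does not trigger the iOS 14 "pasted from" banner.
        pasteboard.detectPatterns(for: [.probableWebURL]) { result in
            guard case .success(let patterns) = result,
                  patterns.contains(.probableWebURL) else {
                return // Nothing link-like was copied; the contents are never read.
            }

            // Step 2: read the value. This is the point where iOS 14 shows the banner, which is
            // the right signal: the app really is reading the clipboard now, for a stated reason.
            DispatchQueue.main.async {
                guard let url = pasteboard.url, self.isAllowedDeepLink(url) else { return }

                // Step 3: the user, not the app, decides whether the copied link is opened.
                confirm(url) { accepted in
                    if accepted { open(url) }
                }
            }
        }
    }
}
```

detectPatterns(for:) exists only on iOS 14 and later; on earlier versions an app can only read the contents outright, which is the behaviour the thread objects to.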

                                                                                                        • ebg13 11 days ago

                                                                                                          Except that letting apps randomly pull from the clipboard, where you might have copied passwords, bank account numbers, or any other sensitive information, is such an obviously unsafe idea that the person who suggested it should have been immediately sent to special privacy consciousness training.

                                                                                                          For what? To save one "send to app" or "paste"?

                                                                                                          At least reserve that functionality exclusively for the operating system on the grounds of "TRUST YOU? HAHAHAHAHA".

                                                                                                          • beervirus 11 days ago

                                                                                                            A super minor convenience feature, and enabling it allows apps to just read from my clipboard at will?

                                                                                                            The juice ain't worth the squeeze.

                                                                                                        • grecy 11 days ago

                                                                                                          I recently made the change in Firefox on macOS to stop websites from accessing the clipboard [1], and now pasting into Facebook is completely broken.

                                                                                                          I wonder if they've been checking out my clipboard contents.

                                                                                                          [1] https://www.ghacks.net/2014/01/08/block-websites-reading-mod...

                                                                                                          • gruez 11 days ago

                                                                                                            >I recently made the change in Firefox on macOS to stop websites from accessing the clipboard

                                                                                                            I don't think you needed to do that. I searched around and wasn't able to find any proof of concept that was able to steal clipboard data from firefox. see: https://news.ycombinator.com/item?id=23635488

                                                                                                          • dagav 11 days ago

                                                                                                            When I installed TikTok, my phone's battery life shortened by 2-3x. That's suspicious enough for me to stay far away from it

                                                                                                            • jb775 11 days ago

                                                                                                              Apple manually reviews the code of every app update. Why aren't they blocking this functionality from getting released in the first place?

                                                                                                              I feel like every time I submit an app update I get questioned about why my app needs access to $xyz feature.

                                                                                                              • ebg13 11 days ago

                                                                                                                > manually

                                                                                                                Do you really think so?

                                                                                                              • chrisshroba 11 days ago

                                                                                                                An interesting reddit comment by someone who uncovered many more shady data collection practices by Tik Tok: https://www.reddit.com/r/videos/comments/fxgi06/not_new_news...

                                                                                                                • jp42 11 days ago

                                                                                                                  Just wanted to inform the audience here that TikTok is blocked in China. [1]

                                                                                                                  [1] https://en.wikipedia.org/wiki/List_of_websites_blocked_in_ma...

                                                                                                                  • apta 11 days ago

                                                                                                                    Interesting, is this more proof that the Chinese gov't is using it as a spying app?

                                                                                                                    • chillacy 11 days ago

                                                                                                                      It's probably more because TikTok and Douyin have different content policies; having to police TikTok content as strictly as domestic content would stifle TikTok's growth outside the GFW.

                                                                                                                  • feross 11 days ago
                                                                                                                    • brightball 11 days ago

                                                                                                                      Stuff like this is why I prefer a reactive web interface over a mobile app.

                                                                                                                      It seems like unless you need direct access to the camera or it's a game, a web version should be fine.

                                                                                                                      • hnick 11 days ago

                                                                                                                        I'm starting to think these devices need to provide examples when throwing up the permissions prompt. Worst case examples of what this permission can enable so that app developers might at least try to limit their requests.

                                                                                                                        • racl101 11 days ago

                                                                                                                          Good on Apple. This and backwards compatibility, make a compelling case for iOS.

                                                                                                                          • toohotatopic 11 days ago

                                                                                                                            Why do phones need the clipboard at all? There is a 'share with' infrastructure. Why not explicitly send copied data to the desired app directly instead of storing it in a central place?

                                                                                                                            • gruez 11 days ago

                                                                                                                              That works for sharing an article or a post, but how do you quote a portion of a post?

                                                                                                                              • parliament32 11 days ago

                                                                                                                                On Android, you can happily select some text then hit Share (same menu as Copy and Cut).

                                                                                                                                • gruez 11 days ago

                                                                                                                                  That pattern is mainly used to open an app to a specific activity, e.g. opening Google search to a particular search phrase, or opening the dialer to a particular phone number. I can't see it working for when you're writing an email and want to include a link/quote/image.

                                                                                                                                  • parliament32 10 days ago

                                                                                                                                    But that's exactly what I just did. Highlighted some text in a news article and Share'd to my email client, it dropped the text in, quoted, to the body of an email with the link to the article under it.

                                                                                                                              • stronglikedan 11 days ago

                                                                                                                                I would really, really miss the clipboard on my phone were it not there. I use it daily.

                                                                                                                                Also, I couldn't imagine having to use the 'share' functionality just to copy/paste. It's already such a frustrating experience just finding the app I want to share with, that I usually just end up selecting the 'copy link' option, opening the target app, and pasting it.

                                                                                                                                • seanalexander 11 days ago

                                                                                                                                  Copy and paste.

                                                                                                                                  • catalogia 11 days ago

                                                                                                                                    I used to see lots of people question the merits of copy/paste when iOS didn't have it, because iOS didn't have it. When iOS finally got it, I thought the matter settled. The people who previously dismissed the feature now considered it the best Apple innovation since sliced bread (or perhaps the multi-buttoned computer mouse.)

                                                                                                                                    Do you never copy/paste text within the same document? How do you rearrange sentences, paragraphs, etc? Highlight-and-drag is cumbersome in long documents and is really an implementation of cut/paste, not copy/paste.

                                                                                                                                  • thewindow 11 days ago

                                                                                                                                    TikTok has no business snooping into my clipboard. It is bad behaviour irrespective of whether it was nefarious or not. No need to justify this by bringing up the behaviour of other apps.

                                                                                                                                    • qserasera 11 days ago

                                                                                                                                      Too little, too late. They should be barred from US markets; however, there may be worse actors out there that borderline criminals could call 'industry standard'.

                                                                                                                                      • techntoke 11 days ago

                                                                                                                                        TikTok is also violating COPPA. For any underage child that signs up with a Google Account, you can clearly see from the Google account settings that they are collecting email addresses and other personal information. I believe Google and other app store providers should just remove them.

                                                                                                                                        • bradley195 11 days ago

                                                                                                                                          Is it possible for apps to read photos (not just metadata)?

                                                                                                                                          • knodi 11 days ago

                                                                                                                                            Ya, a little fucking late to backtrack that now.

                                                                                                                                            • xchip 11 days ago

                                                                                                                                              It looks like apps can spy as much as they want and that it has few implications for the perpetrators... "Oops, sorry! Now let's carry on."

                                                                                                                                              • chvid 11 days ago

                                                                                                                                                Hotels.com and a host of others did the same thing, indicating that this is not particularly nefarious.

                                                                                                                                                However we keep talking about TikTok.

                                                                                                                                                Why is that?

                                                                                                                                                • swalsh 11 days ago

                                                                                                                                                  Because TikTok takes data collection to a whole new level. It uses this, and every other trick in the book. And that matters because it's not clear that this data will be constrained to the activities of sending me extremely targeted advertising. Now we can have a reasonable debate about that, but this has a new level of concern.

                                                                                                                                                  As a Chinese app, how do I know the Chinese government will not use me as an unknowing participant in a future cyberwar? One thing TikTok does is collect a pretty exhaustive list of apps installed on my phone. That could be used for identifying vulnerabilities they could potentially exploit.

                                                                                                                                                  • joosters 11 days ago

                                                                                                                                                    Why should that mean it's not nefarious? Just because other apps are doing underhand privacy invasion doesn't make it any better - they are all scum!

                                                                                                                                                    Everyone is talking about TikTok because the video that went viral showed TikTok.

                                                                                                                                                  • jacknews 11 days ago

                                                                                                                                                    But what's next?

                                                                                                                                                    • wildchild 11 days ago

                                                                                                                                                      I don't think all these whores were concerned about it.

                                                                                                                                                      • MarioKartBowser 11 days ago

                                                                                                                                                        Hi, sure, let the PLA brainwash your child.

                                                                                                                                                        • gcbw3 11 days ago

                                                                                                                                                          Maybe I do not know how the clipboard works, but the message "<active app> pasted from <inactive app>" is the worst possible label.

                                                                                                                                                          Also funny how every app shows it. Guess iOS 14 will be known by non-technical users as "the cookie-law iPhone version" and everything will continue as usual.

                                                                                                                                                          • prodpo 11 days ago

                                                                                                                                                            Tiktok has a lot of money. They can control speculator, then control America, then everyone.

                                                                                                                                                            • jeffbee 11 days ago

                                                                                                                                                              This is just an overblown yellow-peril panic, right? How does any app paste? By "accessing the user clipboards". How does the Chrome omnibox do "text you copied"? By "accessing the user clipboards".

                                                                                                                                                              • freeone3000 11 days ago

                                                                                                                                                                Normal apps wait until the user attempts to perform a paste action to access the clipboard, instead of accessing the clipboard every two seconds.

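One way to make the distinction in the comment above concrete from the defender's side: the script below is an added example, not code from this thread or from any app mentioned in it. It takes a constructed log of clipboard events (hypothetical app names, constructed timestamps) and separates reads that immediately follow a user paste from reads that happen unprompted or on a fixed timer, which is the pattern the thread objects to.

```python
"""Classify clipboard-access behaviour from an event log (added example).

Each event is (timestamp_seconds, app_name, kind) where kind is
  "paste" - the user performed a paste action inside that app, or
  "read"  - the app read the system clipboard.
A read that closely follows a paste in the same app is user-initiated;
a read with no preceding paste is unsolicited; a long run of reads at a
regular interval is polling.
"""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Optional, Tuple

Event = Tuple[float, str, str]

# Constructed sample log; app names are hypothetical, not real products.
SAMPLE_EVENTS: List[Event] = [
    # VideoApp reads the clipboard roughly every 2 s, never after a paste.
    (0.0, "VideoApp", "read"), (2.0, "VideoApp", "read"), (4.0, "VideoApp", "read"),
    (6.1, "VideoApp", "read"), (8.0, "VideoApp", "read"), (9.9, "VideoApp", "read"),
    (12.0, "VideoApp", "read"), (14.0, "VideoApp", "read"),
    # NotesApp only reads right after the user pastes.
    (5.0, "NotesApp", "paste"), (5.1, "NotesApp", "read"),
    (40.0, "NotesApp", "paste"), (40.05, "NotesApp", "read"),
    # FeedReader reads once on launch (no paste), then once on a real paste.
    (3.0, "FeedReader", "read"),
    (30.0, "FeedReader", "paste"), (30.1, "FeedReader", "read"),
]


def unsolicited_reads(events: List[Event], window: float = 1.0) -> Dict[str, int]:
    """Count reads per app that are not preceded within `window` seconds by a
    paste action in the same app. Every app seen in the log gets an entry."""
    last_paste: Dict[str, float] = {}
    counts: Dict[str, int] = {}
    for ts, app, kind in sorted(events):
        counts.setdefault(app, 0)
        if kind == "paste":
            last_paste[app] = ts
        elif kind == "read":
            if app not in last_paste or ts - last_paste[app] > window:
                counts[app] += 1
    return counts


def polling_period(read_times: List[float], min_reads: int = 4,
                   max_jitter: float = 0.25) -> Optional[float]:
    """Return the estimated polling period if `read_times` are regularly
    spaced (relative spread of the gaps below `max_jitter`), else None."""
    if len(read_times) < min_reads:
        return None
    ts = sorted(read_times)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    if avg <= 0 or pstdev(gaps) / avg > max_jitter:
        return None
    return avg


def classify(events: List[Event], window: float = 1.0
             ) -> Dict[str, Tuple[str, Optional[float]]]:
    """Label each app as 'polling' (with its period), 'unsolicited' (reads
    without a paste but no regular timer) or 'on-demand'."""
    reads: Dict[str, List[float]] = defaultdict(list)
    for ts, app, kind in events:
        if kind == "read":
            reads[app].append(ts)
    unsolicited = unsolicited_reads(events, window)
    verdict: Dict[str, Tuple[str, Optional[float]]] = {}
    for app, count in unsolicited.items():
        period = polling_period(reads.get(app, []))
        if period is not None:
            verdict[app] = ("polling", period)
        elif count > 0:
            verdict[app] = ("unsolicited", None)
        else:
            verdict[app] = ("on-demand", None)
    return verdict


if __name__ == "__main__":
    for app, (label, period) in sorted(classify(SAMPLE_EVENTS).items()):
        extra = f" every ~{period:.1f}s" if period else ""
        print(f"{app:12s} {label}{extra}")
```

The thresholds (a 1 s paste-to-read window, at least four reads, 25% jitter) are assumptions chosen for the constructed log; on real telemetry they would be tuned against how the platform actually reports clipboard access, and a single unsolicited read on launch (the FeedReader case) is the "prepopulate from a URL" convenience discussed further down, distinct from the timer-driven reads the comment describes.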
                                                                                                                                                                • hombre_fatal 11 days ago

                                                                                                                                                                  TikTok reading it every couple seconds is definitely excessive. And frankly our tools fail us by not at least revealing that it's taking place -- new clipboard notification aside, as shown in TFA. How do I know how common vs weird this behavior actually is?

                                                                                                                                                                  I'd only refine your post to say that it's common for apps to read the clipboard without you pasting. Right click Chrome's omnibar and it will show "Paste and go to <clipboard contents>", my bittorrent client and RSS clients prepopulate the new torrent/feed form if I have a URL in my clipboard.

                                                                                                                                                                  Is the tiny convenience worth the ability to snoop? I don't think so. Or rather, I would like to decide that for myself.

                                                                                                                                                                  • jeffbee 11 days ago

                                                                                                                                                                    Malice or just stupidity? I can imagine a dozen different reasons a program might access the clipboard in a loop, all of which reduce to "we are bad programmers".

                                                                                                                                                                    • thewindow 11 days ago

                                                                                                                                                                      Not all of them reduce to bad programmers. It could be either malice or stupidity. In this age when data is valuable, it is better to be safe and assume malice.

                                                                                                                                                                  • noisem4ker 11 days ago

                                                                                                                                                                    It is the OS that should transfer the contents of the clipboard to an app, when the user tells it to do so, and not the other way around. The content of my clipboard shouldn't be any app's business until I decide to paste.

                                                                                                                                                                    • andrewzah 11 days ago

                                                                                                                                                                      To be fair, I don't think the programmers implementing system APIs expected them to be (ab)used like this.

                                                                                                                                                                      Now system API developers have to view downstream app developers in an adversarial manner...

                                                                                                                                                                      • jeffbee 11 days ago

                                                                                                                                                                        Ok, but your beef is with Apple, not TikTok.

                                                                                                                                                                        • ebg13 11 days ago

                                                                                                                                                                          My beef is with the person who installs a spy camera in my shower, not with the person who didn't expect someone to install a spy camera in my shower. Only one of those people actually installed a spy camera in my shower.

                                                                                                                                                                      • geoah 11 days ago

                                                                                                                                                                        Yeah, it seems like it. Chrome and a lot of other apps show an insane amount of these popups on iOS 14 to either actually check your clipboard or just to toggle "paste" buttons.