Great to see another layer of transparency in iOS 14.
But I wonder why everyone is talking about one specific app?
I see a huge bias towards TikTok in headlines
"iOS 14 caught TikTok and other apps spying on the clipboard" 
"iOS 14 beta shows apps like TikTok still spy on your iPhone" 
There are a bunch of apps like VICE, Google News, WSJ that have been caught doing exactly the same.
I may have found the explanation for why TikTok did that. In China, WeChat blocks direct links to its competitors, so apps like Taobao or Douyin have to find a workaround for deep links.
When you want to share the video from Douyin with a friend in WeChat, Douyin generates the following message.
In WeChat the link is not clickable. To see the content, the user has to copy the full text and go to Douyin. The app will read the clipboard and perform the transition to the video. At the link below you can find the video explanation.
Probably they re-used some code in TikTok. Definitely they need to be more careful about data safety, but I don't think they really built a pipeline for spying using the clipboard.
There is a lot of buzz around TikTok these days, but I want to get an answer from other apps as well.
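The share-token round trip described in the comment above (share text lands in WeChat as non-clickable text, the recipient copies it, the receiving app reads the pasteboard once on launch and jumps to the video), as an added Python example. This is not code from the original comment or from Douyin/TikTok: the share-message format, the `#...#` token shape, the `douyin://` URL scheme and the `Pasteboard` stand-in are all assumptions. It also contrasts the launch-only read with the read-on-every-few-keystrokes pattern that the iOS 14 banner made visible, by counting pasteboard reads.

```python
import re
from dataclasses import dataclass

# Hypothetical share-message format (the real Douyin text is not on the page):
# a short alphanumeric code bracketed by hash signs somewhere in the blurb.
# The pattern is deliberately strict so that passwords, addresses or notes that
# happen to be on the clipboard never match.
SHARE_TOKEN_RE = re.compile(r"#([A-Za-z0-9]{8,16})#")


@dataclass
class Pasteboard:
    """Stand-in for UIPasteboard.general; counts reads so the access pattern is visible."""
    text: str = ""
    reads: int = 0

    def read(self) -> str:
        self.reads += 1
        return self.text


def extract_share_token(text: str):
    """Return the share code if `text` is a well-formed share message, else None."""
    match = SHARE_TOKEN_RE.search(text or "")
    return match.group(1) if match else None


def deep_link_for(token: str) -> str:
    # Hypothetical custom URL scheme; the real scheme is an assumption.
    return f"douyin://video/{token}"


def handle_launch(pb: Pasteboard):
    """Launch-only policy: read the pasteboard exactly once when the app comes to
    the foreground, act only on a valid share token, otherwise do nothing."""
    token = extract_share_token(pb.read())
    return deep_link_for(token) if token else None


def handle_keystrokes(pb: Pasteboard, n_keystrokes: int, every: int = 3) -> int:
    """The pattern the iOS 14 banner exposed: re-reading the pasteboard every
    few keystrokes. Returns the total number of reads performed."""
    for k in range(1, n_keystrokes + 1):
        if k % every == 0:
            pb.read()
    return pb.reads


if __name__ == "__main__":
    # Constructed sample clipboard contents.
    share = Pasteboard(text="Check out this clip! #Ab12Cd34ef# open Douyin to watch")
    secret = Pasteboard(text="hunter2-my-bank-password")
    print(handle_launch(share), share.reads)    # douyin://video/Ab12Cd34ef 1
    print(handle_launch(secret), secret.reads)  # None 1
    print(handle_keystrokes(Pasteboard(text="x"), 30))  # 10
```

The launch-only path touches the pasteboard once per foreground and ignores anything that is not a share token; the keystroke path shows why a read counter (or the iOS 14 banner) is the right thing to watch, since the same `read()` call looks identical from the app's side whether it runs once or ten times.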
> But I wonder why everyone is talking about one specific app?
In this particular case, I think it's because the person who apparently discovered it claims that other apps "don't collect anywhere near the same amount of data that TikTok does". 
> For what it's worth I've reversed the Instagram, Facebook, Reddit, and Twitter apps. They don't collect anywhere near the same amount of data that TikTok does, and they sure as hell aren't outright trying to hide exactly whats being sent like TikTok is. It's like comparing a cup of water to the ocean - they just don't compare.
I went through this post earlier. Unfortunately the video has been removed for some reason.
> I'm getting a lot of DM's asking me to prove the majority of this with a paper and snippets of the offending code. I have a decent amount of my notes on my other laptop that recently had a motherboard failure and the majority of that data is on the laptop's SSD. It's a macbook pro, so recovering the data isn't exactly super simple. I have some frida scripts that I pushed to my git server as well as some markdown files + conversation logs I've had with exploit devs, but not much else. In order to get everyone the proof they require, I'll likely need to reverse the app all over again which isn't something I have time for right now.
That sounds like "the dog ate my homework", but well, sh*t may happen.
> Phone hardware (cpu type, number of course, hardware ids, screen dimensions, dpi, memory usage, disk space, etc)
What's so special about it?
> Other apps you have installed (I've even seen some I've deleted show up in their analytics payload - maybe using as cached value?)
That's interesting indeed. I heard some developers did that as well (the Uber-Lyft case?) but it's really strange that Android enables that.
I'm not an Android dev, but I guess you can retrieve that through PackageManager?
> Everything network-related (ip, local ip, router mac, your mac, wifi access point name)
I don't use or like tiktok, but that post also came across as super fishy to me. Lots of it boiled down to "I'm a software engineer, trust me" with a good amount of FUD thrown in (going on about GPS data when the app doesn't even request the Location permission? complaining the app can see your screen resolution?). I'm sure the truth is somewhere in between but tiktok is the beating-horse of the day so you'll see all sorts of cool stuff like mainstream media using an anonymous reddit post as a source.
Yeah, this was my exact problem with that comment. They ended it by saying apps like Facebook/Gmail/etc don't collect nearly the same amount of data, but I'm very hard pressed to believe that. I'll believe it when they show a side-by-side comparison of what portions of each category they listed TikTok is accessing/Facebook is accessing, with the accompanying bytecode they claim to have decoded.
Just because other apps do that is no excuse for bad behaviour. Almost all apps get flak for bad behaviour. TikTok is the newest popular thing on the block and it is expected to be widely covered.
Honestly it is okay to discuss the bad behaviours of an app without blaming other apps.
Being "caught" reading the clipboard is not an indictment that you are doing something wrong. It's very good that it is no longer occurring invisibly in the background, but so far what we have seen appears to be frivolous usage rather than malicious.
I think it's probably because they were already in a series of such mess-ups so someone decided to check it with Tik Tok and that went viral. Also, it's a social media app that a lot of people use, so using that as part of the headlines for Media gains eyeballs.
> But I wonder why everyone is talking about one specific app? I see a huge bias towards TikTok in headlines
1) TikTok is one of the most popular apps and was the second most downloaded last year. Come on, they are at the top. That's why we talk about them.
2) TikTok has been caught in a lot of privacy scandals that appear to be more egregious than other apps.
3) There's a deep seated fear, and evidence, that Chinese companies share their data with their government.
It is all three, but mostly #1.
These are the same event, why are you posting two instances of the same event like "TikTok is unfairly being targeted?"
> There are a bunch of apps like VICE, Google News, WSJ that have been caught doing exactly the same.
People are upset about that too. But frankly, VICE and the WSJ don't have as many downloads as TikTok. Even if you combine their total downloads they don't account for a tenth (<1/10th!!!!) of TikTok's downloads. Frankly I don't understand the logic here. Ignore the top dog just because others are doing the same thing? Just because others do it doesn't make it right and of course we should go after the one that's the biggest.
If you're bigger, people pay more attention to you. That's why TikTok is getting "singled out." BECAUSE TIKTOK IS ONE OF THE MOST POPULAR APPS IN THE WORLD! It doesn't matter what other apps do. That doesn't justify bad behavior. Am I the only one whose mom said "If all your friends jumped off a cliff, would you?"
They do it to get around very anti-competitive behaviour. WeChat pretty much has a monopoly on chat in China, so if you want to get into that market I guess you have to come up with some way around it. Though I agree that a button that would activate it would likely have been a better way to do it. Even if they did not do anything nefarious, this really makes it look like it was.
Spying on users is a dishonorable way to get around another corporation's anti-competitive behavior. Because it was not the only extremely obvious viable option (I mentioned a clearly honest obvious alternative), we have to conclude that they desire to act dishonorably.
> Chinese users have been complaining that WeChat’s practice of blocking certain apps is a huge blow to user experience. But WeChat isn’t the only one doing it. Chinese tech companies constantly add services to their own ecosystems and block services from other companies, leading some tech watchers to say that China’s mobile internet has been split into pieces.
The security implications of allowing communications on a platform that is subject to the absolute control of a foreign government seem like a very, very bad idea. That can be a lesson learned the easy way or the hard way.
I honestly think we give Chinese apps too much equal footing. In about 5-8 years, when China has an insane surveillance network around the world (they already have), this comment is going to sound like the most sensible thing to do - blanket ban any application developed and served by the CCP or similar government.
People teeter-totter about righteousness and freedom of choice, but IMO we need to stop feeding the CCP with more power/$$$/influence ... NOW ... Freedom of choice is great when there is fairness and democratic values built in, when the government isn't on some Han-supremacy drug and expansionist motives.
Someone will inevitably respond with whataboutism and smear American companies into the mix as if they're expressing their understanding of hypocrisy and one-sidedness. It is supposed to be one-sided. The west offered a two-way street which China declined to walk on. So, now all bets are off. Equivalency with the western apps/services/goods is no longer a valid counter argument.
On fair, just, and rational grounds - I am a progressive. In unfair, unjust and irrational waters - I am a conservative.
The CCP has already shown they’re willing to abuse TikTok to stir unrest in the USA, you aren’t even making a theoretical argument. I’m a lot more worried about China than Russia, when it comes to bad behavior by state actors.
This is why I'm always confused by privacy arguments. When someone says that they want privacy the responses go like:
reference Goebbels: "I have nothing to hide, so I'm not worried"
Downplay: "They only read my emails and everything I write to sell me stuff better. Sometimes I need stuff. They're helping me!" As if it can only be used to sell and nothing else.
World revolves around self: "Well ads don't affect me." Like it doesn't matter that everyone else is affected even if you aren't.
Completely ignoring the fact that if someone can manipulate you to buy stuff they might be able to use it to manipulate you to do other things. I mean we have political ads. And Coke ads aren't there to sell you Coke (they are there to make you feel better about your purchase). Frankly, to me it doesn't even matter if no one has done that yet (I'm aware of the clear evidence that people have) but that we're giving people the ability to do this en masse and in very precise ways. That just leads to a potential turn in democracy. "Just educating people" doesn't solve the problem either. Ads are still effective on smart people. So the question is "are the benefits ~~profits~~ worth the cost?" It is reasonable to think "yes", but I'm a resounding "no."
Yes, we use political ads to "manipulate democracy" and the like, but a mass statewide commercial is a very different thing than an individualized ad targeted to a specific person. At least to me these are very different (and we still have regulations on what you can say in political ads). Where do we draw the line? We talk about data a lot here and what we can model with it. What will ads look like in 20-50 years if we don't draw a line in privacy and technology continues to become more powerful? I think individualized ads will look very different. We do need to determine what level of individualization we can target with an ad, and I don't see much of that happening.
Excellent comment, you changed my thinking on the issue. I feel like liberal, educated democracies are focused on the wrong problems. It’s only going to get harder to change course the longer we keep sailing in this direction of a laissez faire, anything-goes approach to software.
Apple’s infamous walled garden solves this problem to some extent, but introduces others because it lacks due process, leading to corruption where money can solve any problem, and so apps like Tiktok get to abuse their trust with impunity.
As I see it, democracy is unstable. I like living in a democratic system (yes, a democratically elected republic is still a democratic system). But we have to recognize that it is unstable and democracies work under the pretense that the keys to power are distributed and frequently moving hands (by elective processes). So the danger to democracy is the collection of keys, or the consolidation of power. Power consolidation DOES have benefits after all. I mean a benevolent dictator is probably the best form of government, the issue is that if the next dictator isn't benevolent (or how long until that). The same is with democracy. We keep power distributed so that when a malevolent (or even just non-benevolent) ruler comes into power they aren't able to do much. Essentially as long as we don't let corruption fill the majority of roles with power, we're fine. They have to spend a lot of time and resources consolidating that power.
Essentially this is what "turnkey tyranny" is: the point at which power is consolidated to such a degree that a malevolent ruler would have the power of a tyrant.
So it has never been about having something to hide or that people aren't using a power malevolently. It is the potential for abuse and that given enough time a power is likely to be abused. Distribution makes it more difficult (but does not eliminate) to abuse power.
With HN's love for federated systems, which essentially operate under similar principles, I'm surprised this is not a more popular concept. The only difference is that we're talking about government officials instead of Moxie.
All governments are unstable. The best we can hope for is they do the most good for the longest amount of time. The better a government does, the more its population tends to assume that it’s impossible for their government to fail, and they don’t guard against it, instead choosing convenience (and properly federated government is the opposite of convenient).
I don't have any memory of "CCP abuses TikTok to stir unrest in USA" being reported. Is there really such evidence?
If there is evidence, then please just ban the goddamn app from any mobile smart phone platform. It's too dangerous to open the lid of such a mass brain-washing machine. Even in the Arab Spring, it was just passively allowing the information to propagate organically. No one with sane judgement should allow these apps to be used as manipulation tools by any minority group...
When two parties negotiate they generally try to negotiate in their personal interest. Given how many Western companies flocked to China the access was apparently still worth it.
It's not like this is uncommon either. The US themselves did this under Hamilton's American System and Japan did it in the late 19th century when they maximized goods and technology coming in while trying to keep as much foreign influence out. It's a reasonable strategy and particularly understandable with a historical view of East-Asia, which doesn't have the best experience with opening up to Western companies.
I never really understood where the problem is because China didn't kidnap Apple's CEO and force them to build factories in China. If Americans think whatever China offers is not worth it they're free not to participate.
“Equal” footing? China doesn’t allow anyone to use my app, instead I was required to have a conference call with Tencent where they insisted I give them all of my code so they can release their own version in China which they super cereal pinky promise they’ll give me all the revenue from. I declined and they made an incredibly shitty clone of my app instead which I was never allowed to compete with. Fuck chinks.
Well, I'm more concerned about my platform being subject to the control of my own government. Because I don't care very much about foreign governments, given I happen to be a western citizen that has nothing to do with those countries. But what about ours, do you think our government is better than theirs? For how long?
> do you think our government is better than theirs? For how long?
America has problems, but your order-of-magnitude calibration is way off if you think a concentration-camp operating (i.e. the real kind with over a million people who committed no crime and are held just for their beliefs and culture) expansionist (Hong Kong, Tibet, Taiwan) totalitarian (speech is monitored and punished in a "go to prison, right away" manner rather than "twitter deleted my racist shit and nothing else happened to me" way) government. So yes, occasionally ineffective democracies that value human rights and freedoms (i.e. the west) is better than the CCP government, and will continue to be better now and into the foreseeable future.
Yes, you're right. My mistake was talking about better/worse governments, while we don't have to choose at all. I should rephrase it as: is our government good? I'm sure nobody can say it is, whichever government it may be. So that's why I find it uncomfortable to hand all my data over to the ruling party in my country, while I don't care what a random CCP functionary can learn about the cafeterias I frequently go to.
do you think our government is better than theirs?
Can't answer specifically without knowing who "ours" and "theirs" are, but I can answer generically. Governments that hold elections where more than one genuinely competing party can win if enough voters want to vote for them are better than governments that declare themselves the rulers.
Governments that defend the rights of people to express genuinely competing opinions, regardless of who agrees or disagrees, are better than governments that use or enable coercion to silence opinions they don't want people to hear.
Governments that use pervasive surveillance to monitor and punish people for thought crimes, where having or expressing forbidden opinions is treated as an actual "crime", are worse than governments that don't.
There is clearly a spectrum, and though my Chinese relatives keep pointing out how many US institutions are coming to resemble the Marxist institutions and people resemble the Red Guards they remember, the actual government of China is still far worse. "Since we, the CCP, are the People's Gov't, there is no further need for elections, and anyone who disagrees is an Enemy of The People, needs to be discovered, and deserves to be punished for that crime."
I don't want to put words in your mouth but if you are implying that the US influence over Google, MS, and Apple is comparable to China's influence over TikTok and other Chinese companies then that is an utterly false equivalence. I don't have links but it is well established the role and influence CCP has in Chinese companies and US companies have gone to great legal lengths to restrict the US Government's involvement in certain areas like the fight over encryption.
The issue is (as far as I know) the CCP has unfettered access to Chinese apps. On the other hand, the US government has to ask. While Google, MS, Apple, etc have all said "yes" plenty of times, they also have said "no" and are doing so more frequently as public opinion is changing on privacy. Literally the ability to say no is a big difference.
If I am wrong about the unfettered access, let me know.
Most of the anti-TikTok comments that have emerged recently are beyond hysterical. We are arguing about China using this app as a primary nexus of intelligence gathering, in a world where they already have the US government’s entire OPM database?
A lot of apps are doing the stupid clipboard detection thing. As others have commented, there’s reasons for this that range from spam detection to link shortening. It’s lousy, I agree, but this has been a very common thing in a pre-iOS 14 world.
>In June 2015, the United States Office of Personnel Management (OPM) announced that it had been the target of a data breach targeting the records of as many as four million people
I'm pretty sure that tiktok has more than 4M users. I guess you can argue that OPM has more % of "high value" users compared to tiktok, but it's also 5 years out of date and contains different sets of data entirely. OPM data doesn't have your minute-by-minute location history and clipboard history, for instance.
The OPM database was a force multiplier, not a direct source of valuable data.
What it allows the Chinese government to do is filter any other source of data (such as TikTok) and exclude anyone in the US who doesn't have a security clearance. You then have vastly less raw intelligence to sift and try to find the accidental video someone posted with a whiteboard full of secrets in the background.
When I was younger I would laugh at those ridiculous "forwards from grandma" about, like, secret Satanic messages embedded in Super Mario. Every kid knew these were nonsense; we just assumed it was a consequence of that generation growing up without technology.
I was wrong. Every generation is equally prone to hysteria. We learn nothing.
> Already forced the family to uninstall it and its gone forever.
Honestly you’d be better off educating them and telling them it’s a good idea than forcing them to jettison an app they probably love. Tons of apps do this (as discovered in iOS 14) and I highly suggest not doing a crusade against one when a lot more do it. See: https://youtu.be/pRSWdtoUAjo
Fair enough, we don't have any of the known spyware - TikTok was the only one. I was already questioning the value of TikTok before it became well known that it's spyware. I won't tell you about the week of crying because someone was calling my 8 year old a 'VSCO girl' after seeing something on TikTok about it. It really looks like toxic garbage to me.
In my experience it is a lot easier to tell your friends that you don't have any social media, rather than saying that you don't have a specific social media app/account/thing. Why? It's harder to understand why someone wouldn't install TikTok when they already have Snapchat/Instagram/everything else.
(I'm a high school student, abstaining from social media other than HN.)
Edit: Have you tried explaining to your daughter why TikTok is Chinese spyware?
TikTok is a virally popular video app used globally by a generation of adolescents that have normalized the behavior of recording inane happenings in their life multiple times a day, with an undeveloped sense of propriety and limited ability to fully comprehend the significance of their actions.
Not that I have much of an opinion on TikTok's usage as an intelligence gathering source, I certainly appreciate its potential as one.
My daughters are constantly taking videos all over the place, with little regard to what is in the video beyond themselves. Even though they've been hounded on what is and isn't appropriate to capture in a video, I'm sure they have an under-developed sense of security/concern in that regard, particularly for "private" or deleted videos.
Access to the full corpus of video data uploaded to Tiktok would be a gold mine, least of which would actually be my adolescent daughters. Unrelated conversations picked up in the background, where/when they took the video, compromising/confidential artifacts exposed incidentally in the background, facial recognition on individuals in the video (whether the subject of the video or otherwise), etc. There are an immeasurable number of ways such a rich data source could be mined for signal intelligence.
Note that TikTok is far from the only app that fits this definition. There are plenty of other platforms that create a similarly useful corpus of video data. But anecdotally from my kids and their friends, TikTok is the flavor of the moment. Especially so for those young enough for the above concerns (or lack thereof) to be most valid.
The intelligence apparatus of a nation-state is far more encompassing than just spies.
And no one has to actually watch any videos for the above-mentioned use cases. It's an engineering assignment for data science and tech teams, not spies.
As well, there's a very hazy line between government and industry interests in China, greatly expanding the potential use cases of sigint derived from such incidental data leakage beyond just what would be useful for kompromat, bribery, and threat purposes.
TikTok app permissions include personal information and device control
Access the camera (and take pictures/video), the microphone (and record sound), the device’s WIFI connection, and the full contact list on the device
Determine if the internet is available and access it
Keep the device turned on and automatically start itself when the device restarts
Secure detailed information on the user’s location using GPS and other apps that are running
Read and write to the device’s storage, install/remove shortcuts, access the flashlight (turn it off and on), request additional installation packages
Our researchers found that TikTok has full access to the audio, video, and address book on the device, which isn’t surprising given that TikTok is an audio-visual app by design.
TikTok does not need to be collecting contact and location data from my kids or any of our devices. This vacuuming up of information at scale reveals the relationships between people and a lot more. And that is my main problem. TikTok is way more than just a video app, it's spyware.
Seems feasible it was a spam check. All my sensitive data is over in a separate work apps launcher anyway.
Personally, I find lots of useful content on TikTok. There's a divorce lawyer I've actually called in person. There's a nurse who gives coronavirus tips. There's a Chinese teacher. There's an idol who did a funny hand wash dance without showing a lot of skin and who does funny things with her cats. There's a fitness guy who always has a new way to do push ups or whatever. There's a chiro with back pain tips, etc.. One coworker does dances with her daughter - so maybe it helps parent-child bonding.
iOS 14 has a new workflow that lets the user give an app access to a photo or selected photos without the app getting access to any of their other photos. Big privacy improvement on that front at least. I don't know about mic access.
Google Maps has a clear use case for accessing the clipboard. If TikTok only accessed the clipboard on launch to check for a TikTok URL, that might be one thing, but there's no clear reason TikTok would need access to the clipboard literally every 3 keystrokes.
> Google maps detects copied addresses and lets you route to them in one click.
Routing to copied addresses is not a clear use case for letting something spy on everything the user copies, because we already have an invocation for handing clipboard contents to software exactly when the user desires it. It's called the "paste" command.
At some point engineers need to stop doing things just because they can.
It’s fine if an app has a valid use case to access clipboard. I have found it really convenient myself. I think the crux of the issue is that the apps should be forced to get permission from the user first, on a per-app basis.
I copy my password from my password manager and paste it into a different app. I can copy notes from OneNote and paste it into my email and there are many other use cases i can think of. With iOS 14 Apple is letting the user know that some app is accessing your clipboard.
It's not super hard to imagine a parallel universe where any software can copy to the clipboard but only the OS, upon user request, can paste back out of it. And yet here we are wallowing in filth. Why, because people have never heard of a callback before?
Let the application include a "paste" handler function, and then all clipboard exfiltration must be initiated by the user at the OS UI layer. Simple. Safe.
Except that letting apps randomly pull from the clipboard, where you might have copied passwords, bank account numbers, or any other sensitive information, is such an obviously unsafe idea that the person who suggested it should have been immediately sent to special privacy consciousness training.
For what? To save one "send to app" or "paste"?
At least reserve that functionality exclusively for the operating system on the grounds of "TRUST YOU? HAHAHAHAHA".
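The design sketched in the comment above (any app may write to the clipboard, but the only way contents leave it is the OS calling the app's registered paste handler on an explicit user gesture), as an added example. This is a toy Python model written for this page, not iOS or any real platform's code; the class names, the audit log and the `user_paste` entry point are all assumptions. Reads are not an operation an app can perform, so a polling app has nothing to call, and every transfer out of the clipboard leaves a record of the kind the iOS 14 banner surfaces.

```python
from typing import Callable, Dict, List

PasteHandler = Callable[[str], None]


class OSPasteboard:
    """OS-owned clipboard. Apps can copy into it and register a paste handler;
    there is deliberately no read() for an app to call."""

    def __init__(self) -> None:
        self.__text = ""
        self.__handlers: Dict[str, PasteHandler] = {}
        self.audit: List[str] = []  # every transfer out of the clipboard is logged here

    def copy(self, app_id: str, text: str) -> None:
        """Any app may write; writing reveals nothing about previous contents."""
        self.__text = text

    def register_paste_handler(self, app_id: str, handler: PasteHandler) -> None:
        self.__handlers[app_id] = handler

    def user_paste(self, app_id: str) -> bool:
        """Sole exit path. Invoked by the OS UI layer on an explicit user gesture
        (a Paste menu item); returns False if the app registered no handler."""
        handler = self.__handlers.get(app_id)
        if handler is None:
            return False
        self.audit.append(f"user pasted {len(self.__text)} chars into {app_id}")
        handler(self.__text)
        return True


class App:
    """An app only ever sees clipboard text through the callback it registered."""

    def __init__(self, app_id: str, pb: OSPasteboard) -> None:
        self.app_id = app_id
        self.received: List[str] = []
        pb.register_paste_handler(app_id, self.received.append)


def app_can_read_directly(pb: OSPasteboard) -> bool:
    """What a polling app would look for: a read-style method on the pasteboard."""
    return any(hasattr(pb, name) for name in ("read", "string", "text"))


def scenario():
    """Constructed sample session: a password manager copies a secret, the user
    pastes it into a mail app once, and a third app that only registered a
    handler never sees it. Returns what each app received plus the audit log."""
    pb = OSPasteboard()
    mail = App("mail", pb)
    video = App("video", pb)
    pb.copy("passwordmanager", "correct horse battery staple")
    pb.user_paste("mail")
    unregistered = pb.user_paste("browser")  # no handler registered -> False
    return {
        "mail": list(mail.received),
        "video": list(video.received),
        "browser_paste_ok": unregistered,
        "audit": list(pb.audit),
        "direct_read_possible": app_can_read_directly(pb),
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(key, value)
```

The point of the model is where the call originates: `user_paste` is something the OS calls on behalf of the user, not something an app can invoke on its own, so the clipboard never has to trust the app. Name mangling (`__text`) is only a hint here; a real implementation would put the pasteboard in a separate process or privilege domain rather than rely on the language.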
I'm starting to think these devices need to provide examples when throwing up the permissions prompt. Worst case examples of what this permission can enable so that app developers might at least try to limit their requests.
That pattern is mainly used to open an app to a specific activity, e.g. opening Google search to a particular search phrase, or opening the dialer to a particular phone number. I can't see it working for when you're writing an email and want to include a link/quote/image.
But that's exactly what I just did. Highlighted some text in a news article and Share'd to my email client, it dropped the text in, quoted, to the body of an email with the link to the article under it.
I would really, really miss the clipboard on my phone were it not there. I use it daily.
Also, I couldn't imagine having to use the 'share' functionality just to copy/paste. It's already such a frustrating experience just finding the app I want to share with, that I usually just end up selecting the 'copy link' option, opening the target app, and pasting it.
I used to see lots of people question the merits of copy/paste when iOS didn't have it, because iOS didn't have it. When iOS finally got it, I thought the matter settled. The people who previously dismissed the feature now considered it the best Apple innovation since sliced bread (or perhaps the multi-buttoned computer mouse.)
Do you never copy/paste text within the same document? How do you rearrange sentences, paragraphs, etc? Highlight-and-drag is cumbersome in long documents and is really an implementation of cut/paste, not copy/paste.
TikTok also is violating COPPA. Any underage child that signs up with a Google Account, you can clearly see from the Google account settings that they are collecting email addresses and other personal information. I believe Google and other app store providers should just remove them.
Because Tik Tok takes data collection to a whole new level. It uses this, and every other trick in the book. And that matters because it's not clear that this data will be constrained to the activities of sending me extremely targeted advertising. Now we can have a reasonable debate about that, but this has a new level of concern.
As a Chinese app, how do I know the Chinese government will not use me as an unknowing participant in a future cyberwar? One thing TikTok does is collect a pretty exhaustive list of apps installed on my phone. That could be used for identifying vulnerabilities they could potentially exploit.
TikTok reading it every couple seconds is definitely excessive. And frankly our tools fail us by not at least revealing that it's taking place -- new clipboard notification aside, as shown in TFA. How do I know how common vs weird this behavior actually is?
I'd only refine your post to say that it's common for apps to read the clipboard without you pasting. Right click Chrome's omnibar and it will show "Paste and go to <clipboard contents>", my bittorrent client and RSS clients prepopulate the new torrent/feed form if I have a URL in my clipboard.
Is the tiny convenience worth the ability to snoop? I don't think so. Or rather, I would like to decide that for myself.
It is the OS that should transfer the contents of the clipboard to an app, when the user tells it to do so, and not the other way around. The content of my clipboard shouldn't be any app's business until I decide to paste.
My beef is with the person who installs a spy camera in my shower, not with the person who didn't expect someone to install a spy camera in my shower. Only one of those people actually installed a spy camera in my shower.