In March, researchers discovered a troubling privacy grab by more than four dozen iOS apps, including TikTok, the social media and video-sharing phenomenon that has taken the Internet by storm. Despite TikTok’s assurances that it will put an end to the practice, it continues to access some of the most sensitive data that Apple users have stored on their devices. This data can include passwords, cryptocurrency wallet addresses, account-reset links, and personal messages. Another 32 applications that were discovered in March continue to operate.
The invasion of privacy occurs as a direct result of the apps’ repeated reading of any text that happens to be stored in clipboards. Clipboards are used by computers and other devices to store information that has been cut or copied from applications such as password managers and email programs. According to the findings of researchers Talal Haj Bakry and Tommy Mysk, the applications deliberately called an iOS programming interface that retrieves text from users’ clipboards, even though there was no obvious reason for the apps to do so.
In many instances, the covert reading is not restricted to data stored on the device that is currently in use. Apple devices that use the same Apple ID and are within approximately 10 feet of each other share a universal clipboard, which allows content to be copied from an app on one device and pasted into an app running on a different device.
This leaves open the possibility that a piece of sensitive information could be read from the clipboards of other connected devices by an application running on an iPhone. This may include email messages, bitcoin addresses, or passwords that are temporarily stored on the clipboard of a nearby Mac or iPad. The iOS applications, despite the fact that they are running on a separate device, are easily able to read the sensitive data that is stored on the other machines.
Mysk, asked about the apps’ indiscriminate reading of clipboard data, said in an interview on Friday: “It’s very, very dangerous. There is no justification for this practice, as these applications are reading clipboards. An application that lacks a text input field has no reason to read text that has been copied from the clipboard.”