During WWDC 2020, Apple put a big privacy focus on iOS 14, introducing clipboard notifications. This is a simple alert to let you know when an app has requested access to what’s been copied, ready for pasting. Some apps have been using this in its intended way, others… well… haven’t, and that’s what we’re going to take a look at in this video.

Although the clipboard monitoring occurs on a device with iOS 14 installed, it goes a little deeper than that, especially for users with more than one Apple device.

For those who aren’t aware of or have simply forgotten about Universal Clipboard, it’s a feature of the Apple ecosphere where you copy something on one Apple device and it’s available for pasting on another Apple device. As an example, you can copy some text from your Mac and it will magically be available for pasting on your other iOS device. A really handy feature.

The whole issue with apps being able to spy on your clipboard was reported to Apple way back on January 2, 2020 by security researchers Talal Haj Bakry and Tommy Mysk.

According to an interview with Forbes:
“We submitted this to Apple on January 2, 2020,” the researchers explained in their original blog. “After analyzing the submission, Apple informed us that they don’t see an issue with this vulnerability.”

The interesting point in the original article was the statement “this is only a potential security hole with no claim that it has been exploited in the wild.”

Coming back to WWDC 2020 and the clipboard notifications, the first high-profile app to be caught out with suspicious activity is the new darling of the social media world, TikTok.
With an estimated 104 million iOS installs in the first half of 2018 alone, TikTok seemed to be popping up alerts more often than anyone would be comfortable with.

Twitter got hold of this and, needless to say, things kicked off. TikTok were incredibly fast to issue a statement.

“Following the beta release of iOS14 on June 22, users saw notifications while using a number of popular apps. For TikTok, this was triggered by a feature designed to identify repetitive, spammy behavior. We have already submitted an updated version of the app to the App Store removing the anti-spam feature to eliminate any potential confusion.

TikTok is committed to protecting users’ privacy and being transparent about how our app works. We look forward to welcoming outside experts to our Transparency Center later this year.”

The story with TikTok privacy goes a little deeper than this, but that’s for another video.

As for the stated reason of preventing spammy behaviour, we’ve had chat bots and other server-side stuff to do this for years.

However, TikTok isn’t the only social networking app caught taking a more than regular peek at your clipboard for potentially dubious reasons.

ToTalk — totalk.gofeiyu.com
TikTok — com.SimpleDate.Tok
Truecaller — com.truesoftware.TrueCallerOther
Viber — com.viber
Weibo — com.sina.weibo
Zoosk — com.zoosk.Zoosk

You might think that news apps would be exempt from this behaviour, but nope, as

ABC News — com.abcnews.ABCNews
Al Jazeera English — ajenglishiphone
CBC News — ca.cbc.CBCNews
CBS News — com.H443NM7F8H.CBSNews
CNBC — com.nbcuni.cnbc.cnbcrtipad
Fox News — com.foxnews.foxnews
New York Times — com.nytimes.NYTimes
Reuters — com.thomsonreuters.Reuters
Russia Today — com.rt.RTNewsEnglish
Stern Nachrichten — de.grunerundjahr.sternneu
The Economist — com.economist.lamarr
The Huffington Post — com.huffingtonpost.HuffingtonPost
The Wall Street Journal — com.dowjones.WSJ.ipad
Vice News — com.vice.news.VICE-News

have also triggered alerts. Well, at least there’s no issue with games, right? I mean, they already have adverts and marketing stuff in them… Well…

8 Ball Pool™ — com.miniclip.8ballpoolmult
Bejeweled — com.ea.ios.bejeweledskies
Fruit Ninja — com.halfbrick.FruitNinjaLite
Plants vs. Zombies™ Heroes

The list doesn’t stop there, however. Some other popular ones are:

Accuweather — com.yourcompany.TestWithCustomTabs
AliExpress Shopping App
Dazn — com.dazn.theApp
Hotels.com — com.hotels.HotelsNearMe
Hotel Tonight — com.hoteltonight.prod
Overstock —

And that’s just some of the iOS apps that were reading users’ keystrokes and triggering the notification.

Clipboard reading done the right way

When done properly, and some might argue when not being done by a popular app from a state-controlled country where surveillance is ever prevalent, it’s a handy feature.

If you copy a photo to your clipboard, Pixelmator Photo will only read it if it’s an image, and if it is, Pixelmator will prompt the user to open it for editing.

The best Reddit reader app on the planet, Apollo, will prompt you to open a Reddit link in Apollo when one is detected. Here is the Apollo developer himself, who best explains what’s happening with his app and in general.

“Since iOS doesn’t have a mechanism to open URLs in a specific third party app, Apollo has a feature where if you open the app with a Reddit URL on your clipboard it’ll offer to open that URL in Apollo, I think I copied this from Instapaper awhile ago.

This does cause a potentially creepy looking notification with Apollo sometimes, but just wanted to explain why/what it’s doing. It’s literally just like “Hey iOS, is there a URL on the clipboard? Oh there is, is it a Reddit one? Okay cool let me ask them if they want to open it.”

Obviously at no point does anything else happen like it leaving the device or anything. It’ll show this banner even if there’s not a Reddit URL because it needs to check the URL to see if it’s a Reddit URL in the first place. Schrodinger’s Reddit URL.”

Fair play for the transparency of a smaller dev versus the big corporates who, at the time of this video, have yet to issue any statements.
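
The pattern described above for Pixelmator Photo and Apollo (find out what kind of thing is on the clipboard first, and only read it when it is relevant to the app) looks like this in Swift. This is an added example, not code from either app; `ClipboardChecker`, `ClipboardOffer` and the host list are hypothetical names, and it assumes iOS 14’s `UIPasteboard.detectPatterns(for:completionHandler:)`.

```swift
import UIKit

// Added illustration with hypothetical names; not Apollo's or Pixelmator's code.
enum ClipboardOffer: Equatable {
    case nothing
    case editImage
    case openLink(URL)
}

final class ClipboardChecker {
    private var lastChangeCount = -1
    // Hosts this hypothetical app handles (assumption for the example).
    private let handledHosts: Set<String> = ["reddit.com", "www.reddit.com", "old.reddit.com"]

    /// Call when the app becomes active; the completion runs on the main queue.
    func check(_ pasteboard: UIPasteboard = .general,
               completion: @escaping (ClipboardOffer) -> Void) {
        // changeCount is metadata: skip all work if nothing new was copied.
        guard pasteboard.changeCount != lastChangeCount else { return completion(.nothing) }
        lastChangeCount = pasteboard.changeCount

        // hasImages reports only the type on the pasteboard; the image is not read here.
        if pasteboard.hasImages { return completion(.editImage) }

        // iOS 14: ask the system whether the content looks like a web URL
        // before reading any of it.
        let patterns: Set<UIPasteboard.DetectionPattern> = [.probableWebURL]
        pasteboard.detectPatterns(for: patterns) { result in
            guard case .success(let found) = result, found.contains(.probableWebURL) else {
                return DispatchQueue.main.async { completion(.nothing) }
            }
            DispatchQueue.main.async {
                // The actual read: this is the access iOS 14 surfaces to the user.
                guard let text = pasteboard.string,
                      let url = URL(string: text.trimmingCharacters(in: .whitespacesAndNewlines)),
                      url.scheme == "https",
                      let host = url.host?.lowercased(),
                      self.handledHosts.contains(host) else {
                    return completion(.nothing)
                }
                completion(.openLink(url))  // the value stays in memory and is not sent anywhere
            }
        }
    }
}
```

The host comparison is an exact match against the allow-list, so a lookalike such as `reddit.com.example` is not offered; the clipboard string is still read for any URL-shaped content, which is why a banner can appear even when the link turns out not to be one the app handles.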

The question that remains is: how worried should we be? Are the big apps simply going to add this to their terms and conditions, which we all blindly click accept on? Should we be worried mainly about apps from a country where state surveillance and monitoring are commonplace, or is privacy something that’s long been given up in the age of Facebook and now TikTok?
