If you’ve ever copied and pasted sensitive information—passwords, authentication codes, credit card numbers, work documents, you name it—using your iPhone, then TikTok may already have it.
On June 22, Apple introduced its iOS 14 and iPadOS 14 operating systems (due out this fall), which include a new security feature that notifies users whenever an app reads the content stored on their clipboard, in an apparent attempt to address a security loophole discovered in February. Among the apps found to be exploiting the vulnerability: everyone’s favorite repository of dance fads, TikTok.
According to a blog post by software developers Talal Haj Bakry and Tommy Mysk, Apple’s Universal Clipboard—which holds data that’s copied and pasted, and makes it accessible across devices that share the same Apple ID—may be accessed by iPhone and iPad apps “completely transparently and without user consent.” This means that when you copy information on one device, it will also be accessible to your other Apple devices nearby and, by extension, to the iOS and iPadOS apps on those devices exploiting the loophole.
Social networking platforms, mobile phone games, e-commerce sites, and news apps were among the 53 apps found to have access to users’ clipboards. There is currently no evidence that the information is being used for malicious purposes, though the security loophole leaves the possibility “wide open,” Mysk told the Telegraph.
Indeed, some developers, including those of VICE News’ own app, said they were unaware their apps were accessing users’ clipboards until Apple released its iOS 14 beta this month. A developer spearheading VICE’s app said that an initial investigation suggested that the code accessing the clipboard is contained in third-party vendor libraries, and the team is currently working to identify and remove the offending ones.
But whereas apps like VICE’s, and others belonging to the likes of the New York Times and Accuweather, appear to access users’ clipboards once upon opening, TikTok accesses them continuously, and at an astounding rate. An experiment conducted using the beta version of iOS 14 revealed that TikTok reads users’ clipboard information about once every second.
And this isn’t the first time the app has been caught with its hands in the clipboard cookie jar.
In March, after the clipboard issues first came to light, TikTok told the Telegraph that it would disable the function “in the next few weeks.” Zak Doffman, a cybersecurity columnist writing for Forbes, said he was told something similar in April, and that the clipboard access was blamed on outdated third-party ad software.
However, the problem apparently went unfixed for over a month, and when Doffman renewed his concerns after the release of the iOS 14 beta, he wrote, TikTok changed its excuse, saying this time that the clipboard access was intended to “identify repetitive, spammy behaviour.”
Again, the app maker promised to fix the behavior. It remains unclear whether Android users face the same privacy concerns. TikTok’s spokesperson said the anti-spam feature isn’t included in the Android version of the app, though Mysk noted that the Android operating system is more lenient than Apple’s when it comes to clipboard reading.
TikTok, meanwhile, has come under increasing scrutiny from cybersecurity experts and the U.S. government due to its affiliation with China. Its parent company is Beijing-based ByteDance, which is also the creator of Douyin, TikTok’s Chinese counterpart. Several U.S. agencies that handle national security have forbidden employees from using the app over security concerns.
Despite TikTok’s claims of political impartiality and corporate independence, evidence of Chinese influence over its operations has surfaced. A set of internal company guidelines obtained by the Guardian in September 2019 revealed that the app censors issues in alignment with the Chinese government’s policies, and former TikTok employees in the U.S. told the Washington Post that Beijing-based moderators have the final say over the censorship of content.
Concerns aside, TikTok is arguably the hottest app around. Its viral dance challenges and addictive interface have proven irresistible to Zoomers and social media influencers. According to mobile app market intelligence company Sensor Tower, TikTok was the most downloaded app in the first quarter of the year, with 315 million downloads, breaking the record for most downloads for any app in a single quarter.