Read on Twitter
iOS 14 beta has a banner to confirm when you paste from another device (eg copy on a Mac and paste on iPhone)
Seems to be bugging out and showing with every keystroke in TikTok
Seems to be bugging out and showing with every keystroke in TikTok
(it's a beta, so I'm not complaining, just...observing in public)
The alternative possibility is TikTok stealing what is on my clipboard every single time I type a keystroke.
I don't have a way to know for sure. Thought it worth putting out there.
I don't have a way to know for sure. Thought it worth putting out there.
Okay so TikTok is grabbing the contents of my clipboard every 1-3 keystrokes. iOS 14 is snitching on it with the new paste notification
To reproduce:
1. Have something on your clipboard. Eg copy some text from Notes or a website
2. Open TikTok and start typing in any text field
3. You learn from iOS 14 beta each time an app “pastes” - but in this instance I didn’t request it, and none of that text appears in UI
1. Have something on your clipboard. Eg copy some text from Notes or a website
2. Open TikTok and start typing in any text field
3. You learn from iOS 14 beta each time an app “pastes” - but in this instance I didn’t request it, and none of that text appears in UI
I’m no expert on this so others will have to weigh in on how to tell if TikTok is reading/using the clipboard without consent or “inspecting” it.
I would wonder what why it needs to inspect the clipboard at all, but even moresso to do it every keystroke https://twitter.com/ecormany/status/1275903947899797505?s=21 https://twitter.com/ecormany/status/1275903947899797505
I would wonder what why it needs to inspect the clipboard at all, but even moresso to do it every keystroke https://twitter.com/ecormany/status/1275903947899797505?s=21 https://twitter.com/ecormany/status/1275903947899797505
More context about other apps. Interested whether any do it every keystroke, or just on certain actions like this https://twitter.com/nathanblawrence/status/1275834753082671104?s=21 https://twitter.com/nathanblawrence/status/1275834753082671104
A few notes on TikTok and clipboard access, because I've yet to see this compiled in one place:
Based on reports from developers, it appears that a number of apps on iOS (and presumably Android?) check the clipboard contents from time to time.
Until iOS 14 this happened silently, but now we have an alert. Which is great.
Until iOS 14 this happened silently, but now we have an alert. Which is great.
Some apps check for URLs or other content on the clipboard as a feature (eg Apollo for Reddit) to check if it can use the clipboard contents and offer functionality to the user. Other apps don't make the purpose clear (eg Microsoft Teams).
The sticking point seems to be that clipboard access triggers an alert on iOS 14 that the app pasted your clipboard contents.
Best it works like this as we (the users) have no way to know what happens next.
Best it works like this as we (the users) have no way to know what happens next.
We (the users) cannot tell which apps access the clipboard to 'inspect' it to offer features, or which apps access the clipboard to potentially paste + send the contents to a remote server
If there is a way to detect what an app does with its clipboard access, I'd love to know
If there is a way to detect what an app does with its clipboard access, I'd love to know
In the case of TikTok, why it needs to check the clipboard (and trigger the alert it is being 'pasted') after every 1-3 keystrokes is odd. It CAN be explained as a potential bad implementation of a framework. Or something more nefarious.
No way to know, that I can see?
No way to know, that I can see?
As an aside: any app can already steal what you type into it, even if you don't hit send.
Websites can do it too.
It's sneaky and I don't like it, but they can do it (not necessarily legally re: GDPR, but that's another issue)
Always assume an app can use what you type into it
Websites can do it too.
It's sneaky and I don't like it, but they can do it (not necessarily legally re: GDPR, but that's another issue)
Always assume an app can use what you type into it
The difficulty here is no way to ban an app from having clipboard access. That would be a welcome feature.
Or to sandbox the clipboards use per-app, unless permission granted for a single-use external-app paste. Or for access for an hour, day, week, or permanently.
Or to sandbox the clipboards use per-app, unless permission granted for a single-use external-app paste. Or for access for an hour, day, week, or permanently.
As far as I'm aware, all apps can access the clipboard on macOS, Windows, Android, and iOS without permission.
It's been a common feature. The main change now is iOS reporting when an app accesses it (usually after a user presses paste, but not always) https://twitter.com/liamdforsyth/status/1276149554317086721?s=20
It's been a common feature. The main change now is iOS reporting when an app accesses it (usually after a user presses paste, but not always) https://twitter.com/liamdforsyth/status/1276149554317086721?s=20
It's a very clever tweak.
By telling the user when the clipboard is accessed, they can ignore it if it's just after tapping Paste (good, it did what I asked)
But any other time the 'app pasted content from other app' banner shows, users will want to know why
By telling the user when the clipboard is accessed, they can ignore it if it's just after tapping Paste (good, it did what I asked)
But any other time the 'app pasted content from other app' banner shows, users will want to know why
Oh and for all the comments of "see, THIS is EXACTLY why I never installed TikTok" c'mon now
Don't pretend like half of y'all really would be dancing to Renegade on TikTok it if it wasn't for your security concerns
Don't pretend like half of y'all really would be dancing to Renegade on TikTok it if it wasn't for your security concerns
We all want apps to respect user data. But for those just wanting to dunk on the teens and feel superior about it, and there's no need.
We can focus on valid security and privacy concerns without the value judgements around the TikTok demographic.
We can focus on valid security and privacy concerns without the value judgements around the TikTok demographic.
