TikTok may be snooping on Bitcoin addresses, other clipboard data
Last week’s release of Apple’s iOS 14 developer beta for iPhone has made it more obvious than ever that many popular iOS apps are reading your clipboard data even when they have no clear reason to—and they can do so from other nearby Apple devices, too.
The alarm was first sounded back in March, when researchers Tommy Mysk and Talal Haj Bakry reported that social video sensation TikTok and dozens of other apps were regularly reading data from the iOS and iPadOS clipboard, even when the user was not in a text input box. And as Ars Technica pointed out in a recent report, that data could potentially include Bitcoin addresses or other sensitive financial information.
The iOS 14 beta release includes an alert that now tells users when another app is copying data from the clipboard. As a viral video shared to Twitter last week shows, TikTok in particular requests clipboard data every couple of keystrokes, even though the user did not initiate the access and nothing is being pasted into the field.
Apple’s various modern devices, including iPhones, iPads, and Mac computers, also share a Universal Clipboard feature. When devices that share an Apple ID are in close proximity (about 10 feet), each can read the clipboard data from the others, in case you want to paste something from one device to another.
All considered together, it’s a potentially unnerving situation for anyone handling sensitive data on an Apple device, whether it’s passwords, Bitcoin addresses, or other private and valuable information. Even if most of the major identified apps likely aren’t using the function maliciously, the existence of the feature raises doubts about the security of data within iOS.
Mysk and Haj Bakry identified more than 50 major apps this spring that utilized the functionality, ranging from the aforementioned TikTok—which has an estimated 800 million users—to news apps such as The New York Times, CBS News, and Fox News, games including Bejeweled and PUBG Mobile, and other apps including AccuWeather and Hotels.com.
The Telegraph reported in March that TikTok planned to address the issue, but did not. A TikTok representative told Ars Technica last week that the functionality was implemented as an anti-spam measure, and that an updated version of the app without the clipboard callback has already been submitted to the App Store for approval.
Mysk told Ars Technica that only two other apps out of the 50+ major apps identified in March—Hotel Tonight and 10% Happier—changed the functionality thereafter. However, now that the iOS 14 beta has implemented the warning, developers may be more motivated to avoid alarming potentially millions of users once iOS 14 rolls out publicly this fall.