Security researchers have found that the TikTok iPhone app is spying on its users by secretly reading the clipboard.
The vulnerability, resulting from the fact that iOS and iPadOS apps have unrestricted access to the system-wide general pasteboard, means that a user's precise location may be made available to an app if they simply copy and paste a photo.
Researchers Talal Haj Bakry and Tommy Mysk of Mysk blog discovered this issue when investigating the beta version of iOS 14, due out in the autumn, which comes with more granular privacy and security settings. The upcoming version of the OS will notify users if an app or widget pastes text from the clipboard.
Earlier this year, the same researchers found that TikTok was copying clipboard data on Android devices, which the developers Bytedance blamed on the use of an outdated Google advertising SDK and promised to change. The fact that the popular Chinese social media app is doing the same on Apple devices casts doubt on that claim.
Indeed, Forbes reports, the company has now changed its tune. The behaviour is "triggered by a feature designed to identify repetitive, spammy behaviour," Bytedance said, adding that it has already submitted a new version to the App Store amending this behaviour.
iOS 14's new security and privacy features will no doubt unearth a great many other apps that were 'accidentally' snooping on their users.
"All apps will now be required to obtain user permission before tracking," the company says, adding that users will gain more control over the precision of location data shared with apps, and gain more transparency over their use of the microphone and camera.
App developers will also be limited in their ability to combine app and website data with third-party lists.
In truth, monitoring the clipboard is likely to be just one of many ways that TikTok is tracking users. In February, Reddit co-founder and CEO Steve Huffman branded the app "fundamentally parasitic", saying it uses "fingerprinting technology" that is "truly terrifying", and labelling TikTok as "spyware".