TikTok makes people shake! Multiple apps peep into clipboard data, risking leakage of encrypted private keys and sensitive information.
Researchers have found that over fifty iOS applications, including TikTok, regularly access data from the iOS clipboard, potentially exposing cryptocurrency wallet private keys without users' knowledge. This security issue has caught Apple's attention, leading the development team to introduce a new feature in the iOS 14 Beta version.
Table of Contents
Apps like TikTok Accessing Clipboard Data
In March this year, security researchers Tommy Mysk and Talal Haj Bakry released areport revealing that over fifty iOS apps, including TikTok, were regularly accessing data from the iOS clipboard. This poses a significant risk for cryptocurrency investors as cryptocurrency wallet private keys are complex and lengthy, often stored on devices and accessed by copying and pasting wallet addresses. These apps being able to access data from the clipboard means that users' private keys may have unknowingly been exposed.
Additionally, due to Apple's various products (including iPhone, iPad, and Mac) having a shared universal clipboard feature, devices under the same Apple ID within close proximity (approximately 10 feet) can read clipboard data from one another to facilitate pasting content between devices.
Despite TikTok's promise during an interview with the UK media outlet Telegraph in March to immediately cease this practice for user privacy, researchers found that the app never stopped accessing clipboard data.
According to tweets by the researchers, the app continues to read clipboard data every time a user writes a comment, potentially happening as frequently as every second, surpassing the frequency observed in the March study.
https://twitter.com/jeremyburge/status/1275896482433040386
iOS 14 Introduces New Feature
This security issue has caught the attention of Apple, and the development team has added a new feature in the iOS 14 Beta version that sends banner warnings when apps access clipboard content. A test video has been leaked on YouTube, garnering over 87,000 views since its release, revealing many familiar apps unknowingly accessing clipboard data.
In fact, most apps do not have malicious intent, and accessing clipboard data can indeed enhance user experience in certain situations. There have been no reports of cryptocurrency theft due to this issue. However, the presence of this feature raises concerns about data security within iOS.
Researcher Tommy Mysk believes that the notification feature released in iOS 14 Beta is a good start, but suggests that there should be a standardized access permission for clipboard access, similar to the access notifications when apps request microphone or camera access. Additionally, Apple should require app developers to disclose the purpose of accessing this clipboard data.