Popular iOS apps like TikTok might be snooping on sensitive user information such as Bitcoin addresses and bank passwords, security publication ArsTechnica reported earlier this week.
Snooping on Bitcoin Addresses
Reports from this week confirm that Apple’s iOS 14 developer beta for iPhone, released last week, alerts users when mobile apps “read” data from the device’s clipboard – and even from the clipboards of nearby devices with an Apple ID.
The security lapse has existed since March this year. Researchers Tommy Mysk and Talal Haj Bakry, at the time, said Chinese social app TikTok and others were “recalling data” from the iOS and iPadOS clipboard.
The clippings include Bitcoin addresses and other sensitive financial information, noted ArsTechnica.
The iOS 14 beta includes a custom alert for the user when another app is “copying” or reading clipboard information – even when the device is at rest. In particular, TikTok is requesting data every couple of keystrokes, as a now-viral tweet shows.
Apple’s various modern devices, including iPhones, iPads, and Mac computers, also share a Universal Clipboard feature. When the devices that share an Apple ID are in close proximity (about 10 feet), they can read the clipboard data from the others, in case you want to paste something from one device to another.
“Even if most of the major identified apps likely aren’t using the function maliciously, the existence of the feature raises doubts about the security of data within iOS.”
50 Other Apps Use Feature
As per the whistleblower researchers, about 50 other major apps use the clipboard-copying feature, ranging from news apps like The New York Times, CBS News, and Fox News, to games including Bejeweled and PUBG Mobile, and other apps including AccuWeather and Hotels.com.
The Telegraph reported in March that TikTok would patch the issue, but as the recent report shows, it did not. A TikTok representative told ArsTechnica the function was an anti-spam measure, and that a future update would eliminate the issue.
But Mysk is not impressed. He states that only two apps – Hotel Tonight and 10% Happier – made updates, while others continue to run the malicious feature.