Apple 'Suddenly Catches TikTok Secretly Spying On Millions Of iPhone Users', Claims Forbes (forbes.com)
In February, Reddit's CEO called TikTok "fundamentally parasitic," according to a report on TechCrunch, adding "it's always listening, the fingerprinting technology they use is truly terrifying, and I could not bring myself to install an app like that on my phone... I actively tell people, 'Don't install that spyware on your phone.'"
TikTok called his remarks "baseless accusations made without a shred of evidence."
But now Apple "has fixed a serious problem in iOS 14, due in the fall, where apps can secretly access the clipboard on users' devices..." reports Forbes cybersecurity contributor Zak Doffman, noting that one of the biggest offenders it revealed still turns out to be TikTok:
Worryingly, one of the apps caught snooping [in March] by security researchers Talal Haj Bakry and Tommy Mysk was China's TikTok. Given other security concerns raised about the app, as well as broader worries given its Chinese origins, this became a headline issue. At the time, TikTok owner Bytedance told me the problem related to the use of an outdated Google advertising SDK that was being replaced.
Well, maybe not. With the release of the new clipboard warning in the beta version of iOS 14, now with developers, TikTok seems to have been caught abusing the clipboard in a quite extraordinary way. So it seems that TikTok didn't stop this invasive practice back in April as promised after all. Worse, the excuse has now changed. According to TikTok, the issue is now "triggered by a feature designed to identify repetitive, spammy behavior," and has told me that it has "already submitted an updated version of the app to the App Store removing the anti-spam feature to eliminate any potential confusion." In other words: We've been caught doing something we shouldn't, we've rushed out a fix...
iOS users can relax, knowing that Apple's latest safeguard will force TikTok to make the change, which in itself shows how critical a fix this has been. For Android users, though, there is no word yet as to whether this is an issue for them as well.
Long-time Slashdot reader schwit1 also shares an online rumor from an anonymous Redditor (with a 7-year-old account) who claims to be a software engineer who's reverse engineered TikTok's software and learned more scary things, concluding that TikTok is a "data collection service that is thinly-veiled as a social network."
So far the most reputable news outlets that have repeated his allegations are Bored Panda, Stuff, Hot Hardware, and Illinois radio station WBNQ.
Spying in iOS? (Score:1)
Re: (Score:3)
Chinese spying in software? EVEN MORE UNPOSSIBLE!
Re: (Score:2)
"data collection service that is thinly-veiled as a social network." Now who would have believed that (Facebook, Twitter, anything Google) ;D. Boy, the Chinese had to play catch up on this one, but isn't there the Chinese social media score system.
Don't need an app? Do not install it, and I mean 'NEED' it. Search on the web to find all the things you need to shut down on your operating system to get some of your privacy back; you should not be some corporation's profit centre, to be data mined and psychologically
Re: (Score:2)
Maybe you don't know this but this kind of spying is possible in any OS [opensource.com]. Basically what this app is doing is reading the content of the clipboard. That's it. Anyone can do that. In any OS. Without asking permission or anything because... well, because clipboard is supposed to be a tool to share data between applications.
App polling whether paste icon enable... (Score:1)
Wasn't this determined to be the app checking whether or not to enable the paste icon?
Didn't several other apps also exhibit this behaviour?
Makes great headlines though... all part of the hysteria that divides the world by the powers that be...
Let me guess... Next week Apple & Forbes release TickTockUS
Re: (Score:3)
Re: (Score:3)
Wasn't this determined to be the app checking whether or not to enable the paste icon?
Didn't several other apps also exhibit this behaviour?
Firefox does/did this, at least on Windows, when you opened up the "Library" (Bookmarks and History). It would cause the browser to hang for several seconds if there was a *large* amount of data in the clipboard. I submitted a bug report and this has been corrected in Firefox 78.
Library (bookmarks/downloads) window freezes when large amount of data are on the clipboard [mozilla.org]
The developer's correction note:
We used to read the contents of the clipboard to tell if paste was enabled, that unfortunately means updating commands was extremely slow for large clipboard data.
After this change we only check the data flavors. This means paste will be enabled more often, even for unsupported strings, but commands updating will be much faster. Places updates commands often, so this is quite useful.
Re: (Score:2)
Re: (Score:2)
You don't need to read the content of the clipboard in order to enable or disable buttons, since there are functions to check if it has content or not, although I don't know if using those functions triggers this warning or not.
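As an added illustration of the distinction this comment and the Firefox fix above draw, here is the same choice written out for iOS in Swift. This is example code written for this page, not code from any poster, from Firefox or from TikTok. The first function reads the pasteboard's contents just to decide whether to enable a Paste button; the second asks only which data types are present. UIPasteboard, `string`, `hasStrings` and `hasURLs` are Apple's API; the function names, the polling loop and the UITextField helper are assumptions made for the example. The iOS 14 pasteboard banner is tied to the contents being read, which is exactly what the first pattern does on every check.

```swift
import UIKit

// Added example (not from any post on this page): two ways an iOS app can
// decide whether its "Paste" button should be enabled.

/// Pattern to avoid: fetch the pasteboard contents only to toggle a button.
/// Reading `.string` transfers the user's actual clipboard data into the app,
/// is slow for large payloads (the Firefox bug above), and on iOS 14 is what
/// triggers the "pasted from ..." banner, on every poll.
func pasteButtonEnabledByReadingContents() -> Bool {
    let pasteboard = UIPasteboard.general
    if let text = pasteboard.string {        // pulls the full clipboard text
        return !text.isEmpty
    }
    return false
}

/// Preferred pattern: check only the data types ("flavors") present.
/// `hasStrings` / `hasURLs` answer the question without transferring the
/// contents, so the app never sees the user's data until they actually paste.
func pasteButtonEnabledByCheckingTypes() -> Bool {
    let pasteboard = UIPasteboard.general
    return pasteboard.hasStrings || pasteboard.hasURLs
}

/// Read the pasteboard only in direct response to the user's Paste action.
/// (Helper assumed for the example; `textField` is any UITextField.)
func handlePasteTapped(into textField: UITextField) {
    let pasteboard = UIPasteboard.general
    guard pasteboard.hasStrings, let text = pasteboard.string else { return }
    textField.text = text
}

/// Something like an "anti-spam" or "enable paste" check run on a timer:
/// with the type-only check, polling still never reads the clipboard.
func startPasteButtonRefresh(every seconds: TimeInterval,
                             update: @escaping (Bool) -> Void) -> Timer {
    return Timer.scheduledTimer(withTimeInterval: seconds, repeats: true) { _ in
        update(pasteButtonEnabledByCheckingTypes())
    }
}
```

The same split exists on Android, where `ClipboardManager.hasPrimaryClip()` and `getPrimaryClipDescription()` describe what is on the clipboard while `getPrimaryClip()` is the call that actually reads it; the defensive rule in both cases is that contents are read only on an explicit user paste.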
kek (Score:1)
App approval process (Score:4, Insightful)
More evidence Apple's app approval process is security theatre.
Re: (Score:2)
More evidence Apple's app approval process is security theatre.
You could say that, if Apple wasn't the one that eventually caught it.
Re: (Score:2)
Well, the idea of the clipboard is to share information between applications and, until now, no OS had any problem with it or warned the user when an application read its content.
A spying app... on a spying device? (Score:2, Troll)
"data collection service that is thinly-veiled..." (Score:5, Funny)
That doesn't make any sense. All "social networks" are data collection services. They are not veiled in any way, thinly or otherwise. One could also say that water is a thinly-veiled wetting material.
Re: (Score:3)
TikTok is a "data collection service that is thinly-veiled as a social network." That doesn't make any sense. All "social networks" are data collection services. They are not veiled in any way, thinly or otherwise. One could also say that water is a thinly-veiled wetting material.
Yeah, that was also my first thought when I read the headline.
Apple 'Suddenly Catches TikTok Secretly Spying On Millions Of iPhone Users',
... Really? Well, so are Google, Facebook, Twitter ....
Re: (Score:2)
Apple 'Suddenly Catches TikTok Secretly Spying On Millions Of iPhone Users', ... Really? Well, so are Google, Facebook, Twitter ....
Well, except, in this specific case if Facebook, Twitter or Google had been spying in the same way that TikTok was spying then they would also have been listed in the headline. They aren't. They had the capability but they chose not to use it and TikTok did. So however bad Google, Facebook, Twitter and so on are, TikTok is worse.
Re: (Score:3)
While this may be true of our understanding of social networks, do you really think that is true for the vast majority of people?
Re: (Score:1)
Tik-Tok is not alone here.
When will people realise that YOU are the target? Slurping every little detail of your life is their goal.
All so called Social Media networks are after your life.
Like Drugs, you have a choice. Just say NO. Get them out of your life.
Then you can begin your life again, denying them their lifeblood: your data, your life.
Re: (Score:2)
Re: (Score:2)
Pretty much everyone including /. :(
I'm confused about something... (Score:2)
data collection service that is thinly-veiled as a social network
Can someone please explain to me the distinction in the above line of TFS?
Re:I'm confused about something... (Score:4, Insightful)
Well, it’s an evil Chinese data collection service that is thinly-veiled as a social network, as opposed to red-blooded American data collection services that are thinly-veiled as social networks like Facebook, Instagram, and WhatsApp.
Re: I'm confused about something... (Score:3)
Facebook, Instagram and WhatsApp are all the same company.
Re: (Score:1)
Facebook, Instagram and WhatsApp are all the same company.
Yes - a red-blooded American company!
(and they started out as separate entities, Facebook just gobbled the other two up to keep all that lovely data to itself)
Re: (Score:2)
Re: (Score:2)
TikTok is a data collection service that is thinly-veiled as a social network. If there is an API to get information on you, your contacts, or your device... well, they're using it.
* Phone hardware (cpu type, number of course, hardware ids, screen dimensions, dpi, memory usage, disk space, etc)
* Other apps you have installed (I've even seen some I've deleted show up in their analytics payload - maybe using as cached value?)
* Everything network-related (ip, local ip, router mac, your mac, wifi access point name)
* Whether or not you're rooted/jailbroken
* Some variants of the app had GPS pinging enabled at the time, roughly once every 30 seconds - this is enabled by default if you ever location-tag a post IIRC
* They set up a local proxy server on your device for "transcoding media", but that can be abused very easily as it has zero authentication.
The scariest part of all of this is that much of the logging they're doing is remotely configurable, and unless you reverse every single one of their native libraries (have fun reading all of that assembly, assuming you can get past their customized fork of OLLVM!!!) and manually inspect every single obfuscated function.
They have several different protections in place to prevent you from reversing or debugging the app as well. App behavior changes slightly if they know you're trying to figure out what they're doing. There's also a few snippets of code on the Android version that allows for the downloading of a remote zip file, unzipping it, and executing said binary. There is zero reason a mobile app would need this functionality legitimately.
I would imagine that other major player social networks aren't going quite as far as Tik-Tok.
It's absolutely amazing to me (Score:3)
Re: (Score:1, Insightful)
That this isn't simply expected from any software coming from any internet company.
Fixed that for you.
Re: (Score:2)
captain obvious here (Score:5, Insightful)
1) Like nearly every other internet firm that doesn't charge a subscription, TikTok survives on harvesting your data and selling ads. They're going to harvest as much as they can get away with, and sell as many ads as they can. Anything that they, or anyone else, says to the contrary is a either misinformation or a lie.
2) It's entirely possible that the Chinese government is either monitoring this or partially behind this. The Chinese government does NOT play fair in business or politics. I believe that I can reasonably claim my own country is a tad better at this (even under current leadership) but still we're no angels and we never have been....
3) No surprise that iOS is going to close this open window soon....while Android.... well, maybe they'll get around to it one of these decades. Apple makes its $ on hardware sales and subscriptions while Google makes $ on.... you guessed it.... data harvesting and ad sales. In other words, Apple's bread and butter is threatened by these sorts of things, while Google's business model is largely unaffected one way or another.
Re: (Score:1)
Somebody: Be good!
Google: Don't, be evil!
Re: (Score:1)
Re:captain obvious here (Score:5, Insightful)
This hypothesis has one glaring flaw. Of all Western corporations you mentioned, Apple is both by far the most compliant with CCP's demands, and by far the most exposed to CCP's actions.
In the case of Google et al, they at least wouldn't effectively cease to exist as corporate entities if the Chinese Communist Party decided that they hurt the feelings of the Chinese people and decided to fully cut them off. Apple? It would be gone. All of its major hardware manufacturing is hopelessly exposed to the Chinese government. Which is why Apple is almost always the first Western corporation to talk with CCP leadership to proactively meet their demands when it comes to things like censorship, data collection for government entities, etc. Whatever these demands may be, Apple is always first in line to grant them, because last time they tried to stall, their Chinese supply line had an "unexpected disruption". And being as hopelessly exposed to China in their manufacturing as Apple is, they got the message and folded within days.
So if there's something that Chinese intelligence wants from Apple, they don't need to get an app installed on your phone by you. They can simply ask. And if some Apple exec is stupid enough to say no, they'll have another "supply disruption". Then said exec will get fired, and Cook will fly to Beijing to apologise to CCP leadership personally.
It's a road well travelled in Beijing. They have the whole "how to get Western corporations exposed to Chinese manufacturing to comprehend that gentle but firm requests from Chinese government mean that you give what is requested or else..."
Re: (Score:2)
Of all Western corporations you mentioned, Apple is both by far the most compliant with CCP's demands
You have absolutely no way to know that.
Re: (Score:2)
Your argumentation as to why is excellent, completely DESTROYING me. I am DESTROYED.
Never trust the Chinese (Score:1)
Re: Never trust the Chinese (Score:2, Insightful)
Re: (Score:2, Informative)
Considering apple is a puppet for China you should add them to that list as well
And you are a puppet of Apple; since you make your living as an iOS App Developer.
So, by proxy, and by your own logic, you are a puppet for China.
Re: (Score:2, Funny)
Huawei, Reddit, TikTok et al. are nothing more than parts of the Chinese spy machinery, and we let them in, Every time. Enough.
TFA [arstechnica.com] mentioned 53 other apps that were found to exhibit the same behaviour.
Among them were apps by notorious Chinese companies such as:
ABC News
CBC News
CNBC
Fox News
News Break
New York Times
NPR
Reuters
The Economist
The Huffingt
Re: (Score:2)
Does the ABC News app also host a local socket so they can download, run, and even debug arbitrary executables?
Allowing user-defined commands to be executed within the webview has the potential to lead to arbitrary files being loaded on the device that is hosting the application, which in theory can lead to malware being loaded from inside the application, chained with remote debugging to see what fails in your malware. It also allows a very big window for attackers to not only upload, but execute and debug their malware as well (in almost real time).
Quote from Penetrum [penetrum.com] (find TikTok and open the PDF), but the Reddit user says the same thing.
There's also a few snippets of code on the Android version that allows for the downloading of a remote zip file, unzipping it, and executing said binary. There is zero reason a mobile app would need this functionality legitimately.
TikTok.. the sound of inevitability (Score:1)
Don't trust Forbes (Score:3, Interesting)
Re: (Score:3)
Sure, read AppleInsider if you want the truth about Apple's lack of security.
More accurate than reading your disingenuous hater diatribes, iOS App Developer!
Forbes is screwy on anything to do with reality (Score:2)
It's not just Apple stories they're making up.
Re: (Score:2)
Once again (Score:4, Insightful)
Once again I miss out on all the fun, this time by not having a tiktok account.
if one of the biggest (Score:2)
If, according to the article, TikTok was one of the biggest offenders, who were the others? Or are they only going after Chinese companies?
Surprise! China is snooping. (Score:2)
Is anyone really surprised that an application distributed free by a company controlled by the Chinese Communist government is spying on its users?
Remember when I was crazy for saying this happens? (Score:1)
Now we know journalists are dead because of it, and it's way too rampant and unchecked to stop now. Everyone who decried me for being paranoid is complicit. You can all eat shit.
It doesn't have to be spying (Score:2)
A Chinese service... (Score:1)
TikTok... (Score:1)