China Government Privacy Social Networks

Apple 'Suddenly Catches TikTok Secretly Spying On Millions Of iPhone Users', Claims Forbes (forbes.com)

In February, Reddit's CEO called TikTok "fundamentally parasitic," according to a report on TechCrunch, adding "it's always listening, the fingerprinting technology they use is truly terrifying, and I could not bring myself to install an app like that on my phone... I actively tell people, 'Don't install that spyware on your phone.'"

TikTok called his remarks "baseless accusations made without a shred of evidence."

But now Apple "has fixed a serious problem in iOS 14, due in the fall, where apps can secretly access the clipboard on users' devices..." reports Forbes cybersecurity contributor Zak Doffman, noting that one of the biggest offenders it revealed still turns out to be TikTok:

Worryingly, one of the apps caught snooping [in March] by security researchers Talal Haj Bakry and Tommy Mysk was China's TikTok. Given other security concerns raised about the app, as well as broader worries given its Chinese origins, this became a headline issue. At the time, TikTok owner Bytedance told me the problem related to the use of an outdated Google advertising SDK that was being replaced.

Well, maybe not. With the release of the new clipboard warning in the beta version of iOS 14, now with developers, TikTok seems to have been caught abusing the clipboard in a quite extraordinary way. So it seems that TikTok didn't stop this invasive practice back in April as promised after all. Worse, the excuse has now changed. According to TikTok, the issue is now "triggered by a feature designed to identify repetitive, spammy behavior," and has told me that it has "already submitted an updated version of the app to the App Store removing the anti-spam feature to eliminate any potential confusion." In other words: We've been caught doing something we shouldn't, we've rushed out a fix...

iOS users can relax, knowing that Apple's latest safeguard will force TikTok to make the change, which in itself shows how critical a fix this has been. For Android users, though, there is no word yet as to whether this is an issue for them as well.

Long-time Slashdot reader schwit1 also shares an online rumor from an anonymous Redditor (with a 7-year-old account) who claims to be a software engineer who's reverse engineered TikTok's software and learned more scary things, concluding that TikTok is a "data collection service that is thinly-veiled as a social network."

So far the most reputable news outlets that have repeated his allegations are Bored Panda, Stuff, Hot Hardware, and Illinois radio station WBNQ.
    • Chinese spying in software? EVEN MORE UNPOSSIBLE!

      • by rtb61 ( 674572 )

        "data collection service that is thinly-veiled as a social network." Now who would have believed that (Facebook, Twitter, anything Google) ;D. Boy, the Chinese had to play catch-up on this one, but isn't there the Chinese social media score system?

        Don't need an app? Do not install it, and I mean 'NEED' it. Search on the web to find all the things you need to shut down on your operating system to get some of your privacy back; you should not be some corporation's profit centre, to be data mined and psychologically

    • Maybe you don't know this, but this kind of spying is possible in any OS [opensource.com]. Basically what this app is doing is reading the content of the clipboard. That's it. Anyone can do that. In any OS. Without asking permission or anything because... well, because the clipboard is supposed to be a tool to share data between applications.

  • Wasn't this determined to be the app checking whether or not to enable the paste icon?
    Didn't several other apps also exhibit this behaviour?
    Makes great headlines though... all part of the hysteria that divides the world by the powers that be...

    Let me guess... Next week Apple & Forbes release TickTockUS

    • Wasn't this determined to be the app checking whether or not to enable the paste icon?
      Didn't several other apps also exhibit this behaviour?

      Firefox does/did this, at least on Windows, when you opened up the "Library" (Bookmarks and History). It would cause the browser to hang for several seconds if there was a *large* amount of data in the clipboard. I submitted a bug report and this has been corrected in Firefox 78.

      Library (bookmarks/downloads) window freezes when large amount of data are on the clipboard [mozilla.org] The developer's correction note:

      We used to read the contents of the clipboard to tell if paste was enabled, that unfortunately means updating commands was extremely slow for large clipboard data.

      After this change we only check the data flavors. This means paste will be enabled more often, even for unsupported strings, but commands updating will be much faster. Places updates commands often, so this is quite useful.

    • by jblues ( 1703158 )
      +1 mod this up
    • You don't need to read the content of the clipboard in order to enable or disable buttons, since there are functions to check whether it has content or not, although I don't know if using those functions triggers this warning or not.
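For the "paste icon" question in this subthread, here is what the two approaches look like on iOS. This is an added example written for this page; it is not code from TikTok, Firefox or Apple. It assumes a hypothetical UIKit view controller with a single "Paste link" button. `UIPasteboard.hasStrings` and `hasURLs` consult only the pasteboard's declared types (the "data flavors" the Firefox fix switched to), whereas `UIPasteboard.string` returns the contents and is the call that the iOS 14 beta surfaces with its "pasted from ..." banner.

```swift
import UIKit

/// Added example (not from any app discussed on the page): gating a Paste button
/// without reading the clipboard until the user actually asks to paste.
final class PasteAwareViewController: UIViewController {
    private let pasteButton = UIButton(type: .system)
    private let pasteboard = UIPasteboard.general   // the system-wide pasteboard

    override func viewDidLoad() {
        super.viewDidLoad()
        pasteButton.setTitle("Paste link", for: .normal)
        pasteButton.frame = CGRect(x: 20, y: 100, width: 200, height: 44)
        pasteButton.addTarget(self, action: #selector(pasteTapped), for: .touchUpInside)
        view.addSubview(pasteButton)
    }

    override func viewWillAppear(_ animated: Bool) {
        super.viewWillAppear(animated)
        refreshPasteButton()
        // The user may copy something while the app is in the background, so
        // re-evaluate the button when the app becomes active again. Because
        // refreshPasteButton() never reads contents, this does not show a banner.
        NotificationCenter.default.addObserver(self,
                                               selector: #selector(refreshPasteButton),
                                               name: UIApplication.didBecomeActiveNotification,
                                               object: nil)
    }

    override func viewWillDisappear(_ animated: Bool) {
        super.viewWillDisappear(animated)
        NotificationCenter.default.removeObserver(self)
    }

    // The pattern the thread objects to: reading the clipboard contents merely to
    // decide whether a button should be enabled. `.string` performs a real read, so
    // on iOS 14 every call here (on each foreground, each view appearance, ...)
    // produces a "pasted from <app>" notification to the user.
    private func refreshPasteButtonByReadingContents() {
        let text = pasteboard.string
        pasteButton.isEnabled = (text?.isEmpty == false)
    }

    // The alternative: only ask the pasteboard what *types* it holds. No data
    // leaves the pasteboard, so there is nothing to exfiltrate and no banner.
    @objc private func refreshPasteButton() {
        pasteButton.isEnabled = pasteboard.hasURLs || pasteboard.hasStrings
    }

    // The one place a read is justified: the user tapped Paste. The banner that
    // iOS 14 shows here is expected and matches what the user just did.
    @objc private func pasteTapped() {
        guard let text = pasteboard.string, !text.isEmpty else { return }
        handlePastedText(text)
    }

    private func handlePastedText(_ text: String) {
        // Application-specific. Validate that it is a URL of a kind the app expects
        // before acting on it; never forward raw clipboard text to a server.
        guard let url = URL(string: text), url.scheme == "https" else {
            print("Ignoring pasted text that is not an https URL")
            return
        }
        print("User pasted: \(url.absoluteString)")
    }
}
```

Two caveats. First, `hasStrings` still leaks one bit (that text is on the clipboard), which is acceptable for a button state but is not nothing. Second, iOS 14 also adds `UIPasteboard.detectPatterns(for:completionHandler:)`, which lets an app ask whether the clipboard probably holds a web URL without receiving the contents and without a banner; for apps that need "you just copied a link" behaviour, that is the sanctioned route, and it makes the content-reading variant above unnecessary.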

  • No one saw that coming.
  • by tiananmen tank man ( 979067 ) on Saturday June 27, 2020 @12:45PM (#60235096)

    More evidence Apple's app approval process is security theatre.

    • More evidence Apple's app approval process is security theatre.

      You could say that, if Apple wasn't the one that eventually caught it.

    • Well, the idea of the clipboard is to share information between applications and, until now, no OS had any problem with it or warned the user when an application read its content.

  • If you're using a "smart" phone, you've already decided that you don't care about your own privacy. The entire "smart" phone, Apple or Google, is a spying device. Why would anybody be surprised that any "app" spies on users? That's literally the purpose of "apps".
  • by DogDude ( 805747 ) on Saturday June 27, 2020 @12:48PM (#60235118)
    TikTok is a "data collection service that is thinly-veiled as a social network."

    That doesn't make any sense. All "social networks" are data collection services. They are not veiled in any way, thinly or otherwise. One could also say that water is a thinly-veiled wetting material.
    • TikTok is a "data collection service that is thinly-veiled as a social network." That doesn't make any sense. All "social networks" are data collection services. They are not veiled in any way, thinly or otherwise. One could also say that water is a thinly-veiled wetting material.

      Yeah, that was also my first thought when I read the headline.

      Apple 'Suddenly Catches TikTok Secretly Spying On Millions Of iPhone Users', ... Really? Well, so are Google, Facebook, Twitter ....

      • Apple 'Suddenly Catches TikTok Secretly Spying On Millions Of iPhone Users', ... Really? Well, so are Google, Facebook, Twitter ....

        Well, except, in this specific case if Facebook, Twitter or Google had been spying in the same way that TikTok was spying then they would also have been listed in the headline. They aren't. They had the capability but they chose not to use it and TikTok did. So however bad Google, Facebook, Twitter and so on are, TikTok is worse.

    • While this may be true of our understanding of social networks, do you really think that is true for the vast majority of people?

      • by Anonymous Coward

        Tik-Tok is not alone here.
        When will people realise that YOU are the target? Slurping every little detail of your life is their goal.

        All so called Social Media networks are after your life.
        Like Drugs, you have a choice. Just say NO. Get them out of your life.

        then you can begin your life again denying them their lifeblood, your data, your life.

      • by DogDude ( 805747 )
        No, I don't think that's true of most people. I think that most people have no idea what's going on with any part of the Internet. But considering this is an article from Forbes, I would expect the author and the magazine to understand what sort of business TikTok is, and how money is made. It would be just as ridiculous if Forbes had published an article about the (shocking!) fact that McDonald's makes money from selling food for people to eat.
    • by antdude ( 79039 )

      Pretty much everyone including /. :(

  • data collection service that is thinly-veiled as a social network

    Can someone please explain to me the distinction in the above line of TFS?

    • by 93 Escort Wagon ( 326346 ) on Saturday June 27, 2020 @01:39PM (#60235302)

      Well, it’s an evil Chinese data collection service that is thinly-veiled as a social network, as opposed to red-blooded American data collection services that are thinly-veiled as social networks like Facebook, Instagram, and WhatsApp.

    • It is possible to run a social network service without harvesting customer data (you'll still collect it as part of the service, but it wouldn't be used for anything except what is needed to operate the service itself). You might even be able to run it at a profit, serving ads targeted at interest groups rather than individuals based on personal data. Unfortunately these days it is hardly a viable business model anymore, and not something that will charm any VC. Unless they think they can later buy the s
    • by jezwel ( 2451108 )
      From the Reddit comment:

      TikTok is a data collection service that is thinly-veiled as a social network. If there is an API to get information on you, your contacts, or your device... well, they're using it.

      * Phone hardware (cpu type, number of cores, hardware ids, screen dimensions, dpi, memory usage, disk space, etc)
      * Other apps you have installed (I've even seen some I've deleted show up in their analytics payload - maybe using as cached value?)
      * Everything network-related (ip, local ip, router mac, your mac, wifi access point name)
      * Whether or not you're rooted/jailbroken
      * Some variants of the app had GPS pinging enabled at the time, roughly once every 30 seconds - this is enabled by default if you ever location-tag a post IIRC
      * They set up a local proxy server on your device for "transcoding media", but that can be abused very easily as it has zero authentication.

      The scariest part of all of this is that much of the logging they're doing is remotely configurable, and unless you reverse every single one of their native libraries (have fun reading all of that assembly, assuming you can get past their customized fork of OLLVM!!!) and manually inspect every single obfuscated function.

      They have several different protections in place to prevent you from reversing or debugging the app as well. App behavior changes slightly if they know you're trying to figure out what they're doing. There's also a few snippets of code on the Android version that allows for the downloading of a remote zip file, unzipping it, and executing said binary. There is zero reason a mobile app would need this functionality legitimately.

      I would imagine that other major player social networks aren't going quite as far as Tik-Tok.

  • by RitchCraft ( 6454710 ) on Saturday June 27, 2020 @01:13PM (#60235212)
    That this isn't simply expected from any software coming from China.
    • Re: (Score:1, Insightful)

      by Anonymous Coward

      That this isn't simply expected from any software coming from any internet company.

      Fixed that for you.

  • by hdyoung ( 5182939 ) on Saturday June 27, 2020 @01:31PM (#60235280)
    Three things that should come as absolutely no surprise to anyone on the planet nowadays:

    1) Like nearly every other internet firm that doesn't charge a subscription, TikTok survives on harvesting your data and selling ads. They're going to harvest as much as they can get away with, and sell as many ads as they can. Anything that they, or anyone else, says to the contrary is either misinformation or a lie.

    2) It's entirely possible that the Chinese government is either monitoring this or partially behind this. The Chinese government does NOT play fair in business or politics. I believe that I can reasonably claim my own country is a tad better at this (even under current leadership) but still we're no angels and we never have been....

    3) No surprise that iOS is going to close this open window soon....while Android.... well, maybe they'll get around to it one of these decades. Apple makes its $ on hardware sales and subscriptions while Google makes $ on.... you guessed it.... data harvesting and ad sales. In other words, Apple's bread and butter is threatened by these sorts of things, while Google's business model is largely unaffected one way or another.
    • by Anonymous Coward

      Somebody: Be good!

      Google: Don't, be evil!

      • by Anonymous Coward
        Google started with "Don't be evil" and progressed to "Don't get caught being evil" but now it's just "Ah, fuck it!"
    • by Luckyo ( 1726890 ) on Saturday June 27, 2020 @03:18PM (#60235552)

      This hypothesis has one glaring flaw. Of all Western corporations you mentioned, Apple is both by far the most compliant with CCP's demands, and by far the most exposed to CCP's actions.

      In case of Google et al, they at least wouldn't effectively cease to exist as corporate entities if Chinese Communist Party decided that they hurt the feelings of Chinese people and decided to fully cut them off. Apple? It would be gone. All of its major hardware manufacturing is hopelessly exposed to Chinese government. Which is why Apple is almost always the first Western corporation to talk with CCP leadership to proactively meet their demands when it comes to things like censorship, data collection for government entities, etc. Whatever these demands may be, Apple is always first in line to grant them, because last time they tried to stall, their Chinese supply line had an "unexpected disruption". And being as hopelessly exposed to China in their manufacturing as Apple is, they got the message and folded within days.

      So if there's something that Chinese intelligence wants from Apple, they don't need to get an app installed on your phone by you. They can simply ask. And if some Apple exec is stupid enough to say no, they'll have another "supply disruption". Then said exec will get fired, and Cook will fly to Beijing to apologise to CCP leadership personally.

      It's a road well travelled in Beijing. They have the whole "how to get Western corporations exposed to Chinese manufacturing to comprehend that gentle but firm requests from Chinese government mean that you give what is requested or else..."

      • Of all Western corporations you mentioned, Apple is both by far the most compliant with CCP's demands

        You have absolutely no way to know that.

  • by Anonymous Coward
    Huawei, Reddit, TikTok et al. are nothing more than parts of the Chinese spy machinery, and we let them in, every time. Enough.
    • Considering Apple is a puppet for China, you should add them to that list as well.
      • Re: (Score:2, Informative)

        by NoMoreACs ( 6161580 )

        Considering Apple is a puppet for China, you should add them to that list as well.

        And you are a puppet of Apple; since you make your living as an iOS App Developer.

        So, by proxy, and by your own logic, you are a puppet for China.

    • Re: (Score:2, Funny)

      by alexo ( 9335 )

      Huawei, Reddit, TikTok et al. are nothing more than parts of the Chinese spy machinery, and we let them in, every time. Enough.

      TFA [arstechnica.com] mentioned 53 other apps that were found to exhibit the same behaviour.

      Among them were apps by notorious Chinese companies such as:
      ABC News
      CBC News
      CNBC
      Fox News
      News Break
      New York Times
      NPR
      Reuters
      The Economist
      The Huffingt

      • by q4Fry ( 1322209 )

        Does the ABC News app also host a local socket so they can download, run, and even debug arbitrary executables?

        Allowing user defined commands to be executed within webview has the potential to lead to arbitrary files being loaded on the device that is hosting the application. Which in theory can lead to malware being loaded from inside the application, chained with remote debugging to see what fails in your malware. It also allows a very big window for attackers to not only upload, but execute, and debug their malware as well(in almost real time).

        Quote from Penetrum [penetrum.com] (find TikTok and open the PDF), but the Reddit user says the same thing.

        There's also a few snippets of code on the Android version that allows for the downloading of a remote zip file, unzipping it, and executing said binary. There is zero reason a mobile app would need this functionality legitimately.

  • TikTok.. the sound of inevitability (of your liberties and privacy and human rights being thrown onto the fire like a good old book burning)
  • Don't trust Forbes (Score:3, Interesting)

    by methano ( 519830 ) on Saturday June 27, 2020 @03:02PM (#60235516)
    Almost every time I see a negative article on Apple in Google News, it's from Forbes. I quit reading them.
  • Once again (Score:4, Insightful)

    by JustAnotherOldGuy ( 4145623 ) on Saturday June 27, 2020 @03:57PM (#60235654) Journal

    Once again I miss out on all the fun, this time by not having a tiktok account.

  • If, according to the article, TikToK was one of the biggest offenders who were the others? or are they only going after chinese companies?

  • Is anyone really surprised that an application distributed free by a company controlled by the Chinese Communist government is spying on its users?

  • Now we know journalists are dead because of it, and it's way too rampant and unchecked to stop now. Everyone who decried me for being paranoid is complicit. You can all eat shit.

  • Now if the app was caught sending clipboard data to servers then it's spying. If they're just accessing the clipboard data that's not spying. When you copy a link on Android then click the url bar in Chrome it gives the option "Link you just copied" and it could be very similar functionality. Video link you just copied... something, I don't know as I don't use TikTok. But there are legitimate reasons an app might be monitoring the clipboard looking for some specific data that it can respond to. Not saying i
  • ... turns out to be fascist? Nooo!
  • .... is just another app for attention whores. Meh.
