Apple habitually promises more security and privacy than its rivals, in exchange for quite a bit more money and a much more wall-gardened app ecosystem.
However, when app developers Talal Haj Bakry and Tommy Mysk warned back in February that many apps were leaking information via data in the system’s clipboard, Apple told them it didn’t see an issue with this vulnerability.
But there’s been a change of heart in the meantime: the next iOS version, now in beta and due to be released in the fall, introduces a new feature, “paste notifications,” that lets the user know when apps access content in their clipboard.
And now developers who are testing the next version of the mobile OS are flushing out one app after another for accessing this data for no apparent reason, and apparently, without permission.
The first was China’s mega-successful viral app TikTok, followed by Microsoft’s LinkedIn, and finally, Reddit made it to the list as well.
Reddit said it had traced the way this was happening in its code and would be releasing a fix on July 14.
Most apps appeared to be accessing the clipboard only once on startup, while TikTok was accused of doing this “with every few keystrokes”. But it now looks like this was true of all three.
However, they are merely among the 53 apps discovered to engage in this behavior.
TikTok claimed not to store any of the data the app was able to access, and that this “feature” was stopped with a fix rolled out on June 27.
Apple has yet to comment on any of this. Could this widespread ability of apps to gain access to data in the clipboard have something to do with the infrastructure of its OS, and is providing a notification alert all, and the best, that it can do?
For now, in order to avoid bad press, apps themselves are scrambling to remove their ability to access this data.
LinkedIn, which like TikTok also “captures every keystroke,” has offered a convoluted explanation: “The code path was performing an ‘equality check’ between the clipboard content and that typed into a LinkedIn text box.”
Asked what this actually means, a spokesperson said, “Equality check is a publicly referenced term – so we don’t have anything to add.” This snottiness aside, LinkedIn, too, promised a fix.