Apps That Look Over Your Shoulder

Imagine: While looking over a suite of medical test results on your computer, you decide to paste the information into an email so your cousin, a doctor, can tell you what she thinks.

After sending the email, you reach for your iPhone to check the weather, or maybe you open TikTok to lift your spirits by watching a few silly videos. It would likely never enter your mind that by opening an app on your iPhone, you might send all the information you just copied and pasted on your computer not only to your cousin the doctor, but to an app vendor’s server in China, or anywhere else in the world.

Or perhaps it would enter your mind, if you happen to be a computer security specialist. But it would not have entered mine – at least, not before beta testers of a forthcoming iPhone operating system release began reporting suspicious behavior by some apps on their mobile devices.

Apple’s beta-test version of iOS 14, scheduled for wide release in the autumn, notifies iPhone users when an app peeks at data that is on the device clipboard. It turns out that dozens of them do. Researchers actually discovered this back in March. But the issue did not get very much attention until the iOS 14 beta testers began to flag it (and document it with YouTube videos).

LinkedIn, the business-oriented social network that Microsoft purchased in 2016, promptly said the apparent snooping by its app is a bug that will be fixed. But many other apps look at the clipboard by design, to help in targeting advertisements. This would explain the incursions by news sites, including The New York Times and The Wall Street Journal, and by shopping sites like Overstock.com. Google’s Chrome web browser (an alternative to the iPhone’s built-in browser, Safari) also helped itself to clipboard data from the iPhone’s messages app. It may have been targeting ads too, though the browser also asks users if they want to go to a website when it detects the clipboard contains a URL.

Apps grabbing whatever is on the device’s clipboard is worrying enough. But when coupled with Apple’s “universal clipboard” feature, this digital voyeurism enters a new dimension. Your mobile apps can look at data that seemingly never left your computer.

Universal clipboard lets users of Apple products move seamlessly between their computers, tablets and mobile phones, with all their information shared and synced among them. It is not active by default. The user must turn on a “handoff” feature on each device, as well as Bluetooth and Wi-Fi, and must sign in to the same account on Apple’s iCloud. Once the feature is active, data copied onto the clipboard of one device automatically appears on the clipboard of the other devices, as long as they are within about 10 feet of one another.

While there are quite a few apps already known to grab clipboard data – and, I would wager, considerably more not yet known – a lot of user attention has focused on TikTok. This is because its owner, ByteDance Ltd., is based in Beijing. The app has been drawn surprisingly deep into China’s widening range of geopolitical conflicts, considering that TikTok is mainly a platform for teens and young adults to make and share brief, often slapstick videos set to music.

When India banned TikTok, along with 58 other China-based apps, after a violent clash between the two countries’ forces along their Himalayan border, I thought it made sense only as an economic sanction. The decision deprived ByteDance of a big and valuable developing market ahead of the company’s much-anticipated initial public offering. But it did not strike me as a useful security move. Now I don’t think that is entirely true.

So I was not surprised when Secretary of State Mike Pompeo said this week that the U.S., too, might limit TikTok’s distribution. TikTok hardly rises to the level of the security threat that American officials have designated Huawei or other Chinese makers of high-tech gear. But it is not exactly trivial, either. It also was not comforting that ByteDance initially said it had implemented TikTok’s clipboard snooping as an anti-spam measure, although it said it would discontinue it. As some technology writers observed, the company said the same thing when researchers originally discovered the practice back in March.

ByteDance engaged in some corporate virtue-signaling this week by announcing that it will withdraw TikTok from Hong Kong in light of the new Chinese security law that has effectively ended that city’s political and cultural autonomy. But unlike Western companies that have announced similar steps to insulate their Hong Kong users from the demands of China’s political police, ByteDance is subject to the same jurisdiction on the Chinese mainland. Even as it discusses moving TikTok’s headquarters outside China (the unit already has an American CEO), ByteDance remains a Chinese-owned platform operator subject to Chinese strictures.

For a huge swath of TikTok users, the company’s location makes no practical difference. By the same token, nearly all of China’s 1.4 billion citizens go about daily life with little concern for the security apparatus that monitors their movements and activities. They don’t challenge the system and, in return, it mostly leaves them alone. But that does not mean the security apparatus is not gathering the tools and information it needs to confront anyone, inside China or out, who may someday run afoul of the Communist Party and its regime, or fail to toe its official line.

I don’t use Apple’s universal clipboard, but TikTok still lost at least one user this week. I deleted the app from my iPhone, where I had installed it because some of my music industry clients post videos there. I don’t think keeping it is a big risk, but for me it didn’t offer a big reward, either. In the interests of national security, I’ll just have to get my silly short videos elsewhere.