> They used to check your clipboard the whole time too.
To be fair quite a lot of apps did this to enable deep links/automatically opening certain clipboard links. Every big app has changed this to no longer show the 'pasted from' notification. And it was never shown that they export those clipboard contents to homebase.
> it was never shown that they export those clipboard contents to homebase
When it comes to an app gathering data for a company, is anybody really willing to give the app makers the benefit of the doubt? If there is information available, somebody is going to take it and try to squeeze a penny out of it. Not everybody, but when it gives you a competitive advantage it has a tendency to grow.
The cool thing about phones is that you can MITM yourself and see what apps are sending, assuming they don't certificate pin (which TikTok doesn't). The person that reported this during the beta period didn't find any evidence when doing so.
Can you actually still widely do this? Last time I checked, on the latest versions of Android, apps don't accept user certificates, so you can't really do much about any HTTPS traffic, which really is the bulk.
You can, on a rooted phone. There are ways to install a CA certificate with root (described in my only popular blog post) but there are also alternatives, like using Frida to disable TLS verification altogether.
It's certainly not as easy and reliable as it used to be, but it's still common for security research to use these tactics to see what apps are doing.
The basis of many enterprise networks is device-installed CAs so I would be thoroughly surprised. iOS at least still allows you to install a custom CA and only a few apps will refuse to work with it, which likely reject connections that aren't secured via a specific CA.
There is also another cool feature of modern phones - updates. Unless a corporation can prove that each and every single release and test version in the past and the future didn't and will not do something, then it is always possible that some versions did this or will be doing so in the future.
"Okay so TikTok is grabbing the contents of my clipboard every 1-3 keystrokes. iOS 14 is snitching on it with the new paste notification pic.twitter.com/OSXP43t5SZ "
afaik apps can detect patterns on the pasteboard without triggering the notification (i.e. check if the URL is a TikTok URL or not), but they can't actually access the contents without triggering the notification. it's enforced by the pasteboard API on iOS.
so they probably updated their apps to perform this check before doing anything.
Everything TikTok is usually linked to malice and espionage from China. If this is a common industry practice at the very least you give it the benefit of the doubt. It doesn't make it ok. It just makes it not automatically linked to international cyber warfare.
The incidents that might qualify as cyber warfare could also just be looked at as the same struggle for power on a different front, compared to economics. It can't be lost on Chinese leaders how valuable it is to the US to have so much money and data flowing through its domestic tech companies. Tech companies can't cross the line into cyber warfare themselves and get a pass on it, but they do play a role in it.
why should it get you kicked out of the meeting room? if everyone else is doing it and has a better ux, i'd imagine you'd be kicked out of the meeting room if you're not doing it.
> They use the local network as one of their sensors to identify you (fingerprinting).
Well they already disclosed the other ways they are identifying you in [0] but have they disclosed this one that finds other devices on your local network for 'fingerprinting' purposes in their privacy policy?
The worst thing about this is that they haven't disclosed as to why they are specifically doing this. Not even the commenters here know why, since we can rule out AirPlay and Chromecast support as valid reasons to request such permissions.
>> They used to check your clipboard the whole time too.
That's a design error on the UI side. An app should not have read access to the clipboard, it should have the ability to accept data from the clipboard when the user pastes it.
There are legitimate uses though, of which I was made painfully aware when Google crippled the API and KDE Connect clipboard sync became way less impressive.
The problem with clipboard access is that apps abuse it, not that they have read access at all. Google Maps pulling my clipboard which has an address in it as the top suggestion for destinations is a good thing and respects the user's time.
>> The problem with clipboard access is that apps abuse it, not that they have read access at all. Google Maps pulling my clipboard which has an address in it as the top suggestion for destinations is a good thing and respects the user's time.
You can't have it both ways. Malicious apps are going to abuse it. In order to avoid that there needs to be access control at the very least - Google Maps could get whitelisted for example.
Having a helpful use-case doesn't make it not a security issue.
Is there a way to check if a website does read your clipboard? I know you have to interact with the site so they can read it. So in theory, a website can read your clipboard every time you click on something, is this true?