by judge2020 1769 days ago
> They used to check your clipboard the whole time too.

To be fair quite a lot of apps did this to enable deep links/automatically opening certain clipboard links. Every big app has changed this to no longer show the 'pasted from' notification. And it was never shown that they export those clipboard contents to homebase.


>it was never shown that they export those clipboard contents to homebase

When it comes to an app gathering data for a company, is anybody really willing to give the app makers the benefit of the doubt? If there is information available, somebody is going to take it and try to squeeze a penny out of it. Not everybody, but when it gives you a competitive advantage it has a tendency to grow.

The cool thing about phones is that you can MITM yourself and see what apps are sending, assuming they don't certificate pin (which TikTok doesn't). The person that reported this during the beta period didn't find any evidence when doing so.

https://old.reddit.com/r/videos/comments/fxgi06/not_new_news...

Can you actually still widely do this? Last time I checked, on the latest versions of Android, apps don't accept user certificates, so you can't really do much about any HTTPS traffic, which really is the bulk.

You can, on a rooted phone. There are ways to install a CA certificate with root (described in my only popular blog post), but there are also alternatives, like using Frida to disable TLS verification altogether.

It's certainly not as easy and reliable as it used to be, but it's still common for security research to use these tactics to see what apps are doing.

The basis of many enterprise networks is device-installed CAs, so I would be thoroughly surprised. iOS at least still allows you to install a custom CA, and only a few apps will refuse to work with it, who likely reject connections that aren't secured via a specific CA.

From a legitimate reverse engineering/security auditing standpoint, cert pinning is generally very trivial to bypass.

see: Frida, Xposed framework (not sure if still relevant)

There is a way to do it where you recompile the APK to enable trusting user CAs, see https://daksh.github.io/MITM/.

There is also another cool feature of modern phones: updates. Unless a corporation can prove that each and every single release and test version in the past and the future didn't and will not do something, then it is always possible that some versions did this or will be doing it in the future.
"Okay so TikTok is grabbing the contents of my clipboard every 1-3 keystrokes. iOS 14 is snitching on it with the new paste notification pic.twitter.com/OSXP43t5SZ "

— Jeremy Burge (@jeremyburge) June 24, 2020

TikTok wasn’t checking it for link opening …

> Every big app has changed this to no longer show the 'pasted from' notification.

Is that because they stopped checking your clipboard, or because they managed to check in a way that doesn't alert the user?

afaik apps can detect patterns on the pasteboard without triggering the notification (i.e. check if the URL is a TikTok URL or not), but they can't actually access the contents without triggering the notification. it's enforced by the pasteboard API on iOS.

so they probably updated their apps to perform this check before doing anything.
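The split the comment above describes, written out as an added example (not code from the thread or from any app mentioned in it): metadata and pattern queries that do not show the iOS 14 banner, versus the content read that does. The class name, `isOwnDomain`, and the `example.com` suffix are assumed placeholders.

```swift
import UIKit

/// Added example: the iOS 14 pasteboard model described in the thread.
/// Only the final `url` read surfaces the "pasted from" notification.
final class DeepLinkPasteboardCheck {
    private let pasteboard = UIPasteboard.general

    /// Step 1: cheap metadata queries (iOS 10+). These ask whether the
    /// pasteboard holds a URL/string at all and do NOT show the banner.
    func mightContainLink() -> Bool {
        return pasteboard.hasURLs || pasteboard.hasStrings
    }

    /// Step 2: pattern detection (iOS 14+). Still no banner; the app learns
    /// only that the clipboard *probably* holds a web URL, never the URL itself.
    func probablyHoldsWebURL(completion: @escaping (Bool) -> Void) {
        pasteboard.detectPatterns(for: [\.probableWebURL]) { result in
            switch result {
            case .success(let patterns):
                completion(patterns.contains(\.probableWebURL))
            case .failure:
                completion(false)
            }
        }
    }

    /// Step 3: read the actual contents. This is the call that triggers the
    /// banner, so it belongs behind an explicit user action (e.g. tapping
    /// "Paste link"), not on a timer or on every keystroke.
    func readLinkIfRelevant() -> URL? {
        guard let url = pasteboard.url, isOwnDomain(url) else { return nil }
        return url
    }

    /// Hypothetical host check; an app would list its own deep-link domains here.
    private func isOwnDomain(_ url: URL) -> Bool {
        return url.host?.hasSuffix("example.com") == true
    }
}
```

Steps 1 and 2 are what let an app gate its deep-link handling without ever touching the clipboard text; step 3 is the only point a user sees anything.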

"Lots of people do it" should never be considered a legitimate excuse. Trying to use that excuse should get you kicked out of the meeting room.

Everything TikTok is usually linked to malice and espionage from China. If this is a common industry practice, at the very least you give it the benefit of the doubt. It doesn't make it ok. It just makes it not automatically linked to international cyber warfare.

The incidents that might qualify as cyber warfare could also just be looked at as the same struggle for power on a different front, compared to economics. It can't be lost on Chinese leaders how valuable it is to the US to have so much money and data flowing through its domestic tech companies. Tech companies can't cross the line into cyber warfare themselves and get a pass on it, but they do play a role in it.

I don't think they're trying to say it's a valid excuse, just that there are reasons to check clipboard content that aren't malicious.

why should it get you kicked out of the meeting room? if everyone else is doing it and has a better ux, i'd imagine you'd be kicked out of the meeting room if you're not doing it.

Theoretically maybe, practically we have a proverb: 'No one is fired for buying (IBM|MS|Google|AWS)'