TikTok, LinkedIn, and maybe others have been copying the iOS clipboard every keystroke

I haven’t seen a thread on this yet, though I imagine we’re going to be hearing a lot about it in the coming weeks. Many apps have apparently been secretly copying your iOS clipboard for no apparent purpose.

The practice seems incredibly invasive, though in LinkedIn’s case this supposedly “only does an equality check between the clipboard contents and the currently typed content in a text box. We don’t store or transmit the clipboard contents”:

TikTok has also been caught with a similar “bug.”

All of these apps are being found out thanks to iOS 14’s new notification upon clipboard access.

(Sorry for all the links!)

Yep, I’ve found the same. Gumtree (UK equivalent to Craigslist) does it, as does eBay, the parent company.

I contacted them and got told I was wrong so sent them a screenshot. Now they are ‘investigating’.

2 Likes

It’s going to be amazing how many of these ‘bugs’ are fixed right before or after iOS 14 is released. Good on Apple for exposing this offensive practice.

3 Likes

Been that way for years. How do people think apps like Pocket detect links automatically and ask if you’d like to add to your reading list? Glad this is finally being exposed…

An app can ask the clipboard what kind of data it has (text, url, image, etc) without copying every entry.

1 Like
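An added example (not from the thread or from any app named in it) of the type-check-first pattern the post above describes, written in Swift against UIKit's `UIPasteboard`. The class and method names are hypothetical; `hasURLs`, `changeCount` and `url` are the real pasteboard properties.

```swift
import UIKit

/// Hypothetical helper: offers to save a copied link without reading the
/// clipboard contents until the user explicitly accepts.
final class ClipboardLinkOffer {
    private let pasteboard = UIPasteboard.general

    // changeCount increments whenever the pasteboard contents change, so it
    // lets us skip a clipboard we have already checked.
    private var lastSeenChangeCount = -1

    /// Call when the app becomes active, not on every keystroke.
    /// Returns true if the UI should show an "Add copied link?" prompt.
    func shouldOfferLink() -> Bool {
        guard pasteboard.changeCount != lastSeenChangeCount else { return false }
        lastSeenChangeCount = pasteboard.changeCount
        // hasURLs reports only the type of the contents; it does not return them.
        return pasteboard.hasURLs
    }

    /// Call only after the user taps the prompt. This is the single place
    /// where the clipboard contents are actually read.
    func readLinkAfterUserConsent() -> URL? {
        guard pasteboard.hasURLs else { return nil }
        return pasteboard.url
    }
}
```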

Tbh there are use cases where this practice, such as Pocket, makes sense because it enables a feature that improves the user experience. I know the developer of Deliveries has already said they are contemplating removing this feature from his app because of the warning, even though he has a legitimate use case for it unlike LinkedIn and TikTok which are just harvesting data.

Apps like Pocket and Deliveries will show a clipboard notification when it makes sense to see one.

The apps exposed in these different reports have no obvious or intuitive need to read the clipboard, let alone to do so every keystroke…

Clearly. The point is that access is not opt-in. And from what we’re seeing, there are no controls in place that limit what they have access to.

1 Like

Right. Shouldn’t Pocket accessing my clipboard be opt-in? How do we know that’s all that Pocket is doing?

My understanding of the iOS security / execution model is that all but the one or two most recently used apps are suspended…correct?

So in order for TikTok to get, say, something critical like a password that you copied from 1Password, you’d need to get the password, copy it to the clipboard, then switch to TikTok before you did anything else - correct? It wouldn’t be able to just be silently running in the background (let’s say 15 apps ago) and still be monitoring?

I think as long as it’s in your clipboard, it’s in your clipboard. So if the last thing you ever copied is a password, even if it was a day ago, apps that read the clipboard get it.

What I meant was that an app, say Pocket, can ask the clipboard if there are URLs present without actually copying them. But that seems to be beside the point of your remarks. If I understand correctly, what you want is the ability to approve any copy from the clipboard. Is that correct?

There are a few reasons apps can continue running in the background (with several limitations). Facebook has been abusing this in the past. I would not be surprised if TikTok also tried doing this.

Please note that 1Password’s auto-fill does not use the clipboard (except for 2FA codes, which are only valid for a short time) and 1Password clears/restores the clipboard after some time:

1 Like