Over the past several months, security researchers have warned the public about a number of apps snooping on users’ private data. Among the most concerning is the popular video-sharing app TikTok. If you have a young person in your life, you probably know all about the challenges, pranks, and dances that have come from TikTok. You may even be a veteran TikTok-er yourself. But please be aware that the security flaw found in this and other apps can expose data such as addresses, passwords, and financial information. While it might be all fun and games on the frontside, the backside of many apps can pose a serious security risk, both for individuals and businesses.
Data Scraping From Your Clipboard
Alarm bells started to ring about TikTok when security researchers discovered that the app was taking advantage of a flaw in Apple’s iOS. This flaw allowed apps to read content copied onto a device’s clipboard. Because Apple’s OS allows multiple devices using the same Apple ID (and within 10 feet of one another) to share a clipboard, information copied onto a clipboard is accessible by all of your devices. For example, if you copy something on your Mac, it can be read by an app on your iPhone. That’s great if you want to have access to your information regardless of what device you use. It’s not so great if a third-party app accesses this information for its own purposes.
The current version of Apple’s OS allows apps to read any data copied to the clipboard on an iOS device. Apple’s fix for this vulnerability won’t be available until the fall, with the release of iOS 14, meaning your clipboard data is unprotected until that time. Additionally, users receive no notification and there is no setting available to restrict this type of activity. However, such notifications will be part of the fix included in the release of iOS 14.
What Does This Mean for Data Security?
In March 2020, security researchers identified this issue and found more than four dozen apps taking advantage of this flaw, including many major news apps. Each time one of these apps was opened, it read users’ clipboard data. Of the 56 apps listed in the original report, the one that gained the most attention was TikTok, likely due to its Chinese ownership. Whatever your feelings may be about global politics, the notion that potentially sensitive personal data could be accessed by anyone should give you pause.
Many people use their phone’s clipboard feature to copy text from one location to another – for instance, from a password manager into a banking app. For iOS users, the potential to expose sensitive information expands to include any other devices that share their Apple ID information.
Regardless of whether your phone is for business or personal use, this vulnerability could mean big problems for your data security. Unfortunately, iOS users will have to wait until fall for the latest update, which will likely happen in September 2020. Among other features, iOS 14 will notify users every time an app accesses the device clipboard.
Protecting Your Clipboard Data
The other piece of this puzzle, however, is the apps themselves. Identifying the issue and listing the apps engaging in this behavior helped to put an end to some of it. Nearly half of the apps listed in the original report curtailed or eliminated the practice altogether. (In case you’re wondering, TikTok was not one of them. As recently as June 30, 2020, the app was still reading clipboard content.) The remaining apps have yet to release an update that eliminates this practice. You can continue to wait for app updates, but the app development process can be lengthy.
In the meantime, iPhone users will want to be very cautious about the information they copy to their device clipboard. In fact, you may want to get into the habit of clearing your clipboard. Clearing clipboard contents takes a few extra steps, but could be worth it if that protects your sensitive personal information. The easiest method to do this is to open up something that has a text field and put in a string of characters or a couple of blank spaces and then copy that. This will effectively erase the last information you copied to your clipboard.
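For teams that build iOS apps handling sensitive values (a password manager, for instance), the clearing habit above and the cross-device sharing described earlier can both be addressed in code. The following is an added example, not code from the original report or from any app named here; the `SensitiveClipboard` class name and the 60-second lifetime are assumptions of this example.

```swift
import UIKit

/// Hypothetical helper for copying secrets (class name is an assumption of this example).
final class SensitiveClipboard {
    private let pasteboard = UIPasteboard.general
    // Pasteboard change counter recorded right after our own write.
    private var changeCountAfterCopy: Int?

    /// Copy a secret so that it stays on this device and expires on its own.
    /// The 60-second default lifetime is an assumed value, not a platform default.
    func copy(_ secret: String, lifetime: TimeInterval = 60) {
        // "public.utf8-plain-text" is the uniform type identifier for UTF-8 text.
        let item: [String: Any] = ["public.utf8-plain-text": secret]
        pasteboard.setItems([item], options: [
            // Keep the item off the shared clipboard used by other
            // devices signed in with the same Apple ID.
            .localOnly: true,
            // Have the system drop the item after the lifetime passes.
            .expirationDate: Date().addingTimeInterval(lifetime)
        ])
        changeCountAfterCopy = pasteboard.changeCount
    }

    /// Clear the clipboard, but only if our secret is still what it holds.
    /// If the user has copied something else since, leave it alone.
    /// Returns true when the clipboard was cleared.
    @discardableResult
    func clearIfUnchanged() -> Bool {
        defer { changeCountAfterCopy = nil }
        guard let expected = changeCountAfterCopy,
              pasteboard.changeCount == expected else {
            return false
        }
        pasteboard.items = []   // replaces the secret with an empty clipboard
        return true
    }
}
```

Comparing `changeCount` reads only clipboard metadata, not the copied content, so the check itself does not expose what the user has on the clipboard.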
If you’re an Android user, however, don’t think you’re off the hook. We’ve been focusing on iOS because of its universal sharing feature among devices, but that doesn’t mean Android is immune to clipboard snooping. In fact, all apps can read clipboard content, regardless of the operating system. Apple is fixing the flaw in its OS by triggering a notification each time an app accesses clipboard content. Android users don’t have that function available to them. Copying a string of characters or blank spaces will work to clear clipboard content on an Android device, as well.
Additional Security Measures
We’d be remiss not to mention two-factor authentication (2FA) in relation to this issue. In the event an app accesses sensitive personal information on your clipboard, having 2FA can provide some peace of mind. Requiring a second set of credentials can protect your data from unauthorized login by a third party. If you choose to use 2FA as an additional step, key in the provided code manually. The copy/paste method will write that information to your clipboard.
If it seems there is no end to the ways your personal information can be accessed and compromised, you’re right. Technology and modern life move quickly. It pays to be savvy and vigilant and to keep your devices and apps updated. Lieberman Technologies can provide guidance and assistance for many of your IT issues, including data security. Contact us for more information!