AvatarWan t1_ixvxm9j wrote

Re: the TikTok stuff. Wasn’t there something about when iOS 14 or something came out, the one where it gave you a notification about when an app copied the clipboard? TikTok was basically copying everything it saw in the clipboard even if you weren’t actively pasting something.

https://www.theverge.com/2020/6/26/21304228/tiktok-security-ios-clipboard-access-ios14-beta-feature

That’s sketch af.

14

mikeymumbelz t1_ixvy9dz wrote

No shit!

Thank you for sharing this. Genuinely didn't know it.

5

nicuramar t1_ixwnmim wrote

But it’s a lot more nuanced than implied.

0

nicuramar t1_ixwnku9 wrote

> That’s sketch af.

Maybe, maybe not. Several apps did that. When you say “copying everything”, it really just means it called the API to get the clipboard. It doesn’t mean or imply anything about what’s done with the data. Could be looked at and thrown away, which seems likely. In many cases apps would do this to look for e.g. app-specific links.

Since there was no specific reason not to do it, they might as well do it often.

−1

AvatarWan t1_ixx7jef wrote

>Maybe, maybe not. Several apps did that.

No, that just means all those apps are sketch af too. You don't accidentally read the clipboard; somebody wrote that code thinking it was ok to read your personal data. You didn't know what was happening until Apple gave that notification, so why should they have any benefit of the doubt when it comes to what they were using it for?

6

nicuramar t1_ixyew0n wrote

> No, that just means all those apps are sketch af too.

No it doesn’t.

> You don’t accidentally read the clipboard

I never said anything about accidentally reading it.

> somebody wrote that code thinking it was ok to read your personal data.

No they didn’t, this is complete speculation. The most common use case is to look at the clipboard data to see if it’s, say, a YouTube link, if you’re the YouTube app, and so on. There are several obvious uses like that.

The API wasn’t protected at all, and guidelines don’t say anything about private data.

> so why should they have any benefit of the doubt when it comes to what they were using it for?

Because your argument is “I can’t think of any legitimate uses so it’s for bad purposes”. But that’s an argument from lack of imagination. Several times before when this has been brought up, actual developers have chipped in with examples. You’re just making stuff up.

1

AvatarWan t1_ixykmuu wrote

Uh huh. So they’ve now changed their app so it doesn’t do that anymore. Mind letting me know what functionality they gave up doing that? Because I can’t find anything on something that TikTok can’t do anymore because they stopped reading your clipboard data.

I don’t have to think of a legitimate reason why TikTok would need to read my clipboard data, that’s their responsibility. If they can’t, then it shouldn’t be done.

There’s no argument you can make that justifies reading the data if after they were discovered they both changed their app to no longer do that and they didn’t lose any functionality.

1

nicuramar t1_ixyy2cj wrote

> Uh huh. So they’ve now changed their app so it doesn’t do that anymore.

Sure, and so did many others. This is because now the API works differently, and notifies the user.

> Mind letting me know what functionality they gave up doing that?

I don’t know what TikTok used it for, but I have examples above. It’s also likely possible to code it in a different way so as to not lose functionality. Developers are sometimes lazy. The API worked, so why do it differently?

> I don’t have to think of a legitimate reason why TikTok would need to read my clipboard data, that’s their responsibility. If they can’t, then it shouldn’t be done.

Fortunately for you, they don’t anymore.

> There’s no argument you can make that justifies reading the data

I think I did make such arguments.

> after they were discovered they both changed their app to no longer do that and they didn’t lose any functionality.

You make it sound like it was a big secret. It was just an API that used to not pop up a notification, and now does. So all apps that used this before, now got noticed. But this doesn’t imply anything about how they used it.

Why did they change their app? Well, it’s obviously very annoying for the user with those pop ups, and it raises questions about why they do it. But that still doesn’t mean there weren’t perfectly fine reasons for it.

0

AvatarWan t1_ixz4jmg wrote

Instagram didn't do it, Twitter didn't do it, Facebook didn't do it. None of the mobile apps in their space did what TikTok was doing. Why was TikTok?

You made arguments, none of them are a good reason for copying clipboard data every second and then suddenly changing that behavior with no functionality loss.

Did they ever give a good reason to be doing it? They haven't. It would seem from a PR perspective if it was for some user functionality benefit you would just say, our bad, we did it so we could parse YouTube links automatically for you. They didn't do that.

0

nicuramar t1_iy1lkra wrote

> Instagram didn’t do it, Twitter didn’t do it, Facebook didn’t do it. None of the mobile apps in their space did what TikTok was doing. Why was TikTok?

Who knows. You don’t, at least.

> You made arguments, none of them are a good reason for copying clipboard data every second and then suddenly changing that behavior with no functionality loss.

Plenty of apps did it, and the functionality lost isn’t always clear to the user, or, like I already said, it was just written a different way so no function was lost.

> Did they ever give a good reason to be doing it? They haven’t.

Sure they did. For instance:

> Following the beta release of iOS14 on June 22, users saw notifications while using a number of popular apps. For TikTok, this was triggered by a feature designed to identify repetitive, spammy behavior. We have already submitted an updated version of the app to the App Store removing the anti-spam feature to eliminate any potential confusion.

Other apps did similar. Also, it wasn’t “every second”.

> It would seem from a PR perspective if it was for some user functionality benefit you would just say, our bad, we did it so we could parse YouTube links automatically for you. They didn’t do that.

They did do that.

0