iOS 14’s Best Privacy Feature? Catching Data-Grabbing Apps

Every single iOS update, users gain more controls over what data app developers collect about them. The new iOS 14 is no different, except for one thing—it hasn’t even left beta and its privacy features are already causing havoc for major app developers.

WIRED UK

This story originally appeared on WIRED UK.

Privacy notifications, which pop up whenever an app accesses the microphone, camera or clipboard, are responsible for many apps’ dubious data collecting behaviors being outed in the past few weeks.

It’s just one privacy feature in a laundry list of new privacy-preserving features on iOS 14, which include requiring developers to declare what data they collect on their app; giving users the ability to choose whether they share their approximate location with an app instead of their precise location; and requiring developers to get users’ permission if they want to track them for advertising purposes.

But of all these additions, it’s the privacy notifications which have been causing chaos for app developers. It has been ratting out apps left and right ever since the beta was released back in June.

Last week, Instagram became the latest app to be called out by iOS 14’s privacy notifications feature after users began noticing that the green light indicator—which alerts users that the camera has been activated—kept turning on—even when the camera was not in use. Addressing the behavior, Instagram said that the activation of the camera was just a bug and that it was being triggered by a user swiping into the camera from the Instagram feed.

TikTok, LinkedIn, and Reddit have all so far been caught out by the new privacy notification, with users noticing that they were receiving alerts telling them that the apps were copying content from other apps every few keystrokes. All of them resolved to fix the issues. While Reddit blamed the behavior on a bug, TikTok said it was copying clipboard data as an anti-spam measure. LinkedIn said it copied clipboard data to perform an equality check between what the user was typing and what was in their clipboard.

Apple is able to detect this behavior whenever an app accesses the camera, microphone, or clipboard because all apps have to communicate with Apple’s API. “Functions like the clipboard and microphone need to be accessed through the operating system. [Apple] can check whether the access was initiated by the user via a UI selection, or were being performed unprompted by the application,” says Arosha Bandara, professor of software engineering at the Open University.

Researchers have warned of several major apps storing clipboard data for a number of years, but the iOS 14 beta makes the behavior public for everyone to see for the first time. Security researchers Talal Haj Bakry and Tommy Mysk identified 53 apps which were found to be copying clipboard data without users’ consent back in March.

“I believe that these privacy modifications are a huge step forward from a user perspective, because developers and Apple engineers knew about this before, but users didn’t know about it,” says security engineer Anastasiia Voitova. “Now users can see, so it’s making things transparent. Users can start asking questions.”

Voitova says there are a few reasons why app developers may be collecting clipboard data. One of these reasons is for ad tracking purposes. “From an iOS perspective, I imagine there are quite a lot of apps that access the clipboard,’ says Aidan Fitzpatrick, founder of app data firm Reincubate. “I imagine there are quite a lot of apps that abuse what’s on the clipboard to boost engagement in their app or learn more about you.”

Apps from game developer Popcap and Airbnb’s HotelTonight app, which had both been seen capturing clipboard data, told The Telegraph that it had traced the behavior back to tools from Google and product testing firm Apptimize, which both have third-party vendor libraries, This hints that the clipboard copying is unintentional on the app developer’s side, and could just be a side effect of lazy coding.

www.wired.com

Leave a Reply