What you need to know
- Apps including TikTok can read your clipboard in iOS without permission.
- Two developers have used Xcode to analyze the behavior of 50 apps.
- It poses a massive risk of exposing private and personal data.
Two developers have revealed that apps in iOS 13.3 can read your iOS clipboard without permission.
According to the blog Mysk, two developers, Tommy Mysk and Talal Haj Bakry, have used Xcode to analyze the behavior of around 50 apps, with some startling results.
Your iOS/iPadOS clipboard, or pasteboard, is where information that you copy and paste is stored whilst you're using it. If you highlight and copy anything on your iPhone or iPad, like text, a message from a friend, a password or a credit card number, it gets stored on your clipboard until you use it.
From the report:
We have explored popular and top apps available on the App Store and observed their behavior using the standard Apple development tools. The results show that many apps frequently access the pasteboard and read its content without user consent, albeit only text-based data.
According to Mysk, who contacted iMore with additional information:
The exploit works with all data types such as text, photos, or PDF documents. Surprisingly, the apps we tested only chose to read text, but ignore other data types such as photos or PDF documents. In other words, all the apps we listed in our blog are only interested in reading text from the clipboard.
Apps named as guilty of this exploit include ABC News, CBS News, CNBC, Fox News, New York Times, Reuters, WSJ, 8 Ball Pool, TikTok and more.
The conclusion to the piece states:
Access to the pasteboard in iOS and iPadOS requires no app permission as of iOS 13.3. While the pasteboard provides the ease of sharing data between various apps, it poses a risk of exposing private and personal data to suspicious apps. We have investigated many popular apps in the App Store and found that they frequently access the pasteboard without the user being aware. Our investigation confirms that many popular apps read the text content of the pasteboard. However, it is not clear what the apps do with the data. To prevent apps from exploiting the pasteboard, Apple must act.
You can read the full report, including a full list of guilty apps, here.
Updated: This article has been updated to correctly report on how the exploit works, as explained to us by Tommy Mysk.