With every single iOS update, users gain more controls over what data app developers collect about them. The new iOS 14 is no different, except for one thing – it hasn’t even left beta and its privacy features are already causing havoc for major app developers.
Privacy notifications, which pop up whenever an app accesses the microphone, camera or clipboard, are responsible for many apps’ dubious data collecting behaviours being outed in the past few weeks.
It’s just one privacy feature in a laundry list of new privacy-preserving features on iOS 14, which include requiring developers to declare what data they collect on their app; giving users the ability to choose whether they share their approximate location with an app instead of their precise location; and requiring developers to get users’ permission if they want to track them for advertising purposes.
But of all these additions, it’s the privacy notifications which have been causing chaos for app developers. They have been ratting out apps left and right ever since the beta was released back in June.
Last week, Instagram became the latest app to be called out by iOS 14’s privacy notifications feature after users began noticing that the green light indicator – which alerts users that the camera has been activated – kept turning on even when the camera was not in use. Addressing the behaviour, Instagram said that the activation of the camera was just a bug and that it was being triggered by a user swiping into the camera from the Instagram feed.
TikTok, LinkedIn and Reddit have all so far been caught out by the new privacy notification, with users noticing that they were receiving alerts telling them that the apps were copying content from other apps every few keystrokes. All of them resolved to fix the issues. While Reddit blamed the behaviour on a bug, TikTok said it was copying clipboard data as an anti-spam measure. LinkedIn said it copied clipboard data to perform an equality check between what the user was typing and what was in their clipboard.
Apple is able to detect this behaviour whenever an app accesses the camera, microphone or clipboard because all apps have to communicate with Apple’s API. “Functions like the clipboard and microphone need to be accessed through the operating system. [Apple] can check whether the access was initiated by the user via a UI selection, or was being performed unprompted by the application,” says Arosha Bandara, professor of software engineering at the Open University.
Researchers have warned of several major apps storing clipboard data for a number of years, but the iOS 14 beta makes the behaviour public for everyone to see for the first time. Security researchers Talal Haj Bakry and Tommy Mysk identified 53 apps which were found to be copying clipboard data without users’ consent back in March.
“I believe that these privacy modifications are a huge step forward from a user perspective, because developers and Apple engineers knew about this before, but users didn’t know about it,” says security engineer Anastasiia Voitova. “Now users can see, so it’s making things transparent. Users can start asking questions.”
Voitova says there are a few reasons why app developers may be collecting clipboard data. One of these reasons is for ad tracking purposes. “From an iOS perspective, I imagine there are quite a lot of apps that access the clipboard,” says Aidan Fitzpatrick, founder of app data firm Reincubate. “I imagine there are quite a lot of apps that abuse what’s on the clipboard to boost engagement in their app or learn more about you.”
Apps from game developer Popcap and Airbnb’s HotelTonight app, which had both been seen capturing clipboard data, told The Telegraph that they had traced the behaviour back to tools from Google and product testing firm Apptimize, which both have third-party vendor libraries. This hints that the clipboard copying is unintentional on the app developer’s side, and could just be a side effect of lazy coding.
Many app developers take advantage of third-party libraries to improve their apps, which is sometimes why unintentional clipboard-copying can occur. “The libraries inside the app gather the same permissions as the application itself, but developers often don’t read the code of third-party libraries,” explains Voitova. “A developer might have really good intentions, but some libraries that they use can misuse permissions to do something bad.”
There are, of course, also legitimate user experience reasons for why an app might want to access your clipboard without your permission. A delivery app, for example, might want to automatically paste a tracking number into the text field upon opening the app. But for the apps which are maliciously capturing clipboard data or using the microphone, these privacy notifications and light indicators could get them to change their dodgy behaviour.
The iOS 14 privacy notifications, for example, have already pushed TikTok, LinkedIn, Reddit and Instagram to announce that they will code out the bug or stop the behaviour altogether. VICE, whose VICE News app was flagged up by Haj Bakry and Mysk, admitted that it didn’t even know its apps were accessing the clipboard until the iOS 14 beta was released.
Still, it’s wise to remember that most permissions abuse happens on Google’s Android operating system. Last year, researchers from the International Computer Science Institute found up to 1,325 Android apps were gathering data, despite the researchers denying the apps permission to access that data. Whether Google decides to implement privacy notifications, however, is a different story. The company has not said whether it intends to implement a similar feature in the future, but recent versions of Android have been giving users more information about the data that apps collect.
Maximilian Golla, a security researcher at the Max Planck Institute for Security and Privacy, says that the business model on Android is different to iOS. “I wonder whether the app developers really want to change this, or Google really wants to implement such a feature because they depend on this kind of tracking,” he says. “Google makes its money from Google AdSense, and I would be surprised if Google implements such a tracking notification.”
So, while privacy notifications are having the unintended consequence of forcing developers to change their tracking habits, this transparency culture shift might only occur on iOS. Ultimately, Fitzpatrick thinks that these privacy notifications are eventually going to flush tracking behaviour out of iOS apps. “Either they’re going to stop doing it, or they’re going to have to explain why,” he says.
Alex Lee is a writer for WIRED. He tweets from @1AlexL