With every iOS update, users gain more controls over what data that app developers can collect about them. The new iOS 14 is no different, except for one thing—it hasn’t even left beta, and its privacy features are already causing havoc for major app developers.
Privacy notifications, which pop up whenever an app accesses the microphone, camera, or clipboard, are responsible for many apps’ dubious data-collecting behaviors being outed in the past few weeks.
It’s just one privacy feature in a laundry list of new privacy-preserving features on iOS 14, which include requiring developers to declare what data they collect on their app; giving users the ability to choose whether they share their approximate location with an app instead of their precise location; and requiring developers to get users’ permission if they want to track them for advertising purposes.
But of all these additions, it’s the privacy notifications which have been causing chaos for app developers. It has been ratting out apps left and right ever since the beta was released back in June.
Last week, Instagram became the latest app to be called out by iOS 14’s privacy notifications feature after users began noticing that the green light indicator—which alerts users that the camera has been activated—kept turning on—even when the camera was not in use. Addressing the behavior, Instagram said that the activation of the camera was just a bug and that it was being triggered by a user swiping into the camera from the Instagram feed.
TikTok, LinkedIn, and Reddit have all so far been caught out by the new privacy notification, with users noticing that they were receiving alerts telling them that the apps were copying content from other apps every few keystrokes. All of them resolved to fix the issues. While Reddit blamed the behavior on a bug, TikTok said it was copying clipboard data as an antispam measure. LinkedIn said it copied clipboard data to perform an equality check between what the user was typing and what was in their clipboard.
Apple is able to detect this behavior whenever an app accesses the camera, microphone, or clipboard because all apps have to communicate with Apple’s API. “Functions like the clipboard and microphone need to be accessed through the operating system. [Apple] can check whether the access was initiated by the user via a UI selection or were being performed unprompted by the application,” says Arosha Bandara, professor of software engineering at the Open University.
Researchers have warned of several major apps storing clipboard data for a number of years, but the iOS 14 beta makes the behavior public for everyone to see for the first time. Security researchers Talal Haj Bakry and Tommy Mysk identified 53 apps that were found to be copying clipboard data without users’ consent back in March.
“I believe that these privacy modifications are a huge step forward from a user perspective, because developers and Apple engineers knew about this before, but users didn't know about it,” says security engineer Anastasiia Voitova. “Now users can see, so it's making things transparent. Users can start asking questions.”
Voitova says there are a few reasons why app developers may be collecting clipboard data. One of these reasons is for ad tracking purposes. “From an iOS perspective, I imagine there are quite a lot of apps that access the clipboard,” says Aidan Fitzpatrick, founder of app data firm Reincubate. “I imagine there are quite a lot of apps that abuse what’s on the clipboard to boost engagement in their app or learn more about you.”
Apps from game developer Popcap and Airbnb’s HotelTonight app, which had both been seen capturing clipboard data, told The Telegraph that it had traced the behavior back to tools from Google and product-testing firm Apptimize, which both have third-party vendor libraries. This hints that the clipboard copying is unintentional on the app developer’s side and could just be a side effect of lazy coding.
Many app developers take advantage of third-party app libraries to improve their apps, for example. It’s sometimes why unintentional clipboard-copying can occur. “The libraries inside the app gather the same permissions as the application itself, but developers often don't read the code of third-party libraries,” explains Voitova. “A developer might have really good intentions, but some libraries that they use can misuse permissions to do something bad.”
There are, of course, also legitimate user experience reasons for why an app might want to access your clipboard without your permission. A delivery app, for example, might want to automatically paste a tracking number into the text field upon opening the app. But for the apps which are maliciously capturing clipboard data or using the microphone, these privacy notifications and light indicators could get them to change their dodgy behavior.
The iOS 14 privacy notifications, for example, have already pushed TikTok, LinkedIn, Reddit, and Instagram to announce that they will code out the bug or stop the behavior altogether. Vice admitted that its Vice News app, which was flagged by Haj Bakry and Mysk, that it didn't even know their apps were accessing the clipboard until the iOS 14 beta was released.
Still, it’s wise to remember that most permissions abuse happens on Google’s Android operating system. Last year, researchers from the International Computer Science Institute found that up to 1,325 Android apps were gathering data, despite the researchers' apps denying them permission to access that data. But whether Google decides to implement privacy notifications, however, is a different story. The company has not said whether it intends to implement a similar feature in the future, but recent versions of Android have been giving users more information about the data that apps collect.
Maximilian Golla, a security researcher at the Max Planck Institute for Security and Privacy says that the business model on Android is different from iOS. “I wonder whether the app developers really want to change this, or Google really wants to implement such a feature, because they depend on this kind of tracking,” he thinks. “Google makes its money from Google AdSense, and I would be surprised if Google implements such a tracking notification.”
So while privacy notifications are having the unintended consequence of forcing developers to change their tracking habits, this transparency culture shift might only occur on iOS. Ultimately, Fitzpatrick thinks that these privacy notifications are eventually going to flush tracking behavior out of iOS apps. “Either they're going to stop doing it or they're going to have to explain why,” he says.
This story originally appeared on WIRED UK.