By Sean Kim, Head of Product, TikTok US
TikTok is committed to building an experience that protects the safety and privacy of our community. As part of our commitment to accountability, Roland Cloutier, our Chief Information Security Officer, wrote about our ongoing review of our security infrastructure and practices. As you may know, the use of third-party SDKs (software development kits) is a common practice in the industry to foster a more convenient user experience, but we have decided to take the step of eliminating all clipboard access not explicitly requested by the user. This includes blocking SDKs that go beyond typical practices in the sector in order to give users greater peace of mind.
During a recent review, we identified a few examples of third parties, such as Facebook's SDK, attempting to access our users' clipboards, and today we sent an update to the App Store to block this kind of SDK access.
I'd like to take a step back and describe how we cooperate with third-party app developers. Most apps work with a number of developers to enable people to create great content and reach larger audiences. For example, developers like Adobe or Lightricks may launch a photo template or video editing app. We partner with these trusted developers so that users can easily share content made on an outside or third-party app to TikTok.
When a user wants to share content created on a third-party app, it is critical that we authenticate the outside app. This helps to protect our platform and our community from malicious actors. In the past, we used UIPasteboard in iOS to copy authentication credentials over to TikTok. These credentials included:
- Bundle id: the third-party app identifier with Apple;
- Client key and secret: unique identifiers that authorize the third-party app with TikTok; and,
- Unique id: an identifier provided by the third-party developer to attribute an id with the content that is being shared. This id is created by the third-party developer.
We have removed the code that enabled the process described above. Moving forward, we will authenticate developers through a URL schema. We've already informed existing third-party developers of the fix, and they are working on their end to make the transition smooth. (If you are a third-party developer, please visit our TikTok for Developers website for the latest updates and news.) In the meantime, users might see that they are unable to share a video or photo to TikTok until the third-party developer updates to TikTokOpenSDK 4.0.0. We recognize the extra work this creates for developers, and we appreciate their commitment to helping us protect the privacy of the TikTok community.
TikTok also partners with third-party developers so that users can share TikTok videos on their social channels, such as Instagram or Snapchat. In order to make this happen, some third-party apps access a device's clipboard through an API. Starting with the new update, TikTok will only allow a third-party app to access a user's clipboard when an action is expressly initiated by a user, such as sharing to Snapchat or Instagram Stories. We are building a better experience that brings joy to the TikTok community and safeguards sensitive data and information. As Roland says, security is a job that is never done, but we are going to aggressively build an experience that respects and protects our community. Thank you to our partners for helping us achieve excellence over and over.