1 Billion Chinese Keyboard App Users’ Keystrokes Exposed! Find Out How

Published on April 25th, 2024

Cloud-based pinyin keyboard apps have been found to harbor critical security flaws, potentially exposing users’ keystrokes to malicious entities.

This revelation stems from a study by Citizen Lab, which scrutinized nine apps from major vendors including Baidu, Honor, iFlytek, OPPO, Samsung, Tencent, Vivo, and Xiaomi. Huawei’s keyboard app stood out as the sole exception devoid of such vulnerabilities.

Researchers Jeffrey Knockel, Mona Wang, and Zoë Reichert highlighted that these weaknesses could be exploited to fully reveal users’ keystrokes while in transit.

This discovery builds upon earlier research by the University of Toronto’s Citizen Lab, which had previously identified cryptographic weaknesses in Tencent’s Sogou Input Method in August.

The impact is staggering, potentially affecting nearly one billion users worldwide. Notably, IMEs from Sogou, Baidu, and iFlytek, commanding significant market shares, are among the most affected.


Popular Keyboard Apps Leave Users Vulnerable

Here’s a breakdown of the security issues found in various keyboard apps:

  • Tencent QQ Pinyin: This app is susceptible to an attack that could reveal what you type.
  • Baidu IME (Windows): A flaw in Baidu’s encryption protocol allows eavesdroppers to see what you type on Windows.
  • iFlytek IME (Android): Weak encryption in this app lets eavesdroppers potentially steal what you type on your Android device.
  • Samsung Keyboard (Android): This keyboard transmits your keystrokes completely unencrypted, making them easy to intercept.
  • Xiaomi Devices: These devices come with keyboards from Baidu, iFlytek, or Sogou, which have the vulnerabilities mentioned above.
  • OPPO Devices: Similar to Xiaomi, OPPO devices come pre-installed with keyboards (Baidu and Sogou) that have security problems.
  • Vivo Devices: These devices come with Sogou IME, which is vulnerable to eavesdropping.
  • Honor Devices: Honor devices come with Baidu IME, which has the security flaw mentioned earlier.

These keyboard apps make it possible for someone to steal your typed information if they are able to intercept the data the app sends over the internet.

These vulnerabilities, if exploited successfully, could enable attackers to decrypt the keystrokes of Chinese mobile users passively, without triggering any additional network activity.

After responsible disclosure, all of the keyboard app developers except Honor and Tencent (QQ Pinyin) had resolved the issues by April 1, 2024.

Users are encouraged to keep their apps and operating systems up to date and to consider switching to a keyboard app that operates entirely on the device to address these privacy concerns.


Furthermore, experts suggest that app developers adopt established encryption protocols rather than creating their own, potentially flawed versions.

They also advocate for app store operators to refrain from restricting security updates based on location and to ensure developers attest to all transmitted data being encrypted.

The Citizen Lab proposes that Chinese app developers might be hesitant to adopt “Western” cryptographic standards due to fears of potential backdoors, prompting them to devise their own encryption methods.

Given the severity of these vulnerabilities, the sensitive nature of user input, and how easily the flaws were discovered, the researchers caution that such weaknesses could be exploited for mass surveillance.

They note previous instances where similar vulnerabilities in Chinese apps have been exploited by intelligence agencies, raising concerns about potential widespread surveillance of users’ keystrokes.