Researchers from Citizen Lab at the University of Toronto have uncovered significant security flaws in popular Chinese keyboard applications that potentially expose the keystrokes of nearly one billion users to unauthorized network surveillance.
The analysis, led by Jeffrey Knockel, Mona Wang, and Zoë Reichert, scrutinized cloud-based pinyin keyboard apps from major developers like Baidu, Honor, Huawei, iFlytek, OPPO, Samsung, Tencent, Vivo, and Xiaomi, revealing critical vulnerabilities that could fully expose user input during transmission.
Study findings
The extensive study involved reverse-engineering and network analysis to test the security of these apps against potential eavesdropping. The vulnerabilities, prevalent in apps from eight of the nine vendors examined (all but Huawei), could allow a passive observer to decrypt and access user inputs, including sensitive information like passwords and personal messages.
This weakness stems from inadequate encryption protocols and security measures, particularly in the transmission of data to cloud servers for predictive typing suggestions, which is a common feature in these keyboard apps.
Among the analyzed apps, the ones from Baidu, Tencent (QQ Pinyin), and iFlytek were noted for their substantial market share and severe security flaws.
These apps, widely used across various devices and platforms, failed to securely encrypt data, making them vulnerable to interception and decryption by any skilled network eavesdropper.
The revelation is especially concerning given how easily these weaknesses can be exploited and the vast number of users potentially affected, estimated to be close to one billion globally.
The report also highlighted the historical interest of international surveillance agencies, like the Five Eyes, in exploiting similar vulnerabilities for mass surveillance purposes, suggesting a significant risk of widespread data exposure.
Disclosure and fixing
Following the discovery, Citizen Lab reported the vulnerabilities to the involved vendors. Most vendors responded promptly and have taken steps to rectify the vulnerabilities, though some apps remain susceptible.
Users are urged to update their keyboard apps and mobile operating systems regularly to protect their data. Additionally, at-risk users should consider switching to keyboard apps that process input locally on the device and do not rely on cloud-based processing.
To mitigate risks and enhance security, users are advised to:
- Update both their keyboard apps and operating systems to the latest versions.
- Use keyboard apps that process data locally rather than those relying on cloud services.
- Stay informed about the security status of the apps they use and follow recommended security practices.
The findings underline the critical need for robust encryption practices and proactive security measures to protect sensitive user data from unauthorized access and potential surveillance.