Millions at Risk: Popular Keyboard Apps Leak Keystrokes (
Experts at Citizen Lab have identified vulnerabilities in popular keyboard applications that could be exploited to log keystrokes of Chinese users worldwide. These security issues are nearly ubiquitous across apps, including those pre-installed on Android devices in China.
Researchers examined keyboard applications for Android, iOS, and Windows developed by Tencent, Baidu, iFlytek, Sogou, and device manufacturers such as Samsung, Huawei, Xiaomi, OPPO, Vivo, and Honor. The first four companies—Tencent, Baidu, iFlytek, and Sogou—are independent software developers, while the latter group has either developed their keyboards or pre-installed one or more applications from the first group on their devices.
Applications by Baidu, Tencent, iFlytek, and Sogou, which facilitate the input of Chinese characters, often fail to adequately protect transmitted data. Particularly concerning is the absence of Transport Layer Security (TLS), an encryption standard that could prevent data interception.
The vulnerabilities were discovered after researchers found that the Sogou app was transmitting data without TLS, allowing third parties to intercept and decrypt inputted information. Although Sogou rectified the issue following its publication, some pre-installed keyboards remain un-updated.
The ease of exploiting these vulnerabilities and the potential consequences, including the leakage of passwords and sensitive information, highlight the seriousness of the issue. Experts assert that exploiting these flaws does not require significant computing power, merely basic knowledge to intercept data over public Wi-Fi networks.
The problem is exacerbated by the fact that many of the keyboard applications were developed in the 2000s, before the widespread adoption of TLS in software development. While most vulnerabilities have been addressed following security revelations, some companies have yet to respond to reports of issues, leaving vulnerabilities unmitigated.
Additional efforts by researchers, including modifying email headers and texts to Chinese, prompted iFlytek to respond to communications and address the problems. However, data security issues remain pressing for millions of users, underscoring the need for closer collaboration and information sharing among researchers across different countries.
