New research reveals vulnerabilities in popular Chinese-language keyboard apps leave users exposed.
Almost all apps used around the world to enter Chinese-language characters into mobile devices share a security weakness that enables the capture of keystroke data, potentially exposing nearly one billion users to surveillance and exploitation by adversaries.
Researchers at Toronto University’s Citizen Lab have found critical security vulnerabilities in the keyboard apps of Baidu, Honor, iFLYTEK, OPPO, Samsung, Tencent, VIVO and Xiaomi. Of the nine vendors examined, only Huawei’s keyboard was found to be free of such issues.
The flaws show how a keyboard app that transmits users’ keystrokes to a cloud service can expose data such as login inputs (usernames and passwords), financial information, and messages that are otherwise end-to-end encrypted to capture and exploitation by state surveillance groups and cybercriminals.
The recent analysis adds to findings Citizen Lab released in August 2023. At that time, researchers found that Tencent’s Sogou Input Method, the most popular input method in China, did not use Transport Layer Security (TLS) when transmitting keystroke data to its cloud server to improve predictive accuracy while typing. TLS is the widely adopted cryptographic protocol that provides communications security over computer networks; it is used in applications such as email, instant messaging and voice over IP (VoIP), and it secures HTTPS (Hypertext Transfer Protocol Secure) connections to websites. Without it, third parties in privileged network positions (such as an ISP, or anyone with access to upstream routers) could read users’ input on their devices in real time as it was typed.
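The following is an added illustration, not code from Citizen Lab or from any of the vendors named in this article, of the vulnerability class described above: what a passive observer on the network path can recover when a cloud-assisted input method uploads keystroke data without TLS, compared with the same upload inside a TLS record. Both captures are constructed byte strings; the host name, URL path and form field names are hypothetical and do not describe any real app.

```python
"""
Added illustration (not Citizen Lab's code, not any vendor's code): model a
passive on-path observer and show what it can read from a cloud IME upload
sent over plain HTTP versus one sent inside a TLS record.

Both captures are constructed. Host, path and field names are hypothetical.
"""
from dataclasses import dataclass, field
from urllib.parse import parse_qs

# Constructed capture 1: a prediction request sent over plain HTTP.
CLEARTEXT_UPLOAD = (
    b"POST /predict HTTP/1.1\r\n"
    b"Host: ime-cloud.example\r\n"      # hypothetical cloud endpoint
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 34\r\n"
    b"\r\n"
    b"pinyin=wodemima123&uid=constructed"
)

# Constructed capture 2: the same kind of request inside a TLS 1.2
# application-data record. Only the 5-byte record header is plaintext;
# the 32 bytes that follow are filler standing in for ciphertext.
TLS_UPLOAD = bytes([0x17, 0x03, 0x03, 0x00, 0x20]) + bytes(range(0x20))

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ")


@dataclass
class Observation:
    transport: str                      # "cleartext-http", "tls" or "unknown"
    readable_fields: dict = field(default_factory=dict)


def observe(payload: bytes) -> Observation:
    """Return whatever typed input an eavesdropper can recover from one capture."""
    # TLS record: content type 0x17 (application data), major version 3.
    if len(payload) >= 5 and payload[0] == 0x17 and payload[1] == 0x03:
        return Observation("tls")       # header visible, keystrokes are not
    if payload.startswith(HTTP_METHODS):
        _, _, body = payload.partition(b"\r\n\r\n")
        fields = {}
        for key, values in parse_qs(body.decode("utf-8", "replace")).items():
            fields[key] = values[0]
        return Observation("cleartext-http", fields)
    return Observation("unknown")


def leaks_keystrokes(payload: bytes) -> bool:
    """True when an on-path observer can read typed text from this capture."""
    obs = observe(payload)
    return obs.transport == "cleartext-http" and bool(obs.readable_fields)


if __name__ == "__main__":
    for name, cap in (("plain HTTP", CLEARTEXT_UPLOAD), ("TLS", TLS_UPLOAD)):
        obs = observe(cap)
        print(f"{name}: transport={obs.transport} readable={obs.readable_fields}")
```

Run against real packet payloads, a check like `leaks_keystrokes` is the kind of network-side test that would have flagged the cleartext upload the researchers describe. Note that TLS hides the typed text but not the fact that the keyboard contacted a cloud server at all; the user-level advice later in this article (turning off the cloud functionality) removes the upload entirely rather than just encrypting it.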
In their latest study, Citizen Lab notes:
Between this report and our Sogou report, we estimate that close to one billion users are affected by this class of vulnerabilities. Sogou, Baidu, and iFlytek IMEs alone comprise over 95% of the market share for third-party IMEs in China, which are used by around a billion people. In addition to the users of third-party keyboard apps, we found that the default keyboards on devices from three manufacturers (Honor, OPPO, and Xiaomi) were also vulnerable to our attacks. Devices from Samsung and Vivo also bundled a vulnerable keyboard, but it was not used by default. In 2023, Honor, OPPO, and Xiaomi alone comprised nearly 50% of the smartphone market in China.
Having the capability to read what users type on their devices is of interest to a number of actors — including government intelligence agencies that operate globally — because it may encompass exceptionally sensitive information about users and their contacts including financial information, login credentials such as usernames or passwords, and messages that are otherwise end-to-end encrypted. Given the known capabilities of state actors, and that Five Eyes agencies have previously exploited similar vulnerabilities in Chinese apps for the express purpose of mass surveillance, it is possible that we were not the first to discover these vulnerabilities and that they have previously been exploited on a mass scale for surveillance purposes.
Citizen Lab recommends urgent updates and user awareness to protect against keystroke leakage, including the following safeguards:
- Users of Sogou, QQ, Baidu, and iFLYTEK input methods, regardless of whether the input method is installed from the app store or manually installed on the operating system, should ensure that the input method and operating system are maintained in the latest version.
- Privacy-conscious users should discontinue the cloud functionality in any input method.
- Privacy-conscious iOS users should not give the input method the permission to “allow full access”.
To read the Citizen Lab press release on their cybersecurity report, “The not-so-silent type: Vulnerabilities across keyboard apps reveal keystrokes to network eavesdroppers,” go directly to their website here.
The full report in a PDF format is available below.
See the publisher’s website here for the original version of this report.