Specialists at Citizen Lab have identified vulnerabilities in popular keyboard applications that can record keystrokes of Chinese users globally. Security flaws exist in nearly all applications, including those preinstalled on Android devices in China.
Researchers examined versions of keyboard applications for Android, iOS, and Windows from Tencent, Baidu, Iflytek, Sogou, Samsung, Huawei, Xiaomi, Oppo, Vivo, and Honor. The first four – Tencent, Iflytek, and Sogou are independent keyboard developers, while the rest are mobile device manufacturers that either created their own keyboards or included one or more apps from the other three developers on their devices.
Baidu, Tencent, Iflytek, and Sogou keyboard apps are used for easier input of Chinese characters, but many of them do not adequately secure transmitted data. The absence of Transport Layer Security (TLS), an encryption standard that could prevent data interception, is particularly concerning.
Summary table of vulnerabilities found in popular keyboard applications and keyboards preinstalled on popular smartphones
The vulnerabilities were discovered after researchers found that the Sogou app was sending data without using TLS, allowing third parties to intercept and decipher the entered information. While Sogou addressed the issue post-publication, certain pre-installed keyboards remain unpatched.
The ease of exploiting the identified vulnerabilities and the potential consequences, such as password leakage and exposure of confidential data, underscore the seriousness of the issue. Experts note that significant computing capabilities are not necessary to exploit the flaws, as basic knowledge is sufficient to intercept data on public Wi-Fi networks.
Compounding the problem is that many keyboard apps were developed in the 2000s, before widespread TLS implementation in software development. While most vulnerabilities have been rectified after security concerns surfaced, some companies have yet to respond to reports, leaving vulnerabilities unaddressed.
Further efforts by researchers, including altering the subject lines and content of emails in Chinese, prompted Iflytek to respond to emails and address the issues. However, data security concerns persist for millions of users, underscoring the need for increased collaboration and information sharing among researchers worldwide.