Major Security Flaws Expose Keystrokes of More Than 1 Billion Chinese Keyboard App Users

A critical security lapse has exposed the keystrokes of nearly one billion users who rely on cloud-based pinyin keyboard apps. Researchers at the Citizen Lab, a University of Toronto interdisciplinary research group, discovered vulnerabilities in eight out of nine popular apps, leaving user data vulnerable to “nefarious actors.”

These vulnerabilities stemmed from flaws in the way apps handle keystroke data during transmission. Baidu, Honor, iFlytek, OPPO, Samsung, Tencent (QQ Pinyin), Vivo, and Xiaomi keyboards were all found to have shortcomings. Notably, Huawei’s keyboard was the sole exception.

“These vulnerabilities could allow attackers to completely decipher what users are typing,” revealed researchers Jeffrey Knockel, Mona Wang, and Zoë Reichert. This echoes similar findings from last August, where the Citizen Lab identified encryption flaws in Tencent’s Sogou Input Method.

The impact is widespread, affecting popular IMEs (Input Method Editors) like Sogou, Baidu, and iFlytek. The identified issues include:

• Tencent QQ Pinyin: Vulnerable to an CBC padding oracle cyberattack that could potentially reveal typed content.
• Baidu IME (Windows): Network traffic can be decrypted, exposing typed text due to a flawed encryption protocol.
• iFlytek IME (Android): Insufficient encryption allows attackers to recover user input.
• Samsung Keyboard (Android): Keystroke data transmitted completely unencrypted.
• Pre-installed Keyboards: Devices from Xiaomi, OPPO, Vivo, and Honor come pre-installed with keyboards from Baidu, iFlytek, and Sogou, inheriting their vulnerabilities.

These weaknesses allow attackers to passively intercept and decipher users’ keystrokes without needing to send additional data. Thankfully, responsible disclosure by the Citizen Lab prompted most developers to address the issues by April 1, 2024. However, Honor and Tencent (QQ Pinyin) remain outstanding.

To mitigate these risks, users are urged to:

• Keep apps and operating systems updated.
• Switch to a keyboard app that processes data entirely on-device.
• Use well-established encryption protocols instead of custom solutions.

App stores should also avoid geoblocking security updates and allow developers to guarantee encrypted data transmission.

The Citizen Lab speculates that Chinese app developers might be hesitant to use Western encryption standards due to potential backdoor concerns. This could explain their reliance on in-house ciphers, which often lack robustness.

The researchers expressed concern that the large scale of this vulnerability, the sensitive nature of user-typed data, and the ease of exploitation raise the possibility of mass surveillance by state actors with a history of exploiting such flaws.