Exposing the Vulnerabilities: Major Security Flaws in Chinese Keyboard Apps Put 1 Billion Users at Risk

Significant security weaknesses have been found in cloud-based Chinese keyboard apps, which could potentially allow malicious individuals to access and view the keystrokes of over 1 billion users.

According to research by Citizen Lab, security vulnerabilities were found in eight out of nine keyboard apps from companies such as Baidu, Honor, iFlytek, OPPO, Samsung, Tencent, Vivo, and Xiaomi. The only exception was Huawei, whose keyboard app was found to be secure with no weaknesses.

The security weaknesses could be used to expose the information typed by users while it is being transmitted, according to researchers Jeffrey Knockel, Mona Wang, and Zoë Reichert.

The new findings come from a research team at the University of Toronto, which previously found security vulnerabilities in Tencent’s Sogou Input Method in August.

Altogether, nearly one billion users are believed to be affected by this group of vulnerabilities, with Input Method Editors (IMEs) from Sogou, Baidu, and iFlytek accounting for a significant portion of the market.

A brief overview of the problems that have been identified is outlined below –

Successful exploitation of these vulnerabilities could allow attackers to decrypt the keystrokes of Chinese mobile users without the need for any extra network traffic. After responsible disclosure, all keyboard app developers except for Honor and Tencent (QQ Pinyin) had fixed these issues as of April 1, 2024.

Users are advised to regularly update their apps and operating systems and to use a keyboard app that works solely on their device to reduce privacy concerns.

App developers are advised to use established and proven encryption protocols rather than creating their own versions, which may have vulnerabilities. App store operators are advised not to restrict security updates based on location and to allow developers to confirm that all data is transmitted securely with encryption.

The Citizen Lab suggested that Chinese app developers may prefer not to use Western cryptographic standards because they are worried about potential backdoors. This could be why they choose to create their own encryption methods instead.

The researchers expressed concern about the wide range of vulnerabilities, the privacy implications of what users type on their devices, how easily these vulnerabilities could be found, and the fact that the Five Eyes have previously used similar vulnerabilities in Chinese apps for surveillance. They suggested that users’ keystrokes could potentially be under surveillance on a large scale.
