Chinese keyboard apps from Baidu, Samsung, Tencent, Xiaomi and others have flaws that allow eavesdroppers to intercept typed input



Some keyboard apps for smartphones send input to the cloud to provide predictive text conversion. A study by Citizen Lab, a research institute at the University of Toronto, on Chinese keyboard apps found that eight out of nine apps contained vulnerabilities that could allow keystrokes to be intercepted.

The not-so-silent type: Vulnerabilities across keyboard apps reveal keystrokes to network eavesdroppers - The Citizen Lab
https://citizenlab.ca/2024/04/vulnerabilities-across-keyboard-apps-reveal-keystrokes-to-network-eavesdroppers/



Chinese Keyboard App Vulnerabilities Explained - The Citizen Lab
https://citizenlab.ca/2024/04/chinese-keyboard-app-vulnerabilities-explained/

The predictive conversion and predictive input functions on smartphones and PCs generally operate locally for Japanese and English. Keyboard apps and IMEs developed for Chinese, on the other hand, often send the typed text to the cloud to improve prediction accuracy. If the cloud transmission is implemented insecurely, an attacker on the network can intercept that text. Citizen Lab therefore analyzed software that provides cloud-based predictive input and examined the risk of typed text being intercepted.

Citizen Lab analyzed keyboard apps for Android and iOS, as well as IMEs for Windows, provided by Tencent, Baidu, iFlytek, Samsung, Huawei, Xiaomi, OPPO, Vivo, and Honor. The results revealed that software from eight companies, excluding Huawei, had a vulnerability that could allow input data to be stolen. In particular, Samsung's keyboard app, Samsung Keyboard, sent input data to the cloud without encrypting it.
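The failure mode described above for Samsung Keyboard (typed text leaving the device without encryption) is something a defender can look for at the network edge. The following is an added example, not Citizen Lab's tooling or any vendor's code: it scans constructed proxy-style log records and flags apps that look like keyboards or IMEs sending traffic over a cleartext scheme. The app package names, hostnames, log format and the name-based IME heuristic are all assumptions made up for this example.

```python
"""Flag keyboard/IME apps that upload data over cleartext channels.

Added example (not Citizen Lab's or any vendor's code). It scans
constructed proxy-style log lines and reports any app that identifies
itself as a keyboard/IME and sends a request without TLS. App names,
hosts and the log format are assumptions invented for the example.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample log: one record per outbound request, as a local
# proxy or egress gateway might write it. None of this is real traffic.
SAMPLE_LOG = """\
2024-04-24T10:00:01Z app=com.example.keyboard.cloud dst=predict.example.com:80 scheme=http bytes=842
2024-04-24T10:00:02Z app=com.example.browser dst=news.example.com:80 scheme=http bytes=12034
2024-04-24T10:00:03Z app=com.example.ime.secure dst=ime.example.net:443 scheme=https bytes=611
2024-04-24T10:00:04Z app=com.example.keyboard.cloud dst=predict.example.com:443 scheme=https bytes=120
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) app=(?P<app>\S+) dst=(?P<host>[^:\s]+):(?P<port>\d+) "
    r"scheme=(?P<scheme>\S+) bytes=(?P<bytes>\d+)$"
)

# Heuristic (an assumption): package names that identify themselves as
# keyboards/IMEs. A production check would read the device's enabled IME
# list instead of guessing from the name.
IME_NAME_RE = re.compile(r"keyboard|\bime\b|pinyin|inputmethod", re.I)

# Schemes that carry the request body without transport encryption.
CLEARTEXT_SCHEMES = {"http", "ws"}


@dataclass(frozen=True)
class Finding:
    timestamp: str
    app: str
    host: str
    port: int
    nbytes: int


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one log record, or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def is_ime_app(app: str) -> bool:
    """True if the package name looks like a keyboard / input method."""
    return bool(IME_NAME_RE.search(app))


def is_cleartext(scheme: str) -> bool:
    """True if the scheme sends the request without TLS."""
    return scheme.lower() in CLEARTEXT_SCHEMES


def find_cleartext_ime_traffic(log_text: str) -> list:
    """Return one Finding per cleartext request made by an IME-like app."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_ime_app(rec["app"]) or not is_cleartext(rec["scheme"]):
            continue
        findings.append(Finding(rec["ts"], rec["app"], rec["host"], rec["port"], rec["bytes"]))
    return findings


def bytes_per_app(findings) -> dict:
    """Total cleartext bytes sent per flagged app, for triage."""
    totals = {}
    for f in findings:
        totals[f.app] = totals.get(f.app, 0) + f.nbytes
    return totals


if __name__ == "__main__":
    for f in find_cleartext_ime_traffic(SAMPLE_LOG):
        print(f"{f.timestamp} {f.app} -> {f.host}:{f.port} sent {f.nbytes} bytes in cleartext")
```

On the constructed sample only the keyboard app's HTTP request is reported; the browser's HTTP request is ignored because it is not an input method, and the same keyboard's HTTPS request is ignored because the transport is encrypted. The cleartext check only covers the transport: an app that speaks HTTPS but, as the article notes for several vendors, protects the payload with a weak scheme of its own would pass this filter, so this is a first-pass triage, not a substitute for the kind of protocol analysis Citizen Lab performed.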

Citizen Lab has warned that a vulnerability in keyboard apps puts up to one billion users at risk of having their typing exposed.




Citizen Lab has already notified each company of the problem, and all seven companies other than Baidu have completed addressing the problem. Baidu fixed some of the issues immediately after Citizen Lab's notification, but the problem still remains.

Citizen Lab urges users to take the following measures:
- Disable the 'cloud-based predictive input function' of keyboard apps and IMEs
- Restrict access permissions for keyboard apps and IMEs
- Users of 'QQ Pinyin' who have not seen any improvement despite Tencent's promise of a fix by the first quarter of 2024 should immediately stop using the app
- Honor device users should stop using the pre-installed Baidu keyboard app
- Update your keyboard app and IME to the latest version
- Use the standard keyboard app provided by Google or Apple


in Mobile, Software, Web Service, Security, Posted by log1o_hf