Your keyboard app on your smartphone might be lowkey eavesdropping on you. With every word you type on the screen, someone might be accessing your sensitive information including your login password.
A recent investigation conducted by Toronto University's Citizen Lab has revealed alarming vulnerabilities in nearly all keyboard apps designed for entering Chinese characters on mobile devices. This flaw affects users across various platforms, including Android and iOS, potentially exposing their sensitive data to unauthorized access.
Widespread Vulnerability Among Pinyin Keyboard Apps
(Photo : Chris J. Davis from Unsplash)
Mobile users should beware that keyboard apps with Chinese characters could capture their keystrokes, paving the way for their login data to be stolen without them knowing.
The study focused on cloud-based Pinyin apps, which are used to convert Chinese characters into words spelled with Roman letters. These apps are popular among users in China and are provided by nine major vendors including Baidu, Samsung, Huawei, Tencent, Xiaomi, Vivo, OPPO, iFlytek, and Honor. The findings indicated that all apps, except Huawei's, transmitted keystroke data to the cloud unencrypted, allowing easy interception by eavesdroppers.
Researchers pointed out that this vulnerability was not limited to minor developers; major tech giants were also implicated. The data at risk includes highly sensitive information such as login credentials, financial data, and private messages that users would expect to be end-to-end encrypted.
"All of the vulnerabilities that we covered in this report can be exploited entirely passively without sending any additional network traffic. As such, we might wonder, are these vulnerabilities actively under mass exploitation?" the researchers said.
They added that there's no need for a more difficult way to detect these vulnerabilities since they are easy to boot and discover.
Related Article: Zoom Calls Vulnerable to Keystroke Eavesdropping: Researchers Reveal Alarming Threat
Technical Breakdown of the Flaws
Citizen Lab's examination showed that each affected keyboard app consists of two components: a local, on-device component and a cloud-based prediction service. This setup helps handle complex characters and long strings of syllables but also introduces significant security risks. The apps from major tech companies and mobile software developers alike were found to be transmitting user data in clear text.
For instance, Tencent's QQ Pinyin app for Android and Windows was specifically noted for a vulnerability that allowed decryption of keystrokes via active eavesdropping methods.
Similarly, Baidu's IME for Windows was exploitable through both active and passive eavesdropping, showcasing a grave concern regarding user privacy and data security.
Hardware Vendors and Encrypted Transmission
According to DarkReading, the study also highlighted issues with apps developed or used by hardware manufacturers. Samsung's in-house keyboard app, for example, offered no encryption whatsoever, sending keystroke data openly. Although Samsung provides alternatives like Tencent's Sogou app or Baidu's app, these too were found vulnerable by the Citizen Lab research.
Exposed Data of Chinese Keyboard App Users
The implications of these vulnerabilities are vast, affecting potentially up to one billion users, as estimated by Citizen Lab. The exposed data could be exploited for mass surveillance, not only by domestic entities but also by international intelligence services.
The report draws parallels with past security flaws found in other Chinese-developed software, such as the UC browser, which had been exploited by intelligence agencies from the Five Eyes nations for surveillance purposes.
Read Also: Your Phone Could Be Eavesdropping on You: Here's How to Stop Apps From Invading Your Privacy
