Over a Billion Chinese Keyboard Users Vulnerable to Keystroke Theft

Millions of Chinese smartphone users are facing a significant security risk after researchers from the Citizen Lab discovered major vulnerabilities in popular cloud-based pinyin keyboard apps. These apps, from industry giants like Baidu, Tencent, and Xiaomi, potentially exposed users’ keystrokes to malicious actors. This means that sensitive information typed by users, such as passwords, credit card details, and private messages, could be intercepted and stolen.

The Pinyin Problem and Exposed Keystrokes

The issue stems from the complexity of the Chinese language. With tens of thousands of characters, a standard keyboard isn’t sufficient. Chinese users rely on “Input Method Editor” (IME) software, often using pinyin, a system that represents Mandarin sounds with the Latin alphabet.

Smartphone keyboard apps in China, both pre-installed and downloadable, commonly use pinyin. However, translating Latin characters to Chinese requires processing, and some apps upload keystrokes to the cloud for this purpose. This creates a sort of vulnerability, as attackers could potentially intercept this data.

These flaws create a risky situation for users as the research uncovered critical weaknesses, raising serious security concerns. The issues raised are:

• Weak Encryption: Baidu’s pinyin app uses weak encryption, allowing eavesdroppers to easily read users’ keystrokes.
• Compromised Encryption: Apps from Samsung, Xiaomi, OPPO, Honor, and iFlytek use encryption already cracked by attackers, enabling them to intercept keystrokes.
• Additional Issues: Tencent, Xiaomi, OPPO, and Vivo apps have vulnerabilities allowing active eavesdropping on keystrokes.

These vulnerabilities are particularly concerning because the studied apps hold over 95% market share in China. Citizen Lab estimates roughly 780 million users are at risk, with the number potentially closer to 1 billion if prior findings with the Sogou app are considered.

Experts Call for Stronger Security Measures

Security experts have weighed in on the situation, highlighting the concerning nature of these vulnerabilities and offering advice for affected users.

“The recent breach in cloud-based pinyin keyboard apps highlights the risks of digital supply chain attacks,” says Clement Lee, Security Architect at Check Point Software Technologies. “These attacks exploit weaknesses within software development processes, leading to the compromise of user data.” Lee emphasises the need for app developers to implement stricter security protocols, conduct regular security audits, and adopt a “zero-trust” model throughout development. He also stresses the importance of transparency and collaboration within the software supply chain to prevent similar vulnerabilities in the future.

Adam Brown, Managing Consultant at Synopsys Software Integrity Group, highlights a concerning trend in mobile device security. “After evaluating various manufacturers’ devices for our clients, we’ve found that all but a handful fail to deliver a truly secure platform,” says Brown. This lack of focus on security creates a situation where even basic user information can be compromised through vulnerabilities in pre-installed apps like keyboards.

While Brown acknowledges the risks associated with third-party keyboards, he underscores the helplessness users face when vulnerabilities exist in pre-installed keyboards. “In this case, good software security maturity in a business can influence consumer choice,” Brown concludes. Users, when faced with a choice between manufacturers, may prioritise those with a strong track record of prioritising software security.

Actionable Steps for Users

It’s a worrying situation, but there are ways to stay safe.

• Switch to Local Processing Keyboards: Security experts like Kelvin Lim, Senior Director at Synopsys Software Integrity Group, recommend switching to keyboard apps that process information locally on the device rather than sending it to the cloud. This reduces the risk of data interception. Local processing keyboards store and process user input directly on the device, eliminating the need for data transmission and reducing the attack surface for malicious actors.
• Keep Apps and Operating Systems Updated: Lim also emphasises the importance of keeping your keyboard app and phone’s operating system updated with the latest versions. These updates often include security patches that address newly discovered vulnerabilities. By keeping your software up to date, you ensure you have the latest security protections in place.
• Be Wary of Third-Party App Permissions: While some users may prefer the additional features offered by third-party keyboard apps, it’s crucial to be cautious about the permissions you grant them. Only give permissions that are absolutely necessary for the app to function.

A Global Cybersecurity Concern

These exposed keyboard flaws scream for better cybersecurity.

Our increasing dependence on cloud services and the possibility of vulnerabilities in pre-installed apps put users worldwide at risk. There are ways to fight back, though. By staying alert to threats, following security experts’ advice, and choosing apps and devices from security-conscious companies, you can minimise the chance of your information being stolen. This security breach should be a wake-up call for the mobile app industry. They need stricter development practices and stronger security testing, to create a safer digital environment for everyone.