RedAlert! Popular Keyboard Apps Leak User Data

A new report by Citizen Lab has uncovered critical security vulnerabilities in popular keyboard apps, potentially exposing the keystrokes of nearly a billion users to eavesdroppers.

Researchers analyzed keyboard apps from nine major vendors: Baidu, Honor, Huawei, iFlytek, OPPO, Samsung, Tencent, Vivo, and Xiaomi. Alarmingly, they found vulnerabilities in eight of these apps that could allow attackers to steal users’ keystrokes as they type.

The report details various weaknesses in how these apps transmit data. Some apps, like Samsung Keyboard, send keystrokes completely unencrypted, making them easy for anyone snooping on the network to intercept. Others rely on flawed encryption methods that can be cracked.

The ease of eavesdropping varies depending on the app. In some cases, a malicious actor on the same Wi-Fi network could steal your data. Even more concerning, some vulnerabilities are exploitable by entirely passive eavesdroppers, who can intercept data without needing any interaction from the user.

The report highlights Huawei as the only vendor whose keyboard app did not exhibit these vulnerabilities. This offers some peace of mind for Huawei users but leaves a significant number of users potentially exposed.

Citizen Lab estimates that the combined market share of Baidu, Sogou (mentioned in a previous report by Citizen Lab), and iFlytek represents over 95% of the third-party IME market in China, translating to roughly one billion users at risk.

This security lapse has serious consequences. Keystrokes can contain sensitive information like passwords, credit card details, and private messages. If intercepted, this data could be used for identity theft, financial fraud, and other malicious activities.

The report shows the importance of using secure keyboard apps. Users should prioritize apps that have a strong reputation for security and that encrypt user data properly. Additionally, it’s recommended to avoid entering sensitive information on public Wi-Fi networks.

Researchers urge app developers to address these vulnerabilities immediately by implementing strong encryption methods and secure data transmission protocols.