Security vulnerabilities uncovered in cloud-based pinyin keyboard apps could be exploited to reveal users' keystrokes to nefarious actors.

The findings come from the Citizen Lab, which discovered weaknesses in eight of nine apps from vendors like Baidu, Honor, iFlytek, OPPO, Samsung, Tencent, Vivo, and Xiaomi. The only vendor whose keyboard app did not have any security shortcomings is that of Huawei's.

The vulnerabilities could be exploited to "completely reveal the contents of users' keystrokes in transit," researchers Jeffrey Knockel, Mona Wang, and Zoë Reichert said.

The disclosure builds upon prior research from the interdisciplinary laboratory based at the University of Toronto, which identified cryptographic flaws in Tencent's Sogou Input Method last August.

Collectively, it's estimated that close to one billion users are affected by this class of vulnerabilities, with Input Method Editors (IMEs) from Sogou, Baidu, and iFlytek accounting for a huge chunk of the market share.

A summary of the identified issues is as follows -

• Tencent QQ Pinyin, which is vulnerable to a CBC padding oracle attack that could make it possible to recover plaintext

• Baidu IME, which allows network eavesdroppers to decrypt network transmissions and extract the typed text on Windows owing to a bug in the BAIDUv3.1 encryption protocol

• iFlytek IME, whose Android app allows network eavesdroppers to recover the plaintext of insufficiently encrypted network transmissions

• Samsung Keyboard on Android, which transmits keystroke data via plain, unencrypted HTTP

• Xiaomi, which comes preinstalled with keyboard apps from Baidu, iFlytek, and Sogou (and therefore susceptible to the same aforementioned flaws)

• OPPO, which comes preinstalled with keyboard apps from Baidu and Sogou (and therefore susceptible to the same aforementioned flaws)

• Vivo, which comes preinstalled with Sogou IME (and therefore susceptible to the same aforementioned flaw)

• Honor, which comes preinstalled with Baidu IME (and therefore susceptible to the same aforementioned flaw)

Successful exploitation of these vulnerabilities could permit adversaries to decrypt Chinese mobile users' keystrokes entirely passively without sending any additional network traffic. Following responsible disclosure, every keyboard app developer with the exception of Honor and Tencent (QQ Pinyin) have addressed the issues as of April 1, 2024.

Users are advised to keep their apps and operating systems up-to-date and switch to a keyboard app that entirely operates on-device to mitigate these privacy issues.

Other recommendations call on app developers to use well-tested and standard encryption protocols instead of developing homegrown versions that could have security problems. App store operators have also been urged not to geoblock security updates and allow developers to attest to all data being transmitted with encryption.

The Citizen Lab theorized it's possible that Chinese app developers are less inclined to use "Western" cryptographic standards owing to concerns that they may contain backdoors of their own, prompting them to develop in-house ciphers.

"Given the scope of these vulnerabilities, the sensitivity of what users type on their devices, the ease with which these vulnerabilities may have been discovered, and that the Five Eyes have previously exploited similar vulnerabilities in Chinese apps for surveillance, it is possible that such users' keystrokes may have also been under mass surveillance," the researchers said.