In a startling new report, researchers at Citizen Lab have revealed critical vulnerabilities in popular mobile keyboard apps used by over a billion people, primarily in China. The flaws allow network eavesdroppers to easily decrypt and spy on what users are typing on their phones and tablets.
The Citizen Lab team analyzed keyboard apps from nine major vendors: Baidu, Sogou, iFlytek, Samsung, Huawei, Xiaomi, OPPO, Vivo, and Honor. Shockingly, they found serious encryption flaws in eight of the nine apps tested, flaws that would allow an attacker to completely reveal what users are typing.
Most concerning is that the majority of these vulnerable apps can be exploited by a completely passive network eavesdropper, one who never has to send any traffic of their own. Combined with Citizen Lab's previous report on vulnerabilities in Sogou's keyboard app, up to one billion users may be impacted.
What Makes this Data Valuable to Attackers
The ability to read what users are typing on their devices, including passwords, financial details, private messages, and more, is incredibly valuable to malicious actors and government surveillance agencies.
Given the privacy-sensitive nature of this data, the large number of affected users, and the ease of exploiting these flaws, it's very possible these vulnerabilities have already been leveraged for mass surveillance by sophisticated threat actors, including the Five Eyes intelligence agencies.
Vendors' Responses and Remaining Risks
Citizen Lab disclosed these vulnerabilities to all of the impacted vendors. While most responded and fixed the issues, some apps currently remain vulnerable. Users are urged to update their keyboard apps and mobile operating systems to the latest versions.
However, even with fixes available, there are still barriers to users receiving the security updates. Some devices are no longer supported, and in the case of Honor devices, there is no way to update the vulnerable pre-installed keyboard app.
Additionally, Citizen Lab found weaknesses in updated versions of some Baidu keyboard apps that could still potentially be exploited, though not as easily as the original flaws. Baidu has more work to do to comprehensively address the problems.
How did almost all of these keyboard apps end up with such glaring vulnerabilities?
While the specific mistakes varied, the root cause appears to be the same: modern encryption best practices and standard protocols such as TLS have not been widely adopted among Chinese app developers.
Language barriers likely play a role in this knowledge gap. To help bridge it, the report recommends international standards bodies continue engaging with Chinese security engineers. App stores and operating systems can also do more to analyze apps for insecure data transmissions and provide users clear information on apps' security practices.
With the current state of keyboard app security leaving many unknowingly exposed, addressing this systemic problem will require effort from all stakeholders.
In the meantime, privacy-conscious users may want to consider switching to non-cloud-based keyboards.