Flaws in Chinese keyboard apps leave 750 million users open to snooping, researchers claim

Huawei is OK, but Xiaomi, OPPO, and Samsung are in strife. And Honor isn't living up to its name

Many Chinese keyboard apps, some from major handset manufacturers, can leak keystrokes to determined snoopers, leaving perhaps three-quarters of a billion people at risk, according to research from the University of Toronto’s Citizen Lab.

As the Lab’s findings [PDF] explain, “There is no way to fit the tens of thousands of Chinese characters that exist onto a single keyboard.”

Computers set up for Chinese speakers therefore employ “Input Method Editor” (IME) software, the most popular of which use the Pinyin scheme that represents the sounds of Mandarin in the Latin alphabet. Smartphones intended for Chinese speakers often ship with Pinyin keyboard apps pre-installed, and more are available in app stores.

But mapping Latin-alphabet input to the intended Chinese characters is not easy, so some Pinyin apps upload keystrokes to the cloud for processing. Apple and Google don't use this technique.

According to Citizen Lab, Baidu’s Pinyin app uses weak encryption, so an eavesdropper who intercepts its traffic can read all of a user’s input. Apps from Samsung, Xiaomi, OPPO, Honor and iFlytek use crypto for which a working exploit already exists, allowing both active and passive eavesdroppers to intercept keystrokes. Baidu’s Pinyin app for Windows has the same problem.

Apps from Tencent, Xiaomi, OPPO and Vivo have crypto issues that allow an active eavesdropper to intercept keystrokes.
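The report's distinction between a passive eavesdropper (one who can only capture traffic) and an active one (one who can sit in the path and tamper with it) is the key to reading the findings above. The following added example models that distinction in code; it is not from the article or from Citizen Lab's report, and the three protocol variants, the keys, the toy Diffie-Hellman group and the `Client`/`Server` objects are constructed for illustration, not the protocols or flaws of any app named here. Variant A keys every upload with one app-wide key, so a passive capture is enough; variant B negotiates a fresh key per session but trusts whatever server public key arrives on the wire, so only an active man-in-the-middle can read it; variant C pins the server key in the app, which defeats the man-in-the-middle as well.

```python
"""Toy model of three ways a keyboard app could protect the keystrokes it
uploads for cloud processing, and what passive and active eavesdroppers
recover from each.  Constructed illustration: none of this is the protocol
or the weakness of any real IME app.
"""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Toy Diffie-Hellman group: p = 2**127 - 1 (a Mersenne prime), generator 3.
# Far too small for real use; chosen so the example runs on the stdlib alone.
P = (1 << 127) - 1
G = 3


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter-mode keystream derived from key.
    Encryption and decryption are the same operation."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def kdf(shared_secret: int) -> bytes:
    """Derive a 32-byte session key from a DH shared secret (always < 2**127)."""
    return hashlib.sha256(shared_secret.to_bytes(16, "big")).digest()


# --- Variant A: one app-wide key baked into every copy of the app (constructed)
STATIC_KEY = hashlib.sha256(b"example key shipped inside every copy of the app").digest()


def static_key_upload(keystrokes: bytes) -> bytes:
    """Client side: 'encrypt' the keystrokes with the shared app-wide key."""
    return keystream_xor(STATIC_KEY, keystrokes)


def passive_attack_static(captured: bytes) -> bytes:
    """A passive eavesdropper who has unpacked the app holds the same key, so a
    network capture alone is enough to read every keystroke."""
    return keystream_xor(STATIC_KEY, captured)


# --- Variants B and C: a fresh Diffie-Hellman key per session ----------------
class Server:
    def __init__(self) -> None:
        self.priv = secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self.priv, P)

    def receive(self, client_pub: int, ciphertext: bytes) -> bytes:
        return keystream_xor(kdf(pow(client_pub, self.priv, P)), ciphertext)


class Client:
    """pinned_server_pub=None -> variant B: trust the server public key that
    arrives on the wire (unauthenticated key exchange).
    pinned_server_pub=<int> -> variant C: ignore the wire and key to the server
    public key pinned inside the app."""

    def __init__(self, pinned_server_pub: Optional[int] = None) -> None:
        self.pinned = pinned_server_pub

    def send(self, server_pub_on_wire: int, keystrokes: bytes) -> Tuple[int, bytes]:
        server_pub = self.pinned if self.pinned is not None else server_pub_on_wire
        priv = secrets.randbelow(P - 2) + 1
        my_pub = pow(G, priv, P)
        return my_pub, keystream_xor(kdf(pow(server_pub, priv, P)), keystrokes)


def active_attack(client: Client, server: Server, keystrokes: bytes) -> Tuple[bytes, bytes]:
    """An active eavesdropper between client and server substitutes its own
    public key for the server's, then forwards the client's message unchanged
    to the real server.  Returns (what the attacker reads, what the server reads)."""
    mitm_priv = secrets.randbelow(P - 2) + 1
    mitm_pub = pow(G, mitm_priv, P)
    client_pub, ciphertext = client.send(mitm_pub, keystrokes)  # client sees mitm_pub
    attacker_view = keystream_xor(kdf(pow(client_pub, mitm_priv, P)), ciphertext)
    server_view = server.receive(client_pub, ciphertext)
    return attacker_view, server_view


if __name__ == "__main__":
    typed = b"wo xiang qu bei jing"  # constructed sample Pinyin input
    print("A, passive capture :", passive_attack_static(static_key_upload(typed)))
    srv = Server()
    print("B, active MITM     :", active_attack(Client(), srv, typed)[0])
    print("C, active MITM     :", active_attack(Client(srv.pub), srv, typed)[0])
```

In variant B the forwarded message decrypts to garbage at the real server; a real man-in-the-middle would open its own session to the server and re-encrypt, so neither side notices. In variant C the attacker's substituted key is simply ignored, the attacker's decryption yields garbage, and the genuine server still reads the keystrokes. A passive observer of B or C sees only two group elements and ciphertext. Pinning is one way to authenticate the exchange; a properly validated TLS connection, which the article notes the Apple and Google keyboards sidestep by not uploading keystrokes at all, is the standard one.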

IME apps are tailored to different devices, and some versions of IME apps have vulnerabilities that are only present on certain machines.

Citizen Lab reported its findings to the relevant companies, with mixed results.

“All companies except Baidu, Vivo, and Xiaomi responded to our disclosures,” the Lab’s report states. Baidu did fix the most serious issues the researchers found but didn’t fix them all.

Tencent promised to fix its wares by April 1st but appears not to have done so at the time of publication – perhaps because it considers one of its insecure apps to have reached end-of-life.

Even if the apps are updated to address the flaws Citizen Lab found, the org worries that difficulties updating software mean the problems will persist. Honor devices, for example, offer no facility to update keyboard apps. Updating Samsung’s apps requires creating an account. The Lab’s researchers also found that some app updates are geoblocked.

“The scope of these severe vulnerabilities cannot be understated,” the report concludes, because the keyboard apps Citizen Lab studied enjoy over 95 percent market share in China, and the handset-makers that pre-installed vulnerable software collectively own half the market.

By Citizen Lab’s reckoning, about 780 million people were therefore at risk of smartphone surveillance.

It gets worse: the Lab last year found similar problems with a popular input app called Sogou, leading to an “estimate that close to one billion users are affected by this class of vulnerabilities.”

At this point, readers might reach the conclusion that China’s government would not mind access to its citizens’ smartphones.

Citizen Lab suggests that hypothesis is weak – because Beijing doesn’t need backdoors as it already collects keystroke data, wouldn’t like the idea of third parties doing likewise, and constantly urges improved software security.

The Lab attributes the issues to a reluctance to use proven ciphers, perhaps out of fear they’ve been compromised by western powers.

The research suggests many actions that could be taken across the smartphone ecosystem – developers, manufacturers, and app stores – to make this kind of vulnerability history.

For now, however, it has more practical advice: update your Pinyin apps, ASAP. ®
