
Keyboard apps used by one billion users found to have a flaw that exposes keystrokes

Widely used apps made by eight vendors, including Samsung, Xiaomi, Vivo, and Oppo, were found to have critical vulnerabilities.

Research laboratory Citizen Lab has discovered a vulnerability in widely used keyboard apps that it estimates affected an alarming number of users.

The flaw was found in keyboard apps used for inputting Chinese characters using the pinyin writing system. The researchers analyzed apps from nine vendors - Baidu, Honor, Huawei, iFlytek, OPPO, Samsung, Tencent, Vivo, and Xiaomi. The devices that were examined were sold in China. 

It was found that Samsung Keyboard didn't perform encryption of any kind and most others did not use asymmetric cryptography.

Since creating keyboards that allow users to type Chinese characters quickly and easily is something of a challenge, many of these apps, including the ones that the researchers analyzed, offer cloud-based prediction. The inclusion of this feature means that whatever is typed is sent to servers elsewhere. 

Out of all the pinyin keyboard apps Citizen Lab analyzed, all except Huawei's were found to have vulnerabilities that could be exploited to reveal what a user was typing. The flaw essentially turns cloud-based keyboards into keyloggers.

The vulnerabilities can be exploited by a passive network eavesdropper without interfering with the communication channel, which makes exploitation difficult to detect.

Flaws like these, which let an observer read what someone types on their device, can be of interest to various actors, including government intelligence agencies. The researchers fear that they may not have been the first to discover the vulnerabilities and that the flaws may have been exploited for surveillance purposes.

The researchers believe that up to a billion users may have been affected by this and another similar vulnerability. The vulnerabilities were reported to all the vendors and most of them have fixed them.

The report notes that neither Apple's nor Google's keyboard apps transmit keystrokes to cloud servers.

If you don't want anyone finding out what you type on your phone, it's recommended that you stick to on-device keyboards and keep your apps and operating systems up to date.
