Popular Keyboard Apps Flaw

Researchers have uncovered critical security vulnerabilities in several widely used keyboard apps, including those from major tech giants Samsung, OPPO, Vivo, and Xiaomi.

These flaws could allow network eavesdroppers to intercept and decipher every keystroke a user makes, exposing sensitive personal and financial information.

The Citizen Lab’s comprehensive study focused on the security of cloud-based pinyin keyboard apps from nine different vendors.

The analysis included popular brands such as Baidu, Honor, Huawei, iFlytek, OPPO, Samsung, Tencent, Vivo, and Xiaomi.

Researchers meticulously examined how these apps transmit users’ keystrokes and searched for any vulnerabilities that could be exploited.

Free Webinar | Mastering WAAP/WAF ROI Analysis | Book Your Spot

The findings were alarming: eight of the nine vendors had apps vulnerable to interception.

Keystrokes Capture

This means that an attacker could potentially capture everything a user types, including passwords, credit card numbers, private messages, and more, with relatively minimal effort.

The only vendor whose keyboard app was found without such vulnerabilities was Huawei.

According to The Citizen Lab, the vulnerabilities discovered could affect up to one billion users worldwide, given the popularity of the affected keyboard apps.

VendorApp NameVulnerability DescriptionPotential ImpactUser Base Affected
SamsungSamsung KeyboardUnencrypted data transmissionExposure of all keystrokesHundreds of millions
OPPOOPPO KeyboardWeak encryption methodsEasy interception of typed dataTens of millions
VivoVivo KeyboardNo encryption in certain scenariosDirect access to keystrokesTens of millions
XiaomiXiaomi KeyboardInconsistent encryptionPeriodic exposure of keystrokesHundreds of millions
BaiduBaidu KeyboardUnencrypted data transmissionComplete access to typed informationHundreds of millions
HonorHonor KeyboardWeak encryption methodsPotential decryption of sensitive dataTens of millions
iFlytekiFlytek KeyboardNo encryption for specific data typesExposure of passwords and private messagesMillions
TencentTencent KeyboardInadequate security protocolsInterceptable personal and financial dataHundreds of millions
HuaweiHuawei KeyboardNo vulnerabilities foundN/AN/A

The ease with which these vulnerabilities can be exploited makes it a significant concern, mainly since keyboard apps are used for entering some of the most sensitive information on a device.

The report also highlighted that this is not an isolated issue. Previous analyses have shown similar vulnerabilities in other Chinese apps, and there have been instances where such weaknesses were exploited by intelligence agencies, including those from the Five Eyes alliance.

The vulnerabilities primarily involve the improper or unsecured transmission of keystroke data to cloud servers.

This data transmission, ideally encrypted, appears to be either poorly implemented or completely unencrypted in the cases mentioned, allowing anyone with the right tools and access to the network to intercept the data easily.

In light of these findings, The Citizen Lab has urged all affected companies to address these security flaws promptly.

Users of the implicated keyboard apps are advised to update their apps as soon as patches are available. In the meantime, switching to alternative keyboard apps that prioritize security might be wise.

The report has already prompted responses from several of the companies involved. Samsung, OPPO, Vivo, and Xiaomi have all acknowledged the issue and have announced that they are working on updates to fix the vulnerabilities.

The companies except Baidu, Vivo, and Xiaomi responded to our disclosures,” Citizenlab said.

Looking to Safeguard Your Company from Advanced Cyber Threats? Deploy TrustNet to Your Radar ASAP.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.