




Almost Every Chinese Keyboard App Has a Security Flaw That Reveals What Users Type (technologyreview.com) 78
An anonymous reader quotes a report from MIT Technology Review: Almost all keyboard apps used by Chinese people around the world share a security loophole that makes it possible to spy on what users are typing. The vulnerability, which allows the keystroke data that these apps send to the cloud to be intercepted, has existed for years and could have been exploited by cybercriminals and state surveillance groups, according to researchers at the Citizen Lab, a technology and security research lab affiliated with the University of Toronto.
These apps help users type Chinese characters more efficiently and are ubiquitous on devices used by Chinese people. The four most popular apps -- built by major internet companies like Baidu, Tencent, and iFlytek -- basically account for all the typing methods that Chinese people use. Researchers also looked into the keyboard apps that come preinstalled on Android phones sold in China. What they discovered was shocking. Almost every third-party app and every Android phone with preinstalled keyboards failed to protect users by properly encrypting the content they typed. A smartphone made by Huawei was the only device where no such security vulnerability was found.
In August 2023, the same researchers found that Sogou, one of the most popular keyboard apps, did not use Transport Layer Security (TLS) when transmitting keystroke data to its cloud server for better typing predictions. Without TLS, a widely adopted international cryptographic protocol that protects users from a known encryption loophole, keystrokes can be collected and then decrypted by third parties. Even though Sogou fixed the issue after it was made public last year, some Sogou keyboards preinstalled on phones are not updated to the latest version, so they are still subject to eavesdropping. [...] After the researchers got in contact with companies that developed these keyboard apps, the majority of the loopholes were fixed. But a few companies have been unresponsive, and the vulnerability still exists in some apps and phones, including QQ Pinyin and Baidu, as well as in any keyboard app that hasn't been updated to the latest version.
What you say? (Score:5, Funny)
I totally did not see this coming. Nope, never in a million years.
Re: (Score:2)
Easier said than done, one should think it's not that hard considering how many there are, but when you need one to hug...
Re: (Score:2)
Google does the same on your phone. (Score:2, Troll)
Google keyboard on each Android phone, does exactly the same.
Re:Google does the same on your phone. (Score:5, Informative)
This is exactly why I stick to the vanilla keyboard on my iPhone ... why would I want to send my keystrokes, including passwords, to a remote third party? Because "Trust Us" TM ?
Re: (Score:2)
Re: (Score:2)
Samsung keyboard is even worse.
You have to use an opensource keyboard.
Re: (Score:2)
Google keyboard on each Android phone, does exactly the same.
This is false. Try shutting off all network connections on an Android phone and see if Gboard behavior changes.
The truth is that keyboard prediction works just fine with no network. There is absolutely no reason for any keystrokes to be sent to a server. This is true for English, and it's true for Chinese characters.
The problem is not TLS. The problem is that any data at all has to be sent over the network.
Re: (Score:3)
The language model doesn't update in realtime. They are sending aggregate data opportunistically and then later on retraining the model. The new predictive text model would be delivered in a future app update.
I don't think it's worth the trade-off necessarily, Google already had the full content of every Gmail message ever sent. But I'm also too lazy to look into it or find an alternative, because nobody has time to die on every hill.
Re: Google does the same on your phone. (Score:2)
Re: (Score:2)
You're assuming the OS tells the keyboard what the context is? As far as I know, that data shouldn't be leaked to the keyboard app maker.
Re: (Score:3)
If Google isn't lying, Gboard allows one to turn off sending statistics to Google and also turn off personalized suggestion.
The news article is about keyboard apps developed by companies in China. Their "security flaws" are probably a feature for the government, not a bug.
Re: (Score:3)
Re: (Score:2)
Re: (Score:2)
I'm amazed it's so obvious though - it's like they didn't even try to hide their intentions here. Not using TLS? OMG that's obvious. You'd have thought maybe it was more like "use TLS with a janky cert" or "use TLS, but separately send keystrokes to second server" - but no, just leave it wide open for all nation states to snoop over.
Re: (Score:2)
From what I read, it's typing Chinese characters by spelling phonetically with Latin characters. If it's transmitting on each keystroke, it will probably use UDP with no handshake. That said, it doesn't mean you can't have a key exchange and use public key cryptography. EncryptWall is what they were using, which was apparently broken since 2002.
Never mind. They aren't that clever anyway. I found a security researcher's writeup [citizenlab.ca] from last year and it is using an HTTP endpoint. It would have taken zero ef
Re: What you say? (Score:3)
How about we only choose keyboard apps that don't require internet permission. To hell with predictive typing by sending to a server. Not worth it.
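An added example, not part of the comment above or of the Citizen Lab research: one way to check which installed Android keyboards request `android.permission.INTERNET`, by parsing the output of `adb shell ime list -s -a` and `adb shell dumpsys package`. The package names and dumpsys text are constructed samples, and `audit_device` assumes a device connected with USB debugging enabled.

```shell
# Added example: which installed Android keyboards (IMEs) request network access?
# Package names and dumpsys text below are constructed samples, not real apps.

# stdin: `ime list -s -a` output (one "package/service" ID per line) -> package names
ime_packages() {
  awk -F/ 'NF >= 2 { print $1 }' | sort -u
}

# stdin: `dumpsys package <pkg>` text. Exit 0 only if INTERNET appears under
# "requested permissions:", ignoring later sections such as "install permissions:".
requests_internet() {
  awk '
    /requested permissions:/ { in_req = 1; next }
    in_req && /^[ \t]*[A-Za-z ]+:[ \t]*$/ { in_req = 0 }
    in_req && /^[ \t]*android\.permission\.INTERNET([^A-Z_]|$)/ { found = 1 }
    END { exit !found }
  '
}

# $1: package name, stdin: its dumpsys text -> one verdict line
classify() {
  if requests_internet; then echo "NETWORK $1"; else echo "OFFLINE $1"; fi
}

# Live audit over adb (assumes a connected device with USB debugging enabled).
# </dev/null keeps `adb shell` from swallowing the loop's remaining input.
audit_device() {
  adb shell ime list -s -a </dev/null | tr -d '\r' | ime_packages |
  while read -r pkg; do
    adb shell dumpsys package "$pkg" </dev/null | tr -d '\r' | classify "$pkg"
  done
}

SAMPLE_CLOUD='  Package [com.example.cloudpinyin] (0000000):
    requested permissions:
      android.permission.INTERNET
      android.permission.VIBRATE
    install permissions:
      android.permission.INTERNET: granted=true'
SAMPLE_OFFLINE='  Package [org.example.offlineboard] (0000000):
    requested permissions:
      android.permission.VIBRATE
    install permissions:
      android.permission.VIBRATE: granted=true'

printf '%s\n' "$SAMPLE_CLOUD"   | classify com.example.cloudpinyin
printf '%s\n' "$SAMPLE_OFFLINE" | classify org.example.offlineboard
```

Call `audit_device` with a phone attached to get the same NETWORK/OFFLINE verdict for every keyboard actually installed on it.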
Re: (Score:2)
Re: What you say? (Score:1)
Re: (Score:1)
I have a feeling the -1 is from your actual Karma. :D
Re: (Score:3)
I have a feeling the -1 is from your actual Karma. :D
If you click on the score, you'll see the actual moderation that's been done. Ironically, you're right AND the post has at least one, "Troll," mod at this point.
Re: (Score:2)
Wow, did you think of that all by yourself? How long did it take you? Any more gems?
Gee, I wonder how that happened (Score:2)
Word use (Score:5, Funny)
Security "flaw"? As if it were some accident?
Re:Word use (Score:4, Insightful)
Maybe all those people were accidentally born in China.
Re: (Score:2)
Re: (Score:2)
Probably just a case of them not really thinking about it, like we didn't before Snowden.
People seem to forget that most sites didn't bother with HTTPS and most apps send data in the clear before Snowden's revelations. That was when the push really started to encrypt everything by default, and browsers started warning about non-HTTPS etc.
China just hasn't had their Snowden moment so is like we were 10 years ago.
Re: Word use (Score:2)
We knew that http was sent in the clear, that is why we used nicknames and never sent personal information over the internet.
Re: (Score:1)
The same people that say China is incompetent at tech then blame them for willingly having this security flaw. Pick a lane! In this case it's much more likely to just be incompetence. After all, they don't need an intentional security flaw; even if the traffic was 10
Re: (Score:2)
Flaw/design feature .... potato/potato
fdpaiaope lhiadfjs lksfda qjlg lkasd (Score:2)
fposa djvoint aeoincow. ampcsaliocjdoi qjrc0iqjvav. hsaoifj fjsf. afds fasf fdoso af wt f apptrpe ca l ja f papivmcnbzxmf rp afjoapqmc admdas cdma camfka!
Take that ya Chinese!
Re: (Score:2)
What? My mother was a saint!
Every Chinese Keyboard App Has a... (Score:5, Informative)
They found one phine (Score:3)
Re: They found one phine (Score:3, Interesting)
So, this confirms why Huawei was banned. Blame the UK since they worked with Huawei to secure their products...until the USA ordered the UK to stop doing so and instead ban Huawei.
All your keyboard (Score:5, Funny)
"keystroke data that these apps send to the cloud" (Score:2)
Seems deliberate and obvious.
Hmmm (Score:2)
A government spying on their citizens. Say it isn't so! This isn't something that just the commies do either. There are plenty of 3 letter agencies in the US that I'm sure are doing the same thing in the guise of "security".
Re: (Score:2)
Hey, now. We're far more civilized and make spying on our own citizens illegal. ...That's why we have agreements with our allies to spy on each other's citizens and share the information to ensure we don't break this very important law.
comedy (Score:5, Insightful)
This is pure comedy: Huawei, the company accused the most of spying, is found to be spying the least.
Re: comedy (Score:2, Insightful)
I missed where it said anyone was spying. In fact, I'd be amazed if this wasn't being exploited by the CIA (et al) more than anyone else - after all, they're the masters of spying.
Re: (Score:2)
The Chinese state is pretty good too and, in fact, has multiple times the number of people that the US has, dedicated to that. Both sides must have been fully aware of this. They must 100% both already know about this. The disturbing thing should be that clearly both of them are more happy for the other to have the data than for the people to be able to protect their data. We already knew that about western security services which have kept back zero days repeatedly, but did we know that the Chinese security
Re: (Score:1)
I missed where it said anyone was spying. In fact, I'd be amazed if this wasn't being exploited by the CIA (et al) more than anyone else - after all, they're the masters of spying.
I think you also missed the part where these apps were developed by Chinese companies. Did the CIA infiltrate them too? What I expect is that every organization with ISP wiretaps has been taking advantage of this leak, especially now after the widespread discovery.
What's not in the article and would be interesting to know is how much these apps are being used outside China to type Chinese, as the article claims these apps are used around the world.
Re: (Score:2)
This is pure comedy: Huawei, the company accused the most of spying, is found to be spying the least.
To be fair, the difference is that Huawei controls the networks so they can do their spying there based on the characters that arrive at the servers. So nobody's accusing them of not spying, it's just they're doing their spying securely.
Re: (Score:1)
Then all the Chinese people in America are forced to use insecure versions that the US can spy on.
Re: (Score:1)
This is pure comedy: Huawei, the company accused the most of spying, is found to be spying the least.
You misunderstand. Huawei's apps were the only ones not leaking to third parties with ISP level wiretaps. Nothing in the story or even logically says Huawei isn't spying on users of its apps. The mere fact that all these apps are connecting to third party servers suggests they're all sharing private information, it's only that some are not keeping the content shared private from MITM attacks.
Re: (Score:2)
Only if you think Google isn't spying because they made Chrome warn about non-HTTPS, but they get everyone's data directly from the browser.
Re: (Score:2)
Next thing you know, we'll discover that social media via TikTok doesn't actually contain any state secrets worth spying upon.
And the CIA says... (Score:2, Troll)
...don't tell everybody!
Not a bug (Score:2)
the keystroke data that these apps send to the cloud
So they already tell the govt everything you type. No need for any security.
The irony is strong with that one (Score:2, Interesting)
A smartphone made by Huawei was the only device where no such security vulnerability was found.
Wasn't Huawei on the US administration's radar for being a PRC spyware distributor?
If that doesn't convince you the US spews out just as much propaganda as China does, I don't know what does.
Re: (Score:2)
Yes, because Huawei phones have implemented a more advanced version of the backdoor. Why just leak unencrypted data when you can encrypt it and send it directly to the CCP?
"flaw" (Score:1)
The CCP want to make us all their slaves like the mainlanders.
It isn’t a “flaw” (Score:5, Informative)
How wrong would I be... (Score:1)
...if I just assumed that every single one of my keystrokes is recorded and exfiltrated some place without my knowledge? Maybe one of them listening in right now could let me know?
Trying to understand the purpose (Score:2)
I guess my question is: why is it necessary to send that data up to the cloud at all? Can't that character generation and predictive text all be done natively on the phone? Do these C
Re: (Score:2)
AOSP? (Score:2)
Does AOSP not support Chinese input?
BTW, Heliboard is available from Izzy and is open source and does good (non-nudge) prediction locally.
Re: (Score:2)
There appears to be one [googlesource.com]. The Chinese language involves thousands of characters. A lot of them have you type the word phonetically using Latin characters (Pinyin). So predictive text is difficult and I expect it's probably not that good or efficient.
The original Google Pinyin keyboard released by Google China used a dictionary stolen from Sogou, so that's not great. But it does illustrate how hard it is to make a good keyboard in the Chinese language.
Anti-virus is watching you (Score:2)
Backdoor (Score:1)
And the CCP says (Score:3)
"Security flaw...or security feature?"
No TLS is bad. But why cloud? (Score:3)
"flaw"? (Score:2)
Is that what they're calling it?
but y tho (Score:2)
"Security Flaw" or government spying? (Score:3)
"Every Chinese Keyboard App Allows Chinese Government Spying"
That's the real headline. It's not a "security flaw". It's an intentional backdoor to allow the government to monitor what people are typing.
Because once they post it, it's too late - even if you get the platform to take it down, someone's probably seen it, and if it contains "sensitive information" then the ideas might spread.
But if someone starts typing some keywords, then it could be pre-emptively shut down ahead of time. Posting something pro-democracy? Better to lock your phone than let you post it. Hey, we can cause your phone to reboot so it looks like a phone bug!
And if you're a known troublemaker, well, then everything you type is being monitored.
Is it really a flaw? (Score:1)
OnePlus? (Score:1)
It's not a bug (Score:1)
It's a feature.
And North Korea! And Japan! And Indonesia! And... (Score:1)