ResearchApp Privacy and Controls

Chinese Keyboard App Vulnerabilities Explained

What are cloud-based pinyin keyboard apps?

There are various ways to type Chinese on a keyboard. The most popular input method for mainland Chinese users is the pinyin input method, based on the pinyin romanization of Chinese characters. With any Chinese input method, prediction is necessary to determine which character a user intends to type, since there are far greater characters than there are keys on a keyboard.

As a result, all Chinese keyboards use some amount of prediction. By default, the prediction capabilities are limited by your phone’s hardware. To overcome this limitation, Chinese keyboards often offer “cloud-based” prediction services which transmit your keystrokes to a server that hosts more powerful prediction models. As many have previously pointed out, this is a massive privacy tradeoff, as “cloud-based” keyboards and input methods can function as vectors for surveillance and essentially behave as keyloggers.

We note that this report is not about how operators of cloud-based keyboards can read users’ keystrokes, which is a phenomenon that has already been extensively studied and documented. This report is primarily concerned with protecting this keystroke data from network eavesdroppers.

Which keyboard apps were analyzed in this study? And how did you choose which apps to study?

We analyzed third-party keyboard apps Tencent QQ, Baidu, and iFlytek, on the Android, iOS, and Windows platforms. Along with Tencent Sogou, they comprise over 95% of the market share for third-party keyboard apps in China.

We also analyzed the keyboard apps installed by default on Honor, Huawei, OPPO, Vivo, Samsung, and Xiaomi devices sold in China. We chose these since they are all popular phone manufacturers in China. In 2023, Honor, OPPO, and Xiaomi alone comprised nearly 50% of the smartphone market in China.

What types of software vulnerabilities were identified in the keyboard apps you analyzed?

To enable the “cloud-based” prediction features, the keyboards we analyzed transmit user keystrokes to a server on the Internet. We found that these apps’ transmission of keystrokes over the Internet were insecure in various ways. This means that if you are using one of these keyboard apps, your ISP, VPN, or even other users on the same WiFi network as you, can retrieve the keystrokes you are typing into your device.

Among the nine vendors whose keyboard apps we analyzed, we found that there was only one vendor, Huawei, in whose apps we could not find any security issues regarding the transmission of users’ keystrokes.

We note that we did not perform a full audit of any app or make any attempt to exhaustively find every security vulnerability in any software. Our report concerns analyzing keyboard apps for a particular class of vulnerabilities that we discovered, and the absence of our reporting of other vulnerabilities should not be considered evidence of their absence.

What are the implications of these vulnerability discoveries for users of these keyboard apps?

Keystrokes are a particularly sensitive class of information, as they comprise everything we enter into our devices, including passwords, financial data, and browsing data. We estimate that up to one billion users could be vulnerable to having their keystrokes intercepted, constituting a tremendous risk to user security.

We notified all affected vendors, and in most cases the vendors updated the apps to address the vulnerabilities. We urgently encourage users to update their keyboards, operating systems, or switch to keyboards with only “on-device” prediction (e.g., not “cloud-based”). Keyboards that are not cloud-based include Google’s Gboard and Apple’s default iOS keyboard.

What do researchers recommend for users to do in light of these discoveries?

First, high-risk users or users with privacy concerns should not enable “cloud-based” features on their keyboards or IMEs. iOS users can also restrict their keyboards’ network access by revoking the “Full Access” permission for their keyboards or IMEs.

Users of QQ Pinyin should switch keyboards immediately. Users of Honor devices should disable the pre-installed Baidu keyboard and use a different third-party keyboard. We also recommend against using Baidu keyboards in general, as their updated network security protocol still contains privacy weaknesses.

Otherwise, users of any Sogou, Baidu, or iFlyTek keyboard, including the versions that are bundled or pre-installed on operating systems, should ensure their keyboards and operating systems are up-to-date. At-risk users may consider switching to a keyboard that is not cloud-based such as Google’s Gboard or Apple’s default iOS keyboard.

If updates to certain keyboards are not available, how can a user protect themselves?

In some cases, we had trouble updating the keyboards on our test devices. In these cases, we recommend users disable those keyboards and switch to a different keyboard.

What have the vendors done in response to the research findings?

We notified all affected vendors, and in most cases the vendors updated the apps to address the vulnerabilities.

All companies except Baidu, Vivo, and Xiaomi responded to our disclosures1. Baidu fixed the most serious issues we reported to them shortly after our disclosure, but Baidu has yet to fix all issues that we reported to them. The mobile device manufacturers whose preinstalled keyboard apps we analyzed fixed issues in their apps except for their Baidu apps, which either only had the most serious issues addressed or, in the case of Honor, did not address any issues (see the table below for the security status of the apps that we analyzed as of April 1, 2024).

Legend
✘✘ working exploit created to decrypt transmitted keystrokes for both active and passive eavesdroppers
working exploit created to decrypt transmitted keystrokes for an active eavesdropper
! weaknesses present in cryptography implementation
no known issues or all known issues fixed
N/A product not offered or not present on device analyzed
Keyboard developer Android iOS Windows
Tencent N/A
Baidu ! ! !
iFlytek

Pre-installed keyboard developer

Device manufacturer Own Sogou Baidu iFlytek iOS Windows
Samsung  * ! N/A N/A N/A
Huawei  * N/A N/A N/A N/A
Xiaomi N/A  * ! N/A N/A
OPPO N/A  !* N/A N/A N/A
Vivo  * N/A N/A N/A N/A
Honor N/A N/A  ✘✘* N/A N/A N/A

* Default keyboard app on our test device.
Both QQ Pinyin and Sogou IME are developed by Tencent; in this report we analyzed QQ Pinyin and found the same issues as we had in Sogou IME.

In summary, we no longer have working exploits against any products except Honor’s keyboard app and Tencent’s QQ Pinyin. Baidu’s keyboard apps on other devices continue to contain weaknesses in their cryptography which we are unable to exploit at this time to fully decrypt users’ keystrokes in transit.

  1. After the publication of our report, Baidu responded to our disclosure. We have included this response, as well as our response to Baidu, in the Appendix.↩︎