Encryption flaws risk exposure of text typed in Android cloud keyboard apps
Take action: Avoid using cloud-based keyboards on your mobile device. A keyboard is just another app, and everything you type passes through it, from notes to passwords and MFA codes, so you are at the mercy of a developer who may not be as well vetted as the device vendor. If you are developing applications, don't try to reinvent the encryption wheel: adopt standard, open-source, publicly tested encryption protocols and avoid creating proprietary ones. Standard protocols have been tested so many times that an obvious flaw is unlikely to have survived.
Learn More
Citizen Lab researchers have reported security flaws in the encryption mechanisms of several cloud-based pinyin keyboard apps. These flaws potentially expose nearly one billion users' keystrokes to unauthorized access.
Pinyin keyboards are used primarily to type Chinese characters on digital devices. Pinyin is the romanization of Chinese characters based on their pronunciation: in Mandarin Chinese, the standard dialect, pinyin uses the Roman alphabet to transcribe the sound of each character.
Cloud-based keyboards offer several advantages and functionalities that enhance the user experience, like predictive text and autocorrect, personalization, multiple language support and external tools integration like AI enhancements.
The study focused on keyboard apps from major vendors including Baidu, Honor, iFlytek, OPPO, Samsung, Tencent, Vivo, and Xiaomi. Huawei’s keyboard app was the only one not reported to have any security issues.
The report raised concerns about the potential reluctance of Chinese app developers to use Western cryptographic standards, fearing they might contain backdoors. This hesitancy could lead to the development of less secure, in-house ciphers.
The vulnerabilities in the cloud-based keyboards allow for various forms of exploitation:
- Tencent QQ Pinyin is susceptible to a CBC padding oracle attack, enabling attackers to recover plaintext.
- Baidu IME has a flaw in its BAIDUv3.1 encryption protocol on Windows, allowing network eavesdroppers to decrypt and read typed text.
- iFlytek IME on Android fails to sufficiently encrypt network transmissions, making it possible for attackers to decipher plaintext.
- Samsung Keyboard transmits keystrokes in plain, unencrypted HTTP, posing a risk of interception.
- Xiaomi, OPPO, and Vivo devices come preinstalled with keyboard apps that inherit these vulnerabilities because they integrate affected IMEs such as Baidu, iFlytek, and Sogou.
- Honor also comes with a preinstalled Baidu IME sharing similar encryption issues.
Although most vendors have issued fixes following responsible disclosure, Tencent (QQ Pinyin) and Honor have not yet addressed the vulnerabilities as of April 1, 2024.
Users are advised to update their apps and operating systems regularly and consider switching to keyboard apps that operate solely on-device, avoiding those that transmit keystrokes or data off-device.
App developers should adopt standard, well-tested encryption protocols and avoid creating proprietary ones, which might be vulnerable to security flaws.
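To make the two points above concrete (the CBC padding-oracle class of flaw reported for Tencent QQ Pinyin, and the advice to use standard protocols instead of home-grown ones), here is an added Go example. It is not code from Citizen Lab or from any of the keyboard vendors named on this page; the key (`DemoKey`), the message and the error strings are constructed for illustration. It places a typical home-grown design, AES-CBC with PKCS#7 padding and no integrity check, next to the standard alternative, AES-GCM from the Go standard library. `TamperOnce` flips one byte of each ciphertext and returns what the two decryptors report: the unauthenticated CBC path answers with a distinct "invalid padding" error, which is precisely the signal a padding oracle feeds on, while the AEAD path rejects any tampering with one uniform error and never releases plaintext before the tag has been verified.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

var (
	ErrBadPadding = errors.New("cbc: invalid padding")        // distinct padding error: the signal a padding oracle needs
	ErrAuth       = errors.New("aead: authentication failed") // one uniform error for every AEAD failure
	DemoKey       = []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte key (AES-256); not from any real app
)

// pkcs7Unpad expects a non-empty, block-aligned buffer (DecryptCBCUnauth guarantees it).
func pkcs7Unpad(data []byte, bs int) ([]byte, error) {
	n := int(data[len(data)-1])
	if n == 0 || n > bs {
		return nil, ErrBadPadding
	}
	for _, b := range data[len(data)-n:] {
		if int(b) != n {
			return nil, ErrBadPadding
		}
	}
	return data[:len(data)-n], nil
}

// EncryptCBCUnauth models the weak design: AES-CBC with no integrity tag. Output is iv||ct.
func EncryptCBCUnauth(block cipher.Block, pt []byte) ([]byte, error) {
	iv := make([]byte, block.BlockSize())
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	n := block.BlockSize() - len(pt)%block.BlockSize()
	buf := append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(n)}, n)...) // PKCS#7 padding
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(buf, buf)
	return append(iv, buf...), nil
}

// DecryptCBCUnauth decrypts first and checks padding afterwards; reporting padding
// failures distinctly from other failures is what turns the decryptor into an oracle.
func DecryptCBCUnauth(block cipher.Block, data []byte) ([]byte, error) {
	bs := block.BlockSize()
	if len(data) < 2*bs || len(data)%bs != 0 {
		return nil, errors.New("cbc: bad length")
	}
	pt := make([]byte, len(data)-bs)
	cipher.NewCBCDecrypter(block, data[:bs]).CryptBlocks(pt, data[bs:])
	return pkcs7Unpad(pt, bs)
}

// EncryptGCM is the standard, authenticated alternative. Output is nonce||ct||tag.
func EncryptGCM(aead cipher.AEAD, pt []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, pt, nil), nil
}

// DecryptGCM verifies the tag before releasing any plaintext and maps every failure to ErrAuth.
func DecryptGCM(aead cipher.AEAD, data []byte) ([]byte, error) {
	if len(data) < aead.NonceSize() {
		return nil, ErrAuth
	}
	pt, err := aead.Open(nil, data[:aead.NonceSize()], data[aead.NonceSize():], nil)
	if err != nil {
		return nil, ErrAuth
	}
	return pt, nil
}

// TamperOnce encrypts msg both ways, flips one byte of each ciphertext and returns what
// the two decryptors report: a distinct padding error for CBC, a uniform error for GCM.
func TamperOnce(key, msg []byte) (cbcErr, gcmErr error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return err, err
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	ct, _ := EncryptCBCUnauth(block, msg)
	ct[len(ct)-block.BlockSize()-1] ^= 0xFF // this byte is XORed straight into the final plaintext byte
	_, cbcErr = DecryptCBCUnauth(block, ct)
	ct, _ = EncryptGCM(aead, msg)
	ct[len(ct)-1] ^= 0xFF // corrupt the authentication tag
	_, gcmErr = DecryptGCM(aead, ct)
	return cbcErr, gcmErr
}

func main() {
	cbcErr, gcmErr := TamperOnce(DemoKey, []byte("typed text"))
	fmt.Println("CBC without MAC:", cbcErr, "| AES-GCM:", gcmErr)
}
```

Running `main` prints the two verdicts side by side. The design point for a keyboard app (or any client that ships typed text to a server) is the second half: an AEAD such as AES-GCM, or better a whole standard transport such as TLS, gives integrity and confidentiality together, so a server that receives a modified message learns nothing worth reporting and an on-path observer has no error channel to probe. Collapsing every decryption failure into one error is a habit worth keeping even with an AEAD.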