Keyboard apps from Samsung, Xiaomi, Oppo & Vivo leak everything users type to hackers

A recent investigation by Citizen Lab has uncovered significant security vulnerabilities across popular Chinese keyboard apps, affecting potentially billions of users. The bugs identified in cloud-based Pinyin keyboard apps allow malicious actors to hack into devices and user accounts, intercepting user data transmitted between devices and the cloud.

The study analyzed preinstalled apps from major vendors, including Baidu, Honor, Huawei, iFlyTek, OPPO, Samsung, Tencent, Vivo, and Xiaomi. Shockingly, eight out of nine vendors were found to have critical vulnerabilities, leaving user data exposed to interception by passive network eavesdroppers.

Only Huawei emerged unscathed from the security audit conducted by Citizen Lab.

The implications of these studies are profound—bugs such as these could have impacted hundreds of millions of users, particularly given the widespread adoption of Honor, OPPO, and Xiaomi smartphones in China and its neighbors.

The nature of these bugs allowed attackers to intercept users’ keystrokes when they were in transit. This, in turn, compromised sensitive information, ranging from text messages to financial details.

The crux of the issue lies in how typing data is transmitted over the internet. Unlike keyboards for Latin-based alphabets, the pinyin keyboards used by most mainland Chinese users send typing data to remote servers for predictive text functions. This reliance on cloud-based features exposes the apps to surveillance, so that they effectively function as keyloggers.

While Citizen Lab promptly notified all affected vendors of the vulnerabilities, only Honor failed to address the issues by the deadline.

Since then, most service providers have patched the bugs, prompting researchers to advise users to update their apps and operating systems for enhanced security.

Moreover, to mitigate future privacy and sensitive data risks, users are urged to transition away from cloud-based keyboard apps to those operating entirely on-device.

The revelations underscore the critical importance of robust security measures in mobile applications, particularly for widely used keyboard apps that handle vast amounts of personal data.

As cyber threats continue to evolve, proactive steps must be taken to safeguard user privacy and protect against potential exploitation by malicious actors.
