Almost all Chinese keyboard apps around the world have a security hole that makes it possible to spy on what users type.
The vulnerability, which allows theft of the typing data these apps send to the cloud, has existed for years and could have been exploited by cybercriminals and government surveillance groups, according to researchers at Citizen Lab, a technology and security research lab affiliated with the University of Toronto.
These apps help users type Chinese characters more efficiently and are ubiquitous on devices used by Chinese people. The four most popular apps, made by big Internet companies such as Baidu, Tencent and iFlytek, basically represent all the typing methods used by Chinese people.
The researchers also looked at the keyboard apps that come pre-installed on Android phones sold in China. What they discovered was shocking. Almost every third-party app and Android phone with pre-installed keyboards failed to protect users by properly encrypting content that they typed. A smartphone made by Huawei was the only device where no such vulnerability was found.
In August 2023, the same researchers discovered that Sogou, one of the most popular keyboard apps, was not using Transport Layer Security (TLS) when transmitting typing data to the cloud server for better typing predictions. Without TLS, a widely used international encryption protocol that protects users, keystrokes can be collected and then decrypted by third parties.
Although Sogou fixed the problem after it was made public last year, some Sogou keyboards pre-installed on phones have not yet been updated to the latest version.