Chinese keyboard app on Xiaomi, Oppo, and Vivo phones has security flaw, reveals what users type
Summary
The most popular way of typing Chinese is the pinyin method, which is based on the pinyin romanisation of Chinese characters and is used by nearly 76% of users.
A Chinese keyboard app that comes pre-installed on millions of Android smartphones has a critical security flaw, new research has revealed. The vulnerability could expose users’ sensitive information, including what they type, according to the Citizen Lab, an academic research group in Toronto, Canada.
The group investigated the security of cloud-based pinyin keyboard apps, including those already installed on devices, and found vulnerabilities in the way eight of nine vendors transmitted user keystrokes, potentially exposing the keystrokes of more than a billion users to eavesdroppers.
“We reported these vulnerabilities to all nine vendors. Most vendors responded, took the issue seriously, and fixed the reported vulnerabilities, although some keyboard apps remain vulnerable,” they said.
“Sogou, Baidu, and iFlytek IMEs alone comprise over 95% of the market share for third-party IMEs in China, which are used by around a billion people. In addition to the users of third-party keyboard apps, we found that the default keyboards on devices from three manufacturers (Honor, OPPO, and Xiaomi) were also vulnerable to attacks.
“Devices from Samsung and Vivo also bundled a vulnerable keyboard, but it was not used by default. In 2023, Honor, OPPO, and Xiaomi alone comprised nearly 50% of the smartphone market in China,” the report said.
The study concludes with a summary of recommendations to users:
Users of QQ pinyin or the pre-installed keyboard should switch keyboards immediately.
Users of any Sogou, Baidu, or iFlytek keyboard should ensure their keyboards and operating systems are up to date.
Users of any Baidu IME keyboard should switch to a different keyboard or disable the ‘cloud-based’ feature on their devices.
Users with privacy concerns should not enable ‘cloud-based’ features on their keyboards or IMEs, or should switch to a keyboard that does not offer ‘cloud-based’ prediction.
iOS users with privacy concerns should not enable ‘Full Access’ for their keyboards or IMEs.
Users are advised to keep their devices and apps updated to protect themselves against potential threats, be mindful of the permissions granted to apps, and use reputable security software. Additionally, users should consider using alternative keyboard apps from trusted sources to mitigate the risk and protect their privacy and security.