More than a billion users may be at risk due to security flaws in keyboard apps

Nearly a billion mobile users, across multiple devices, could have had their communications exposed to malicious third parties, according to a report by cybersecurity researchers at Citizen Lab.

It says that different device makers used different keyboard apps that sent unencrypted communications, conveyed keystrokes in plain text, and the like. Tencent QQ Pinyin, Baidu IME, iFlytek IME, Samsung Keyboard on Android, Xiaomi (with keyboard apps from Baidu, iFlytek and Sogou), OPPO, Vivo, Honor: all of these allowed potential threat actors to decode the keystrokes of Chinese mobile users completely passively, and without any additional network traffic having to be sent.

The team says it believes the keyboard apps on these devices “revealed the contents of users’ keystrokes on the go.”

Keep private conversations private

The only manufacturer whose keyboard app was safe is Huawei, the researchers said. As for Apple and Google, neither company's keyboard app has a feature that sends keystrokes to cloud servers for cloud-based communications, so the keyboards could not be analyzed for the security of such a feature.

“However, we found that none of the mobile devices we analyzed had the Google keyboard, Gboard, pre-installed,” the researchers claim.

The researchers disclosed their findings to the manufacturers and say that, as of April 1, virtually all of them had addressed their issues. Only Honor and Tencent (QQ Pinyin) are still a work in progress.

To protect against potential eavesdroppers, users should keep their apps and mobile operating systems up to date and use a keyboard that works fully on the device. Developers, on the other hand, are advised to use well-tested and standard encryption protocols, rather than building their own, potentially vulnerable versions, The Hacker News reports.
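For developers acting on that advice, a canary check over captured traffic shows whether typed text leaves the device in a form anyone on the network path can read. The sketch below is an added example, not code from the Citizen Lab report or from any vendor; the canary string, the host `ime.example`, the function names and the three sample captures are all constructed for illustration.

```python
import base64
import hashlib
import re
from urllib.parse import quote, unquote_to_bytes

# Constructed canary: typed into the keyboard under test while traffic is captured.
CANARY = "canary-\u4f60\u597d-7f3a"

def payload_views(payload: bytes) -> list[tuple[str, bytes]]:
    """The payload as captured, plus its reversals under encodings that need no key."""
    views = [("raw", payload), ("url-decoded", unquote_to_bytes(payload))]
    for token in re.findall(rb"[A-Za-z0-9+/=_-]{8,}", payload):
        try:
            padded = token + b"=" * (-len(token) % 4)
            views.append(("base64-decoded", base64.b64decode(padded, altchars=b"-_")))
        except ValueError:  # the run only looked like base64
            continue
    return views

def find_leaks(payload: bytes, canary: str = CANARY) -> list[str]:
    """Name every view/encoding pair in which the canary is readable."""
    needles = {"utf-8": canary.encode("utf-8"), "utf-16le": canary.encode("utf-16-le")}
    hits = {f"{view}/{enc}" for view, data in payload_views(payload)
            for enc, needle in needles.items() if needle in data}
    return sorted(hits)

# Constructed captures (not real traffic; ime.example is a placeholder host).
PLAINTEXT_POST = (b"POST /v1/suggest HTTP/1.1\r\nHost: ime.example\r\n\r\ntext="
                  + quote(CANARY).encode("ascii"))
BASE64_BODY = b'{"k":"' + base64.b64encode(CANARY.encode("utf-8")) + b'"}'
# Stand-in for a TLS record body: opaque bytes with no recoverable structure.
OPAQUE_BODY = hashlib.sha256(b"constructed ciphertext stand-in").digest() * 2

if __name__ == "__main__":
    for name, capture in [("plaintext POST", PLAINTEXT_POST),
                          ("base64 body", BASE64_BODY),
                          ("opaque body", OPAQUE_BODY)]:
        leaks = find_leaks(capture)
        print(f"{name}: {'LEAK via ' + ', '.join(leaks) if leaks else 'canary not found'}")
```

A clean result only rules out plaintext and unkeyed encodings. It says nothing about the strength of a custom cipher, which is why the recommendation is a standard protocol rather than a home-built one.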

“Given the scope of these vulnerabilities, the sensitivity of what users type on their devices, the ease with which these vulnerabilities were discovered, and the fact that the Five Eyes have previously exploited similar vulnerabilities in Chinese apps for surveillance, it is possible that such users’ keystrokes may also have been under mass surveillance,” the researchers concluded.
