In brief: Anyone who types in Chinese using cloud-based apps from Baidu, Honor, iFlytek, Oppo, Samsung, Tencent, Vivo, and Xiaomi should update their software immediately. The Huawei service appears to be safe, but security flaws in the other apps, most of which recently received patches, could invite snooping, potentially impacting up to a billion users.
Researchers recently discovered severe encryption flaws in cloud-based pinyin input software from eight companies that could allow eavesdropping. Although there is no evidence that the vulnerabilities are actively being exploited, earlier incidents make this a potentially serious issue.
Chinese writing incorporates thousands of unique characters that could never fit on a conventional keyboard, so typing in the language requires an input method editor (IME). All of the vulnerable cloud tools employ pinyin systems, in which users type a character's pronunciation in Roman letters and then pick the intended character from a list of candidates. Operating system vendors and third-party developers have offered Chinese IMEs with wholly on-device processing for decades, but cloud services, which send the typed text to a server, can predict the correct characters more accurately.
Any typing utility that sends keystrokes over the internet carries inherent risk, and the companies offering cloud-based pinyin apps promise to protect user privacy through encryption. Researchers from the University of Toronto tested the security of apps from nine companies: Baidu, Honor, Huawei, iFlytek, OPPO, Samsung, Tencent, Vivo, and Xiaomi, and successfully read keystrokes from all of them except the Huawei tool, meaning that everything a user types could be exposed to eavesdroppers. Some of the vulnerabilities leak data to a completely passive observer on the network, with no need to tamper with the traffic.
Notably, the researchers found no flaws in the iOS apps because Apple sandboxes third-party keyboards by default: an iPhone keyboard app can only access and transmit data after the user grants it explicit permission. The equivalent Android and Windows tools were deemed far less secure. Android users can choose whether a keyboard may connect to the internet, but the researchers found that the relevant controls can be too hard for many users to find.
After the researchers warned all nine vendors, most released updates to fix the problems, but encryption flaws remain in Baidu’s apps, Honor’s keyboard, and Tencent’s QQ Pinyin service. Furthermore, the researchers listed dozens of similar apps that they couldn’t test but might suffer from the same issues.
The researchers expressed alarm partly due to prior episodes involving government surveillance. The report notes that the Five Eyes – an intelligence-sharing alliance between the US, UK, Canada, Australia, and New Zealand – had previously used similar vulnerabilities in Chinese apps to spy on their users.