Huawei's keyboard and the iOS apps examined held up, but the other cloud-based pinyin keyboards could expose keystrokes to passive network snooping.
In Short
- Encryption flaws in Chinese cloud-based pinyin keyboards put users at risk of having their keystrokes read by network eavesdroppers.
- The Android and Windows versions have weaknesses; the iOS apps examined showed none, thanks to Apple's sandboxing of third-party keyboards.
- Some users will find the controls for limiting their exposure hard to locate.
Researchers have identified serious encryption weaknesses in cloud-based pinyin input software from eight companies that could let a network eavesdropper recover what users type. There is no evidence that the vulnerabilities are being exploited in the wild, but past incidents suggest the risk is a serious one.
Chinese writing uses thousands of distinct characters, far more than fit on a standard keyboard, so typing Chinese requires an input method editor (IME).
All of the affected cloud products are pinyin systems: the user types a pronunciation in the Roman alphabet and then picks the intended characters from a list of candidates.
For decades, operating system makers and third-party developers have run Chinese IMEs entirely on the device, but cloud-based prediction can pick the intended characters more accurately.
Any typing tool that sends keystrokes over the internet carries inherent risk, so vendors of cloud-based pinyin apps rely on encrypting that traffic to protect users' privacy. The weaknesses the researchers found lie in that encryption.
Researchers from the University of Toronto examined the security of applications from nine companies:
The researchers were able to read keystrokes from every vendor's tool except Huawei's, so a network eavesdropper could potentially recover everything a user typed. Some of the flaws expose this data to a fully passive snooper, one who only needs to capture the traffic rather than tamper with it.
Notably, the researchers found no weaknesses in the iOS apps, because Apple sandboxes third-party keyboards on the platform: an iPhone keyboard cannot reach the network, and so cannot send keystrokes anywhere, unless the user explicitly grants it "Full Access".
Comparable Android and Windows programs fared far worse. Android users can control whether a keyboard reaches the internet, but the researchers found that the relevant settings can be hard for some users to find.
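A quick way to see which keyboards on an Android device can send anything off-device at all is to list the enabled IMEs and check whether each holds the INTERNET permission. The script below is an added example and is not code from the article or from the researchers; it assumes `adb` is installed and a device is attached and authorized, and parses the output of two real commands, `adb shell ime list -s` and `adb shell dumpsys package <pkg>`. The sample outputs embedded in it are constructed so it runs offline. Holding INTERNET is not itself a vulnerability; it only tells you which keyboards could be affected by the weaknesses described above, and an OEM "network access" toggle that blocks traffic at the firewall level will not change the permission state this script reads.

```python
"""Flag enabled Android keyboards (IMEs) that can reach the network.

Added example, not from the article or the researchers' report. Assumes adb is
on PATH with one authorized device attached; the live path shells out to:

    adb shell ime list -s            # enabled IMEs, one 'package/class' id per line
    adb shell dumpsys package <pkg>  # per-package permission state
"""
import re
import subprocess

INTERNET = "android.permission.INTERNET"


def parse_ime_list(text: str) -> list[str]:
    """Return package names from `ime list -s` output ('pkg/class' per line)."""
    pkgs = []
    for line in text.splitlines():
        line = line.strip()
        if "/" in line:
            pkgs.append(line.split("/", 1)[0])
    return pkgs


def internet_status(dumpsys_text: str) -> str:
    """Classify a package's INTERNET permission from `dumpsys package` output.

    'granted'   - a line like "android.permission.INTERNET: granted=true"
    'requested' - INTERNET appears under "requested permissions:" but no granted line
    'none'      - the package does not declare INTERNET at all
    """
    m = re.search(re.escape(INTERNET) + r":\s*granted=(true|false)", dumpsys_text)
    if m and m.group(1) == "true":
        return "granted"
    if any(line.strip() == INTERNET for line in dumpsys_text.splitlines()):
        return "requested"
    return "none"


def audit(ime_list_text: str, dumpsys_by_pkg: dict[str, str]) -> dict[str, str]:
    """Map each enabled IME package to its INTERNET status."""
    return {
        pkg: internet_status(dumpsys_by_pkg.get(pkg, ""))
        for pkg in parse_ime_list(ime_list_text)
    }


def audit_device() -> dict[str, str]:
    """Live version: run the adb commands against the attached device."""
    ime_text = subprocess.run(
        ["adb", "shell", "ime", "list", "-s"],
        capture_output=True, text=True, check=True,
    ).stdout
    dumps = {}
    for pkg in parse_ime_list(ime_text):
        dumps[pkg] = subprocess.run(
            ["adb", "shell", "dumpsys", "package", pkg],
            capture_output=True, text=True, check=True,
        ).stdout
    return audit(ime_text, dumps)


# Constructed sample output (hypothetical package names), trimmed to the
# relevant sections, so the example runs without a device.
SAMPLE_IME_LIST = """\
com.example.cloudpinyin/.CloudPinyinIME
com.example.offlinekb/com.example.offlinekb.LatinIME
"""
SAMPLE_DUMPSYS = {
    "com.example.cloudpinyin": """\
Packages:
  Package [com.example.cloudpinyin] (1a2b3c):
    requested permissions:
      android.permission.INTERNET
      android.permission.ACCESS_NETWORK_STATE
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.ACCESS_NETWORK_STATE: granted=true
""",
    "com.example.offlinekb": """\
Packages:
  Package [com.example.offlinekb] (4d5e6f):
    requested permissions:
      android.permission.VIBRATE
    install permissions:
      android.permission.VIBRATE: granted=true
""",
}

if __name__ == "__main__":
    for pkg, status in audit(SAMPLE_IME_LIST, SAMPLE_DUMPSYS).items():
        print(f"{pkg}: INTERNET {status}")
```

Run it as-is to see the constructed sample classified; call `audit_device()` instead of `audit(...)` in the `__main__` block to check a real phone. Any keyboard reported as "granted" is one whose traffic is worth inspecting, or replacing with an offline IME if you cannot verify how it encrypts what it sends.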
After the researchers notified all nine vendors, most shipped fixes, but encryption weaknesses remain in Baidu's apps, Honor's keyboard, and Tencent's QQ Pinyin. The researchers also noted dozens of similar apps that they could not test but that may share the same flaws.
The researchers' concern stems partly from prior government surveillance. According to the study, the Five Eyes, the intelligence-sharing alliance of the United States, the United Kingdom, Canada, Australia, and New Zealand, have previously exploited similar weaknesses in Chinese apps to spy on users.