Skip to content

Critical flaws in Pinyin keyboard apps potentially impacts billions

  • by
  • 4 min read

Cloud-based Pinyin keyboards offered by major vendors, such as Baidu, Honor, iFlytek, OPPO, Samsung, Tencent, Vivo, and Xiaomi, have been found to have critical vulnerabilities. If exploited, these vulnerabilities can intercept and expose users’ keystrokes during transmission, posing a serious threat to billions’ privacy and data security.

These apps leverage cloud-based prediction services to enhance user typing efficiency. However, this reliance on cloud services introduces vulnerabilities that malicious entities could exploit.

Researchers highlight that eight out of the nine vendors’ keyboard apps examined in the analysis exhibited critical vulnerabilities that could be leveraged to fully disclose the contents of users’ keystrokes while in transit. Only Huawei’s app seems to be free from flaws.

“Among the nine vendors whose apps we analysed, we found that there was only one vendor, Huawei, in whose apps we could not find any security issues regarding the transmission of users’ keystrokes. For each of the remaining eight vendors, in at least one of their apps, we discovered a vulnerability in which a passive network eavesdropper could completely reveal keystrokes,” noted researchers from The Citizen Lab.

This vulnerability exposes sensitive information, including financial data, login credentials, and private communications, to potential interception by malicious actors.

The widespread use of these keyboard apps, estimated to be utilised by up to one billion users globally for logographic language typing, underscores the significant impact of these security vulnerabilities.

While most vendors responded promptly to address the reported vulnerabilities, some keyboard apps, like Honor and Tencent, continue to remain vulnerable, posing persistent risks to users.

These vulnerabilities raise individual privacy concerns and have broader implications. Government intelligence agencies and other threat actors could potentially exploit them for mass surveillance, highlighting the broader cybersecurity challenges in widely adopted applications.

Researchers used tools like jadx for Dalvik bytecode for Android for native machine code to decompile and statically analyse the app binaries. Furthermore, Frida and IDA Pro were used to monitor real-time app execution and behaviour for Android, iOS and Windows versions of the apps.

Finally, Wireshark and Mitmproxy were used to capture and analyse the network traffic generated by the keyboard apps during their operation.

Here are the research findings:

A single cross represents that an active eavesdropper can exploit the flaw, while double crosses mean that both active and passive eavesdroppers can decrypt keystrokes. A check mark showcases no vulnerability, while the exclamation mark symbolises defects in cryptography implementation. Default keyboard apps are shown by asterisk. | Source: The Citizen Lab
  • Tencent: Tencent’s QQ Pinyin keyboard app for Android and Windows showcased this vulnerability.
  • Baidu: Baidu Pinyin for Windows was affected by a flaw that allowed network eavesdroppers to hack and decrypt network transmissions. The Android and iOS versions were affected by weakness in encryption.
  • iFlytek: iFlytek includes a vulnerability in Android, while the Windows and iOS versions are clear and safe.
  • Samsung: Threat actors could exploit Samsung Keyboard’s vulnerability in Android and the bundled Baidu IME version to recover the plaintext of improperly encrypted network transmissions.
  • Xiaomi: The preinstalled keyboard by Baidu, iFlytek and Sogou in Xiaomi Mi 11 also includes the keystroke vulnerability.
  • OPPO: Similarly, researchers discovered that the preinstalled keyboard from Baidu and Sogou on OPPO OnePlus Ace included the flaw.
  • Vivo: It appears that Vivo smartphones come with preinstalled Sogou IME, which, unfortunately, exhibits similar flaws.
  • Honor: Honor phones also have Baidu IME; therefore, they are unsafe.

Researchers attribute the primary cause of this widespread vulnerability to the prevalent scepticism of Western encryption standards across Chinese developers. This leads to the creation of potentially flawed encryption methods. Also, the developers may not have prioritised established security protocols like SSL/TLS, especially in the early 2010s. Furthermore, Android’s permissions model may not effectively prevent insecure network transmissions.

Analysts proposed the developers increase focus on apps’ security, better static and dynamic analysis techniques, and promptly submit vulnerability disclosures to the companies keeping in mind the official language of the company’s region. They also urged users to immediately update the apps to the latest version and disable any cloud-based feature.

In the News: CoralRaider deploys malware via CDN cache across 13 countries

Kumar Hemant

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: