back to article Flaws in Chinese keyboard apps leave 750 million users open to snooping, researchers claim

Many Chinese keyboard apps, some from major handset manufacturers, can leak keystrokes to determined snoopers, leaving perhaps three quarters of a billion people at risk according to research from the University of Toronto’s Citizen Lab. As the Lab’s findings [PDF] explain, “There is no way to fit the tens of thousands of …

  1. PhilipN Silver badge

    No mention of Apple?

    iOS has a pinyin-based keyboard built in. Apple sometimes sells phones in China.

    1. Roland6 Silver badge

      Re: No mention of Apple?

      I expect some US iPhone users use the pinyin-based keyboard, which if processed in the cloud in China….

    2. Androgynous Cupboard Silver badge

      Re: No mention of Apple?

      "Apple and Google don't use this technique." - from the article.

    3. FrogsAndChips Silver badge

      Re: No mention of Apple?

      In case it wasn't present in the article when you posted your comment: "some Pinyin apps upload keystrokes to the cloud for processing. Apple and Google don't use this technique."

      1. PhilipN Silver badge

        Re: No mention of Apple?

        That was S. Sharwood Esq. helpfully explaining but the report itself refers to neither Apple's nor Google's keyboard app having "a feature [sic] to transmit keystrokes to cloud servers" for help with interpretation and thus the inability to "analyse these keyboards for the security of this feature". Somewhat specific and leaves the broader question of screen input security wide open.

  2. CowHorseFrog Silver badge

    Why arent these xiaomi hackers helping xiamomi with their shitty new car ?

  3. Tom Chiverton 1 Silver badge

    You say security issue, governments say feature

    1. gnasher729 Silver badge

      As explained in the article, the Chinese government doesn’t need any exploits, and they certainly don’t want competition. They are very interested in keeping their citizens safe from anyone else.

  4. Binraider Silver badge

    Ahh yes, the 82MB Mouse Driver; or the 227MB keyboard driver using 5% of CPU. Is it not obvious why we cannot have nice things?

    1. Binraider Silver badge

      Downvote presumably by some nob writing spyware into their crap drivers.

  5. sarusa Silver badge
    Devil

    'flaws'

    Okay, yeah, sure, that is a totally accidental 'flaw'.

  6. Dave Pickles
    Headmaster

    “The scope of these severe vulnerabilities cannot be understated”

    I presume they meant to say OVERstated.

    1. Anonymous Coward
      Anonymous Coward

      Re: “The scope of these severe vulnerabilities cannot be understated”

      一个漂亮的新键盘 - but so much easier in English though.

      1. J.G.Harston Silver badge

        Re: “The scope of these severe vulnerabilities cannot be understated”

        That's easy for you to say.

    2. Bebu Silver badge
      Windows

      Re: “The scope of these severe vulnerabilities cannot be understated”

      "I presume they meant to say OVERstated."

      Its a fairly common idiom in British English I think. Politicians use it in AU often enough having the sense in the article but they can be trusted to stuff up most things.

      The passive voice often obscures the sense and is a favourite of politicians and other weasels.

      "I cannot understate the scope of these severe vulnerabilities" reads better for me but I think the original perhaps meant the "scope and severity of these vulnerabities" ie how bad and how widespread.

      "Cannot be understated" perhaps implies the impossibility of expressing the scope of the vulnerabilities in any way that reduces their severity.

      The sense of cannot here is probably better expressed with ought, should or must not.

      "The scope of these severe vulnerabilities ought not be understated."

      Dad's Army's Private Frazer was more succinct :"We're doomed..." :)

  7. Anonymous Coward
    Anonymous Coward

    Hmmm, I'm using Microsoft SwiftKey, which does send typing data to Microsoft by default. Is it safe? And since I disabled that sending, did it actually stop doing it?

  8. Anonymous Coward
    Anonymous Coward

    All your type are belong to us

    Stand by your computer, the secret police are on their way.

  9. J.G.Harston Silver badge

    So you need a live internet connection to be able to type anything? That's madness!

  10. pc-fluesterer.info
    FAIL

    "Flaw"? Works as designed!

    Move on, nothing to see here.

  11. EricB123 Silver badge

    It's Not Just Chinese...

    Japanese uses "romaji" which, like pinyin, allows the phonetic pronunciation of the Chinese character set to by typed on a standard qwerty keyboard as well. Actually, Japanese uses 3 alphabets, one of which is Kanji, which is the Chinese character set with additional meanings...

    No wonder Westerners find Asian languages so difficult!

  12. Anonymous Coward
    Anonymous Coward

    I will say now.. that this excuse..is bullshit. and about 5-8 years too late.

    becasue i looked at the same thing at-least 8 years ago... when i was purchasing china made SBC & tablets....

    To encode all the Chinese characters is a trivial matter, due to the way Chinese works.

    The characters look complicated but they are not.

    top -> bottom, Left-> right. and there is ALWAYS a stroke order.

    So you just need to encode, the stroke order , start & dest and left to right, that is it!!!!!

    a very small table of a couple of MB.

    all these apps deliberately send what you are typing to their systems for obvious reasons....

    However the authors have missed several key points.... which I'm not going to go into here.

    There is a far bigger danger..... , these programs also capture non Chinese., so basically , usernames & passwords.

    And one area these security specialists have completely missed is "translation"... a program that can translate things that you type in , but also things on the screen....

    there is a favorite program in China for this..., I did an analysis...

    not only did it "translate", but also when going to HSBC and other personal sites, it "translated" the logins, screen data , account data ... over to servers in China...

    Then to top it off......, it also screen snapshoted, the screen and took a note of the user name on the computer, application being use time, all this going to a very well known platform in China.

    and when it was not "translating" the Keyboard wedge was sending everything typed to the same servers.

    but the greatest thing is that everything was sent using fucking HTTP.. and a single Xor value.

    These are NOT bugs, they are systems built for surveillance........... and it is endemic to the whole software supply chain in China.

    DO NOT EVER put ANY Chinese SW on any device you own.... and NEVER EVER use any network connected device made there.

    I daily have to deal with "government mandated" software that has to be loaded onto company computers , for TAX and other things ,only to find them using viruses, to bypass and install "patches" and crypto mining systems.

    Let's just say there is a lot of rouge programmers, working for the local....governments.........

  13. Anonymous Coward
    Anonymous Coward

    oh... and parts of that article/ paper are plagiarized.....from things that are years old.

    and NOT accredited......

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like