No mention of Apple?
iOS has a pinyin-based keyboard built in. Apple sometimes sells phones in China.
Many Chinese keyboard apps, some from major handset manufacturers, can leak keystrokes to determined snoopers, leaving perhaps three quarters of a billion people at risk according to research from the University of Toronto’s Citizen Lab. As the Lab’s findings [PDF] explain, “There is no way to fit the tens of thousands of …
That was S. Sharwood Esq. helpfully explaining but the report itself refers to neither Apple's nor Google's keyboard app having "a feature [sic] to transmit keystrokes to cloud servers" for help with interpretation and thus the inability to "analyse these keyboards for the security of this feature". Somewhat specific and leaves the broader question of screen input security wide open.
"I presume they meant to say OVERstated."
It's a fairly common idiom in British English I think. Politicians use it in AU often enough having the sense in the article but they can be trusted to stuff up most things.
The passive voice often obscures the sense and is a favourite of politicians and other weasels.
"I cannot understate the scope of these severe vulnerabilities" reads better for me but I think the original perhaps meant the "scope and severity of these vulnerabilities" i.e. how bad and how widespread.
"Cannot be understated" perhaps implies the impossibility of expressing the scope of the vulnerabilities in any way that reduces their severity.
The sense of cannot here is probably better expressed with ought, should or must not.
"The scope of these severe vulnerabilities ought not be understated."
Dad's Army's Private Frazer was more succinct: "We're doomed..." :)
Japanese uses "romaji" which, like pinyin, allows the phonetic pronunciation of the Chinese character set to be typed on a standard qwerty keyboard as well. Actually, Japanese uses 3 alphabets, one of which is Kanji, which is the Chinese character set with additional meanings...
No wonder Westerners find Asian languages so difficult!
I will say now.. that this excuse.. is bullshit, and about 5-8 years too late.
Because I looked at the same thing at least 8 years ago... when I was purchasing China-made SBC & tablets....
To encode all the Chinese characters is a trivial matter, due to the way Chinese works.
The characters look complicated but they are not.
Top -> bottom, left -> right, and there is ALWAYS a stroke order.
So you just need to encode the stroke order, start & dest and left to right, that is it!!!!!
A very small table of a couple of MB.
All these apps deliberately send what you are typing to their systems for obvious reasons....
However the authors have missed several key points.... which I'm not going to go into here.
There is a far bigger danger..... these programs also capture non-Chinese, so basically, usernames & passwords.
And one area these security specialists have completely missed is "translation"... a program that can translate things that you type in, but also things on the screen....
There is a favorite program in China for this... I did an analysis...
Not only did it "translate", but also when going to HSBC and other personal sites, it "translated" the logins, screen data, account data... over to servers in China...
Then to top it off...... it also screen-snapshotted the screen and took a note of the user name on the computer, application being used time, all this going to a very well known platform in China.
And when it was not "translating" the keyboard wedge was sending everything typed to the same servers.
But the greatest thing is that everything was sent using fucking HTTP.. and a single XOR value.
These are NOT bugs, they are systems built for surveillance........... and it is endemic to the whole software supply chain in China.
DO NOT EVER put ANY Chinese SW on any device you own.... and NEVER EVER use any network connected device made there.
I daily have to deal with "government mandated" software that has to be loaded onto company computers, for TAX and other things, only to find them using viruses, to bypass and install "patches" and crypto mining systems.
Let's just say there is a lot of rogue programmers, working for the local....governments.........