Is your phone tracking what you type?


We've all wondered if our phones are spying on us, perhaps recording our information, somehow leaking it. Well, a new report has revealed that this one-time daydream may have turned into a real-life Orwellian nightmare for some.

Citizen Lab has found that at least one billion people have been susceptible to having every keystroke logged, opening them up to mass surveillance. The researchers analyzed keyboard apps from nine of the most popular vendors serving Chinese speakers, and found that apps from eight of them had vulnerabilities that could fully expose everything a user typed.

"Anyone could just eavesdrop on the traffic and decrypt it, fully seeing what you're typing," Jeffrey Knockel, Senior Research Associate at Citizen Lab who worked on the report, told me. He believes criminals and, even more so, intelligence agencies have likely exploited these vulnerabilities to their advantage.

"From the Snowden revelations, we know that Five Eyes agencies have targeted Chinese apps with poor cryptography [before] for mass surveillance. So, it's more than plausible these intelligence organizations are already scooping up what these folks are typing. Given the hundreds of millions of users using these apps, that's just alarming to think about," he added, urging everyone to immediately update their keyboard app.

Which brands and keystroke apps are affected?

Between August and November 2023, researchers investigated the security of cloud-based pinyin keyboard apps from the nine most popular vendors. Pinyin, the romanization of Chinese, is the input method used by nearly 76% of mainland Chinese keyboard users: they type romanized syllables and the keyboard converts them into Chinese characters.

Specifically, they analyzed apps from the keyboard developers Baidu, iFlyTek, and Tencent, and the keyboards preinstalled on devices from Honor, Huawei, OPPO, Samsung, Vivo, and Xiaomi (several of which ship customized versions of the Baidu, Sogou, or iFlyTek keyboards). The researchers were looking for vulnerabilities in the transmission between users' devices and the vendors' cloud servers. Eight of the nine vendors had critical vulnerabilities that researchers could exploit to fully reveal the contents of what users were typing while that data was in transit.

"Interestingly, Huawei was the only company to get a pass from us," Knockel told me.

The latest research follows a previous Citizen Lab study of Tencent's Sogou keyboard apps, which revealed the same kind of vulnerabilities. Taken together, the two studies suggest that at least one billion Chinese speakers have been affected.

Citizen Lab reported the findings to all vendors, with most of them promptly fixing all the issues. As of April 1, 2024, only Honor apps remain vulnerable to potential attacks.

Below is a list of all the vulnerabilities researchers have found for each provider:

  • Baidu: Windows app (network eavesdroppers can decrypt network transmissions); Android and iOS apps (privacy and security weaknesses in the encryption used)  
  • Honor (Honor Play7T): Baidu IME Honor version app (network eavesdroppers can decrypt network transmissions from the keyboards)
  • Huawei (Huawei Mate 50 Pro): no vulnerabilities during the transmission of users’ keystrokes. Notably, Huawei used TLS to encrypt keystrokes in the app versions analyzed.  
  • iFlyTek: Android (network eavesdroppers can recover the plaintext of insufficiently encrypted network transmissions); iOS and Windows (no vulnerabilities during the transmission of users’ keystrokes) 
  • OPPO (OPPO OnePlus Ace): Baidu IME and Sogou IME Custom version apps (network eavesdroppers can decrypt network transmissions from the keyboards)
  • Samsung: Samsung Android and Samsung's bundled version Baidu IME apps (network eavesdroppers can recover the plaintext of insufficiently encrypted network transmissions); Sogou IME Samsung app (no vulnerabilities)
  • Tencent: Android and Windows (network eavesdroppers can recover the plaintext of encrypted network transmissions)
  • Vivo (Vivo Y78+): Sogou IME Custom version app (network eavesdroppers can decrypt network transmissions from the keyboards); Jovi IME (no vulnerabilities during the transmission of users’ keystrokes) 
  • Xiaomi (Xiaomi Mi 11): Baidu IME, Sogou IME, and iFlyTek IME Xiaomi version apps (network eavesdroppers can decrypt network transmissions from the keyboards)

How can attackers exploit keyboard vulnerabilities?

Researchers identified these keyboard apps as potentially problematic because of the way they transmit what you're typing over the internet. All of these apps are input method editors (IMEs), which convert pinyin keystrokes into Chinese characters. Unlike keyboards for Latin-alphabet languages, such as Google's and Apple's, which can typically do word prediction entirely on the device, these apps offer cloud-based prediction features that users are prompted to enable after installation or on first use.

The cloud features exist because predicting Chinese words or characters is much harder than predicting, say, English words: the same pinyin syllables can correspond to many different characters, so the keyboard benefits from a large server-side model. The price is that every keystroke leaves the device. As previous studies have shown, this lets "cloud-based" keyboards and input methods function as vectors for surveillance by behaving, in effect, as keyloggers.

Did you know?


A keylogger is a type of spyware that keeps track of and records every keystroke as you type. Put simply, keyloggers log what you type on your keyboard. Some spyware bundles keylogging with other capabilities, such as access to your device's camera or microphone.

According to Citizen Lab's findings, attackers can successfully carry out entirely passive network eavesdropping attacks against all of the vulnerable apps. Also known as sniffing or snooping, eavesdropping relies on inadequately protected network communications to read data in transit between devices. A passive eavesdropper, for example an ISP, a Wi-Fi hotspot operator, or anyone with a tap on the network path, only observes the traffic as it passes and sends no packets of its own, which makes the attack very hard to detect. Deleting or modifying data in transit would require an active position on the network, but Citizen Lab's point is that reading alone suffices: the keystrokes can be decrypted from nothing more than a captured copy of the traffic.
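A practitioner who routes a phone through a laptop hotspot and captures its traffic will want a quick way to tell which of a keyboard app's connections actually use TLS (as Huawei's did) and which carry cleartext or a home-grown protocol. The script below is an added example, not code from Citizen Lab or from any of the vendors: it parses the first payload bytes of each captured flow, recognizes a TLS ClientHello and pulls out the SNI hostname, and flags everything else for review. The flows, app names, hostnames, and IP addresses are constructed sample data (documentation address ranges), not observations from the report.

```python
"""Classify captured keyboard-app flows by whether they begin with a TLS handshake.

Added example (not from the original article or the Citizen Lab report).
Sample flows below are constructed; app names and hosts are hypothetical.
"""
import struct


def build_client_hello(sni: str) -> bytes:
    """Assemble a minimal TLS 1.2 ClientHello with an SNI extension (constructed sample input)."""
    name = sni.encode("ascii")
    # server_name_list: list length (2) || name_type host_name (1) || name length (2) || name
    sni_ext_body = struct.pack(">HBH", len(name) + 3, 0, len(name)) + name
    extensions = struct.pack(">HH", 0x0000, len(sni_ext_body)) + sni_ext_body
    body = (
        b"\x03\x03"                                  # client_version: TLS 1.2
        + b"\x11" * 32                               # client random (fixed for reproducibility)
        + b"\x00"                                    # empty session id
        + struct.pack(">H", 2) + b"\x13\x01"         # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                                # one compression method: null
        + struct.pack(">H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type client_hello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake  # record: handshake


def parse_client_hello(payload: bytes):
    """Return {'sni': hostname or None} if payload is a TLS ClientHello, else None."""
    # Record header: content type 0x16 (handshake), version 0x03xx; handshake type 0x01 at offset 5.
    if len(payload) < 44 or payload[0] != 0x16 or payload[1] != 0x03 or payload[5] != 0x01:
        return None
    try:
        pos = 43                                     # past record hdr(5) + hs hdr(4) + version(2) + random(32)
        pos += 1 + payload[pos]                      # session id
        pos += 2 + struct.unpack_from(">H", payload, pos)[0]   # cipher suites
        pos += 1 + payload[pos]                      # compression methods
        if pos + 2 > len(payload):
            return {"sni": None}                     # ClientHello without extensions
        ext_end = pos + 2 + struct.unpack_from(">H", payload, pos)[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack_from(">HH", payload, pos)
            pos += 4
            if ext_type == 0x0000:                   # server_name
                p = pos + 2                          # skip server_name_list length
                name_type = payload[p]
                name_len = struct.unpack_from(">H", payload, p + 1)[0]
                if name_type == 0:
                    return {"sni": payload[p + 3:p + 3 + name_len].decode("ascii", "replace")}
            pos += ext_len
        return {"sni": None}
    except (IndexError, struct.error):
        return None                                  # truncated or malformed: not a usable ClientHello


def classify_payload(payload: bytes) -> str:
    """'tls' for a ClientHello, 'cleartext-http' for an HTTP request line, else 'non-tls'."""
    if parse_client_hello(payload) is not None:
        return "tls"
    if payload.startswith((b"GET ", b"POST ", b"PUT ", b"HEAD ")):
        return "cleartext-http"
    return "non-tls"                                 # custom or home-grown protocol: cannot be assumed safe


def audit(flows):
    """Summarize each flow: which app, where it went, and whether TLS was in use."""
    results = []
    for f in flows:
        verdict = classify_payload(f["payload"])
        info = parse_client_hello(f["payload"]) if verdict == "tls" else None
        results.append({"app": f["app"], "dst": f"{f['dst']}:{f['dport']}",
                        "verdict": verdict, "sni": info["sni"] if info else None})
    return results


# Constructed sample flows: hypothetical keyboard apps ime-a, ime-b, ime-c.
SAMPLE_FLOWS = [
    {"app": "ime-a", "dst": "203.0.113.10", "dport": 443, "payload": build_client_hello("cloud.ime-a.example")},
    {"app": "ime-b", "dst": "198.51.100.7", "dport": 80,
     "payload": b"POST /predict?py=nihao HTTP/1.1\r\nHost: ime-b.example\r\n\r\n"},
    {"app": "ime-c", "dst": "192.0.2.55", "dport": 8443, "payload": bytes.fromhex("0a1b2c3d") + b"\x00" * 40},
]

if __name__ == "__main__":
    for row in audit(SAMPLE_FLOWS):
        print(row)
```

A "tls" verdict only shows that transport encryption is in use; it does not prove the app validates the server certificate, and a "non-tls" verdict does not by itself prove the home-grown protocol is breakable. It is a triage step that tells you which connections deserve closer inspection.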

Many of us have learned to use a virtual private network to encrypt the data leaving our devices. However, Knockel told me that not even the best VPN services can help here: a VPN only protects the hop between your device and the VPN server, after which the keyboard app's traffic continues to the vendor's cloud in whatever form the app produced it.

"[That's] just because the traffic is still being sent over the internet," he said. "Whatever encryption it would normally be transmitted, there's still the potential for surveillance after it leaves the VPN server."

Likewise, using a secure, end-to-end encrypted messaging app like Signal cannot help either, and it may even leave you worse off by creating a false sense of security.

"Users of apps like Signal might be adding increased risk just because they might be under this illusion of safety that doesn't actually exist," Knockel said. "Your chat app itself might have end-to-end encryption, but if your keyboard is sending traffic on top of that to some server, that's not end-to-end encrypted at all."
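The point Knockel makes above is about layering: the chat app encrypts the message, but the keyboard has already sent the keystrokes over its own channel. The toy model below is an added example, not code from the article, the report, or any vendor, and it does not reproduce any real keyboard's protocol (the report's specifics are not described on this page). It assumes a hypothetical cloud IME that protects its requests with a key baked into the app, so that anyone who has extracted that key from the app binary can decrypt every user's capture, while the chat message travels under a fresh per-session key the eavesdropper never sees. The keystream construction (SHA-256 in counter mode) and the sample pinyin are constructed for the demo.

```python
"""Toy model: end-to-end encrypted chat does not cover a cloud keyboard's side channel.

Added example, not from the original article or the Citizen Lab report. The
cipher, the static-key scheme and the sample inputs are hypothetical.
"""
import hashlib
import secrets

# Hypothetical: a key shipped inside the keyboard app. Every user of that app
# version shares it, so extracting it once from the binary decrypts all captures.
APP_STATIC_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
NONCE_LEN = 8


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Hash-based keystream: SHA-256(key || nonce || counter), concatenated. Toy construction."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt by XOR with the keystream (symmetric)."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def ime_cloud_request(pinyin: str) -> bytes:
    """What the hypothetical cloud IME sends: nonce || keystrokes encrypted under the app-wide key."""
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + stream_xor(APP_STATIC_KEY, nonce, pinyin.encode("utf-8"))


def chat_send(message: str, session_key: bytes) -> bytes:
    """Chat app path: same cipher, but keyed with a per-session key known only to the two endpoints."""
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + stream_xor(session_key, nonce, message.encode("utf-8"))


def eavesdropper_decrypt(packet: bytes, key: bytes) -> bytes:
    """Passive observer: needs only a copy of the packet plus whatever key it holds."""
    nonce, body = packet[:NONCE_LEN], packet[NONCE_LEN:]
    return stream_xor(key, nonce, body)


def simulate(typed_pinyin: str, sent_message: str) -> dict:
    """Run one message through both channels and report what a passive eavesdropper recovers."""
    session_key = secrets.token_bytes(32)          # agreed between the chat endpoints; never on the wire
    ime_packet = ime_cloud_request(typed_pinyin)   # keyboard channel, observable in transit
    chat_packet = chat_send(sent_message, session_key)  # chat channel, observable in transit

    # The eavesdropper holds only the key extracted from the keyboard app.
    ime_recovered = eavesdropper_decrypt(ime_packet, APP_STATIC_KEY).decode("utf-8", "replace")
    chat_attempt = eavesdropper_decrypt(chat_packet, APP_STATIC_KEY)
    return {
        "ime_recovered": ime_recovered,
        "ime_matches_typed": ime_recovered == typed_pinyin,
        "chat_matches_sent": chat_attempt == sent_message.encode("utf-8"),
    }


if __name__ == "__main__":
    # Constructed sample: the pinyin the user typed and the characters the chat app sent.
    print(simulate("wo de mima shi 1234", "我的密码是1234"))
```

The chat ciphertext is useless to the eavesdropper because its key was never transmitted, yet the same eavesdropper reads the keystrokes that produced the message. Replacing the static key with a fresh per-connection key agreed through an authenticated handshake, which is what TLS provides, is what removes the keyboard channel from a passive observer's reach.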

Who may have been the target?

Citizen Lab might be the first to report on these keyboard apps' vulnerabilities, but the researchers certainly don't rule out that others discovered and exploited them long before.

As the report notes, "the vulnerabilities that we discovered would be inevitably discovered by anyone who thinks to look for them. Furthermore, the vulnerabilities do not require technological sophistication to exploit."

The next obvious question is: who may have been exploiting these vulnerabilities all this time?

While the Chinese government might be the first suspect that comes to mind, the researchers consider this unlikely. As they note, Chinese authorities already have legal means to access citizens' communications, so they have little need for such a capability. It also isn't very plausible that the Chinese government would deliberately weaken the encryption of its own citizens' keyboards in a way that any foreign adversary could exploit just as easily.

Intelligence agencies across the Five Eyes countries (especially the US) are a more plausible option. The Snowden leaks, which began in 2013, already revealed that those agencies exploited weak cryptography in Chinese apps for mass surveillance, with collection programs such as XKeyscore used to sift the resulting traffic.

"Given the enormous intelligence value of knowing what users are typing, we can conclude that not only do the NSA and more broadly the Five Eyes have the capabilities to mass exploit the vulnerabilities we found, but also the strong motivation to exploit them," the report reads. "The only remaining question is whether any [other] government had knowledge of these vulnerabilities."

How can you secure your keystroke privacy?

According to Citizen Lab, two things explain why such dangerous vulnerabilities went undetected for so long: a lack of security research into these apps, and Chinese developers' skepticism of Western-designed security standards such as TLS, which led them to build home-grown encryption instead. It is telling that Huawei, the one vendor that used TLS, was also the only one that passed.

While researchers now urge everyone using one of the unsecured apps to install the latest updated (fixed) version, it's worth remembering that more research is needed to rule out that other keyboard apps, or keyboards for other languages, are vulnerable too.

The good news is that you can actively take some steps to mitigate the risks. 

For starters, keep your operating system and your apps up to date. The fixes for these vulnerabilities shipped as app updates, so install keyboard app updates as soon as a new version becomes available; for keyboards preinstalled by the device maker, that may mean installing the device vendor's system updates as well.

Knockel also suggests that those more concerned about their privacy should switch from a cloud-based keyboard app to one that operates entirely on-device.

"The cloud-based ones offer better Chinese suggestions, so you might not necessarily want to switch. But, in general, that will put you in a safer position, at least from a security and privacy perspective, by not even transmitting that information in the first place."

While not ruling out that keyboards for other languages may also be at risk, Knockel confirmed that Citizen Lab is currently looking into apps from other countries to see whether they are vulnerable too. "But that's still very preliminary," he said.

Chiara Castro
Senior Staff Writer

Chiara is a multimedia journalist committed to covering stories to help promote the rights and denounce the abuses of the digital side of life—wherever cybersecurity, markets and politics tangle up. She mainly writes news, interviews and analysis on data privacy, online censorship, digital rights, cybercrime, and security software, with a special focus on VPNs, for TechRadar Pro, TechRadar and Tom’s Guide. Got a story, tip-off or something tech-interesting to say? Reach out to [email protected]