{"id":51281,"date":"2024-05-22T04:17:51","date_gmt":"2024-05-22T08:17:51","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=51281"},"modified":"2024-05-22T04:17:51","modified_gmt":"2024-05-22T08:17:51","slug":"prevent-android-keylogging-and-ime-spying","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/prevent-android-keylogging-and-ime-spying\/51281\/","title":{"rendered":"What does your Android keyboard tell strangers?"},"content":{"rendered":"<p>\u201cHackers can spy on every keystroke of Honor, OPPO, Samsung, Vivo, and Xiaomi smartphones over the internet\u201d \u2013 alarming headlines like this have been circulating in the media over the past few weeks. Their origin was a rather serious study on <a href=\"https:\/\/citizenlab.ca\/2024\/04\/vulnerabilities-across-keyboard-apps-reveal-keystrokes-to-network-eavesdroppers\/\" target=\"_blank\" rel=\"nofollow noopener\">vulnerabilities in keyboard traffic encryption<\/a>. Attackers who are able to observe network traffic, for example, through an <a href=\"https:\/\/www.kaspersky.com\/blog\/router-malware\/44539\/\" target=\"_blank\" rel=\"noopener nofollow\">infected home router<\/a>, can indeed intercept every keystroke and uncover all your passwords and secrets. But don\u2019t rush to trade in your Android for an iPhone just yet \u2013 this only concerns Chinese language input using the pinyin system, and only if the \u201ccloud prediction\u201d feature is enabled. Nevertheless, we thought it would be worth investigating the situation with other languages and keyboards from other manufacturers.<\/p>\n<h2>Why many pinyin keyboards are vulnerable to eavesdropping<\/h2>\n<p>The <a href=\"https:\/\/en.wikipedia.org\/wiki\/Pinyin\" target=\"_blank\" rel=\"nofollow noopener\">pinyin<\/a> writing system, also known as the Chinese phonetic alphabet, helps users write Chinese words using Latin letters and diacritics. 
It\u2019s the official romanization system for the Chinese language, adopted by the UN among others. Drawing Chinese characters on a smartphone is rather inconvenient, so the pinyin input method is very popular, used by over a billion people, according to some estimates. Unlike many other languages, word prediction for Chinese, especially in pinyin, is difficult to implement directly on a smartphone \u2013 it\u2019s a computationally complex task. Therefore, almost all keyboards (or more precisely, input methods \u2013 IMEs) use \u201ccloud prediction\u201d, meaning they instantaneously send the pinyin characters entered by the user to a server and receive word completion suggestions in return. Sometimes the \u201ccloud\u201d function can be turned off, but this reduces the speed and quality of the Chinese input.<\/p>\n<div id=\"attachment_51287\" style=\"width: 937px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2024\/05\/22041559\/prevent-android-keylogging-and-IME-spying-1.png\"><img decoding=\"async\" aria-describedby=\"caption-attachment-51287\" class=\"size-full wp-image-51287\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2024\/05\/22041559\/prevent-android-keylogging-and-IME-spying-1.png\" alt=\"To predict the text entered in pinyin, the keyboard sends data to the server\" width=\"927\" height=\"931\"><\/a><p id=\"caption-attachment-51287\" class=\"wp-caption-text\">To predict the text entered in pinyin, the keyboard sends data to the server<\/p><\/div>\n<p>Of course, all the characters you type are accessible to the keyboard developers due to the \u201ccloud prediction\u201d system. But that\u2019s not all! Character-by-character data exchange requires special encryption, which many developers fail to implement correctly. 
As a result, all keystrokes and corresponding predictions can be easily decrypted by outsiders.<\/p>\n<p>You can find details about each of the errors found in the <a href=\"https:\/\/citizenlab.ca\/2024\/04\/vulnerabilities-across-keyboard-apps-reveal-keystrokes-to-network-eavesdroppers\/\" target=\"_blank\" rel=\"nofollow noopener\">original source<\/a>, but overall, of the nine keyboards analyzed, only the pinyin IME in Huawei smartphones had correctly implemented TLS encryption and resisted attacks. However, IMEs from Baidu, Honor, iFlytek, OPPO, Samsung, Tencent, Vivo, and Xiaomi were found to be vulnerable to varying degrees, with Honor\u2019s standard pinyin keyboard (Baidu 3.1) and QQ pinyin failing to receive updates even after the researchers contacted the developers. Pinyin users are advised to update their IME to the latest version, and if no updates are available, to download a different pinyin IME.<\/p>\n<h2>Do other keyboards send keystrokes?<\/h2>\n<p>There is no direct technical need for this. For most languages, word and sentence endings can be predicted directly on the device, so popular keyboards don\u2019t require character-by-character data transfer. Nevertheless, data about entered text may be sent to the server for personal dictionary synchronization between devices, for machine learning, or for other purposes not directly related to the primary function of the keyboard \u2013 such as advertising analytics.<\/p>\n<p>Whether you want such data to be stored on Google and Microsoft servers is a matter of personal choice, but it\u2019s unlikely that anyone would be interested in sharing it with outsiders. At least one such incident was publicized in 2016 \u2013 the SwiftKey keyboard was found to be <a href=\"https:\/\/www.androidauthority.com\/swiftkey-suspends-service-data-leak-706680\/\" target=\"_blank\" rel=\"nofollow noopener\">predicting email addresses<\/a> and other personal dictionary entries of other users. 
After the incident, Microsoft temporarily disabled the synchronization service, presumably to fix the errors. If you don\u2019t want your personal dictionary stored on Microsoft\u2019s servers, don\u2019t create a SwiftKey account, and if you already have one, deactivate it and delete the data stored in the cloud by following <a href=\"https:\/\/support.microsoft.com\/en-us\/topic\/microsoft-swiftkey-keyboard-privacy-questions-and-your-data-07e13677-6b38-4ad0-bad0-d41207cab6de\" target=\"_blank\" rel=\"nofollow noopener\">these instructions<\/a>.<\/p>\n<p>There have been no other widely known cases of typed text being leaked. However, research has shown that popular keyboards actively monitor metadata as you type. For example, Google\u2019s Gboard and Microsoft\u2019s SwiftKey <a href=\"https:\/\/www.scss.tcd.ie\/Doug.Leith\/pubs\/gboard_kamil.pdf\" target=\"_blank\" rel=\"nofollow noopener\">send data about every word entered<\/a>: language, word length, the exact input time, and the app in which the word was entered. SwiftKey also sends statistics on how much effort was saved: how many words were typed in full, how many were automatically predicted, and how many were swiped. Considering that both keyboards send the user\u2019s unique advertising ID to the \u201cheadquarters\u201d, this creates ample opportunity for profiling \u2013 for example, it becomes possible to determine which users are corresponding with each other in <strong>any<\/strong> messenger.<\/p>\n<p>If you create a SwiftKey account and don\u2019t disable the \u201cHelp Microsoft improve\u201d option, then according to the privacy policy, \u201csmall samples\u201d of typed text may be sent to the server. 
How this works and the size of these \u201csmall samples\u201d is unknown.<\/p>\n<div id=\"attachment_51286\" style=\"width: 646px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2024\/05\/22041506\/prevent-android-keylogging-and-IME-spying-2.jpg\"><img decoding=\"async\" aria-describedby=\"caption-attachment-51286\" class=\"size-full wp-image-51286\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2024\/05\/22041506\/prevent-android-keylogging-and-IME-spying-2.jpg\" alt='\"Help Microsoft improve\"... what? Collecting your data?' width=\"636\" height=\"793\"><\/a><p id=\"caption-attachment-51286\" class=\"wp-caption-text\">\u201cHelp Microsoft improve\u201d\u2026 what? Collecting your data?<\/p><\/div>\n<p>Google allows you to disable the \u201cShare Usage Statistics\u201d option in Gboard, which significantly reduces the amount of information transmitted: word lengths and apps where the keyboard was used are no longer included.<\/p>\n<div id=\"attachment_51285\" style=\"width: 550px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2024\/05\/22041441\/prevent-android-keylogging-and-IME-spying-3.jpg\"><img decoding=\"async\" aria-describedby=\"caption-attachment-51285\" class=\"size-full wp-image-51285\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2024\/05\/22041441\/prevent-android-keylogging-and-IME-spying-3.jpg\" alt='Disabling the \"Share Usage Statistics\" option in Gboard significantly reduces the amount of information collected' width=\"540\" height=\"899\"><\/a><p id=\"caption-attachment-51285\" class=\"wp-caption-text\">Disabling the \u201cShare Usage Statistics\u201d option in Gboard significantly reduces the amount of information collected<\/p><\/div>\n<p>In terms of cryptography, data exchange in Gboard and SwiftKey did not raise any concerns among the researchers, as both 
apps rely on the standard TLS implementation in the operating system and are resistant to common cryptographic attacks. Therefore, traffic interception in these apps is unlikely.<\/p>\n<p>In addition to Gboard and SwiftKey, the authors also analyzed the popular AnySoftKeyboard app. It fully lived up to its reputation as a keyboard for privacy diehards by not sending any telemetry to servers.<\/p>\n<h2>Is it possible for passwords and other confidential data to leak from a smartphone?<\/h2>\n<p>An app doesn\u2019t have to be a keyboard to intercept sensitive data. For example, <a href=\"https:\/\/arstechnica.com\/gadgets\/2020\/06\/tiktok-and-53-other-ios-apps-still-snoop-your-sensitive-clipboard-data\/\" target=\"_blank\" rel=\"nofollow noopener\">TikTok monitors all data<\/a> copied to the clipboard, even though this function seems unnecessary for a social network. Malware on Android often activates <a href=\"https:\/\/www.kaspersky.com\/blog\/android-most-dangerous-features\/49418\/\" target=\"_blank\" rel=\"noopener nofollow\">accessibility features and administrator rights<\/a> on smartphones to capture data from input fields and directly from files of \u201cinteresting\u201d apps.<\/p>\n<p>On the other hand, an Android keyboard can \u201cleak\u201d not only typed text. For example, the AI.Type keyboard caused a <a href=\"https:\/\/www.zdnet.com\/article\/popular-virtual-keyboard-leaks-31-million-user-data\/\" target=\"_blank\" rel=\"nofollow noopener\">data leak for 31 million users<\/a>. For some reason, it collected data such as phone numbers, exact geolocations, and even the contents of address books.<\/p>\n<h2>How to protect yourself from keyboard and input field spying<\/h2>\n<ul>\n<li>Whenever possible, use a keyboard that doesn\u2019t send unnecessary data to the server. 
Before installing a new keyboard app, search the web for information about it \u2013 if there have been any scandals associated with it, they will show up immediately.<\/li>\n<li>If you\u2019re more concerned about the keyboard\u2019s convenience than its privacy (we don\u2019t judge, the keyboard is important), go through the settings and disable the synchronization and statistics transfer options wherever possible. These may be hidden under various names, including \u201cAccount\u201d, \u201cCloud\u201d, \u201cHelp us improve\u201d, and even <a href=\"https:\/\/support.google.com\/gboard\/answer\/12373137?hl=en\" target=\"_blank\" rel=\"nofollow noopener\">\u201cAudio donations\u201d<\/a>.<\/li>\n<li>Check which <a href=\"https:\/\/www.kaspersky.com\/blog\/android-8-permissions-guide\/23981\/\" target=\"_blank\" rel=\"noopener nofollow\">Android permissions<\/a> the keyboard needs and revoke any that it doesn\u2019t need. Access to contacts or the camera is definitely not necessary for a keyboard.<\/li>\n<li>Only install apps from trusted sources, check the app\u2019s reputation, and, again, don\u2019t give it excessive permissions.<\/li>\n<li>Use comprehensive protection for all your Android and iOS smartphones, such as <a href=\"https:\/\/www.kaspersky.com\/premium?icid=gl_bb2023-kdplacehd_acq_ona_smm__onl_b2c_kdaily_lnk_sm-team___kprem___\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Premium<\/a>.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>We explore whether it\u2019s possible to reveal all your secrets via your smartphone&#8217;s on-screen 
keyboard.<\/p>\n","protected":false},"author":2722,"featured_media":51282,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[9],"tags":[105,109,282,1984,43,97],"class_list":{"0":"post-51281","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-tips","8":"tag-android","9":"tag-apps","10":"tag-cybersecurity","11":"tag-keyboard","12":"tag-privacy","13":"tag-security-2"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/prevent-android-keylogging-and-ime-spying\/51281\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/prevent-android-keylogging-and-ime-spying\/27472\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/prevent-android-keylogging-and-ime-spying\/22790\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/prevent-android-keylogging-and-ime-spying\/30145\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/prevent-android-keylogging-and-ime-spying\/27624\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/prevent-android-keylogging-and-ime-spying\/27395\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/prevent-android-keylogging-and-ime-spying\/30045\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/prevent-android-keylogging-and-ime-spying\/28905\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/prevent-android-keylogging-and-ime-spying\/37472\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/prevent-android-keylogging-and-ime-spying\/21899\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/prevent-android-keylogging-and-ime-spying\/22635\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/prevent-android-keylogging-and-ime-spying\/31291\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/prevent-android-keyloggin
g-and-ime-spying\/36422\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/prevent-android-keylogging-and-ime-spying\/27779\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/prevent-android-keylogging-and-ime-spying\/33619\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/prevent-android-keylogging-and-ime-spying\/33283\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/android\/","name":"Android"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/51281","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2722"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=51281"}],"version-history":[{"count":3,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/51281\/revisions"}],"predecessor-version":[{"id":51288,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/51281\/revisions\/51288"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/51282"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=51281"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=51281"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=51281"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}