What does your Android keyboard tell strangers?


“Hackers can spy on every keystroke of Honor, OPPO, Samsung, Vivo, and Xiaomi smartphones over the internet” – alarming headlines like this have been circulating in the media over the past few weeks. They originate from a rather serious study of vulnerabilities in the encryption of keyboard traffic. Attackers who are able to observe network traffic, for example through an infected home router, can indeed intercept every keystroke and uncover all your passwords and secrets. But don’t rush to trade in your Android for an iPhone just yet – this only concerns Chinese language input using the pinyin system, and only if the “cloud prediction” feature is enabled. Nevertheless, we thought it would be worth investigating the situation with other languages and keyboards from other manufacturers.

Why many pinyin keyboards are vulnerable to eavesdropping

The pinyin writing system, also known as the Chinese phonetic alphabet, helps users write Chinese words using Latin letters and diacritics. It’s the official romanization system for the Chinese language, adopted by the UN among others. Drawing Chinese characters on a smartphone is rather inconvenient, so the pinyin input method is very popular, used by over a billion people, according to some estimates. Unlike many other languages, word prediction for Chinese, especially in pinyin, is difficult to implement directly on a smartphone – it’s a computationally complex task. Therefore, almost all keyboards (or more precisely, input methods – IMEs) use “cloud prediction”, meaning they instantaneously send the pinyin characters entered by the user to a server and receive word completion suggestions in return. Sometimes the “cloud” function can be turned off, but this reduces the speed and quality of the Chinese input.

Image: To predict the text entered in pinyin, the keyboard sends data to the server

Of course, all the characters you type are accessible to the keyboard developers due to the “cloud prediction” system. But that’s not all! Character-by-character data exchange requires special encryption, which many developers fail to implement correctly. As a result, all keystrokes and corresponding predictions can be easily decrypted by outsiders.

You can find details about each of the errors found in the original source, but overall, of the nine keyboards analyzed, only the pinyin IME in Huawei smartphones had correctly implemented TLS encryption and resisted attacks. However, IMEs from Baidu, Honor, iFlytek, OPPO, Samsung, Tencent, Vivo, and Xiaomi were found to be vulnerable to varying degrees, with Honor’s standard pinyin keyboard (Baidu 3.1) and QQ pinyin failing to receive updates even after the researchers contacted the developers. Pinyin users are advised to update their IME to the latest version, and if no updates are available, to download a different pinyin IME.

Do other keyboards send keystrokes?

There is no direct technical need for this. For most languages, word and sentence endings can be predicted directly on the device, so popular keyboards don’t require character-by-character data transfer. Nevertheless, data about entered text may be sent to the server for personal dictionary synchronization between devices, for machine learning, or for other purposes not directly related to the primary function of the keyboard – such as advertising analytics.

Whether you want such data to be stored on Google and Microsoft servers is a matter of personal choice, but few people would want it shared with outsiders. At least one such incident was publicized in 2016 – the SwiftKey keyboard was found to be predicting email addresses and other personal dictionary entries belonging to other users. After the incident, Microsoft temporarily disabled the synchronization service, presumably to fix the errors. If you don’t want your personal dictionary stored on Microsoft’s servers, don’t create a SwiftKey account; if you already have one, deactivate it and delete the data stored in the cloud by following these instructions.

There have been no other widely known cases of typed text being leaked. However, research has shown that popular keyboards actively monitor metadata as you type. For example, Google’s Gboard and Microsoft’s SwiftKey send data about every word entered: language, word length, the exact input time, and the app in which the word was entered. SwiftKey also sends statistics on how much effort was saved: how many words were typed in full, how many were automatically predicted, and how many were swiped. Considering that both keyboards send the user’s unique advertising ID to the “headquarters”, this creates ample opportunity for profiling – for example, it becomes possible to determine which users are corresponding with each other in any messenger.

If you create a SwiftKey account and don’t disable the “Help Microsoft improve” option, then according to the privacy policy, “small samples” of typed text may be sent to the server. How this works and the size of these “small samples” is unknown.

Image: “Help Microsoft improve”… what? Collecting your data?

Google allows you to disable the “Share Usage Statistics” option in Gboard, which significantly reduces the amount of information transmitted: word lengths and apps where the keyboard was used are no longer included.

Image: Disabling the “Share Usage Statistics” option in Gboard significantly reduces the amount of information collected

In terms of cryptography, data exchange in Gboard and SwiftKey did not raise any concerns among the researchers, as both apps rely on the standard TLS implementation in the operating system and are resistant to common cryptographic attacks. Therefore, traffic interception in these apps is unlikely.

In addition to Gboard and SwiftKey, the authors also analyzed the popular AnySoftKeyboard app. It fully lived up to its reputation as a keyboard for privacy diehards by not sending any telemetry to servers.

Is it possible for passwords and other confidential data to leak from a smartphone?

An app doesn’t have to be a keyboard to intercept sensitive data. For example, TikTok monitors all data copied to the clipboard, even though this function seems unnecessary for a social network. Malware on Android often activates accessibility features and administrator rights on smartphones to capture data from input fields and directly from files of “interesting” apps.

On the other hand, an Android keyboard can “leak” not only typed text. For example, the AI.Type keyboard caused a data leak for 31 million users. For some reason, it collected data such as phone numbers, exact geolocations, and even the contents of address books.

How to protect yourself from keyboard and input field spying

  • Whenever possible, use a keyboard that doesn’t send unnecessary data to the server. Before installing a new keyboard app, search the web for information about it – if there have been any scandals associated with it, it will show up immediately.
  • If you’re more concerned about the keyboard’s convenience than its privacy (we don’t judge, the keyboard is important), go through the settings and disable the synchronization and statistics transfer options wherever possible. These may be hidden under various names, including “Account”, “Cloud”, “Help us improve”, and even “Audio donations”.
  • Check which Android permissions the keyboard needs and revoke any that it doesn’t need. Access to contacts or the camera is definitely not necessary for a keyboard.
  • Only install apps from trusted sources, check the app’s reputation, and, again, don’t give it excessive permissions.
  • Use comprehensive protection for all your Android and iOS smartphones, such as Kaspersky Premium.
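The permission check from the list above can be scripted over adb instead of tapping through the settings of every keyboard. The script below is an added example written for this page; it is not code from the original article or from Kaspersky. It assumes a device with USB debugging enabled is attached and that `adb` is on the PATH. It lists the enabled keyboards with `ime list -s`, reads each package’s permission state from `dumpsys package`, and prints the `pm revoke` command for every granted permission a keyboard has no need for. Which permissions count as unnecessary is this example’s own choice, based on the points made above (contacts and camera, plus the locations and phone numbers that AI.Type collected); the parsing is kept in a separate function and a constructed `dumpsys` excerpt is embedded so the logic can be exercised without a device.

```shell
#!/bin/sh
# Audit the Android permissions granted to installed keyboards over adb.
# Added example, not from the original article. Assumes `adb` is on the
# PATH and a device with USB debugging enabled is attached.

# Runtime permissions a keyboard has no legitimate need for. The article
# names contacts and camera explicitly; location and phone-number access are
# included because of the AI.Type leak. This list is an assumption of the
# example; microphone access is deliberately left out because keyboards with
# voice typing use it for their primary function.
SENSITIVE_PERMS="android.permission.READ_CONTACTS
android.permission.CAMERA
android.permission.ACCESS_FINE_LOCATION
android.permission.ACCESS_COARSE_LOCATION
android.permission.READ_PHONE_STATE"

# Constructed excerpt of `dumpsys package` output for an imaginary keyboard,
# used only for the offline demonstration at the bottom of the file.
SAMPLE_DUMPSYS='Package [com.example.keyboard]:
  runtime permissions:
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET]
      android.permission.CAMERA: granted=false, flags=[ USER_SET]
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET]
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET]
  install permissions:
    android.permission.INTERNET: granted=true'

# Reads `dumpsys package <pkg>` output on stdin and prints, one per line,
# each sensitive permission that is currently granted. dumpsys reports a
# permission as a line like
#     android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET]
granted_sensitive_perms() {
    grep -E '^[[:space:]]*android\.permission\.[A-Z0-9_]+: granted=true' |
        cut -d: -f1 | tr -d ' \t' |
        while read -r perm; do
            for s in $SENSITIVE_PERMS; do
                if [ "$perm" = "$s" ]; then
                    echo "$perm"
                fi
            done
        done
}

# Package names of the keyboards currently enabled on the device.
# `ime list -s` prints IME ids as <package>/<service class>.
enabled_keyboard_packages() {
    adb shell ime list -s | tr -d '\r' | cut -d/ -f1 | sort -u
}

# For every enabled keyboard, show the unnecessary grants together with the
# exact adb command that revokes each one. Nothing is revoked automatically:
# review the list, then run the printed commands for the ones you agree with.
audit_keyboards() {
    enabled_keyboard_packages | while read -r pkg; do
        [ -n "$pkg" ] || continue
        echo "== $pkg"
        adb shell dumpsys package "$pkg" | tr -d '\r' | granted_sensitive_perms |
            while read -r perm; do
                echo "   granted:     $perm"
                echo "   revoke with: adb shell pm revoke $pkg $perm"
            done
    done
}

# Run the live audit only when asked explicitly (`sh ime_audit.sh --live`);
# otherwise demonstrate the parser on the constructed sample.
if [ "${1:-}" = "--live" ]; then
    audit_keyboards
else
    printf '%s\n' "$SAMPLE_DUMPSYS" | granted_sensitive_perms
fi
```

`pm revoke` only applies to runtime (“dangerous”) permissions, which is exactly the category listed in `SENSITIVE_PERMS`; install-time permissions such as `INTERNET` show up in `dumpsys` too, but the filter ignores them. The script prints the revoke commands rather than executing them so that a keyboard you actually rely on for, say, contact-name suggestions is not broken without you noticing.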

Original article by Stan Kaminsky: What does your Android keyboard tell strangers?

Copyright notice: posted by admin on 24 May 2024 at 10:13 PM.
When reposting, please credit: What does your Android keyboard tell strangers? | CTF导航
