Domestic cloud input methods: only Huawei has no cloud data upload security issues

Researchers from Citizen Lab at the University of Toronto in Canada analyzed the cloud input methods of nine manufacturers: Baidu, Honor, Huawei, iFlytek, OPPO, Vivo, Samsung, Tencent, and Xiaomi. They found that the input method software of eight of them contained serious vulnerabilities that allowed the researchers to completely break the encryption the manufacturers had designed to protect user input. Some manufacturers did not use any encryption at all to protect what users type.

▲ Schematic diagram of the BCTR mode encryption scheme used by Baidu IME on Android and iOS

The researchers submitted vulnerability reports to the nine affected developers. Most developers took the problem seriously, responded, and patched the vulnerabilities. However, a few input methods still have not been patched.

Among the applications tested from the nine manufacturers, only Huawei's products were found to have no security issues related to uploading user input to the cloud. Each of the other manufacturers has at least one application containing vulnerabilities that allow a passive network attacker to monitor the complete content of what the user types.


Reference links

https://citizenlab.ca/2024/04/vulnerabilities-across-keyboard-apps-reveal-keystrokes-to-network-eavesdroppers/

https://citizenlab.ca/2024/04/%e6%95%b2%e6%95%b2%e6%89%93%e6%89%93%e4%b8%80%e7%b3%bb%e5%88%97%e4%ba%91%e7%ab%af%e8%be%93%e5%85%a5%e6%b3%95%e6%bc%8f%e6%b4%9e%e4%bd%bf%e7%bd%91%e7%bb%9c%e6%94%bb%e5%87%bb%e8%80%85%e5%be%97-zh-cn/

https://citizenlab.ca/wp-content/uploads/2024/04/CitizenLabReport175-keyboardvuln.pdf

Origin www.oschina.net/news/289288