In this report, we analyze the Windows, Android, and iOS versions of Tencent’s Sogou Input Method, the most popular Chinese-language input method in China. Our analysis found serious vulnerabilities in the app’s custom encryption system and how it encrypts sensitive data. These vulnerabilities could allow a network eavesdropper to decrypt sensitive communications sent by the app, including revealing all keystrokes being typed by the user. Following our disclosure of these vulnerabilities, Sogou released updated versions of the app that identified all of the issues we disclosed.
Vulnerabilities in Sogou Keyboard encryption expose keypresses to network eavesdropping.
3rd party keyboards exist for iOS - I used to use them too. Keyboards can access every app that you use a keyboard in, so basically everything from your passwords to credit card can be logged. There’d be a popup warning about it on installation that everyone ignores.
But the native keyboard does adopt parts of other good apps + lack of substantial development in said apps (looking at you, SwiftKey iOS). Once the native keyboard added slide to type + spacebar navigation years back, third party keyboards lost their lustre for me lol.
Technically Apple could log all our keypresses too. It’s just a matter of whether that sort of data is worth it for them to collect, or are they prioritising security with their current focuses on privacy features in newer updates.