In this report, we analyze the Windows, Android, and iOS versions of Tencent's Sogou Input Method, the most popular Chinese-language input method in China. Our analysis found serious vulnerabilities in the app's custom encryption system and in how it encrypts sensitive data. These vulnerabilities could allow a network eavesdropper to decrypt sensitive communications sent by the app, including revealing all keystrokes typed by the user. Following our disclosure of these vulnerabilities, Sogou released updated versions of the app that resolved all of the issues we disclosed.
Vulnerabilities in Sogou Keyboard encryption expose keypresses to network eavesdropping.
“Your keyboard may occasionally capture ‘snippets’ of your typing. This includes short phrases, plus data about the keypresses you made to type the words, and whether you deleted or changed anything. These snippets are captured anonymously and you do not need to be signed in to share them.”
https://support.microsoft.com/en-gb/topic/microsoft-swiftkey-keyboard-sharing-your-typing-data-faq-d737059d-8810-448e-b376-9af56171a37d#:~:text=If you are signed in,separate Microsoft product improvement service.

From Microsoft themselves.