In this report, we analyze the Windows, Android, and iOS versions of Tencent’s Sogou Input Method, the most popular Chinese-language input method in China. Our analysis found serious vulnerabilities in the app’s custom encryption system and how it encrypts sensitive data. These vulnerabilities could allow a network eavesdropper to decrypt sensitive communications sent by the app, including revealing all keystrokes being typed by the user. Following our disclosure of these vulnerabilities, Sogou released updated versions of the app that identified all of the issues we disclosed.
Vulnerabilities in Sogou Keyboard encryption expose keypresses to network eavesdropping.
For an AAC user, it can be super helpful to be able to install a custom communication system as a keyboard, as then they can use it with all the other apps. The keyboard apps have the same disclosures as all the others, and you should avoid giving one the ability to export data with access to the Internet. Really, any app can do this while you’re in it, and also those name-brand apps you bank with or whatever are made by third parties and could be logging anything to anywhere if no one bothered to check.
That said, I am unhappy with how the Android Play Store has never allowed you to filter apps by permission and has made it harder and harder to even see what permissions an app will request or “require”. The permissions system is so good; it should be made more fine-grained, but instead they seem focused on “data safety statements” that are just CYA for the platform as far as I can tell.
You need something that can watch/report your Internet traffic around the clock and selectively “fail” DNS lookups you don’t like, or something. I think iPhone does have something like this built in?
This is something I dislike about iOS, too. The App Store doesn’t distinguish in its privacy summaries.