How ubiquitous keyboard software puts hundreds of millions of Chinese users at risk

For millions of Chinese people, the first software they download on a new laptop or smartphone is always the same: a keyboard app. Yet few of them are aware that it may make everything they type vulnerable to spying eyes. Since dozens of Chinese characters can share the same latinized phonetic spelling, the ordinary QWERTY…

Starting in the PC era, Chinese software developers proposed all kinds of IME products to expedite typing, some even ditching phonetic spelling and allowing users to draw or choose the components of a Chinese character. As a result, downloading third-party keyboard software became standard practice for everyone in China.

Released in 2006, Sogou Input Method quickly became the most popular keyboard app in the country. It was more capable than any competitor in predicting which character or word the user actually wanted to type, and it did that by scraping text from the internet and maintaining an extensive library of Chinese words. The cloud-based library was updated frequently to include newly coined words, trending expressions, or names of people in the news. In 2007, when Google launched its Chinese keyboard, it even copied Sogou’s word library (and later had to apologize).

In 2014, when the iPhone finally enabled third-party IMEs for the first time, Chinese users rushed to download Sogou’s keyboard app, leaving 3,000 reviews in just one day. At one point, over 90% of Chinese PC users were using Sogou.

Over the years, its market dominance has waned; as of last year, Baidu Input Method was the top keyboard app in China, with 607 million users and 46.4% of the market share. But Sogou still had 561 million users, according to iiMedia, an analytics firm

Exposing the loophole

A keyboard app can access a wide variety of user information. For example, once Sogou is downloaded and added to the iPhone keyboard options, the app will ask for “full access.” If it’s granted, anything the user types can be sent to Sogou’s cloud-based server. 

Connecting to the cloud is what makes most IMEs successful, allowing them to improve text prediction and enable other miscellaneous features, like the ability to search for GIFs and memes. But this also adds risk since content can, at least in theory, be intercepted during transmission. 

It becomes the apps’ responsibility to properly encrypt the data and prevent that from happening. Sogou’s privacy policy says it has “adopted industry-standard security technology measures … to maximize the prevention of leak, destruction, misuse, unauthorized access, unauthorized disclosure, or alteration” of users’ personal information.