> While many keyboard apps operate locally, solely within a user’s device, IME-based keyboard apps often have cloud features which enhance their functionality. Because of the complexities of predicting which characters a user may want to type next, especially in logographic languages like Chinese, IMEs often offer “cloud-based” prediction services which reach out over the network. Enabling “cloud-based” features in these apps means that longer strings of syllables that users type will be transmitted to servers elsewhere
LinuxBender 10 days ago [-]
Interesting. Testing this myself I have an uleFone running Android and when I pull up the text messaging interface there is a load of isakmp traffic to t-mobile and it continuously talks to Google AS15169 over HTTPS I assume for RCS. Every character I type creates a burst of isakmp vpn traffic. LTE over Wifi
I've not installed any keyboard apps, this is the bog standard uleFone. This happens even if I disable smart-reply and I always disable the Let others know when I am typing. I must be missing a setting somewhere. It's odd that if RCS uses Google over HTTPS then I dont know why it sends so many packets for each character I type to TMO over their VPN / isakmp especially since I have not sent a message. The isakmp packet rate is reduced slightly if I disable spell checking which allowed me to change more settings that were greyed out.
I guess my question is why would my phone mirror all my keypresses to both TMO over their VPN and to Google over RCS in bigger bursts vs keypress, all without my actually sending a message? It appears that to debug this I have to install Magisk to use my Squid SSL Bump proxy but I doubt that will help my with the isakmp traffic unless they bootstrap the preshared secret over HTTPS on a domain not using public key pinning which Google has on several subdomains.
pheatherlite 10 days ago [-]
What the f... woah
xinayder 10 days ago [-]
Gboard and Samsung Keyboard have built-in features to search for GIFs or do web searches, for example.
Who would have thought having cloud connected keyboards would be a bad thing, right?
7373737373 8 days ago [-]
If this is true, this company should be sued out of existence.
jsiepkes 10 days ago [-]
Personally I would never install a third-party keyboard but apparently in China it's quite common.
There was also the "row" between Singal and the Chinese based blogger a couple years back [1]. So this is quite a long standing issue.
When Apple announced third-party keyboard support for the iPhone, the implementation annoyingly reverted to Apple's own keyboard for password or other "sensitive" entries, specifically to mitigate this problem.
kaanyalova 9 days ago [-]
Wouldn't refusing network access for keyboards be a better solution, on Android majority of open source keyboard apps don't have network permission at all.
bashZorina_09 8 days ago [-]
This is my dream scenario, stock Android and iOS having the feature to disable network access for apps.
It's such a simple, quality of life improvement for certain apps that I know I never want to phone home for any reason outside of 'cloud centric' features. Blocking traffic and DNS requests by hand is time-consuming, and new servers / connections can prop up at anytime without one's knowledge, not to mention you might block a domain for a specific app but need it for another (star.c10r.facebook.com for example, which also blocks Meta AI research websites).
I kind of get why they wouldn't, such as unexpected behaviour, sweet data collection and license checking, but man. At least a handful of custom ROMs and local-VPN privacy apps on Android allows for this.
Yes, this is what I meant by local VPN privacy app (didn't find the right words admittedly, as it's not a standalone firewall per say and unfortunately cannot be used in tandem with a real VPN tunnel), excellent one though!
> Samsung Keyboard on Android, which transmits keystroke data via plain, unencrypted HTTP
Why is the keyboard sending any data at all? Is it essentially keylogging to Samsung servers or am I misinterpreting this?
https://citizenlab.ca/2024/04/vulnerabilities-across-keyboar...
> While many keyboard apps operate locally, solely within a user’s device, IME-based keyboard apps often have cloud features which enhance their functionality. Because of the complexities of predicting which characters a user may want to type next, especially in logographic languages like Chinese, IMEs often offer “cloud-based” prediction services which reach out over the network. Enabling “cloud-based” features in these apps means that longer strings of syllables that users type will be transmitted to servers elsewhere
I've not installed any keyboard apps, this is the bog standard uleFone. This happens even if I disable smart-reply and I always disable the Let others know when I am typing. I must be missing a setting somewhere. It's odd that if RCS uses Google over HTTPS then I dont know why it sends so many packets for each character I type to TMO over their VPN / isakmp especially since I have not sent a message. The isakmp packet rate is reduced slightly if I disable spell checking which allowed me to change more settings that were greyed out.
I guess my question is why would my phone mirror all my keypresses to both TMO over their VPN and to Google over RCS in bigger bursts vs keypress, all without my actually sending a message? It appears that to debug this I have to install Magisk to use my Squid SSL Bump proxy but I doubt that will help my with the isakmp traffic unless they bootstrap the preshared secret over HTTPS on a domain not using public key pinning which Google has on several subdomains.
Who would have thought having cloud connected keyboards would be a bad thing, right?
There was also the "row" between Singal and the Chinese based blogger a couple years back [1]. So this is quite a long standing issue.
[1] https://www.reddit.com/r/privacytoolsIO/comments/kzpxwt/opin...
It's such a simple, quality of life improvement for certain apps that I know I never want to phone home for any reason outside of 'cloud centric' features. Blocking traffic and DNS requests by hand is time-consuming, and new servers / connections can prop up at anytime without one's knowledge, not to mention you might block a domain for a specific app but need it for another (star.c10r.facebook.com for example, which also blocks Meta AI research websites).
I kind of get why they wouldn't, such as unexpected behaviour, sweet data collection and license checking, but man. At least a handful of custom ROMs and local-VPN privacy apps on Android allows for this.
https://news.ycombinator.com/item?id=40149332