A team of Canadian and international cybersecurity researchers has raised alarms about the Sogou mobile keyboard, widely used on Android devices, which has been shown to transmit everything users type to Tencent, a major IT company based in China. The disclosure highlights how such data transmission can occur covertly, leaving users unaware that their keystrokes are being collected and reviewed on remote servers. The researchers examined multiple operating systems, including Windows, Android, and iOS, and identified serious security gaps within EncryptWall, a custom encryption layer used by the keyboard. According to the researchers, these gaps appear to allow sensitive keystroke data to be reconstructed if exploited in a breach. Despite the findings, the Sogou keyboard remains available in app stores, which means millions of users could still be at risk.
Tencent has acknowledged the vulnerability, and The Citizen Lab, a leading digital rights watchdog, estimated that more than 450 million users could have been exposed by the flaw. The risk is not limited to login credentials but could also include passwords and intimate personal messages stored or transmitted through the keyboard. The situation underscores how keyboard applications can act as a high-value conduit for sensitive information if their data handling practices and encryption are not properly secured. The risk is not purely hypothetical; it has real implications for user privacy and data sovereignty across North America as well as globally.
Following extensive dialogue with The Citizen Lab, developers behind Sogou undertook remediation actions. Updates were released for all supported versions of the keyboard, and guidance was issued to improve the security of keystroke data handling. The episode serves as a reminder that software components, even those perceived as utilities, can become points of vulnerability if security testing and transparent data practices are not prioritized. It also highlights the importance of scrutinizing third-party keyboards and other input tools that operate with broad access to user data on multiple platforms.
The incident has sparked renewed conversations about mobile privacy across Canada, the United States, and other markets. Industry observers urge device owners to review the permissions granted to keyboard apps, to install updates only from trusted sources, and to consider alternatives that prioritize robust end-to-end protections and transparent security auditing. Researchers emphasize the value of ongoing collaboration among security teams, platform providers, and researchers to ensure that encryption schemes remain resilient against evolving threats. In the wake of this case, user safety remains a central concern as digital life becomes increasingly intertwined with everyday communication on mobile devices. One takeaway is clear: security is not a one-off fix but a continuous process that requires vigilant testing, timely updates, and clear accountability for who can access data and under what circumstances.