this post was submitted on 24 Aug 2023
51 points (94.7% liked)

Privacy

31982 readers
336 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

Chat rooms

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
 

I was taking a look at the Naomi Wu situation (A Chinese DIY tech youtuber who went missing after being watched by the government) and in one part they mentioned that she was concerned about her privacy, so started using Signal, but had a default chinese keyboard that had a keylogger and the police had looked into what she was talking on there.

I'm not sure if it was a mobile only thing, but it was mentioned that the keyboard app was used in like 70% por chinese smarthphones.

Now, I use AnySoftKey and refuse to use default keyboard apps, but how far can we reach on the keyboard security thing? Is typing on a computer or using a physical keyboard on a mobile device 100% safe? I think the keyboard issue is often overlooked and would like to know what recommendations your have? Or what should be known more?

all 45 comments
sorted by: hot top controversial new old
[–] [email protected] 13 points 1 year ago

It is very wise to use a FOSS keyboard app, because if you think about it a keyboard app would probably be the thing on your phone that knows the most about you. I don't mean that to fear monger, it's just a thought. Plus if you look at events in the past few years like swiftkey's little user data error it gives you an idea of how privacy invasive they could or could already be.

[–] [email protected] 13 points 1 year ago (2 children)

Holy shit I didn't know she was missing.

I guess advocating open source is enough to be imprisoned.

[–] [email protected] 12 points 1 year ago* (last edited 1 year ago)

Not quite missing, but she said she had received strike 2 of 3, and the 3rd one is really bad. So she's going quiet to avoid any potential stuff from happening.

https://www.hackingbutlegal.com/p/naomi-wu-and-the-silence-that-speaks-volumes

[–] [email protected] 7 points 1 year ago

Welcome to the CCP

[–] [email protected] 11 points 1 year ago (1 children)

For those who would like to know more about what happened to Naomi Wu, aka SexyCyborg:

https://www.hackingbutlegal.com/p/naomi-wu-and-the-silence-that-speaks-volumes

[–] [email protected] 3 points 1 year ago

Thanks for the link!
I have been worried about her ever since the "clipped wings" tweet. Hope she's doing ok 😮‍💨

[–] [email protected] 6 points 1 year ago (3 children)

Probably a good place to ask. Are there any FOSS keyboard apps for Android with swipe typing?

[–] [email protected] 6 points 1 year ago (1 children)

AnySoftKeyboard is FOSS and supports gesture typing. It has not been updated in a while and I find it buggy.

Helium314's OpenBoard fork is FOSS but supports Google's proprietary gesture typing library.

FlorisBoard is FOSS and supports gesture typing, but does not have word predictions. It is being worked on.

[–] [email protected] 3 points 1 year ago (2 children)

I use FlorisBoard - but it's under heavy development at the moment, as the dev is doing a complete rewrite... autocorrect isn't implemented yet, but swipe/gesture typing is.

There is another one that has swipe typing and autocorrect but can't recall the name at the moment

[–] [email protected] 3 points 1 year ago

Thanks for the suggestion. I have used this keyboard for about a day now and I love it. I didn't expect much going in but it actually has a lot of features and options.

[–] [email protected] 1 points 1 year ago (1 children)
[–] [email protected] 3 points 1 year ago

Yes, but you need this fork for swiping gestures.

https://github.com/erkserkserks/openboard

The reason is easy, the libary for swiping is propetary, FOSS projects won't use it and cut this feature.

[–] [email protected] 1 points 1 year ago (1 children)

Came here looking for the same thing. I still use Gboard because of swipe :(

[–] [email protected] 3 points 1 year ago

Use grapheneos, lineageos or something similar. Those contain the AOSP keyboard instead of the google keyboard.

[–] [email protected] 1 points 1 year ago (1 children)

I think the keyboard issue is often overlooked and would like to know what recommendations your have? Or what should be known more?

Overlooked? Not really, for years I have never used built-in keyboard from stock rom, keyboards from goolag store or goolag board.

Most people stick with non-foss keyboards just because it's convenient

[–] [email protected] 2 points 1 year ago

I can't lie, gboard is incredible, especially since I use two languages, and I don't have to switch the language every time, it just figures out which language to autocorrect to. switched to open board either way, but I do miss the convenience of gboard

[–] [email protected] 1 points 1 year ago

So, the keyboard is important, and is one thing; but one must not overlook that on touch devices, software keyboards run on top of operating systems, and hardware, too.

Actual keyboards made of physical keys/domes/switches, embedded controllers, and USB chips/cables, even if they seemingly present a similar attack surface (after all, they are also connected to hardware with an operating system), are practically harder to compromise.

Yes, in both cases, the operating system has access to the information (be it via the USB subsystem, or via the touch/input subsystem, etc), and the hardware too; but computer hardware is more heterogeneous, more modular and standardized, and "auditable" operating systems are much more common, and readily deployable. Heck, it is entirely possible to run open hardware and open software (including the toolchain to build said software) with a computer; but the same for mobile devices is very much uncharted territory.

The result is that even with our best effort, a mobile device is at the very best a black box, with an unlocked bootloader, a community provided recovery and operating system, often downloaded from random file hosting services, and built with toolchains of variable quality with several proprietary components.

This is not ideal, and it is the best case scenario. In many cases, people run the stock recovery/operating system, and simply sideload software on a device they do not even have root access to.

The takeaway here, is that while nothing is perfect, and there is always an attack surface, using unpredictable components (e.g. standardized, modular), with unpredictable software (e.g. dozen of different operating system families, each with their own version and qwirks), while also having a community of technologists auditing the code (even if only a handful of developers, there is much less risk of them all organizing towards a harmful goal than with a team of employees from a company ultimately led by a single person), practically provides a significantly different environment.
And unless you're an embedded engineer/genius able to design bug-free (g'luck) PCBs from open hardware ICs (so you can have them made via your vendor of choice) and simple components, and then use software you, or people you trust, audited, you have to recognize that you can only do "less bad".

Less bad being a dev-friendly device (old Google pixels come to mind, not sure if they're still like that), installing lineage, /e/ or another alternative system on it, and using software from f-droid (like AnySoftKeyboard - the one I am actually using for typing this).

That, or you decide to trust the reputable (YMMV) company of your choice with your digital life, identity, and data. Many pros I know in infosec go for Apple. It is true that, at least for professional use cases, with companies in the US or in western Europe, it arguably makes sense.

[–] [email protected] 1 points 1 year ago (2 children)

On a standard computer, be it a desktop or laptop, it's very hard to effectively avoid keylogging.

I don't say you 100% have a keylogger on your PC, that's not my point.
My point is that both on Windows, and on Linux systems that use the X11 window system instead of Wayland, any program can log your let presses with basically no effort.
On windows this is somewhat restricted when a program opens a secure desktop (a temporary "desktop", usually (always?) with a single window). This happens when you have to grant admin rights to a program, but other programs can request such a thing too, like the keepass password manager can be set to prompt for the password on a secure desktop. I don't know if the X11 window system of Linux has a similar feature.

But, as the other commenter said too, it depends on your threat model, because it can go a lot deeper than your choice of keyboard app.
If you use the original system of your smartphone, the manufacturer may have hidden software in it that can log your key presses even without cooperation if your keyboard app.
But if the modem - which is basically a different operating system that runs in parralel to the main one, but with the purpose of handling the connection with the cellular network, besides doing quite a few other things too - could get compromised, often it could be used to have open access to all the hardware that your main, android operating system uses. How is this on topic? This way intruders could observe where do you touch the touch screen, among a lot of other things.

[–] [email protected] 1 points 1 year ago (2 children)

This is exactly why Wayland replacing X11 is a good thing. X11 was developed in an academic, on-prem LAN environment where such security wasn't a big consideration in its architectural design and needs to be allowed to gracefully retire from mainline use.

[–] [email protected] 2 points 1 year ago (1 children)

I really don't see why you couldn't attack wayland if you're running code locally. Wayland is going to need keyboard hooks anyway to enable important productivity tools like anykey and clipboard managers.

[–] [email protected] 2 points 1 year ago* (last edited 1 year ago)

Absolutely. With local and physical access, attacks are very doable. Starting with a security-conscious architecture means that it's easier to improve over time.

ETA: The main point is that tech and use cases have evolved. This means that architecture of existing components needs to be re-evaluated for whether they are still a good way of accomplishing a task. In the case of X.org/X11, the architecture is more challenging to secure due to fundamental design. Wayland may not have full parity for remote use yet but, currently, security is generally a higher priority, so, its newer architecture that DOES consider security and sandboxing gives a better starting point in that area.

I fully anticipate that Wayland will also be replaced in the future as tech and use evolves further (does it consider AR/XR? Man-Machine-Interfaces that might see adoption? etc.). Like biology, it's the nature of tech to evolve and, since there isn't a sign that bad actors will be absent in the future, Wayland's architecture will likely end up being insufficient to secure against input logging attacks of the future.

[–] [email protected] -2 points 1 year ago (1 children)

This is a /c/Privacy thread about mobile keyboards, my guy.

[–] [email protected] 4 points 1 year ago* (last edited 1 year ago)

No, this thread is a general one, and I have mentioned Wayland. And they responded to me.
The post may be more about mobile keyboards, but OP has also asked about what's the case with computers, besides phones

[–] [email protected] 1 points 1 year ago (1 children)

My point is that both on Windows, and on Linux systems that use the X11 window system instead of Wayland, any program can log your let presses with basically no effort.

On Wayland, they probably still can. Wayland's core protocol doesn't allow it, but extensions to enable things like global hotkeys can almost certainly be used for shenanigans.

Also, if the keylogger is running under your user account, it can insert crafted .desktop files wrapping around your apps, ptrace your apps, you name it. Sandboxing as in Flatpak can stop this sort of thing, but if you run an app outside such a sandbox, and it's malicious, game over.

[–] [email protected] 2 points 1 year ago (1 children)

Wayland's core protocol doesn't allow it, but extensions to enable things like global hotkeys can almost certainly be used for shenanigans.

But does it work without prompting the user?
Also, I'm not too familiar with how it works, but afaik global hotkeys on KDE are implemented by the display server/compositor/whatever it's called itself, and not sourced out to a different program.

Also, if the keylogger is running under your user account, it can insert crafted .desktop files wrapping around your apps, ptrace your apps, you name it.

Well, that's an interesting point, I haven't thought about that.

[–] [email protected] 3 points 1 year ago (1 children)

But does it work without prompting the user?
Also, I’m not too familiar with how it works, but afaik global hotkeys on KDE are implemented by the display server/compositor/whatever it’s called itself, and not sourced out to a different program.

Right, but they're configured by an unprivileged program: the settings app. Presumably, a keylogger can pretend to be the settings app.

[–] [email protected] 2 points 1 year ago (1 children)

Presumably, a keylogger can pretend to be the settings app.

Couldn't the display server check if the app is actually the settings app by looking at it's executable's location? Not sure how reliable that is, but if it is, it could check if it is coming from somewhere in /usr that is also not writable by the current user.

[–] [email protected] 2 points 1 year ago* (last edited 1 year ago)

The display server has no way of verifying the process ID on the other end of the Unix-domain socket connection, and therefore cannot verify the executable image. It also cannot verify that the settings app hasn't had any malicious code injected with ptrace, LD_PRELOAD, or the like, since the injected code can remove any traces of that before connecting to the display server.

[–] [email protected] 1 points 1 year ago

I use familiar Gboard with the network permission toggled off.

[–] [email protected] 1 points 1 year ago (2 children)

A while ago I read about a study where they showed how they recreated typed text on a computer keyboard based on the sound the keys made, using AI. I can't seem to find the post right now tho.

[–] [email protected] 1 points 1 year ago

There was a video by Youtuber The Morpheus, dont find it but here is a news article

[–] [email protected] 0 points 1 year ago (2 children)

Florisboard on FDroid.

And dont ever use any Stock Android, its all spyware. Thats simply the truth. At best its "only" Google. Samsung was the worst of the ones I tried, regarding bloatware, but Huawei and Xiami are also horrible and you dont need anything fancy but a keylogger keyboard.

[–] [email protected] 1 points 1 year ago (1 children)

If you go to the Florisboard git hub their is an easy route to install it via Google play, if you can't use fdroid or side load apps for any reason. It basically involves signing up to "beta test" the app which you then get in Google Play as normal.

This may be an important route on some parts of the world.

[–] [email protected] 1 points 1 year ago

I think in these parts of the world you need the Huawei app gallery. And I hope all Androids allow sideloading?

[–] [email protected] 0 points 1 year ago (1 children)

And dont ever use any Stock Android, its all spyware.

Also reboots your device if you try and revoke permissions from Google Play Services

[–] [email protected] 0 points 1 year ago* (last edited 1 year ago) (2 children)

All that comes down to your threat model.

If you're very concerned about sophisticated actors getting effectively keyloggers on you. Install a privacy focused operating system on your phone, like graphene os (fixed spelling). Don't change the keyboard. Keep the default secure keyboard.

For your physical computer, uses very standard keyboard. Nothing fancy nothing that's reprogrammable. Most people have USB keyboards nowadays, make sure you plug your keyboard and mouse into their own USB controller, so nothing can snoop those keystrokes. Don't use a KVM, don't use a fancy monitor that basically got a computer inside of it.

If you think you might be a target, buy your keyboard with cash, in fact by all of your electronics of cash, don't order anything for delivery. They could get tampered with on the way to you.

[–] [email protected] 2 points 1 year ago

I mean if you're that concerned get a thinkpad X200, libre boot it, and run qubes OS

[–] [email protected] 1 points 1 year ago

At least we could name things properly. I'm 120% sure people who don't know graphene os have no idea what you mean by grafine os, and by searching they may even find something that's a bad knockoff or something like that.
Please always type names correctly, and also include a link to the official website, so that people don't install some literal spyware because they don't know better.


The commenter was meaning refer to graphene os: https://grapheneos.org
It's important to mention that it is only available for Google Pixel phones, and as such it is also unfit as a general recommendation that "you should install this on your phone".