
Desh Keyboard for Chinese is a security risk and privacy leak

There are very few Android Keyboard apps with user-friendly support for Chinese, especially if you want Pinyin input support like I do. The Indian group known as Desh Keyboards has published a popular and highly-rated app called “Chinese Keyboard – Pinyin”. Google Play claims over 500,000 downloads of the app.

Functionally, this Pinyin keyboard does work well and in my testing is easier to get started with than many others.

But Desh’s Chinese Keyboard has an insidious security hole that most users never realize. EVERY character you type in Chinese mode gets sent silently across the Internet! The Pinyin-to-中文 conversion depends on an unspecified remote translation service. There is no warning that this is happening, no question during installation about whether to enable it, and no mention in the documentation. I only discovered it by experiment, because of the privacy-focused habits I use to manage my systems.

I use the Datura Firewall app which comes with the CalyxOS distribution of Android. My standard procedure is to block apps from unwanted network access using Datura after installation. This is how I discovered that the Desh Chinese keyboard works as one would expect for English (Latin character set) input with the firewall blocking it. But when switched to Chinese mode, the keyboard is useless. It can’t convert anything from Pinyin into Chinese characters. It has no built-in conversion ability. I experimented and verified that it suddenly works fine again only while Desh is unblocked in the Datura firewall. Further, this is not a one-time download of a Chinese character set and dictionary. It ALWAYS depends on the network for every character or word you type.
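A quick static check that complements the firewall experiment above, added here as an example and not code from the original post or from Desh: a keyboard that converts input entirely on-device has no reason to request android.permission.INTERNET, and without that permission Android refuses the app any socket. The script reads the output of `adb shell dumpsys package <pkg>` and reports whether the package requests INTERNET. The package names com.example.keyboard and com.example.localime and the dumpsys excerpts are constructed samples; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post or from Desh): audit an Android
# input method package for android.permission.INTERNET.
# Input is the text of `adb shell dumpsys package <pkg>`. The package names
# and dumpsys excerpts below are constructed samples, not real app data.

# Print the names listed under "requested permissions:", one per line.
# In dumpsys output that block holds bare permission names; the next line
# containing a colon (for example "install permissions:") ends the block.
requested_permissions() {
    awk '
        /requested permissions:/ { inblock = 1; next }
        inblock && /:/          { inblock = 0 }
        inblock                 { sub(/^[ \t]+/, ""); if ($0 != "") print }
    '
}

# Exit 0 if the dumpsys text on stdin requests INTERNET, 1 otherwise.
requests_internet() {
    requested_permissions | grep -qx 'android.permission.INTERNET'
}

# Human-readable verdict for one package's dumpsys text on stdin.
# Returns 1 when the package can reach the network, 0 when it cannot.
audit_ime() {
    pkg="$1"
    if requests_internet; then
        echo "$pkg: requests INTERNET. If conversion stops working while the app is firewalled, conversion happens remotely and your keystrokes leave the device."
        return 1
    fi
    echo "$pkg: no INTERNET permission; it cannot open network connections itself."
    return 0
}

# Constructed dumpsys excerpt for a keyboard that requests INTERNET.
SAMPLE_WITH_INTERNET='Packages:
  Package [com.example.keyboard] (3f2a1b):
    versionName=1.0
    requested permissions:
      android.permission.INTERNET
      android.permission.VIBRATE
    install permissions:
      android.permission.INTERNET: granted=true'

# Constructed excerpt for a keyboard that does not request INTERNET.
SAMPLE_LOCAL_ONLY='Packages:
  Package [com.example.localime] (9c0d4e):
    requested permissions:
      android.permission.VIBRATE
    install permissions:
      android.permission.VIBRATE: granted=true'

# Live use against a device:
#   adb shell dumpsys package com.example.keyboard | audit_ime com.example.keyboard
printf '%s\n' "$SAMPLE_WITH_INTERNET" | audit_ime com.example.keyboard || true
printf '%s\n' "$SAMPLE_LOCAL_ONLY" | audit_ime com.example.localime
```

The permission is a precondition, not proof: a keyboard may legitimately request INTERNET for one-time dictionary downloads. The firewall test described above is what separates that case from per-keystroke dependence, so run the permission check first and the block-and-type experiment second.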

Now consider the typical casual and naïve Android user who writes in Chinese. Not only does the full text of their Chinese messages get streamed to this hidden, unknown, and untrustable “service”; consider also what happens when they use the app to type usernames and passwords.

Desh also publishes similar keyboard apps for Japanese, Hindi, Russian, Bengali, and many other languages. Since I don’t need those keyboards I haven’t tested whether they also leak your keystrokes to an online translation service in the same way, but I suspect it is highly likely, especially for Japanese. If you find that they do, please comment on this post to share it.

My guess is that the Indian software developers at Desh are typical of the sloppy fools building so many internet apps these days. They may simply be oblivious or apathetic to this gross security problem like most poorly-trained programmers. But if you’re inclined toward conspiracy, consider the political tensions between India and China, Bangladesh, Russia, and other nations of the users of these apps. Desh and whoever operates the online conversion service could easily be harvesting account credentials and other information to spy on, defraud, or otherwise harm those people.
