I was taking a look at the Naomi Wu situation (A Chinese DIY tech youtuber who went missing after being watched by the government) and in one part they mentioned that she was concerned about her privacy, so started using Signal, but had a default chinese keyboard that had a keylogger and the police had looked into what she was talking on there.

I’m not sure if it was a mobile only thing, but it was mentioned that the keyboard app was used in like 70% por chinese smarthphones.

Now, I use AnySoftKey and refuse to use default keyboard apps, but how far can we reach on the keyboard security thing? Is typing on a computer or using a physical keyboard on a mobile device 100% safe? I think the keyboard issue is often overlooked and would like to know what recommendations your have? Or what should be known more?

  •  argv_minus_one   ( @argv_minus_one@beehaw.org ) 
    310 months ago

    My point is that both on Windows, and on Linux systems that use the X11 window system instead of Wayland, any program can log your let presses with basically no effort.

    On Wayland, they probably still can. Wayland’s core protocol doesn’t allow it, but extensions to enable things like global hotkeys can almost certainly be used for shenanigans.

    Also, if the keylogger is running under your user account, it can insert crafted .desktop files wrapping around your apps, ptrace your apps, you name it. Sandboxing as in Flatpak can stop this sort of thing, but if you run an app outside such a sandbox, and it’s malicious, game over.

    •  ReversalHatchery   ( @ReversalHatchery@beehaw.org ) 
      310 months ago

      Wayland’s core protocol doesn’t allow it, but extensions to enable things like global hotkeys can almost certainly be used for shenanigans.

      But does it work without prompting the user?
      Also, I’m not too familiar with how it works, but afaik global hotkeys on KDE are implemented by the display server/compositor/whatever it’s called itself, and not sourced out to a different program.

      Also, if the keylogger is running under your user account, it can insert crafted .desktop files wrapping around your apps, ptrace your apps, you name it.

      Well, that’s an interesting point, I haven’t thought about that.

      •  argv_minus_one   ( @argv_minus_one@beehaw.org ) 
        310 months ago

        But does it work without prompting the user?
        Also, I’m not too familiar with how it works, but afaik global hotkeys on KDE are implemented by the display server/compositor/whatever it’s called itself, and not sourced out to a different program.

        Right, but they’re configured by an unprivileged program: the settings app. Presumably, a keylogger can pretend to be the settings app.

        •  ReversalHatchery   ( @ReversalHatchery@beehaw.org ) 
          210 months ago

          Presumably, a keylogger can pretend to be the settings app.

          Couldn’t the display server check if the app is actually the settings app by looking at it’s executable’s location? Not sure how reliable that is, but if it is, it could check if it is coming from somewhere in /usr that is also not writable by the current user.

          •  argv_minus_one   ( @argv_minus_one@beehaw.org ) 
            210 months ago

            The display server has no way of verifying the process ID on the other end of the Unix-domain socket connection, and therefore cannot verify the executable image. It also cannot verify that the settings app hasn’t had any malicious code injected with ptrace, LD_PRELOAD, or the like, since the injected code can remove any traces of that before connecting to the display server.