how to introduce a hypothesis in a lab report

Lab Report Format: Step-by-Step Guide & Examples

Saul Mcleod, PhD

Editor-in-Chief for Simply Psychology

BSc (Hons) Psychology, MRes, PhD, University of Manchester

Saul Mcleod, PhD., is a qualified psychology teacher with over 18 years of experience in further and higher education. He has been published in peer-reviewed journals, including the Journal of Clinical Psychology.

Learn about our Editorial Process

Olivia Guy-Evans, MSc

Associate Editor for Simply Psychology

BSc (Hons) Psychology, MSc Psychology of Education

Olivia Guy-Evans is a writer and associate editor for Simply Psychology. She has previously worked in healthcare and educational sectors.

On This Page:

In psychology, a lab report outlines a study’s objectives, methods, results, discussion, and conclusions, ensuring clarity and adherence to APA (or relevant) formatting guidelines.

A typical lab report would include the following sections: title, abstract, introduction, method, results, and discussion.

The title page, abstract, references, and appendices are started on separate pages (subsections from the main body of the report are not). Use double-line spacing of text, font size 12, and include page numbers.

The report should have a thread of arguments linking the prediction in the introduction to the content of the discussion.

This must indicate what the study is about. It must include the variables under investigation. It should not be written as a question.

Title pages should be formatted in APA style .

The abstract provides a concise and comprehensive summary of a research report. Your style should be brief but not use note form. Look at examples in journal articles . It should aim to explain very briefly (about 150 words) the following:

• Start with a one/two sentence summary, providing the aim and rationale for the study.
• Describe participants and setting: who, when, where, how many, and what groups?
• Describe the method: what design, what experimental treatment, what questionnaires, surveys, or tests were used.
• Describe the major findings, including a mention of the statistics used and the significance levels, or simply one sentence summing up the outcome.
• The final sentence(s) outline the study’s “contribution to knowledge” within the literature. What does it all mean? Mention the implications of your findings if appropriate.

The abstract comes at the beginning of your report but is written at the end (as it summarises information from all the other sections of the report).

Introduction

The purpose of the introduction is to explain where your hypothesis comes from (i.e., it should provide a rationale for your research study).

Ideally, the introduction should have a funnel structure: Start broad and then become more specific. The aims should not appear out of thin air; the preceding review of psychological literature should lead logically into the aims and hypotheses.

• Start with general theory, briefly introducing the topic. Define the important key terms.
• Explain the theoretical framework.
• Summarise and synthesize previous studies – What was the purpose? Who were the participants? What did they do? What did they find? What do these results mean? How do the results relate to the theoretical framework?
• Rationale: How does the current study address a gap in the literature? Perhaps it overcomes a limitation of previous research.
• Aims and hypothesis. Write a paragraph explaining what you plan to investigate and make a clear and concise prediction regarding the results you expect to find.

There should be a logical progression of ideas that aids the flow of the report. This means the studies outlined should lead logically to your aims and hypotheses.

Do be concise and selective, and avoid the temptation to include anything in case it is relevant (i.e., don’t write a shopping list of studies).

USE THE FOLLOWING SUBHEADINGS:

Participants

• How many participants were recruited?
• Say how you obtained your sample (e.g., opportunity sample).
• Give relevant demographic details (e.g., gender, ethnicity, age range, mean age, and standard deviation).
• State the experimental design .
• What were the independent and dependent variables ? Make sure the independent variable is labeled and name the different conditions/levels.
• For example, if gender is the independent variable label, then male and female are the levels/conditions/groups.
• How were the IV and DV operationalized?
• Identify any controls used, e.g., counterbalancing and control of extraneous variables.
• List all the materials and measures (e.g., what was the title of the questionnaire? Was it adapted from a study?).
• You do not need to include wholesale replication of materials – instead, include a ‘sensible’ (illustrate) level of detail. For example, give examples of questionnaire items.
• Include the reliability (e.g., alpha values) for the measure(s).
• Describe the precise procedure you followed when conducting your research, i.e., exactly what you did.
• Describe in sufficient detail to allow for replication of findings.
• Be concise in your description and omit extraneous/trivial details, e.g., you don’t need to include details regarding instructions, debrief, record sheets, etc.
• Assume the reader has no knowledge of what you did and ensure that he/she can replicate (i.e., copy) your study exactly by what you write in this section.
• Write in the past tense.
• Don’t justify or explain in the Method (e.g., why you chose a particular sampling method); just report what you did.
• Only give enough detail for someone to replicate the experiment – be concise in your writing.
• The results section of a paper usually presents descriptive statistics followed by inferential statistics.
• Report the means, standard deviations, and 95% confidence intervals (CIs) for each IV level. If you have four to 20 numbers to present, a well-presented table is best, APA style.
• Name the statistical test being used.
• Report appropriate statistics (e.g., t-scores, p values ).
• Report the magnitude (e.g., are the results significant or not?) as well as the direction of the results (e.g., which group performed better?).
• It is optional to report the effect size (this does not appear on the SPSS output).
• Avoid interpreting the results (save this for the discussion).
• Make sure the results are presented clearly and concisely. A table can be used to display descriptive statistics if this makes the data easier to understand.
• DO NOT include any raw data.
• Follow APA style.

Use APA Style

• Numbers reported to 2 d.p. (incl. 0 before the decimal if 1.00, e.g., “0.51”). The exceptions to this rule: Numbers which can never exceed 1.0 (e.g., p -values, r-values): report to 3 d.p. and do not include 0 before the decimal place, e.g., “.001”.
• Percentages and degrees of freedom: report as whole numbers.
• Statistical symbols that are not Greek letters should be italicized (e.g., M , SD , t , X 2 , F , p , d ).
• Include spaces on either side of the equals sign.
• When reporting 95%, CIs (confidence intervals), upper and lower limits are given inside square brackets, e.g., “95% CI [73.37, 102.23]”
• Outline your findings in plain English (avoid statistical jargon) and relate your results to your hypothesis, e.g., is it supported or rejected?
• Compare your results to background materials from the introduction section. Are your results similar or different? Discuss why/why not.
• How confident can we be in the results? Acknowledge limitations, but only if they can explain the result obtained. If the study has found a reliable effect, be very careful suggesting limitations as you are doubting your results. Unless you can think of any c onfounding variable that can explain the results instead of the IV, it would be advisable to leave the section out.
• Suggest constructive ways to improve your study if appropriate.
• What are the implications of your findings? Say what your findings mean for how people behave in the real world.
• Suggest an idea for further research triggered by your study, something in the same area but not simply an improved version of yours. Perhaps you could base this on a limitation of your study.
• Concluding paragraph – Finish with a statement of your findings and the key points of the discussion (e.g., interpretation and implications) in no more than 3 or 4 sentences.

Reference Page

The reference section lists all the sources cited in the essay (alphabetically). It is not a bibliography (a list of the books you used).

In simple terms, every time you refer to a psychologist’s name (and date), you need to reference the original source of information.

If you have been using textbooks this is easy as the references are usually at the back of the book and you can just copy them down. If you have been using websites then you may have a problem as they might not provide a reference section for you to copy.

References need to be set out APA style :

Author, A. A. (year). Title of work . Location: Publisher.

Journal Articles

Author, A. A., Author, B. B., & Author, C. C. (year). Article title. Journal Title, volume number (issue number), page numbers

A simple way to write your reference section is to use Google scholar . Just type the name and date of the psychologist in the search box and click on the “cite” link.

Next, copy and paste the APA reference into the reference section of your essay.

Once again, remember that references need to be in alphabetical order according to surname.

Psychology Lab Report Example

Quantitative paper template.

Quantitative professional paper template: Adapted from “Fake News, Fast and Slow: Deliberation Reduces Belief in False (but Not True) News Headlines,” by B. Bago, D. G. Rand, and G. Pennycook, 2020,  Journal of Experimental Psychology: General ,  149 (8), pp. 1608–1613 ( https://doi.org/10.1037/xge0000729 ). Copyright 2020 by the American Psychological Association.

Qualitative paper template

Qualitative professional paper template: Adapted from “‘My Smartphone Is an Extension of Myself’: A Holistic Qualitative Exploration of the Impact of Using a Smartphone,” by L. J. Harkin and D. Kuss, 2020,  Psychology of Popular Media ,  10 (1), pp. 28–38 ( https://doi.org/10.1037/ppm0000278 ). Copyright 2020 by the American Psychological Association.

Writing Studio

Writing a lab report: introduction and discussion section guide.

In an effort to make our handouts more accessible, we have begun converting our PDF handouts to web pages. Download this page as a PDF:   Writing a Lab Report Return to Writing Studio Handouts

Part 1 (of 2): Introducing a Lab Report

The introduction of a lab report states the objective of the experiment and provides the reader with background information. State the topic of your report clearly and concisely (in one or two sentences). Provide background theory, previous research, or formulas the reader should know. Usually, an instructor does not want you to repeat whatever the lab manual says, but to show your understanding of the problem.

Questions an Effective Lab Report Introduction Should Answer

What is the problem.

Describe the problem investigated. Summarize relevant research to provide context, key terms, and concepts so that your reader can understand the experiment.

Why is it important?

Review relevant research to provide a rationale for the investigation. What conflict, unanswered question, untested population, or untried method in existing research does your experiment address? How will you challenge or extend the findings of other researchers?

What solution (or step toward a solution) do you propose?

Briefly describe your experiment : hypothesis , research question , general experimental design or method , and a justification of your method (if alternatives exist).

Tips on Composing Your Lab Report’s Introduction

• Move from the general to the specific – from a problem in research literature to the specifics of your experiment.
• Engage your reader – answer the questions: “What did I do?” “Why should my reader care?”
• Clarify the links between problem and solution, between question asked and research design, and between prior research and the specifics of your experiment.
• Be selective, not exhaustive, in choosing studies to cite and the amount of detail to include. In general, the more relevant an article is to your study, the more space it deserves and the later in the introduction it appears.
• Ask your instructor whether or not you should summarize results and/or conclusions in the Introduction.
• “The objective of the experiment was …”
• “The purpose of this report is …”
• “Bragg’s Law for diffraction is …”
• “The scanning electron microscope produces micrographs …”

Part 2 (of 2): Writing the “Discussion” Section of a Lab Report

The discussion is the most important part of your lab report, because here you show that you have not merely completed the experiment, but that you also understand its wider implications. The discussion section is reserved for putting experimental results in the context of the larger theory. Ask yourself: “What is the significance or meaning of the results?”

Elements of an Effective Discussion Section

What do the results indicate clearly? Based on your results, explain what you know with certainty and draw conclusions.

Interpretation

What is the significance of your results? What ambiguities exist? What are logical explanations for problems in the data? What questions might you raise about the methods used or the validity of the experiment? What can be logically deduced from your analysis?

Tips on the Discussion Section

1. explain your results in terms of theoretical issues..

How well has the theory been illustrated? What are the theoretical implications and practical applications of your results?

For each major result:

• Describe the patterns, principles, and relationships that your results show.
• Explain how your results relate to expectations and to literature cited in your Introduction. Explain any agreements, contradictions, or exceptions.
• Describe what additional research might resolve contradictions or explain exceptions.

2. Relate results to your experimental objective(s).

If you set out to identify an unknown metal by finding its lattice parameter and its atomic structure, be sure that you have identified the metal and its attributes.

3. Compare expected results with those obtained.

If there were differences, how can you account for them? Were the instruments able to measure precisely? Was the sample contaminated? Did calculated values take account of friction?

4. Analyze experimental error along with the strengths and limitations of the experiment’s design.

Were any errors avoidable? Were they the result of equipment?  If the flaws resulted from the experiment design, explain how the design might be improved. Consider, as well, the precision of the instruments that were used.

5. Compare your results to similar investigations.

In some cases, it is legitimate to compare outcomes with classmates, not in order to change your answer, but in order to look for and to account for or analyze any anomalies between the groups. Also, consider comparing your results to published scientific literature on the topic.

The “Introducing a Lab Report” guide was adapted from the University of Toronto Engineering Communications Centre and University of Wisconsin-Madison Writing Center.

The “Writing the Discussion Section of a Lab Report” resource was adapted from the University of Toronto Engineering Communications Centre and University of Wisconsin-Madison Writing Center.

Last revised: 07/2008 | Adapted for web delivery: 02/2021

In order to access certain content on this page, you may need to download Adobe Acrobat Reader or an equivalent PDF viewer software.

Have a language expert improve your writing

Run a free plagiarism check in 10 minutes, automatically generate references for free.

• Knowledge Base
• Methodology
• How to Write a Strong Hypothesis | Guide & Examples

How to Write a Strong Hypothesis | Guide & Examples

Published on 6 May 2022 by Shona McCombes .

A hypothesis is a statement that can be tested by scientific research. If you want to test a relationship between two or more variables, you need to write hypotheses before you start your experiment or data collection.

Table of contents

What is a hypothesis, developing a hypothesis (with example), hypothesis examples, frequently asked questions about writing hypotheses.

A hypothesis states your predictions about what your research will find. It is a tentative answer to your research question that has not yet been tested. For some research projects, you might have to write several hypotheses that address different aspects of your research question.

A hypothesis is not just a guess – it should be based on existing theories and knowledge. It also has to be testable, which means you can support or refute it through scientific research methods (such as experiments, observations, and statistical analysis of data).

Variables in hypotheses

Hypotheses propose a relationship between two or more variables . An independent variable is something the researcher changes or controls. A dependent variable is something the researcher observes and measures.

In this example, the independent variable is exposure to the sun – the assumed cause . The dependent variable is the level of happiness – the assumed effect .

Prevent plagiarism, run a free check.

Step 1: ask a question.

Writing a hypothesis begins with a research question that you want to answer. The question should be focused, specific, and researchable within the constraints of your project.

Step 2: Do some preliminary research

Your initial answer to the question should be based on what is already known about the topic. Look for theories and previous studies to help you form educated assumptions about what your research will find.

At this stage, you might construct a conceptual framework to identify which variables you will study and what you think the relationships are between them. Sometimes, you’ll have to operationalise more complex constructs.

Step 3: Formulate your hypothesis

Now you should have some idea of what you expect to find. Write your initial answer to the question in a clear, concise sentence.

Step 4: Refine your hypothesis

You need to make sure your hypothesis is specific and testable. There are various ways of phrasing a hypothesis, but all the terms you use should have clear definitions, and the hypothesis should contain:

• The relevant variables
• The specific group being studied
• The predicted outcome of the experiment or analysis

Step 5: Phrase your hypothesis in three ways

To identify the variables, you can write a simple prediction in if … then form. The first part of the sentence states the independent variable and the second part states the dependent variable.

In academic research, hypotheses are more commonly phrased in terms of correlations or effects, where you directly state the predicted relationship between variables.

If you are comparing two groups, the hypothesis can state what difference you expect to find between them.

Step 6. Write a null hypothesis

If your research involves statistical hypothesis testing , you will also have to write a null hypothesis. The null hypothesis is the default position that there is no association between the variables. The null hypothesis is written as H 0 , while the alternative hypothesis is H 1 or H a .

Hypothesis testing is a formal procedure for investigating our ideas about the world using statistics. It is used by scientists to test specific predictions, called hypotheses , by calculating how likely it is that a pattern or relationship between variables could have arisen by chance.

A hypothesis is not just a guess. It should be based on existing theories and knowledge. It also has to be testable, which means you can support or refute it through scientific research methods (such as experiments, observations, and statistical analysis of data).

A research hypothesis is your proposed answer to your research question. The research hypothesis usually includes an explanation (‘ x affects y because …’).

A statistical hypothesis, on the other hand, is a mathematical statement about a population parameter. Statistical hypotheses always come in pairs: the null and alternative hypotheses. In a well-designed study , the statistical hypotheses correspond logically to the research hypothesis.

Cite this Scribbr article

If you want to cite this source, you can copy and paste the citation or click the ‘Cite this Scribbr article’ button to automatically add the citation to our free Reference Generator.

McCombes, S. (2022, May 06). How to Write a Strong Hypothesis | Guide & Examples. Scribbr. Retrieved 22 April 2024, from https://www.scribbr.co.uk/research-methods/hypothesis-writing/

Is this article helpful?

Shona McCombes

Other students also liked, operationalisation | a guide with examples, pros & cons, what is a conceptual framework | tips & examples, a quick guide to experimental design | 5 steps & examples.

• How To Find Articles with Databases
• How To Evaluate Articles
• How To Read A Scientific Paper
• How To Interpret Data
• How To Write A Lab Report
• How To Write A Scientific Paper
• Get More Help
• Reference: Encyclopedia, Handbooks & Dictionaries
• Research Tools: Databases, Protocols & Citation Locators
• E-Journal Lists by Subject
• Scholarly vs Popular
• Search Tips
• Open Resources
• E-Journal lists by subject
• Develop a Research Question

Writing Lab Reports

Writing lab reports follows a straightforward and structured procedure. It is important to recognize that each part of a lab report is important, so take the time to complete each carefully. A lab report is broken down into eight sections: title, abstract, introduction, methods and materials, results, discussion, conclusion, and references. 

• Ex: "Determining the Free Chlorine Content of Pool Water"
• Abstracts are a summary of the experiment as a whole and should familiarize the reader with the purpose of the research. 
• Abstracts will always be written last, even though they are the first paragraph of a lab report. 
• Not all lab reports will require an abstract. However, they are often included in upper-level lab reports and should be studied carefully. 
• Why was the research done or experiment conducted?
• What problem is being addressed?
• What results were found?
• What are the meaning of the results?
• How is the problem better understood now than before, if at all?

Introduction

• The introduction of a lab report discusses the problem being studied and other theory that is relevant to understanding the findings. 
• The hypothesis of the experiment and the motivation for the research are stated in this section. 
• Write the introduction in your own words. Try not to copy from a lab manual or other guidelines. Instead, show comprehension of the experiment by briefly explaining the problem.

Methods and Materials

• Ex: pipette, graduated cylinder, 1.13mg of Na, 0.67mg Ag
• List the steps taken as they actually happened during the experiment, not as they were supposed to happen. 
• If written correctly, another researcher should be able to duplicate the experiment and get the same or very similar results. 
• The results show the data that was collected or found during the experiment. 
• Explain in words the data that was collected.
• Tables should be labeled numerically, as "Table 1", "Table 2", etc. Other figures should be labeled numerically as "Figure 1", "Figure 2", etc. 
• Calculations to understand the data can also be presented in the results. 
• The discussion section is one of the most important parts of the lab report. It analyzes the results of the experiment and is a discussion of the data. 
• If any results are unexpected, explain why they are unexpected and how they did or did not effect the data obtained. 
• Analyze the strengths and weaknesses of the design of the experiment and compare your results to other similar experiments.
• If there are any experimental errors, analyze them.
• Explain your results and discuss them using relevant terms and theories.
• What do the results indicate?
• What is the significance of the results?
• Are there any gaps in knowledge?
• Are there any new questions that have been raised?
• The conclusion is a summation of the experiment. It should clearly and concisely state what was learned and its importance.
• If there is future work that needs to be done, it can be explained in the conclusion.
• If using any outside sources to support a claim or explain background information, those sources must be cited in the references section of the lab report. 
• In the event that no outside sources are used, the references section may be left out. 

Other Useful Sources

• The Lab Report
• Sample Laboratory Report #2
• Some Tips on Writing Lab Reports
• Writing a Science Lab Report
• << Previous: How To Interpret Data
• Next: How To Write A Scientific Paper >>
• Last Updated: Mar 8, 2024 2:26 PM
• URL: https://guides.libraries.indiana.edu/STEM

Social media

• Instagram for Herman B Wells Library
• Facebook for IU Libraries

Additional resources

Featured databases.

• Resource available to authorized IU Bloomington users (on or off campus) OneSearch@IU
• Resource available to authorized IU Bloomington users (on or off campus) Academic Search (EBSCO)
• Resource available to authorized IU Bloomington users (on or off campus) ERIC (EBSCO)
• Resource available to authorized IU Bloomington users (on or off campus) Nexis Uni
• Resource available without restriction HathiTrust Digital Library
• Databases A-Z
• Resource available to authorized IU Bloomington users (on or off campus) Google Scholar
• Resource available to authorized IU Bloomington users (on or off campus) JSTOR
• Resource available to authorized IU Bloomington users (on or off campus) Web of Science
• Resource available to authorized IU Bloomington users (on or off campus) Scopus
• Resource available to authorized IU Bloomington users (on or off campus) WorldCat

IU Libraries

• Diversity Resources
• About IU Libraries
• Alumni & Friends
• Departments & Staff
• Jobs & Libraries HR
• Intranet (Staff)
• IUL site admin

How to Write a Lab Report

Lab Reports Describe Your Experiment

• Chemical Laws
• Periodic Table
• Projects & Experiments
• Scientific Method
• Biochemistry
• Physical Chemistry
• Medical Chemistry
• Chemistry In Everyday Life
• Famous Chemists
• Activities for Kids
• Abbreviations & Acronyms
• Weather & Climate
• Ph.D., Biomedical Sciences, University of Tennessee at Knoxville
• B.A., Physics and Mathematics, Hastings College

Lab reports are an essential part of all laboratory courses and usually a significant part of your grade. If your instructor gives you an outline for how to write a lab report, use that. Some instructors require a lab report to be included in a lab notebook , while others will request a separate report. Here's a format for a lab report you can use if you aren't sure what to write or need an explanation of what to include in the different parts of the report.

A lab report is how you explain what you did in ​your experiment, what you learned, and what the results meant.

Lab Report Essentials

Not all lab reports have title pages, but if your instructor wants one, it would be a single page that states:​

• The title of the experiment.
• Your name and the names of any lab partners.
• Your instructor's name.
• The date the lab was performed or the date the report was submitted.

The title says what you did. It should be brief (aim for ten words or less) and describe the main point of the experiment or investigation. An example of a title would be: "Effects of Ultraviolet Light on Borax Crystal Growth Rate". If you can, begin your title using a keyword rather than an article like "The" or "A".

Introduction or Purpose

Usually, the introduction is one paragraph that explains the objectives or purpose of the lab. In one sentence, state the hypothesis. Sometimes an introduction may contain background information, briefly summarize how the experiment was performed, state the findings of the experiment, and list the conclusions of the investigation. Even if you don't write a whole introduction, you need to state the purpose of the experiment, or why you did it. This would be where you state your hypothesis .

List everything needed to complete your experiment.

Describe the steps you completed during your investigation. This is your procedure. Be sufficiently detailed that anyone could read this section and duplicate your experiment. Write it as if you were giving direction for someone else to do the lab. It may be helpful to provide a figure to diagram your experimental setup.

Numerical data obtained from your procedure usually presented as a table. Data encompasses what you recorded when you conducted the experiment. It's just the facts, not any interpretation of what they mean.

Describe in words what the data means. Sometimes the Results section is combined with the Discussion.

Discussion or Analysis

The Data section contains numbers; the Analysis section contains any calculations you made based on those numbers. This is where you interpret the data and determine whether or not a hypothesis was accepted. This is also where you would discuss any mistakes you might have made while conducting the investigation. You may wish to describe ways the study might have been improved.

Conclusions

Most of the time the conclusion is a single paragraph that sums up what happened in the experiment, whether your hypothesis was accepted or rejected, and what this means.

Figures and Graphs

Graphs and figures must both be labeled with a descriptive title. Label the axes on a graph, being sure to include units of measurement. The independent variable is on the X-axis, the dependent variable (the one you are measuring) is on the Y-axis. Be sure to refer to figures and graphs in the text of your report: the first figure is Figure 1, the second figure is Figure 2, etc.

If your research was based on someone else's work or if you cited facts that require documentation, then you should list these references.

• How to Format a Biology Lab Report
• Science Lab Report Template - Fill in the Blanks
• How to Write a Science Fair Project Report
• How to Write an Abstract for a Scientific Paper
• Six Steps of the Scientific Method
• How To Design a Science Fair Experiment
• Understanding Simple vs Controlled Experiments
• Make a Science Fair Poster or Display
• What Is an Experiment? Definition and Design
• How to Organize Your Science Fair Poster
• What Are the Elements of a Good Hypothesis?
• Scientific Method Lesson Plan
• The 10 Most Important Lab Safety Rules
• How to Write a Film Review
• 6 Steps to Writing the Perfect Personal Essay

Princeton Correspondents on Undergraduate Research

How to Write An Effective Lab Report

Whether you are in lab for general chemistry, independent work, or senior thesis, almost all lab experiments will be followed up with a lab report or paper. Although it should be relatively easy to write about an experiment you completed, this is often the most difficult part of lab work, especially when the results are unexpected. In this post, I will outline the components of a lab report while offering tips on how to write one.

Understand Your Experiments Thoroughly

Before you begin writing your draft, it is important that you understand your experiment, as this will help you decide what to include in your paper. When I wrote my first organic chemistry lab report, I rushed to begin answering the discussion questions only to realize halfway through that I had a major conceptual error. Because of this, I had to revise most of what I had written so far, which cost me a lot of time. Know what the purpose of the lab is, formulate the hypothesis, and begin to think about the results you are expecting. At this point, it is helpful to check in with your Lab TA, mentor, or principal investigator (PI) to ensure that you thoroughly understand your project. 

The abstract of your lab report will generally consist of a short summary of your entire report, typically in the same order as your report. Although this is the first section of your lab report, this should be the last section you write. Rather than trying to follow your entire report based on your abstract, it is easier if you write your report first before trying to summarize it.

Introduction and Background

The introduction and background of your report should establish the purpose of your experiment (what principles you are examining), your hypothesis (what you expect to see and why), and relevant findings from others in the field. You have likely done extensive reading about the project from textbooks, lecture notes, or scholarly articles. But as you write, only include background information that is relevant to your specific experiments. For instance, over the summer when I was still learning about metabolic engineering and its role in yeast cells, I read several articles detailing this process. However, a lot of this information was a very broad introduction to the field and not directly related to my project, so I decided not to include most of it. 

This section of the lab report should not contain a step-by-step procedure of your experiments, but rather enough details should be included so that someone else can understand and replicate what you did. From this section, the reader should understand how you tested your hypothesis and why you chose that method. Explain the different parts of your project, the variables being tested, and controls in your experiments. This section will validate the data presented by confirming that variables are being tested in a proper way.

You cannot change the data you collect from your experiments; thus the results section will be written for you. Your job is to present these results in appropriate tables and charts. Depending on the length of your project, you may have months of data from experiments or just a three-hour lab period worth of results. For example, for in-class lab reports, there is usually only one major experiment, so I include most of the data I collect in my lab report. But for longer projects such as summer internships, there are various preliminary experiments throughout, so I select the data to include. Although you cannot change the data, you must choose what is relevant to include in your report. Determine what is included in your report based on the goals and purpose of your project.

Discussion and Conclusion

In this section, you should analyze your results and relate your data back to your hypothesis. You should mention whether the results you obtained matched what was expected and the conclusions that can be drawn from this. For this section, you should talk about your data and conclusions with your lab mentors or TAs before you begin writing. As I mentioned above, by consulting with your mentors, you will avoid making large conceptual error that may take a long time to address.

There is no correct order for how to write a report, but it is generally easier to write some sections before others. For instance, because your results cannot be changed, it is easier to write the results section first. Likewise, because you also cannot change the methods you used in your experiment, it is helpful to write this section after writing your results. Although there are multiple ways to write and format a lab report or research paper, the goals of every report are the same: to describe what you did, your results, and why they are significant. As you write, keep your audience and these goals in mind.

— Saira Reyes, Engineering Correspondent

Share this:

• Share on Tumblr

Scientific Reports

What this handout is about.

This handout provides a general guide to writing reports about scientific research you’ve performed. In addition to describing the conventional rules about the format and content of a lab report, we’ll also attempt to convey why these rules exist, so you’ll get a clearer, more dependable idea of how to approach this writing situation. Readers of this handout may also find our handout on writing in the sciences useful.

Background and pre-writing

Why do we write research reports.

You did an experiment or study for your science class, and now you have to write it up for your teacher to review. You feel that you understood the background sufficiently, designed and completed the study effectively, obtained useful data, and can use those data to draw conclusions about a scientific process or principle. But how exactly do you write all that? What is your teacher expecting to see?

To take some of the guesswork out of answering these questions, try to think beyond the classroom setting. In fact, you and your teacher are both part of a scientific community, and the people who participate in this community tend to share the same values. As long as you understand and respect these values, your writing will likely meet the expectations of your audience—including your teacher.

So why are you writing this research report? The practical answer is “Because the teacher assigned it,” but that’s classroom thinking. Generally speaking, people investigating some scientific hypothesis have a responsibility to the rest of the scientific world to report their findings, particularly if these findings add to or contradict previous ideas. The people reading such reports have two primary goals:

• They want to gather the information presented.
• They want to know that the findings are legitimate.

Your job as a writer, then, is to fulfill these two goals.

How do I do that?

Good question. Here is the basic format scientists have designed for research reports:

• Introduction

Methods and Materials

This format, sometimes called “IMRAD,” may take slightly different shapes depending on the discipline or audience; some ask you to include an abstract or separate section for the hypothesis, or call the Discussion section “Conclusions,” or change the order of the sections (some professional and academic journals require the Methods section to appear last). Overall, however, the IMRAD format was devised to represent a textual version of the scientific method.

The scientific method, you’ll probably recall, involves developing a hypothesis, testing it, and deciding whether your findings support the hypothesis. In essence, the format for a research report in the sciences mirrors the scientific method but fleshes out the process a little. Below, you’ll find a table that shows how each written section fits into the scientific method and what additional information it offers the reader.

Thinking of your research report as based on the scientific method, but elaborated in the ways described above, may help you to meet your audience’s expectations successfully. We’re going to proceed by explicitly connecting each section of the lab report to the scientific method, then explaining why and how you need to elaborate that section.

Although this handout takes each section in the order in which it should be presented in the final report, you may for practical reasons decide to compose sections in another order. For example, many writers find that composing their Methods and Results before the other sections helps to clarify their idea of the experiment or study as a whole. You might consider using each assignment to practice different approaches to drafting the report, to find the order that works best for you.

What should I do before drafting the lab report?

The best way to prepare to write the lab report is to make sure that you fully understand everything you need to about the experiment. Obviously, if you don’t quite know what went on during the lab, you’re going to find it difficult to explain the lab satisfactorily to someone else. To make sure you know enough to write the report, complete the following steps:

• What are we going to do in this lab? (That is, what’s the procedure?)
• Why are we going to do it that way?
• What are we hoping to learn from this experiment?
• Why would we benefit from this knowledge?
• Consult your lab supervisor as you perform the lab. If you don’t know how to answer one of the questions above, for example, your lab supervisor will probably be able to explain it to you (or, at least, help you figure it out).
• Plan the steps of the experiment carefully with your lab partners. The less you rush, the more likely it is that you’ll perform the experiment correctly and record your findings accurately. Also, take some time to think about the best way to organize the data before you have to start putting numbers down. If you can design a table to account for the data, that will tend to work much better than jotting results down hurriedly on a scrap piece of paper.
• Record the data carefully so you get them right. You won’t be able to trust your conclusions if you have the wrong data, and your readers will know you messed up if the other three people in your group have “97 degrees” and you have “87.”
• Consult with your lab partners about everything you do. Lab groups often make one of two mistakes: two people do all the work while two have a nice chat, or everybody works together until the group finishes gathering the raw data, then scrams outta there. Collaborate with your partners, even when the experiment is “over.” What trends did you observe? Was the hypothesis supported? Did you all get the same results? What kind of figure should you use to represent your findings? The whole group can work together to answer these questions.
• Consider your audience. You may believe that audience is a non-issue: it’s your lab TA, right? Well, yes—but again, think beyond the classroom. If you write with only your lab instructor in mind, you may omit material that is crucial to a complete understanding of your experiment, because you assume the instructor knows all that stuff already. As a result, you may receive a lower grade, since your TA won’t be sure that you understand all the principles at work. Try to write towards a student in the same course but a different lab section. That student will have a fair degree of scientific expertise but won’t know much about your experiment particularly. Alternatively, you could envision yourself five years from now, after the reading and lectures for this course have faded a bit. What would you remember, and what would you need explained more clearly (as a refresher)?

Once you’ve completed these steps as you perform the experiment, you’ll be in a good position to draft an effective lab report.

Introductions

How do i write a strong introduction.

For the purposes of this handout, we’ll consider the Introduction to contain four basic elements: the purpose, the scientific literature relevant to the subject, the hypothesis, and the reasons you believed your hypothesis viable. Let’s start by going through each element of the Introduction to clarify what it covers and why it’s important. Then we can formulate a logical organizational strategy for the section.

The inclusion of the purpose (sometimes called the objective) of the experiment often confuses writers. The biggest misconception is that the purpose is the same as the hypothesis. Not quite. We’ll get to hypotheses in a minute, but basically they provide some indication of what you expect the experiment to show. The purpose is broader, and deals more with what you expect to gain through the experiment. In a professional setting, the hypothesis might have something to do with how cells react to a certain kind of genetic manipulation, but the purpose of the experiment is to learn more about potential cancer treatments. Undergraduate reports don’t often have this wide-ranging a goal, but you should still try to maintain the distinction between your hypothesis and your purpose. In a solubility experiment, for example, your hypothesis might talk about the relationship between temperature and the rate of solubility, but the purpose is probably to learn more about some specific scientific principle underlying the process of solubility.

For starters, most people say that you should write out your working hypothesis before you perform the experiment or study. Many beginning science students neglect to do so and find themselves struggling to remember precisely which variables were involved in the process or in what way the researchers felt that they were related. Write your hypothesis down as you develop it—you’ll be glad you did.

As for the form a hypothesis should take, it’s best not to be too fancy or complicated; an inventive style isn’t nearly so important as clarity here. There’s nothing wrong with beginning your hypothesis with the phrase, “It was hypothesized that . . .” Be as specific as you can about the relationship between the different objects of your study. In other words, explain that when term A changes, term B changes in this particular way. Readers of scientific writing are rarely content with the idea that a relationship between two terms exists—they want to know what that relationship entails.

Not a hypothesis:

“It was hypothesized that there is a significant relationship between the temperature of a solvent and the rate at which a solute dissolves.”

Hypothesis:

“It was hypothesized that as the temperature of a solvent increases, the rate at which a solute will dissolve in that solvent increases.”

Put more technically, most hypotheses contain both an independent and a dependent variable. The independent variable is what you manipulate to test the reaction; the dependent variable is what changes as a result of your manipulation. In the example above, the independent variable is the temperature of the solvent, and the dependent variable is the rate of solubility. Be sure that your hypothesis includes both variables.

Justify your hypothesis

You need to do more than tell your readers what your hypothesis is; you also need to assure them that this hypothesis was reasonable, given the circumstances. In other words, use the Introduction to explain that you didn’t just pluck your hypothesis out of thin air. (If you did pluck it out of thin air, your problems with your report will probably extend beyond using the appropriate format.) If you posit that a particular relationship exists between the independent and the dependent variable, what led you to believe your “guess” might be supported by evidence?

Scientists often refer to this type of justification as “motivating” the hypothesis, in the sense that something propelled them to make that prediction. Often, motivation includes what we already know—or rather, what scientists generally accept as true (see “Background/previous research” below). But you can also motivate your hypothesis by relying on logic or on your own observations. If you’re trying to decide which solutes will dissolve more rapidly in a solvent at increased temperatures, you might remember that some solids are meant to dissolve in hot water (e.g., bouillon cubes) and some are used for a function precisely because they withstand higher temperatures (they make saucepans out of something). Or you can think about whether you’ve noticed sugar dissolving more rapidly in your glass of iced tea or in your cup of coffee. Even such basic, outside-the-lab observations can help you justify your hypothesis as reasonable.

Background/previous research

This part of the Introduction demonstrates to the reader your awareness of how you’re building on other scientists’ work. If you think of the scientific community as engaging in a series of conversations about various topics, then you’ll recognize that the relevant background material will alert the reader to which conversation you want to enter.

Generally speaking, authors writing journal articles use the background for slightly different purposes than do students completing assignments. Because readers of academic journals tend to be professionals in the field, authors explain the background in order to permit readers to evaluate the study’s pertinence for their own work. You, on the other hand, write toward a much narrower audience—your peers in the course or your lab instructor—and so you must demonstrate that you understand the context for the (presumably assigned) experiment or study you’ve completed. For example, if your professor has been talking about polarity during lectures, and you’re doing a solubility experiment, you might try to connect the polarity of a solid to its relative solubility in certain solvents. In any event, both professional researchers and undergraduates need to connect the background material overtly to their own work.

Organization of this section

Most of the time, writers begin by stating the purpose or objectives of their own work, which establishes for the reader’s benefit the “nature and scope of the problem investigated” (Day 1994). Once you have expressed your purpose, you should then find it easier to move from the general purpose, to relevant material on the subject, to your hypothesis. In abbreviated form, an Introduction section might look like this:

“The purpose of the experiment was to test conventional ideas about solubility in the laboratory [purpose] . . . According to Whitecoat and Labrat (1999), at higher temperatures the molecules of solvents move more quickly . . . We know from the class lecture that molecules moving at higher rates of speed collide with one another more often and thus break down more easily [background material/motivation] . . . Thus, it was hypothesized that as the temperature of a solvent increases, the rate at which a solute will dissolve in that solvent increases [hypothesis].”

Again—these are guidelines, not commandments. Some writers and readers prefer different structures for the Introduction. The one above merely illustrates a common approach to organizing material.

How do I write a strong Materials and Methods section?

As with any piece of writing, your Methods section will succeed only if it fulfills its readers’ expectations, so you need to be clear in your own mind about the purpose of this section. Let’s review the purpose as we described it above: in this section, you want to describe in detail how you tested the hypothesis you developed and also to clarify the rationale for your procedure. In science, it’s not sufficient merely to design and carry out an experiment. Ultimately, others must be able to verify your findings, so your experiment must be reproducible, to the extent that other researchers can follow the same procedure and obtain the same (or similar) results.

Here’s a real-world example of the importance of reproducibility. In 1989, physicists Stanley Pons and Martin Fleischman announced that they had discovered “cold fusion,” a way of producing excess heat and power without the nuclear radiation that accompanies “hot fusion.” Such a discovery could have great ramifications for the industrial production of energy, so these findings created a great deal of interest. When other scientists tried to duplicate the experiment, however, they didn’t achieve the same results, and as a result many wrote off the conclusions as unjustified (or worse, a hoax). To this day, the viability of cold fusion is debated within the scientific community, even though an increasing number of researchers believe it possible. So when you write your Methods section, keep in mind that you need to describe your experiment well enough to allow others to replicate it exactly.

With these goals in mind, let’s consider how to write an effective Methods section in terms of content, structure, and style.

Sometimes the hardest thing about writing this section isn’t what you should talk about, but what you shouldn’t talk about. Writers often want to include the results of their experiment, because they measured and recorded the results during the course of the experiment. But such data should be reserved for the Results section. In the Methods section, you can write that you recorded the results, or how you recorded the results (e.g., in a table), but you shouldn’t write what the results were—not yet. Here, you’re merely stating exactly how you went about testing your hypothesis. As you draft your Methods section, ask yourself the following questions:

• How much detail? Be precise in providing details, but stay relevant. Ask yourself, “Would it make any difference if this piece were a different size or made from a different material?” If not, you probably don’t need to get too specific. If so, you should give as many details as necessary to prevent this experiment from going awry if someone else tries to carry it out. Probably the most crucial detail is measurement; you should always quantify anything you can, such as time elapsed, temperature, mass, volume, etc.
• Rationale: Be sure that as you’re relating your actions during the experiment, you explain your rationale for the protocol you developed. If you capped a test tube immediately after adding a solute to a solvent, why did you do that? (That’s really two questions: why did you cap it, and why did you cap it immediately?) In a professional setting, writers provide their rationale as a way to explain their thinking to potential critics. On one hand, of course, that’s your motivation for talking about protocol, too. On the other hand, since in practical terms you’re also writing to your teacher (who’s seeking to evaluate how well you comprehend the principles of the experiment), explaining the rationale indicates that you understand the reasons for conducting the experiment in that way, and that you’re not just following orders. Critical thinking is crucial—robots don’t make good scientists.
• Control: Most experiments will include a control, which is a means of comparing experimental results. (Sometimes you’ll need to have more than one control, depending on the number of hypotheses you want to test.) The control is exactly the same as the other items you’re testing, except that you don’t manipulate the independent variable-the condition you’re altering to check the effect on the dependent variable. For example, if you’re testing solubility rates at increased temperatures, your control would be a solution that you didn’t heat at all; that way, you’ll see how quickly the solute dissolves “naturally” (i.e., without manipulation), and you’ll have a point of reference against which to compare the solutions you did heat.

Describe the control in the Methods section. Two things are especially important in writing about the control: identify the control as a control, and explain what you’re controlling for. Here is an example:

“As a control for the temperature change, we placed the same amount of solute in the same amount of solvent, and let the solution stand for five minutes without heating it.”

Structure and style

Organization is especially important in the Methods section of a lab report because readers must understand your experimental procedure completely. Many writers are surprised by the difficulty of conveying what they did during the experiment, since after all they’re only reporting an event, but it’s often tricky to present this information in a coherent way. There’s a fairly standard structure you can use to guide you, and following the conventions for style can help clarify your points.

• Subsections: Occasionally, researchers use subsections to report their procedure when the following circumstances apply: 1) if they’ve used a great many materials; 2) if the procedure is unusually complicated; 3) if they’ve developed a procedure that won’t be familiar to many of their readers. Because these conditions rarely apply to the experiments you’ll perform in class, most undergraduate lab reports won’t require you to use subsections. In fact, many guides to writing lab reports suggest that you try to limit your Methods section to a single paragraph.
• Narrative structure: Think of this section as telling a story about a group of people and the experiment they performed. Describe what you did in the order in which you did it. You may have heard the old joke centered on the line, “Disconnect the red wire, but only after disconnecting the green wire,” where the person reading the directions blows everything to kingdom come because the directions weren’t in order. We’re used to reading about events chronologically, and so your readers will generally understand what you did if you present that information in the same way. Also, since the Methods section does generally appear as a narrative (story), you want to avoid the “recipe” approach: “First, take a clean, dry 100 ml test tube from the rack. Next, add 50 ml of distilled water.” You should be reporting what did happen, not telling the reader how to perform the experiment: “50 ml of distilled water was poured into a clean, dry 100 ml test tube.” Hint: most of the time, the recipe approach comes from copying down the steps of the procedure from your lab manual, so you may want to draft the Methods section initially without consulting your manual. Later, of course, you can go back and fill in any part of the procedure you inadvertently overlooked.
• Past tense: Remember that you’re describing what happened, so you should use past tense to refer to everything you did during the experiment. Writers are often tempted to use the imperative (“Add 5 g of the solid to the solution”) because that’s how their lab manuals are worded; less frequently, they use present tense (“5 g of the solid are added to the solution”). Instead, remember that you’re talking about an event which happened at a particular time in the past, and which has already ended by the time you start writing, so simple past tense will be appropriate in this section (“5 g of the solid were added to the solution” or “We added 5 g of the solid to the solution”).
• Active: We heated the solution to 80°C. (The subject, “we,” performs the action, heating.)
• Passive: The solution was heated to 80°C. (The subject, “solution,” doesn’t do the heating–it is acted upon, not acting.)

Increasingly, especially in the social sciences, using first person and active voice is acceptable in scientific reports. Most readers find that this style of writing conveys information more clearly and concisely. This rhetorical choice thus brings two scientific values into conflict: objectivity versus clarity. Since the scientific community hasn’t reached a consensus about which style it prefers, you may want to ask your lab instructor.

How do I write a strong Results section?

Here’s a paradox for you. The Results section is often both the shortest (yay!) and most important (uh-oh!) part of your report. Your Materials and Methods section shows how you obtained the results, and your Discussion section explores the significance of the results, so clearly the Results section forms the backbone of the lab report. This section provides the most critical information about your experiment: the data that allow you to discuss how your hypothesis was or wasn’t supported. But it doesn’t provide anything else, which explains why this section is generally shorter than the others.

Before you write this section, look at all the data you collected to figure out what relates significantly to your hypothesis. You’ll want to highlight this material in your Results section. Resist the urge to include every bit of data you collected, since perhaps not all are relevant. Also, don’t try to draw conclusions about the results—save them for the Discussion section. In this section, you’re reporting facts. Nothing your readers can dispute should appear in the Results section.

Most Results sections feature three distinct parts: text, tables, and figures. Let’s consider each part one at a time.

This should be a short paragraph, generally just a few lines, that describes the results you obtained from your experiment. In a relatively simple experiment, one that doesn’t produce a lot of data for you to repeat, the text can represent the entire Results section. Don’t feel that you need to include lots of extraneous detail to compensate for a short (but effective) text; your readers appreciate discrimination more than your ability to recite facts. In a more complex experiment, you may want to use tables and/or figures to help guide your readers toward the most important information you gathered. In that event, you’ll need to refer to each table or figure directly, where appropriate:

“Table 1 lists the rates of solubility for each substance”

“Solubility increased as the temperature of the solution increased (see Figure 1).”

If you do use tables or figures, make sure that you don’t present the same material in both the text and the tables/figures, since in essence you’ll just repeat yourself, probably annoying your readers with the redundancy of your statements.

Feel free to describe trends that emerge as you examine the data. Although identifying trends requires some judgment on your part and so may not feel like factual reporting, no one can deny that these trends do exist, and so they properly belong in the Results section. Example:

“Heating the solution increased the rate of solubility of polar solids by 45% but had no effect on the rate of solubility in solutions containing non-polar solids.”

This point isn’t debatable—you’re just pointing out what the data show.

As in the Materials and Methods section, you want to refer to your data in the past tense, because the events you recorded have already occurred and have finished occurring. In the example above, note the use of “increased” and “had,” rather than “increases” and “has.” (You don’t know from your experiment that heating always increases the solubility of polar solids, but it did that time.)

You shouldn’t put information in the table that also appears in the text. You also shouldn’t use a table to present irrelevant data, just to show you did collect these data during the experiment. Tables are good for some purposes and situations, but not others, so whether and how you’ll use tables depends upon what you need them to accomplish.

Tables are useful ways to show variation in data, but not to present a great deal of unchanging measurements. If you’re dealing with a scientific phenomenon that occurs only within a certain range of temperatures, for example, you don’t need to use a table to show that the phenomenon didn’t occur at any of the other temperatures. How useful is this table?

As you can probably see, no solubility was observed until the trial temperature reached 50°C, a fact that the text part of the Results section could easily convey. The table could then be limited to what happened at 50°C and higher, thus better illustrating the differences in solubility rates when solubility did occur.

As a rule, try not to use a table to describe any experimental event you can cover in one sentence of text. Here’s an example of an unnecessary table from How to Write and Publish a Scientific Paper , by Robert A. Day:

As Day notes, all the information in this table can be summarized in one sentence: “S. griseus, S. coelicolor, S. everycolor, and S. rainbowenski grew under aerobic conditions, whereas S. nocolor and S. greenicus required anaerobic conditions.” Most readers won’t find the table clearer than that one sentence.

When you do have reason to tabulate material, pay attention to the clarity and readability of the format you use. Here are a few tips:

• Number your table. Then, when you refer to the table in the text, use that number to tell your readers which table they can review to clarify the material.
• Give your table a title. This title should be descriptive enough to communicate the contents of the table, but not so long that it becomes difficult to follow. The titles in the sample tables above are acceptable.
• Arrange your table so that readers read vertically, not horizontally. For the most part, this rule means that you should construct your table so that like elements read down, not across. Think about what you want your readers to compare, and put that information in the column (up and down) rather than in the row (across). Usually, the point of comparison will be the numerical data you collect, so especially make sure you have columns of numbers, not rows.Here’s an example of how drastically this decision affects the readability of your table (from A Short Guide to Writing about Chemistry , by Herbert Beall and John Trimbur). Look at this table, which presents the relevant data in horizontal rows:

It’s a little tough to see the trends that the author presumably wants to present in this table. Compare this table, in which the data appear vertically:

The second table shows how putting like elements in a vertical column makes for easier reading. In this case, the like elements are the measurements of length and height, over five trials–not, as in the first table, the length and height measurements for each trial.

• Make sure to include units of measurement in the tables. Readers might be able to guess that you measured something in millimeters, but don’t make them try.
• Don’t use vertical lines as part of the format for your table. This convention exists because journals prefer not to have to reproduce these lines because the tables then become more expensive to print. Even though it’s fairly unlikely that you’ll be sending your Biology 11 lab report to Science for publication, your readers still have this expectation. Consequently, if you use the table-drawing option in your word-processing software, choose the option that doesn’t rely on a “grid” format (which includes vertical lines).

How do I include figures in my report?

Although tables can be useful ways of showing trends in the results you obtained, figures (i.e., illustrations) can do an even better job of emphasizing such trends. Lab report writers often use graphic representations of the data they collected to provide their readers with a literal picture of how the experiment went.

When should you use a figure?

Remember the circumstances under which you don’t need a table: when you don’t have a great deal of data or when the data you have don’t vary a lot. Under the same conditions, you would probably forgo the figure as well, since the figure would be unlikely to provide your readers with an additional perspective. Scientists really don’t like their time wasted, so they tend not to respond favorably to redundancy.

If you’re trying to decide between using a table and creating a figure to present your material, consider the following a rule of thumb. The strength of a table lies in its ability to supply large amounts of exact data, whereas the strength of a figure is its dramatic illustration of important trends within the experiment. If you feel that your readers won’t get the full impact of the results you obtained just by looking at the numbers, then a figure might be appropriate.

Of course, an undergraduate class may expect you to create a figure for your lab experiment, if only to make sure that you can do so effectively. If this is the case, then don’t worry about whether to use figures or not—concentrate instead on how best to accomplish your task.

Figures can include maps, photographs, pen-and-ink drawings, flow charts, bar graphs, and section graphs (“pie charts”). But the most common figure by far, especially for undergraduates, is the line graph, so we’ll focus on that type in this handout.

At the undergraduate level, you can often draw and label your graphs by hand, provided that the result is clear, legible, and drawn to scale. Computer technology has, however, made creating line graphs a lot easier. Most word-processing software has a number of functions for transferring data into graph form; many scientists have found Microsoft Excel, for example, a helpful tool in graphing results. If you plan on pursuing a career in the sciences, it may be well worth your while to learn to use a similar program.

Computers can’t, however, decide for you how your graph really works; you have to know how to design your graph to meet your readers’ expectations. Here are some of these expectations:

• Keep it as simple as possible. You may be tempted to signal the complexity of the information you gathered by trying to design a graph that accounts for that complexity. But remember the purpose of your graph: to dramatize your results in a manner that’s easy to see and grasp. Try not to make the reader stare at the graph for a half hour to find the important line among the mass of other lines. For maximum effectiveness, limit yourself to three to five lines per graph; if you have more data to demonstrate, use a set of graphs to account for it, rather than trying to cram it all into a single figure.
• Plot the independent variable on the horizontal (x) axis and the dependent variable on the vertical (y) axis. Remember that the independent variable is the condition that you manipulated during the experiment and the dependent variable is the condition that you measured to see if it changed along with the independent variable. Placing the variables along their respective axes is mostly just a convention, but since your readers are accustomed to viewing graphs in this way, you’re better off not challenging the convention in your report.
• Label each axis carefully, and be especially careful to include units of measure. You need to make sure that your readers understand perfectly well what your graph indicates.
• Number and title your graphs. As with tables, the title of the graph should be informative but concise, and you should refer to your graph by number in the text (e.g., “Figure 1 shows the increase in the solubility rate as a function of temperature”).
• Many editors of professional scientific journals prefer that writers distinguish the lines in their graphs by attaching a symbol to them, usually a geometric shape (triangle, square, etc.), and using that symbol throughout the curve of the line. Generally, readers have a hard time distinguishing dotted lines from dot-dash lines from straight lines, so you should consider staying away from this system. Editors don’t usually like different-colored lines within a graph because colors are difficult and expensive to reproduce; colors may, however, be great for your purposes, as long as you’re not planning to submit your paper to Nature. Use your discretion—try to employ whichever technique dramatizes the results most effectively.
• Try to gather data at regular intervals, so the plot points on your graph aren’t too far apart. You can’t be sure of the arc you should draw between the plot points if the points are located at the far corners of the graph; over a fifteen-minute interval, perhaps the change occurred in the first or last thirty seconds of that period (in which case your straight-line connection between the points is misleading).
• If you’re worried that you didn’t collect data at sufficiently regular intervals during your experiment, go ahead and connect the points with a straight line, but you may want to examine this problem as part of your Discussion section.
• Make your graph large enough so that everything is legible and clearly demarcated, but not so large that it either overwhelms the rest of the Results section or provides a far greater range than you need to illustrate your point. If, for example, the seedlings of your plant grew only 15 mm during the trial, you don’t need to construct a graph that accounts for 100 mm of growth. The lines in your graph should more or less fill the space created by the axes; if you see that your data is confined to the lower left portion of the graph, you should probably re-adjust your scale.
• If you create a set of graphs, make them the same size and format, including all the verbal and visual codes (captions, symbols, scale, etc.). You want to be as consistent as possible in your illustrations, so that your readers can easily make the comparisons you’re trying to get them to see.

How do I write a strong Discussion section?

The discussion section is probably the least formalized part of the report, in that you can’t really apply the same structure to every type of experiment. In simple terms, here you tell your readers what to make of the Results you obtained. If you have done the Results part well, your readers should already recognize the trends in the data and have a fairly clear idea of whether your hypothesis was supported. Because the Results can seem so self-explanatory, many students find it difficult to know what material to add in this last section.

Basically, the Discussion contains several parts, in no particular order, but roughly moving from specific (i.e., related to your experiment only) to general (how your findings fit in the larger scientific community). In this section, you will, as a rule, need to:

Explain whether the data support your hypothesis

• Acknowledge any anomalous data or deviations from what you expected

Derive conclusions, based on your findings, about the process you’re studying

• Relate your findings to earlier work in the same area (if you can)

Explore the theoretical and/or practical implications of your findings

Let’s look at some dos and don’ts for each of these objectives.

This statement is usually a good way to begin the Discussion, since you can’t effectively speak about the larger scientific value of your study until you’ve figured out the particulars of this experiment. You might begin this part of the Discussion by explicitly stating the relationships or correlations your data indicate between the independent and dependent variables. Then you can show more clearly why you believe your hypothesis was or was not supported. For example, if you tested solubility at various temperatures, you could start this section by noting that the rates of solubility increased as the temperature increased. If your initial hypothesis surmised that temperature change would not affect solubility, you would then say something like,

“The hypothesis that temperature change would not affect solubility was not supported by the data.”

Note: Students tend to view labs as practical tests of undeniable scientific truths. As a result, you may want to say that the hypothesis was “proved” or “disproved” or that it was “correct” or “incorrect.” These terms, however, reflect a degree of certainty that you as a scientist aren’t supposed to have. Remember, you’re testing a theory with a procedure that lasts only a few hours and relies on only a few trials, which severely compromises your ability to be sure about the “truth” you see. Words like “supported,” “indicated,” and “suggested” are more acceptable ways to evaluate your hypothesis.

Also, recognize that saying whether the data supported your hypothesis or not involves making a claim to be defended. As such, you need to show the readers that this claim is warranted by the evidence. Make sure that you’re very explicit about the relationship between the evidence and the conclusions you draw from it. This process is difficult for many writers because we don’t often justify conclusions in our regular lives. For example, you might nudge your friend at a party and whisper, “That guy’s drunk,” and once your friend lays eyes on the person in question, she might readily agree. In a scientific paper, by contrast, you would need to defend your claim more thoroughly by pointing to data such as slurred words, unsteady gait, and the lampshade-as-hat. In addition to pointing out these details, you would also need to show how (according to previous studies) these signs are consistent with inebriation, especially if they occur in conjunction with one another. To put it another way, tell your readers exactly how you got from point A (was the hypothesis supported?) to point B (yes/no).

Acknowledge any anomalous data, or deviations from what you expected

You need to take these exceptions and divergences into account, so that you qualify your conclusions sufficiently. For obvious reasons, your readers will doubt your authority if you (deliberately or inadvertently) overlook a key piece of data that doesn’t square with your perspective on what occurred. In a more philosophical sense, once you’ve ignored evidence that contradicts your claims, you’ve departed from the scientific method. The urge to “tidy up” the experiment is often strong, but if you give in to it you’re no longer performing good science.

Sometimes after you’ve performed a study or experiment, you realize that some part of the methods you used to test your hypothesis was flawed. In that case, it’s OK to suggest that if you had the chance to conduct your test again, you might change the design in this or that specific way in order to avoid such and such a problem. The key to making this approach work, though, is to be very precise about the weakness in your experiment, why and how you think that weakness might have affected your data, and how you would alter your protocol to eliminate—or limit the effects of—that weakness. Often, inexperienced researchers and writers feel the need to account for “wrong” data (remember, there’s no such animal), and so they speculate wildly about what might have screwed things up. These speculations include such factors as the unusually hot temperature in the room, or the possibility that their lab partners read the meters wrong, or the potentially defective equipment. These explanations are what scientists call “cop-outs,” or “lame”; don’t indicate that the experiment had a weakness unless you’re fairly certain that a) it really occurred and b) you can explain reasonably well how that weakness affected your results.

If, for example, your hypothesis dealt with the changes in solubility at different temperatures, then try to figure out what you can rationally say about the process of solubility more generally. If you’re doing an undergraduate lab, chances are that the lab will connect in some way to the material you’ve been covering either in lecture or in your reading, so you might choose to return to these resources as a way to help you think clearly about the process as a whole.

This part of the Discussion section is another place where you need to make sure that you’re not overreaching. Again, nothing you’ve found in one study would remotely allow you to claim that you now “know” something, or that something isn’t “true,” or that your experiment “confirmed” some principle or other. Hesitate before you go out on a limb—it’s dangerous! Use less absolutely conclusive language, including such words as “suggest,” “indicate,” “correspond,” “possibly,” “challenge,” etc.

Relate your findings to previous work in the field (if possible)

We’ve been talking about how to show that you belong in a particular community (such as biologists or anthropologists) by writing within conventions that they recognize and accept. Another is to try to identify a conversation going on among members of that community, and use your work to contribute to that conversation. In a larger philosophical sense, scientists can’t fully understand the value of their research unless they have some sense of the context that provoked and nourished it. That is, you have to recognize what’s new about your project (potentially, anyway) and how it benefits the wider body of scientific knowledge. On a more pragmatic level, especially for undergraduates, connecting your lab work to previous research will demonstrate to the TA that you see the big picture. You have an opportunity, in the Discussion section, to distinguish yourself from the students in your class who aren’t thinking beyond the barest facts of the study. Capitalize on this opportunity by putting your own work in context.

If you’re just beginning to work in the natural sciences (as a first-year biology or chemistry student, say), most likely the work you’ll be doing has already been performed and re-performed to a satisfactory degree. Hence, you could probably point to a similar experiment or study and compare/contrast your results and conclusions. More advanced work may deal with an issue that is somewhat less “resolved,” and so previous research may take the form of an ongoing debate, and you can use your own work to weigh in on that debate. If, for example, researchers are hotly disputing the value of herbal remedies for the common cold, and the results of your study suggest that Echinacea diminishes the symptoms but not the actual presence of the cold, then you might want to take some time in the Discussion section to recapitulate the specifics of the dispute as it relates to Echinacea as an herbal remedy. (Consider that you have probably already written in the Introduction about this debate as background research.)

This information is often the best way to end your Discussion (and, for all intents and purposes, the report). In argumentative writing generally, you want to use your closing words to convey the main point of your writing. This main point can be primarily theoretical (“Now that you understand this information, you’re in a better position to understand this larger issue”) or primarily practical (“You can use this information to take such and such an action”). In either case, the concluding statements help the reader to comprehend the significance of your project and your decision to write about it.

Since a lab report is argumentative—after all, you’re investigating a claim, and judging the legitimacy of that claim by generating and collecting evidence—it’s often a good idea to end your report with the same technique for establishing your main point. If you want to go the theoretical route, you might talk about the consequences your study has for the field or phenomenon you’re investigating. To return to the examples regarding solubility, you could end by reflecting on what your work on solubility as a function of temperature tells us (potentially) about solubility in general. (Some folks consider this type of exploration “pure” as opposed to “applied” science, although these labels can be problematic.) If you want to go the practical route, you could end by speculating about the medical, institutional, or commercial implications of your findings—in other words, answer the question, “What can this study help people to do?” In either case, you’re going to make your readers’ experience more satisfying, by helping them see why they spent their time learning what you had to teach them.

Works consulted

We consulted these works while writing this handout. This is not a comprehensive list of resources on the handout’s topic, and we encourage you to do your own research to find additional publications. Please do not use this list as a model for the format of your own reference list, as it may not match the citation style you are using. For guidance on formatting citations, please see the UNC Libraries citation tutorial . We revise these tips periodically and welcome feedback.

American Psychological Association. 2010. Publication Manual of the American Psychological Association . 6th ed. Washington, DC: American Psychological Association.

Beall, Herbert, and John Trimbur. 2001. A Short Guide to Writing About Chemistry , 2nd ed. New York: Longman.

Blum, Deborah, and Mary Knudson. 1997. A Field Guide for Science Writers: The Official Guide of the National Association of Science Writers . New York: Oxford University Press.

Booth, Wayne C., Gregory G. Colomb, Joseph M. Williams, Joseph Bizup, and William T. FitzGerald. 2016. The Craft of Research , 4th ed. Chicago: University of Chicago Press.

Briscoe, Mary Helen. 1996. Preparing Scientific Illustrations: A Guide to Better Posters, Presentations, and Publications , 2nd ed. New York: Springer-Verlag.

Council of Science Editors. 2014. Scientific Style and Format: The CSE Manual for Authors, Editors, and Publishers , 8th ed. Chicago & London: University of Chicago Press.

Davis, Martha. 2012. Scientific Papers and Presentations , 3rd ed. London: Academic Press.

Day, Robert A. 1994. How to Write and Publish a Scientific Paper , 4th ed. Phoenix: Oryx Press.

Porush, David. 1995. A Short Guide to Writing About Science . New York: Longman.

Williams, Joseph, and Joseph Bizup. 2017. Style: Lessons in Clarity and Grace , 12th ed. Boston: Pearson.

You may reproduce it for non-commercial use if you use the entire handout and attribute the source: The Writing Center, University of North Carolina at Chapel Hill

Make a Gift

• Science Notes Posts
• Contact Science Notes
• Todd Helmenstine Biography
• Anne Helmenstine Biography
• Free Printable Periodic Tables (PDF and PNG)
• Periodic Table Wallpapers
• Interactive Periodic Table
• Periodic Table Posters
• How to Grow Crystals
• Chemistry Projects
• Fire and Flames Projects
• Holiday Science
• Chemistry Problems With Answers
• Physics Problems
• Unit Conversion Example Problems
• Chemistry Worksheets
• Biology Worksheets
• Periodic Table Worksheets
• Physical Science Worksheets
• Science Lab Worksheets
• My Amazon Books

Lab Report Format – How to Write a Laboratory Report

A science laboratory experiment isn’t truly complete until you’ve written the lab report. You may have taken excellent notes in your laboratory notebook, but it isn’t the same as a lab report. The lab report format is designed to present experimental results so they can be shared with others. A well-written report explains what you did, why you did it, and what you learned. It should also generate reader interest, potentially leading to peer-reviewed publication and funding.

Sections of a Lab Report

There is no one lab report format. The format and sections might be specified by your instructor or employer. What really matters is covering all of the important information.

Label the sections (except the title). Use bold face type for the title and headings. The order is:

You may or may not be expected to provide a title page. If it is required, the title page includes the title of the experiment, the names of the researchers, the name of the institution, and the date.

The title describes the experiment. Don’t start it with an article (e.g., the, an, a) because it messes up databases and isn’t necessary. For example, a good title might be, “Effect of Increasing Glucose Concentration on Danio rerio Egg Hatching Rates.” Use title case and italicize the scientific names of any species.

Introduction

Sometimes the introduction is broken into separate sections. Otherwise, it’s written as a narrative that includes the following information:

• State the purpose of the experiment.
• State the hypothesis.
• Review earlier work on the subject. Refer to previous studies. Cover the background so a reader understands what is known about a subject and what you hope to learn that is new.
• Describe your approach to answering a question or solving a problem. Include a theory or equation, if appropriate.

This section describes experimental design. Identify the parameter you changed ( independent variable ) and the one you measured ( dependent variable ). Describe the equipment and set-up you used, materials, and methods. If a reader can’t picture the apparatus from your description, include a photograph or diagram. Sometimes this section is broken into “Materials” and “Methods.”

Your lab notebook contains all of the data you collected in the experiment. You aren’t expected to reproduce all of this in a lab report. Instead, provide labelled tables and graphs. The first figure is Figure 1, the second is Figure 2, etc. The first graph is Graph 1. Refer to figures and graphs by their figure number. For some experiments, you may need to include labelled photographs. Cite the results of any calculations you performed, such as slope and standard deviation. Discuss sources of error here, including instrument, standard, and random errors.

Discussion or Conclusions

While the “Results” section includes graphs and tables, the “Discussion” or “Conclusions” section focuses on what the results mean. This is where you state whether or not the objective of the experiment was met and what the outcome means.  Propose reasons for discrepancies between expected and actual outcomes. Finally, describe the next logical step in your research and ways you might improve on the experiment.

References or Bibliography

Did you build upon work conducted by someone else? Cite the work. Did you consult a paper relating to the experiment? Credit the author. If you’re unsure whether to cite a reference or not, a good rule of thumb is to include a reference for any fact not known to your audience. For some reports, it’s only necessary to list publications directly relating to your procedure and conclusions.

The Tone of a Lab Report

Lab reports should be informative, not entertaining. This isn’t the place for humor, sarcasm, or flowery prose. A lab report should be:

• Concise : Cover all the key points without getting crazy with the details.
• Objective : In the “Conclusions” section, you can propose possible explanations for your results. Otherwise, keep your opinions out of the report. Instead, present facts and an analysis based on logic and math.
• Critical : After presenting what you did, the report focuses on what the data means. Be on the lookout for sources of error and identify them. Use your understanding of error to determine how reliable your results are and gauge confidence in your conclusions.

Related Posts

• Phoenix College

Lab Report Writing

• Introduction
• Lab Report Style
• Lab Report Format

Introduction of Your Lab Report

Test yourself (introduction).

• Materials and Methods
• Discussion/Conclusion

The introduction of your lab report is a chance for you to "hook" the reader and preview the important details you'll be talking about in the later sections of the paper. It's kind of like the first paragraph in a short story or the first act of a play. While the abstract was a very short summary of the entire paper, the introduction will be a longer section with more detail. It could be anywhere from three or four paragraphs to a couple pages long, depending on the complexity of the topic and, of course, the requirements of your instructor. Here are some tips for organizing your introduction :

• Start off with a very broad introduction to the topic. For instance, let's say you are writing a lab report about an experiment where you tested the effect of temperature on the enzyme catalase. You should start the introduction by talking about what enzymes are and how they work.
• Next, narrow down the introduction to talk more specifically about the topic you are investigating, and why the study you did was so important. In the catalase example, you should now talk specifically about what the catalase enzyme does, where it is found, how it works, and why it is important enzyme to study how temperature affects this enzyme.
• The introduction should also include a literature review t hat discusses what is already known about the topic. This where you will summarize the research you have done about your topic. Make sure you properly cite all of the sources you used in your research.
• Finally, state the purpose of the study, the hypothesis you tested in your study, and/or the question(s) you were trying to answer.

The introduction should not include details about the procedures you used in your study. Save these for the Materials and Methods section. You should also leave out the results, which will go in the Results section.

Introduction Osteoporotic fractures , particularly hip fractures, constitute a large and growing problem worldwide, in both women and men, with a profound impact on quality of life [1] and mortality [2]. The fracture risk is influenced both by the genetic constitution and by environmental factors, with lifestyle becoming more important with increasing age [3]. Physical activity, one conceivable and modifiable risk factor, can prevent fractures by improving muscle mass and balance, and by increasing skeletal strength, and thus reducing the risk of injurious falls [4,5]. However, the clinical relevance regarding exercise for maintaining or improving bone mineral density in adult men cannot be determined from existing studies [6,7]. The investigation of the effects of physical activity on the most important outcome—fracture risk—should ideally be evaluated in a randomized study , but this design is unlikely to ever be well performed owing to methodological issues, e.g., study size, compliance, drop-outs, blinding and long-term follow-up. Therefore, it is not surprising that there are no randomized trials in this area. Although moderate levels of leisure physical activity, such as walking, are associated with a substantially lower risk of hip fracture in postmenopausa l women [8], data from prospective observational fracture studies in men are inconsistent. Whereas some studies in men report significant reductions in risk with a high physical activity [9–12], others do not [13–17]. Lack of validation and the absence of regular assessment of physical activity during follow-up may be factors that explain these contradictory results. The analyses in the positive reports have involved few osteoporotic fractures, and no consistent dose-response pattern has been detected. In addition, only a few studies have taken possible confounding by poor health into account, and in none of the studies has it been considered that changes in physical activity and other lifestyle habits might have occurred during follow-up. Thus, it is uncertain whether, to what extent, and at what level physical activity influences the risk of osteoporotic fractures in men. This study therefore investigated the impact of physical activity on the risk of fracture in a population-based cohort of men followed over a 35-y period. EXPLANATION OF EXAMPLE In the first paragraph of this introduction we learned some general information about bone fractures. The second paragraph narrowed the discussion down to talk specifically about how exercise is related to bone fractures. The third paragraph tells us why the current study is so important. The final paragraph starts off with a literature review telling us what sorts of previous studies have been performed on this topic. The last sentence then gives us the purpose of the current study.  The numbers in brackets are citations for papers that would be listed at the end of the paper, in the References or Works Cited section. Hover your cursor over highlighted terms for the definition.

What information should be included in the Introduction of a lab report?  Which of these answers are correct?

a. The purpose of the study b. General information about the topic being investigated c. Specific details about how the study was done d. The conclusions you have made based on the results of your study e. A literature review that summarizes what is already known about the topic.

A, B, E The introduction should not include details about procedures, results, or conclusions. These will be included in later sections of the paper

Click on the question, to see the answer.

• << Previous: Lab Report Format
• Next: Materials and Methods >>
• Last Updated: Jan 13, 2022 10:50 AM
• URL: https://phoenixcollege.libguides.com/LabReportWriting

Purdue Online Writing Lab Purdue OWL® College of Liberal Arts

Writing the Experimental Report: Overview, Introductions, and Literature Reviews

Welcome to the Purdue OWL

This page is brought to you by the OWL at Purdue University. When printing this page, you must include the entire legal notice.

Copyright ©1995-2018 by The Writing Lab & The OWL at Purdue and Purdue University. All rights reserved. This material may not be published, reproduced, broadcast, rewritten, or redistributed without permission. Use of this site constitutes acceptance of our terms and conditions of fair use.

Experimental reports (also known as "lab reports") are reports of empirical research conducted by their authors. You should think of an experimental report as a "story" of your research in which you lead your readers through your experiment. As you are telling this story, you are crafting an argument about both the validity and reliability of your research, what your results mean, and how they fit into other previous work.

These next two sections provide an overview of the experimental report in APA format. Always check with your instructor, advisor, or journal editor for specific formatting guidelines.

General-specific-general format

Experimental reports follow a general to specific to general pattern. Your report will start off broadly in your introduction and discussion of the literature; the report narrows as it leads up to your specific hypotheses, methods, and results. Your discussion transitions from talking about your specific results to more general ramifications, future work, and trends relating to your research.

Experimental reports in APA format have a title page. Title page formatting is as follows:

• A running head and page number in the upper right corner (right aligned)
• A definition of running head in IN ALL CAPS below the running head (left aligned)
• Vertically and horizontally centered paper title, followed by author and affiliation

Please see our sample APA title page .

Crafting your story

Before you begin to write, carefully consider your purpose in writing: what is it that you discovered, would like to share, or would like to argue? You can see report writing as crafting a story about your research and your findings. Consider the following.

• What is the story you would like to tell?
• What literature best speaks to that story?
• How do your results tell the story?
• How can you discuss the story in broad terms?

During each section of your paper, you should be focusing on your story. Consider how each sentence, each paragraph, and each section contributes to your overall purpose in writing. Here is a description of one student's process.

Briel is writing an experimental report on her results from her experimental psychology lab class. She was interested in looking at the role gender plays in persuading individuals to take financial risks. After her data analysis, she finds that men are more easily persuaded by women to take financial risks and that men are generally willing to take more financial risks.

When Briel begins to write, she focuses her introduction on financial risk taking and gender, focusing on male behaviors. She then presents relevant literature on financial risk taking and gender that help illuminate her own study, but also help demonstrate the need for her own work. Her introduction ends with a study overview that directly leads from the literature review. Because she has already broadly introduced her study through her introduction and literature review, her readers can anticipate where she is going when she gets to her study overview. Her methods and results continue that story. Finally, her discussion concludes that story, discussing her findings, implications of her work, and the need for more research in the area of gender and financial risk taking.

The abstract gives a concise summary of the contents of the report.

• Abstracts should be brief (about 100 words)
• Abstracts should be self-contained and provide a complete picture of what the study is about
• Abstracts should be organized just like your experimental report—introduction, literature review, methods, results and discussion
• Abstracts should be written last during your drafting stage

Introduction

The introduction in an experimental article should follow a general to specific pattern, where you first introduce the problem generally and then provide a short overview of your own study. The introduction includes three parts: opening statements, literature review, and study overview.

Opening statements: Define the problem broadly in plain English and then lead into the literature review (this is the "general" part of the introduction). Your opening statements should already be setting the stage for the story you are going to tell.

Literature review: Discusses literature (previous studies) relevant to your current study in a concise manner. Keep your story in mind as you organize your lit review and as you choose what literature to include. The following are tips when writing your literature review.

• You should discuss studies that are directly related to your problem at hand and that logically lead to your own hypotheses.
• You do not need to provide a complete historical overview nor provide literature that is peripheral to your own study.
• Studies should be presented based on themes or concepts relevant to your research, not in a chronological format.
• You should also consider what gap in the literature your own research fills. What hasn't been examined? What does your work do that others have not?

Study overview: The literature review should lead directly into the last section of the introduction—your study overview. Your short overview should provide your hypotheses and briefly describe your method. The study overview functions as a transition to your methods section.

You should always give good, descriptive names to your hypotheses that you use consistently throughout your study. When you number hypotheses, readers must go back to your introduction to find them, which makes your piece more difficult to read. Using descriptive names reminds readers what your hypotheses were and allows for better overall flow.

In our example above, Briel had three different hypotheses based on previous literature. Her first hypothesis, the "masculine risk-taking hypothesis" was that men would be more willing to take financial risks overall. She clearly named her hypothesis in the study overview, and then referred back to it in her results and discussion sections.

Thais and Sanford (2000) recommend the following organization for introductions.

• Provide an introduction to your topic
• Provide a very concise overview of the literature
• State your hypotheses and how they connect to the literature
• Provide an overview of the methods for investigation used in your research

Bem (2006) provides the following rules of thumb for writing introductions.

• Write in plain English
• Take the time and space to introduce readers to your problem step-by-step; do not plunge them into the middle of the problem without an introduction
• Use examples to illustrate difficult or unfamiliar theories or concepts. The more complicated the concept or theory, the more important it is to have clear examples
• Open with a discussion about people and their behavior, not about psychologists and their research

• Departments and Units
• Majors and Minors
• LSA Course Guide
• LSA Gateway

Search: {{$root.lsaSearchQuery.q}}, Page {{$root.page}}

• Accessibility
• Undergraduates
• Instructors
• Alums & Friends

• ★ Writing Support
• Minor in Writing
• First-Year Writing Requirement
• Transfer Students
• Writing Guides
• Peer Writing Consultant Program
• Upper-Level Writing Requirement
• Writing Prizes
• International Students
• ★ The Writing Workshop
• Dissertation ECoach
• Fellows Seminar
• Dissertation Writing Groups
• Rackham / Sweetland Workshops
• Dissertation Writing Institute
• Guides to Teaching Writing
• Teaching Support and Services
• Support for FYWR Courses
• Support for ULWR Courses
• Writing Prize Nominating
• Alums Gallery
• Commencement Archive
• Giving Opportunities
• How Do I Present Findings From My Experiment in a Report?
• How Do I Make Sure I Understand an Assignment?
• How Do I Decide What I Should Argue?
• How Can I Create Stronger Analysis?
• How Do I Effectively Integrate Textual Evidence?
• How Do I Write a Great Title?
• What Exactly is an Abstract?
• What is a Run-on Sentence & How Do I Fix It?
• How Do I Check the Structure of My Argument?
• How Do I Write an Intro, Conclusion, & Body Paragraph?
• How Do I Incorporate Quotes?
• How Can I Create a More Successful Powerpoint?
• How Can I Create a Strong Thesis?
• How Can I Write More Descriptively?
• How Do I Incorporate a Counterargument?
• How Do I Check My Citations?

See the bottom of the main Writing Guides page for licensing information.

Many believe that a scientist’s most difficult job is not conducting an experiment but presenting the results in an effective and coherent way. Even when your methods and technique are sound and your notes are comprehensive, writing a report can be a challenge because organizing and communicating scientific findings requires patience and a thorough grasp of certain conventions. Having a clear understanding of the typical goals and strategies for writing an effective lab report can make the process much less troubling.

General Considerations

It is useful to note that effective scientific writing serves the same purpose that your lab report should. Good scientific writing explains:

• The goal(s) of your experiment
• How you performed the experiment
• The results you obtained
• Why these results are important

While it’s unlikely that you’re going to win the Nobel Prize for your work in an undergraduate laboratory course, tailoring your writing strategies in imitation of professional journals is easier than you might think, since they all follow a consistent pattern. However, your instructor has the final say in determining how your report should be structured and what should appear in each section. Please use the following explanations only to supplement your given writing criteria, rather than thinking of them as an indication of how all lab reports must be written.

In Practice

The Structure of a Report

The traditional experimental report is structured using the acronym “IMRAD” which stands for I ntroduction, M ethods, R esults and D iscussion. The “ A ” is sometimes used to stand for A bstract. For help writing abstracts, please see Sweetland’s resource entitled “What is an abstract, and how do I write one?”

Introduction: “What am I doing here?” The introduction should accomplish what any good introduction does: draw the reader into the paper. To simplify things, follow the “inverted pyramid” structure, which involves narrowing information from the most broad (providing context for your experiment’s place in science) to the most specific (what exactly your experiment is about). Consider the example below.

Most broad: “Caffeine is a mild stimulant that is found in many common beverages, including coffee.”

Less broad: “Common reactions to caffeine use include increased heart rate and increased respiratory rate.”

Slightly more specific (moving closer to your experiment): Previous research has shown that people who consume multiple caffeinated beverages per day are also more likely to be irritable.

Most specific (your experiment): This study examines the emotional states of college students (ages 18-22) after they have consumed three cups of coffee each day.

See how that worked? Each idea became slightly more focused, ending with a brief description of your particular experiment. Here are a couple more tips to keep in mind when writing an introduction:

• Include an overview of the topic in question, including relevant literature A good example: “In 1991, Rogers and Hammerstein concluded that drinking coffee improves alertness and mental focus (citation 1991).
• Explain what your experiment might contribute to past findings A good example: “Despite these established benefits, coffee may negatively impact mood and behavior. This study aims to investigate the emotions of college coffee drinkers during finals week.”
• Keep the introduction brief There’s no real advantage to writing a long introduction. Most people reading your paper already know what coffee is, and where it comes from, so what’s the point of giving them a detailed history of the coffee bean? A good example: “Caffeine is a psychoactive stimulant, much like nicotine.” (Appropriate information, because it gives context to caffeine—the molecule of study) A bad example: “Some of the more popular coffee drinks in America include cappuccinos, lattés, and espresso.” (Inappropriate for your introduction. This information is useless for your audience, because not only is it already familiar, but it doesn’t mention anything about caffeine or its effects, which is the reason that you’re doing the experiment.)
• Avoid giving away the detailed technique and data you gathered in your experiment A good example: “A sample of coffee-drinking college students was observed during end-of-semester exams.” ( Appropriate for an introduction ) A bad example: “25 college students were studied, and each given 10oz of premium dark roast coffee (containing 175mg caffeine/serving, except for Folgers, which has significantly lower caffeine content) three times a day through a plastic straw, with intervals of two hours, for three weeks.” ( Too detailed for an intro. More in-depth information should appear in your “Methods” or “Results” sections. )

Methods: “Where am I going to get all that coffee…?”

A “methods” section should include all the information necessary for someone else to recreate your experiment. Your experimental notes will be very useful for this section of the report. More or less, this section will resemble a recipe for your experiment. Don’t concern yourself with writing clever, engaging prose. Just say what you did, as clearly as possible. Address the types of questions listed below:

• Where did you perform the experiment? (This one is especially important in field research— work done outside the laboratory.)
• How much did you use? (Be precise.)
• Did you change anything about them? (i.e. Each 5 oz of coffee was diluted with 2 oz distilled water.)
• Did you use any special method for recording data? (i.e. After drinking coffee, students’ happiness was measured using the Walter Gumdrop Rating System, on a scale of 1-10.)
• Did you use any techniques/methods that are significant for the research? (i.e. Maybe you did a double blinded experiment with X and Y as controls. Was your control a placebo? Be specific.)
• Any unusual/unique methods for collecting data? If so, why did you use them?

After you have determined the basic content for your “methods” section, consider these other tips:

• Decide between using active or passive voice

There has been much debate over the use of passive voice in scientific writing. “Passive voice” is when the subject of a sentence is the recipient of the action.

• For example: Coffee was given to the students.

“Active voice” is when the subject of a sentence performs the action.

• For example: I gave coffee to the students.

The merits of using passive voice are obvious in some cases. For instance, scientific reports are about what is being studied, and not about YOU. Using too many personal pronouns can make your writing sound more like a narrative and less like a report. For that reason, many people recommend using passive voice to create a more objective, professional tone, emphasizing what was done TO your subject. However, active voice is becoming increasingly common in scientific writing, especially in social sciences, so the ultimate decision of passive vs. active voice is up to you (and whoever is grading your report).

• Units are important When using numbers, it is important to always list units, and keep them consistent throughout the section. There is a big difference between giving someone 150 milligrams of coffee and 150 grams of coffee—the first will keep you awake for a while, and the latter will put you to sleep indefinitely. So make sure you’re consistent in this regard.
• Don’t needlessly explain common techniques If you’re working in a chemistry lab, for example, and you want to take the melting point of caffeine, there’s no point saying “I used the “Melting point-ometer 3000” to take a melting point of caffeine. First I plugged it in…then I turned it on…” Your reader can extrapolate these techniques for him or herself, so a simple “Melting point was recorded” will work just fine.
• If it isn’t important to your results, don’t include it No one cares if you bought the coffee for your experiment on “3 dollar latte day”. The price of the coffee won’t affect the outcome of your experiment, so don’t bore your reader with it. Simply record all the things that WILL affect your results (i.e. masses, volumes, numbers of trials, etc).

Results: The only thing worth reading?

The “results” section is the place to tell your reader what you observed. However, don’t do anything more than “tell.” Things like explaining and analyzing belong in your discussion section. If you find yourself using words like “because” or “which suggests” in your results section, then STOP! You’re giving too much analysis.

A good example: “In this study, 50% of subjects exhibited symptoms of increased anger and annoyance in response to hearing Celine Dion music.” ( Appropriate for a “results” section—it doesn’t get caught up in explaining WHY they were annoyed. )

In your “results” section, you should:

• Display facts and figures in tables and graphs whenever possible. Avoid listing results like “In trial one, there were 5 students out of 10 who showed irritable behavior in response to caffeine. In trial two…” Instead, make a graph or table. Just be sure to label it so you can refer to it in your writing (i.e. “As Table 1 shows, the number of swear words spoken by students increased in proportion to the amount of coffee consumed.”) Likewise, be sure to label every axis/heading on a chart or graph (a good visual representation can be understood on its own without any textual explanation). The following example clearly shows what happened during each trial of an experiment, making the trends visually apparent, and thus saving the experimenter from having to explain each trial with words.
• Identify only the most significant trends. Don’t try to include every single bit of data in this section, because much of it won’t be relevant to your hypothesis. Just pick out the biggest trends, or what is most significant to your goals.

Discussion: “What does it all mean?”

The “discussion” section is intended to explain to your reader what your data can be interpreted to mean. As with all science, the goal for your report is simply to provide evidence that something might be true or untrue—not to prove it unequivocally. The following questions should be addressed in your “discussion” section:

• Is your hypothesis supported? If you didn’t have a specific hypothesis, then were the results consistent with what previous studies have suggested? A good example: “Consistent with caffeine’s observed effects on heart rate, students’ tendency to react strongly to the popping of a balloon strongly suggests that caffeine’s ability to heighten alertness may also increase nervousness.”
• Was there any data that surprised you? Outliers are seldom significant, and mentioning them is largely useless. However, if you see another cluster of points on a graph that establish their own trend, this is worth mentioning.
• Are the results useful? If you have no significant findings, then just say that. Don’t try to make wild claims about the meanings of your work if there is no statistical/observational basis for these claims—doing so is dishonest and unhelpful to other scientists reading your work. Similarly, try to avoid using the word “proof” or “proves.” Your work is merely suggesting evidence for new ideas. Just because things worked out one way in your trials, that doesn’t mean these results will always be repeatable or true.
• What are the implications of your work? Here are some examples of the types of questions that can begin to show how your study can be significant outside of this one particular experiment: Why should anyone care about what you’re saying? How might these findings affect coffee drinkers? Do your findings suggest that drinking coffee is more harmful than previously thought? Less harmful? How might these findings affect other fields of science? What about the effects of caffeine on people with emotional disorders? Do your findings suggest that they should or should not drink coffee?
• Any shortcomings of your work? Were there any flaws in your experimental design? How should future studies in this field accommodate for these complications. Does your research raise any new questions? What other areas of science should be explored as a result of your work?

Resources: Hogg, Alan. "Tutoring Scientific Writing." Sweetland Center for Writing. University of Michigan, Ann Arbor. 3/15/2011. Lecture. Swan, Judith A, and George D. Gopen. "The Science of Scientific Writing." American Scientist . 78. (1990): 550-558. Print. "Scientific Reports." The Writing Center . University of North Carolina, n.d. Web. 5 May 2011. http://www.unc.edu/depts/wcweb/handouts/lab_report_complete.html

• Information For
• Prospective Students
• Current Students
• Faculty and Staff
• Alumni and Friends
• More about LSA
• How Do I Apply?
• LSA Magazine
• Student Resources
• Academic Advising
• Global Studies
• LSA Opportunity Hub
• Social Media
• Update Contact Info
• Privacy Statement
• Report Feedback

• Scientific Lab Reports
• Understanding the Assignment
• Need a Topic?
• Evaluating Sources
• Brainstorming Strategies
• Drafting Strategies
• Thesis Formulation
• Introductions
• Conclusions
• Show Don't Tell
• Expand Your Draft
• Flow & Lexical Coherence
• Revision Checklist
• Introduction to Style and Grammar
• Apostrophes
• Article Usage for ESL Learners
• Capitalization
• Clarity: Get Rid of Nominalizations
• Cohesion: Does my Paragraph Flow?
• Commas and Colons
• Conciseness
• Confusing Words
• Parallel Structure
• Passive Voice
• Quotation Marks
• Run-on Sentences
• Subject-Verb Agreement
• Writing Mechanics
• Other Styles
• Art History This link opens in a new window
• Programming Lab Reports

Writing a Lab Report

Link to other resources.

• Screenwriting
• Publication Opportunities
• Meet with a Tutor This link opens in a new window

Academic Resource Center Hours :

Monday-Thursday: 8:00 AM-6:00 PM

Friday: 8:00 AM-4:00 PM

Phone Number : 310-338-2847

Email :  [email protected]

www.lmu.edu/arc

We are located in Daum Hall on the 2nd floor!

Writing a scientific lab report is significantly different from writing for other classes like philosophy, English, and history. The most prominent form of writing in biology, chemistry, and environmental science is the lab report, which is a formally written description of results and discoveries found in an experiment. College lab reports should emulate and follow the same formats as reports found in scholarly journals, such as Nature , Cell , and The American Journal of Biochemistry .

Report Format

Title: The title says what you did. It should be brief (aim for ten words or less) and describe the main point of the experiment or investigation.

• Example:  Caffeine Increases Amylase Activity in the Mealworm ( Tenebrio molitar).
• If you can, begin your title using a keyword rather than an article like “The” or “A.”

Abstract: An abstract is a very concise summary of the purpose of the report, data presented, and major conclusions in about 100 - 200 words.  Abstracts are also commonly required for conference/presentation submissions because they summarize all of the essential materials necessary to understand the purpose of the experiment. They should consist of a background sentence , an introduction sentence , your hypothesis/purpose of the experiment, and a sentence about the results and what this means.

Introduction: The introduction of a lab report defines the subject of the report, provides background information and relevant studies, and outlines scientific purpose(s) and/or objective(s).

• The introduction is a place to provide the reader with necessary research on the topic and properly cite sources used.
• Summarizes the current literature on the topic including primary and secondary sources.
• Introduces the paper’s aims and scope.
• States the purpose of the experiment and the hypothesis.

Materials and Methods: The materials and methods section is a vital component of any formal lab report. This section of the report gives a detailed account of the procedure that was followed in completing the experiment as well as all important materials used. (This includes bacterial strains and species names in tests using living subjects.)

• Discusses the procedure of the experiment in as much detail as possible.
• Provides information about participants, apparatus, tools, substances, location of experiment, etc.
• For field studies, be sure to clearly explain where and when the work was done.
• It must be written so that anyone can use the methods section as instructions for exact replications.
• Don’t hesitate to use subheadings to organize these categories.
• Practice proper scientific writing forms. Be sure to use the proper abbreviations for units. Example: The 50mL sample was placed in a 5ºC room for 48hrs.

Results: The results section focuses on the findings, or data, in the experiment, as well as any statistical tests used to determine their significance.

• Concentrate on general trends and differences and not on trivial details.
• Summarize the data from the experiments without discussing their implications (This is where all the statistical analyses goes.)
• Organize data into tables, figures, graphs, photographs, etc.  Data in a table should not be duplicated in a graph or figure. Be sure to refer to tables and graphs in the written portion, for example, “Figure 1 shows that the activity....”
• Number and title all figures and tables separately, for example, Figure 1 and Table 1 and include a legend explaining symbols and abbreviations. Figures and graphs are labeled below the image while tables are labeled above.

  Discussion: The discussion section interprets the results, tying them back to background information and experiments performed by others in the past.This is also the area where further research opportunities shold be explored.

• Interpret the data; do not restate the results.
• Observations should also be noted in this section, especially anything unusual which may affect your results.

For example, if your bacteria was incubated at the wrong temperature or a piece of equipment failed mid-experiment, these should be noted in the results section.

• Relate results to existing theories and knowledge.This can tie back to your introduction section because of the background you provided.
• Explain the logic that allows you to accept or reject your original hypotheses.
• Include suggestions for improving your techniques or design, or clarify areas of doubt for further research.

Acknowledgements and References: A references list should be compiled at the end of the report citing any works that were used to support the paper. Additionally, an acknowledgements section should be included to acknowledge research advisors/ partners, any group or person providing funding for the research and anyone outside the authors who contributed to the paper or research.

General Tips

• In scientific papers, passive voice is perfectly acceptable. On the other hand, using “I” or “we” is not.

          Incorrect: We found that caffeine increased amylase levels in Tenebrio molitar.  Correct: It was discovered that caffeine increased amylase levels in Tenebrio molitar.   

• It is expected that you use as much formal (bland) language and scientific terminology as you can. There should be no emphasis placed on “expressing yourself” or “keeping it interesting”; a lab report is not a narrative.
• In a lab report, it is important to get to the point. Be descriptive enough that your audience can understand the experiment, but strive to be concise.
• << Previous: Programming Lab Reports
• Next: Screenwriting >>
• Last Updated: Mar 14, 2024 12:00 PM
• URL: https://libguides.lmu.edu/writing

• Science & Math
• Sociology & Philosophy
• Law & Politics

How to Write Hypothesis for Lab Report

• How to Write Hypothesis for…

What Is a Real Hypothesis?

A hypothesis is a tentative statement that proposes a possible explanation for some phenomenon or event. A useful hypothesis is a testable statement that may include a prediction.

When Are Hypotheses Used?

The keyword is testable. That is, you will perform a test of how two variables might be related. This is when you are doing a real experiment. You are testing variables. Usually, a hypothesis is based on some previous observations such as noticing that in November many trees undergo color changes in their leaves and the average daily temperatures are dropping. Are these two events connected? How?

Any laboratory procedure you follow without a hypothesis is really not an experiment. It is just an exercise or demonstration of what is already known.

How Are Hypotheses Written?

• Chocolate may cause pimples.
• Salt in soil may affect plant growth.
• Plant growth may be affected by the color of the light.
• Bacterial growth may be affected by temperature.
• Ultraviolet light may cause skin cancer.
• The temperature may cause leaves to change color.

All of these are examples of hypotheses because they use the tentative word “may.”. However, their form is not particularly useful. Using the word may do not suggest how you would go about proving it. If these statements had not been written carefully, they may not have even been hypotheses at all. For example, if we say “Trees will change color when it gets cold.” we are making a prediction. Or if we write, “Ultraviolet light causes skin cancer.” could be a conclusion. One way to prevent making such easy mistakes is to formalize the form of the hypothesis.

Formalized Hypotheses example: If the incidence of skin cancer is related to exposure levels of ultraviolet light , then people with a high exposure to uv light will have a higher frequency of skin cancer.

If leaf color change is related to temperature , then exposing plants to low temperatures will result in changes in leaf color .

Notice that these statements contain the words, if and then. They are necessary for a formalized hypothesis. But not all if-then statements are hypotheses. For example, “If I play the lottery, then I will get rich.” This is a simple prediction. In a formalized hypothesis, a tentative relationship is stated. For example, if the frequency of winning is related to the frequency of buying lottery tickets . “Then” is followed by a prediction of what will happen if you increase or decrease the frequency of buying lottery tickets. If you always ask yourself that if one thing is related to another, then you should be able to test it.

Formalized hypotheses contain two variables. One is “independent” and the other is “dependent.” The independent variable is the one you, the “scientist” control, and the dependent variable is the one that you observe and/or measure the results. In the statements above the dependent variable is underlined and the independent variable is underlined and italicized .

The ultimate value of a formalized hypothesis is it forces us to think about what results we should look for in an experiment.

For the “ If, Then, Because ” hypothesis…you would use: “ IF pigs and humans share the same nutritional behaviors, THEN their internal organs should look relatively the same BECAUSE of similar function and composure.” That is an example. For the “If, Then, Because” you should follow this guideline:

IF X and Y both do or share this, THEN this should be found/confirmed, BECAUSE of this fact or logical assumption.

Example Question : How does the type of liquid (water, milk, or orange juice) given to a plant affect how tall the plant will grow? Hypothesis : If the plant is given water then the plant will grow the tallest because water helps the plant absorb the nutrients that the plant needs to survive.

Related Posts

• Energy Content of Food Lab Report Answers
• Phet Projectile Motion Lab: Lab Answers
• Magnesium Oxide: Percent Yield Lab Report
• How to Write a Formal Laboratory Report
• Physics: Lab Report Style

Author:  William Anderson (Schoolworkhelper Editorial Team)

Tutor and Freelance Writer. Science Teacher and Lover of Essays. Article last reviewed: 2022 | St. Rosemary Institution © 2010-2024 | Creative Commons 4.0

16 Comments

How would I write a hypothesis about a flying pig lab?

your lab hypothesis should have been written before the experiment. The purpose of the hypothesis was to create a testable statement in which your experimental data would either support or reject. Having a hypothesis based on a logical assumption (regardless of whether your data supports it) is still correct. If there is a disagreement between your hypothesis and experimental data it should be addressed in the discussion.

So you can go ahead an choose a hypothesis for either increase or decrease of adipogenesis after the inducement of insulin and not be wrong….as long as it is correctly formatted (see examples above).

Hey, I am having trouble writing my hypothesis.. I am supposed to write a hypothesis about how much adipogenesis was produced after the inducement of insulin. However, after proceeding with the experiments the results were On/Off .. meaning it will increase, decrease, increase, etc.. so it wasnt a constant result. It was supposed to be increasing.

please help!!!

this is very helpful but i don’t know how i would structure my hypothesis. i’m supposed to come up with a hypothesis related to the topic ‘how does mass effect the stopping distance of a cart?’. Could you help?

Thank you so much, it really help alot.:)

This is a rather difficult usage of this construct. It would most likely follow

“If the empirical formula of (enter compound’s name) is (enter compound’s formula) then it would be expected that combustion of _________ would yield _________, because (enter your rationale)

Need more background info.

For the “If, then, because” hypothesis I am doing an experiment to determine the empirical formula by using combustion but I am unsure on how to formulate the hypothesis using this structure.

For the “If, Then, Because” hypothesis…you would use: “IF pigs and humans share the same nutritional behaviors, THEN their internal organs should look relatively the same BECAUSE of similar function and composure.” That is an example. For the “If, Then, Because” you should follow this guideline:

Thanks, really helpful. Just one question, what about the ‘because’ part? right after the ‘if’ and ‘then’ parts?

I really need help for onion skin lab hypothesis for class

@Lauren An if/and statement is not usually apart of the convention. What exactly do you need help with?

Is there such thing as a if/and statement? I am in 8th grade science an I need to know for my lab report due tomorrow.HELP!!!!

Would have been better if more examples were given

If the purpose of your lab is “To obtain dissecting skills in an observational lab,” you can’t really formulate a testable hypothesis for that. I’ll assume you are doing some kind of pig or frog dissection. Often teachers give general outlines of skills that students are meant to ascertain from an experiment which aren’t necessarily what the actual experiment is directly testing. Obviously to do the dissection lab you need to obtain dissection skills but testing that would be rather subjective unless the teacher provided you with standards or operationally defined “dissecting skills”. If I were you, I would obviously mention it in the introduction of your lab but I am not sure if your teacher wants you to actually format it as a hypothesis; you can ask your teacher for clarification. If making a hypothesis from each purpose was some arbitrary exercise assigned to you then, it could look like this:

“If a student has successful acquired dissection skills, then they will be able to complete this observational lab with satisfactory competence because they utilized these newly acquired skills.”

For the “If, Then, Because” hypothesis…you pretty much have it. You would modify what you posted: “IF pigs and humans share the same nutritional behaviors, THEN their internal organs should look relatively the same BECAUSE of similar function and composure.” That is an example. For the “If, Then, Because” you should follow this guideline:

Thanks for this, it proved to be helpful. However, I do have a few questions. Obviously different teachers or instructors have their own requirements for their classes. How would you write an appropriate Question to follow each purpose in your lab report? For example: If the purpose was, “To obtain dissecting skills in an observational lab,” what question could you formulate with the purpose? (which is answered in the hypothesis)

And if a teacher requires the hypothesis to be in the format “If, Then, Because” how should this be written? I can actively complete the if and then, but I’m unsure how to incorporate the “because’ statement. For example, “If pigs and humans share the same nutritional behaviors, then their internal organs should function comparably and look relatively the same.” (how do i incorporate because?)

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Save my name, email, and website in this browser for the next time I comment.

Post comment

• Customer Reviews
• Extended Essays
• IB Internal Assessment
• Theory of Knowledge
• Literature Review
• Dissertations
• Essay Writing
• Research Writing
• Assignment Help
• Capstone Projects
• College Application
• Online Class

How to Write an Introduction for a Lab Report: A Guide for Students

by  Antony W

September 5, 2021

Take it from us when we say that writing an introduction for a lab report can be just as hard as writing the report itself.

While it boils down to establishing the learning context and the primary goal of the lab, and at the same time giving a hypothesis for the experimental procedures, this section can be a lot harder to put together than any other part of the report.

Here's perhaps the most challenging part about introducing a lab report:

It's a one-paragraph piece of test, which has to cover so many elements of the report, with the most important information appearing at the very top.

Don't worry if you’re currently struggling to write the introduction for your lab report – or if you don't know how to do it. That's because in this guide, you'll learn how to write the best introduction for your lab report.

Why is an Introduction Important in a Lab Report?

The introduction of a lab report offers readers a preview of the most important details that you’ll address in the other sections of the paper. It provides a background to the work in the report and unveils the objectives of the proposed work to bring out the context of the real life application of the study outside the experiment.

Unlike in essay writing, where the introduction is as short as one paragraph, the introduction for a lab report tends to be longer. The length can be anything between four paragraphs and a few pages long depending on factors such as the complexity of the topic, the brief provided by your instructor, and the depth of the topic in question.

It’s important to mind your audience when writing an introduction for a lab report. Many of your readers may not be familiar with the discipline under study. In that case, it may be necessary to explain technical terms for clarity. You should do that in the introduction.

What Should I Include in the Introduction of a Lab Report?

The introduction of your lab report should show three key pieces of information to meet the standards of your professor. These are:

• The purpose of the study
• Comprehensive and concise information about the topic under investigation
• A literature review about the topic

Don’t include specific details about the methodology of the study in this section of the assignment; this will go into the method section. Furthermore, the introduction should NOT feature the conclusions that you have made based on the studies that you’ve conducted; leave this for the results section of the report.

A Guide to Writing a Good Introduction for a Laboratory Report

To write a good introduction for a lab report:

Start with a Broad Introduction

The first step to writing an introduction for your lab report is to look at the topic from a broad spectrum. This gives you a perfect idea on how to approach the assignment.

Let’s say your instructor wants you to conduct an experiment and write a lab report about the effects of temperature on catalase enzyme.

For the introduction, a reasonable approach would be to talk about enzymes in general. You can describe what they’re, how to make them, and how they work.

Further, the introduction should clearly describe the background of the science, give the reason for the study, and explain whom the experiment will benefit

Narrow Down the Introduction

The next step is to narrow down your introduction to a specific top. In the case of our example above, you’ll need to focus more on why the catalase enzyme is important, how it works, and where it comes from. By narrowing down the topic, it becomes easy for you to study exactly how temperature affects the catalase enzyme.

Work on the Literature Review

The introduction for your lab report must include a literature review, where you discuss what people already know about the subject under investigation.

It’s important to cite all the sources you used in your research. Also, make sure you summarize the research that you have done on the topic to make your description clear.

Don’t worry if you’ve never written a literature review before. You can check our guide to writing a literature review to learn more.

Describe the Goal of the Study

Conclude the introduction for the lab report by giving a clear description of the study. As a reader goes through your writing, they should be able to tell what hypothesis you tested during the study and know the questions you were trying to answer.

The Elements of a Strong Introduction for a Lab Report

A strong introduction for a lab report is the one that:

• Easily established the primary context of the lab by clearly stating what it’s about and giving the necessary background to the lab by providing relevant information about the context of the study
• Clearly describes the primary goal of the lab experiment by highlighting the objectives of the experiment. This is where you tell the reader whether the study was to determine, test, or measure something.
• Offers hypothesis for the experiment if there’s any by stating the hypothesis and examining the reasoning behind that hypothesis.

Tips to Write a Good Introduction for a Laboratory Report

Below are some tips you can sue to write a comprehensive introduction for a lab report:

• Use the lab notes to understand the topic under investigation, but don’t copy content from it. Instead, write the introduction in your own words.
• Brief lab reports may not require introductions. If this is the case, you should go straight to the aim or statement of the study.
• Don’t hesitate to introduce relevant laws, theorem, or equations in the introduction if any
• If there are relevant theories that harmoniously link to the study, explain them in details
• Don’t shy away from consulting your instructor if you’re not sure about some part of the introduction to lab report

Now that you know how to write a good introduction for your report, it shouldn’t be hard for you to handle this part of the assignment. Still, feel free to contact us here   if you need more help.

About the author 

Antony W is a professional writer and coach at Help for Assessment. He spends countless hours every day researching and writing great content filled with expert advice on how to write engaging essays, research papers, and assignments.

• PRO Courses Guides New Tech Help Pro Expert Videos About wikiHow Pro Upgrade Sign In
• EDIT Edit this Article
• EXPLORE Tech Help Pro About Us Random Article Quizzes Request a New Article Community Dashboard This Or That Game Popular Categories Arts and Entertainment Artwork Books Movies Computers and Electronics Computers Phone Skills Technology Hacks Health Men's Health Mental Health Women's Health Relationships Dating Love Relationship Issues Hobbies and Crafts Crafts Drawing Games Education & Communication Communication Skills Personal Development Studying Personal Care and Style Fashion Hair Care Personal Hygiene Youth Personal Care School Stuff Dating All Categories Arts and Entertainment Finance and Business Home and Garden Relationship Quizzes Cars & Other Vehicles Food and Entertaining Personal Care and Style Sports and Fitness Computers and Electronics Health Pets and Animals Travel Education & Communication Hobbies and Crafts Philosophy and Religion Work World Family Life Holidays and Traditions Relationships Youth
• Browse Articles
• Learn Something New
• Quizzes Hot
• This Or That Game New
• Train Your Brain
• Explore More
• Support wikiHow
• About wikiHow
• Log in / Sign up
• Education and Communications
• Science Writing

How to Write a Scientific Lab Report: Basic Format & Key Parts

Last Updated: March 12, 2024 Fact Checked

This article was co-authored by Bess Ruff, MA . Bess Ruff is a Geography PhD student at Florida State University. She received her MA in Environmental Science and Management from the University of California, Santa Barbara in 2016. She has conducted survey work for marine spatial planning projects in the Caribbean and provided research support as a graduate fellow for the Sustainable Fisheries Group. This article has been fact-checked, ensuring the accuracy of any cited facts and confirming the authority of its sources. This article has been viewed 153,326 times.

If you've just finished an experiment in your physics class, you might have to write a report about it. This may sound intimidating, but it's actually a simple process that helps you explain your experiment and your results to your teacher and anyone else who is interested in learning about it. Once you know what sections to include in your report and what writing techniques to use, you'll be able to write a great physics lab report in no time.

Including the Proper Sections

• Your name and the name of your partner(s)
• The title of your experiment
• The date you conducted the experiment
• Your teacher's name
• Information that identifies which class you are in

• Keep your abstract brief and note the purpose of the experiment, the hypothesis, and any major findings.

• If a diagram will help your audience understand your procedure, include it in this section.
• You may be tempted to write this as a list, but it's best to stick to paragraph form.
• Some teachers may require a separate section on the materials and apparatuses that were used to conduct the experiment.
• If you are following instructions from a lab book, do not just copy the steps from the book. Explain the procedure in your own words to demonstrate that you understand how and why you are collecting each piece of data.

• You may include graphs or charts that highlight the most important pieces of data here as well, but do not begin to analyze the data quite yet.
• Explain any reasonable uncertainties that may appear in your data. No experiment is completely free of uncertainties, so ask your teacher if you're not sure what to include.
• Always include uncertainty bars in your graphs if the uncertainties of the data are known.
• Also discuss any potential sources of error and how those errors may have affected your experiment.

• Some teachers may allow you to include your calculations in the data section of our report.

• Include information about how your results compare to your expectations or hypothesis, what implications these results have for the world of physics, and what further experiments could be conducted to learn more about your results.
• You can also include your own ideas for improving upon the experiment.
• Be sure to include any graphs that would be appropriate to illustrate your analysis of the data and help your readers better understand it. [8] X Research source
• Some teachers may request that you create two separate analysis and conclusion sections.

Using the Correct Writing Techniques

• Bullet pointed lists are not appropriate for most sections of your report. You may be able to use them for short sections like your materials and apparatuses list.
• Keep in mind that one of the main objectives of your lab report is to guide others in recreating your experiment. If you can't clearly explain what you did and how you did it, no one will ever be able to reproduce your results.

• Active sentences are usually easier to understand than passive sentences, so try to minimize your use of the passive voice whenever possible. For example, if you wrote, "These results are easily reproducible by anyone who has the correct equipment," try changing it to "Anyone who has the correct equipment should be able to reproduce these results." The passive voice is not always wrong, so don't be afraid to leave a sentence in the passive voice if you think it makes more sense that way.

• Don't jump ahead and discuss the results of the experiment before you get to that section. Just because you understand everything that happened with your experiment, does not mean your readers will. You need to walk them through it step by step.
• Cut out any sentences that don't add anything of substance to your report. Your readers will only get frustrated if they have to read through a bunch of fluff in order to find your main point.

• For example, instead of writing, "I noticed that the data we gathered was not consistent with our previous results," write, "The data is not consistent with the previous results."
• It may be tricky to maintain active voice when writing in third person, so it’s okay to use passive voice if it makes more sense to do so.

• The past tense is appropriate for discussing your procedure and the results of past experiments.

Community Q&A

• Try not to make your sentences too long or difficult. Even complex information can be written out in a way that is easy to understand. Thanks Helpful 8 Not Helpful 0
• Your teacher may have a slightly different way of breaking up the sections, so it's always a good idea to ask. Be sure to include any additional sections that your teacher specifically requests. Thanks Helpful 5 Not Helpful 0
• If there were multiple parts to your experiment, you might want to consider doing a mini report for each section so your readers can easily follow along with your data and results for each part before moving on to the next one. Thanks Helpful 1 Not Helpful 0

You Might Also Like

• ↑ https://www.baylor.edu/content/services/document.php/110769.pdf
• ↑ https://centers.njit.edu/introphysics/physics-lab-report-guidelines/
• ↑ https://physics.unc.edu/undergraduate/courses-credits-placement/sample-report/
• ↑ https://ruby.fgcu.edu/courses/mfauerba/Physics_Procedure_for_Writing_a_Physics_Lab_Report.htm
• ↑ https://guides.lib.purdue.edu/c.php?g=352816&p=2377936
• ↑ https://academicguides.waldenu.edu/writingcenter/writingprocess/proofreading

About This Article

To write a physics lab report, start by putting together a cover sheet with your name, and the title and date of the experiment. Then, include an abstract, or summary of your report, followed by your objective, procedures, and methods. After you’ve talked about how the experiment was conducted, present your raw data, and provide any important calculations used with the data. Next, write an analysis of your data, and a conclusion to explain what you've learned. Finally, complete the report by writing up your references. For tips from our Science reviewer on how to make your report sound as professional as possible, read on! Did this summary help you? Yes No

• Send fan mail to authors

Reader Success Stories

Aisha Awwal

Jan 8, 2022

Did this article help you?

Mandila Noah

Sep 27, 2017

Apr 25, 2017

Kia Sparkle

Sep 20, 2017

Emmanuel Sirmah

Nov 1, 2017

Featured Articles

Trending Articles

Watch Articles

• Terms of Use
• Privacy Policy
• Do Not Sell or Share My Info
• Not Selling Info

Don’t miss out! Sign up for

wikiHow’s newsletter

The not-so-silent type Vulnerabilities across keyboard apps reveal keystrokes to network eavesdroppers

阅读本报告的简体中文版摘要 | 閱讀本報告的繁體中文版摘要 | Read the Report on Github

Key findings

• We analyzed the security of cloud-based pinyin keyboard apps from nine vendors — Baidu, Honor, Huawei, iFlytek, OPPO, Samsung, Tencent, Vivo, and Xiaomi — and examined their transmission of users’ keystrokes for vulnerabilities.
• Our analysis revealed critical vulnerabilities in keyboard apps from eight out of the nine vendors in which we could exploit that vulnerability to completely reveal the contents of users’ keystrokes in transit. Most of the vulnerable apps can be exploited by an entirely passive network eavesdropper.
• Combining the vulnerabilities discovered in this and our previous report analyzing Sogou’s keyboard apps, we estimate that up to one billion users are affected by these vulnerabilities. Given the scope of these vulnerabilities, the sensitivity of what users type on their devices, the ease with which these vulnerabilities may have been discovered, and that the Five Eyes have previously exploited similar vulnerabilities in Chinese apps for surveillance, it is possible that such users’ keystrokes may have also been under mass surveillance.
• We reported these vulnerabilities to all nine vendors. Most vendors responded, took the issue seriously, and fixed the reported vulnerabilities, although some keyboard apps remain vulnerable.
• We conclude our report by summarizing our recommendations to various stakeholders to attempt to reduce future harm from apps which might feature similar vulnerabilities.

Introduction

Typing logographic languages such as Chinese is more difficult than typing alphabetic languages, where each letter can be represented by one key. There is no way to fit the tens of thousands of Chinese characters that exist onto a single keyboard. Despite this obvious challenge, technologies have developed which make typing in Chinese possible. To enable the input of Chinese characters, a writer will generally use a keyboard app with an “Input Method Editor” (IME). IMEs offer a variety of approaches to inputting Chinese characters, including via handwriting, voice, and optical character recognition (OCR). One popular phonetic input method is Zhuyin , and shape or stroke -based input methods such as Cangjie or Wubi are commonly used as well. However, used by nearly 76% of mainland Chinese keyboard users, the most popular way of typing in Chinese is the pinyin method , which is based on the pinyin romanization of Chinese characters.

All of the keyboard apps we analyze in this report fall into the category of input method editors (IMEs) that offer pinyin input. These keyboard apps are particularly interesting because they have grown to accommodate the challenge of allowing users to type Chinese characters quickly and easily. While many keyboard apps operate locally, solely within a user’s device, IME-based keyboard apps often have cloud features which enhance their functionality. Because of the complexities of predicting which characters a user may want to type next, especially in logographic languages like Chinese, IMEs often offer “cloud-based” prediction services which reach out over the network. Enabling “cloud-based” features in these apps means that longer strings of syllables that users type will be transmitted to servers elsewhere. As many have previously pointed out , “cloud-based” keyboards and input methods can function as vectors for surveillance and essentially behave as keyloggers. While the content of what users type is traveling from their device to the cloud, it is additionally vulnerable to network attackers if not properly secured. This report is not about how operators of cloud-based IMEs read users’ keystrokes, which is a phenomenon that has already been extensively studied and documented. This report is primarily concerned with the issue of protecting this sensitive data from network eavesdroppers.

In this report, we analyze the security of cloud-based pinyin keyboard apps from nine vendors: Baidu, Honor, Huawei, iFlytek, OPPO, Samsung, Tencent, Vivo, and Xiaomi. We examined these apps’ transmission of users’ keystrokes for vulnerabilities. Our analysis revealed critical vulnerabilities in keyboard apps from eight out of the nine vendors — all but Huawei — in which we could exploit that vulnerability to completely reveal the contents of users’ keystrokes in transit.

Between this report and our Sogou report , we estimate that close to one billion users are affected by this class of vulnerabilities. Sogou, Baidu, and iFlytek IMEs alone comprise over 95% of the market share for third-party IMEs in China, which are used by around a billion people . In addition to the users of third party keyboard apps, we found that the default keyboards on devices from three manufacturers (Honor, OPPO, and Xiaomi) were also vulnerable to our attacks. Devices from Samsung and Vivo also bundled a vulnerable keyboard, but it was not used by default. In 2023, Honor, OPPO, and Xiaomi alone comprised nearly 50% of the smartphone market in China.

Having the capability to read what users type on their devices is of interest to a number of actors — including government intelligence agencies that operate globally — because it may encompass exceptionally sensitive information about users and their contacts including financial information, login credentials such as usernames or passwords, and messages that are otherwise end-to-end encrypted. Given the known capabilities of state actors, and that Five Eyes agencies have previously exploited similar vulnerabilities in Chinese apps for the express purpose of mass surveillance, it is possible that we were not the first to discover these vulnerabilities and that they have previously been exploited on a mass scale for surveillance purposes.

We reported these issues to all eight of the vendors in whose keyboards we found vulnerabilities. Most vendors responded, took the issue seriously, and fixed the reported vulnerabilities, although some keyboard apps remain vulnerable. Users should keep their apps and operating systems up to date. We recommend that they consider switching from a cloud-based keyboard app to one that operates entirely on-device if they are concerned about these privacy issues.

The remainder of this report is structured as follows. In the “ Related work ” section, we outline previous security and privacy research that has been conducted on IME apps and past research which relates to issues of encryption in the Chinese app ecosystem. In “ Methodology ”, we describe the reverse engineering tools and techniques we used to analyze the above apps. In the “ Findings ” section, we explain the vulnerabilities we discovered in each app and (where applicable) how we exploited these vulnerabilities. In “ Coordinated disclosure ”, we discuss how we reported the vulnerabilities we found to the companies and their responses to our outreach. Finally, in “ Discussion ”, we reflect on the impact of the vulnerabilities we discovered, how they came to be, and ways that we can avoid similar problems in the future. We provide recommendations to all stakeholders in this systemic privacy and security failure, including users, IME and keyboard developers, operating systems, mobile device manufacturers, app store operators, International standards bodies, and security researchers.

Related work

There has been much work analyzing East Asian apps for their security and privacy properties. As examples from outside of China, researchers studied LINE , a Japanese-developed app, and KakaoTalk , a South Korean-developed app, finding that they have faults in their end-to-end encryption implementations. When it comes to Chinese software, the Citizen Lab has previously revealed privacy and security issues in several Chinese web browsers , and identified vulnerabilities in the Zoom video conferencing platform and the MY2022 Olympics app . Unfortunately, even developers of extremely popular apps often overlook implementing proper security measures and protecting user privacy.

Some work has been concerned specifically with the privacy issues with cloud-based keyboard apps. As the technology powering keyboard apps became more popular and sophisticated, awareness of the potential security risks associated with these apps grew. Two main areas of concern have received the most attention from security researchers when it comes to cloud-based keyboard apps: whether user data is secure in the cloud servers and whether it is secure in transit as it moves from the user’s device to a cloud server.

Some researchers have expressed concern over companies handling sensitive keystroke data and have made attempts to ameliorate the risk of the cloud server being able to record what you typed. In 2013, the Japanese government published concerns it had with privacy regarding the Baidu IME, particularly the cloud input function. Researchers have also been concerned with surveillance via other “cloud-based” IMEs , like iFlytek’s voice input. While there has been a push to develop privacy-aware cloud-based IMEs that would keep user data secret, they are not widely used. While it is concerning what companies might do with user keystroke data, our research pertains to the security of user keystroke data before it even reaches cloud servers and who else other than the cloud operator may be able to read it.

Other research has studied the leakage of sensitive information when user keystroke data is in transit between a user’s device to a remote cloud server. If not properly encrypted, data can be intercepted and collected by network eavesdroppers. In 2015 security researchers proposed and evaluated a system to identify keystroke leakages in IME traffic, revealing that at least one IME was transmitting sensitive data without encrypting it at all. Another investigation in the same year showed that the most popular IME, Sogou, was sending users’ device identifiers in the clear. In our 2023 report we exposed Sogou falling short once more, finding that Sogou allowed network eavesdroppers to read what users were typing—as they typed—in any application. All of these discoveries point to developers of these applications overlooking the importance of transport security to protect user data from network attackers.

While previous work studying the security of keystroke network data in transit investigates single keyboard apps at a time, our report is the first to holistically evaluate the network security of the cloud-based keyboard app landscape in China.

Methodology

We analyzed the Android and, if present, the iOS and Windows versions of keyboard apps from the following keyboard app vendors: Tencent, Baidu, iFlytek, Samsung, Huawei, Xiaomi, OPPO, Vivo, and Honor. The first three — Tencent, Baidu, and iFlytek — are software developers of keyboard apps whereas the remaining six — Samsung, Huawei, Xiaomi, OPPO, Vivo, and Honor — are mobile device manufacturers who either developed their own keyboard apps or include one or more of the other three developers’ keyboard apps preinstalled on their devices. We selected these nine vendors because we identified them as having integrated cloud recommendation functionality into their products and because they are popularly used. To procure the versions we analyzed, between August and November, 2023, we downloaded the latest versions of them from their product websites, the Apple App Store, or, in the case of the apps developed or bundled by mobile device manufacturers, by procuring a mobile device that has the app preinstalled on the ROM . In the case that we obtained the app as pre-installed on a mobile device, we ensured that the device’s apps and operating system were fully updated before beginning analysis of its apps. The devices we obtained were intended for the mainland Chinese market, and, when device manufacturers had two editions of their device, a Chinese edition and a global edition, we analyzed the Chinese edition.

To better understand whether these vendors’ keyboard apps securely implemented their cloud recommendation functionality, we analyzed them to determine whether they sufficiently encrypted users’ typed keystrokes. To do so, we used both static and dynamic analysis methods. We used jadx to decompile and statically analyze Dalvik bytecode and IDA Pro to decompile and statically analyze native machine code. We used frida to dynamically analyze the Android and iOS versions and IDA Pro to dynamically analyze the Windows version. Finally, we used Wireshark and mitmproxy to perform network traffic capture and analysis.

To prepare for our dynamic analysis of each keyboard app, after installing it, we enabled the pinyin input if it was not already enabled. The keyboards we analyzed generally prompted users to enable cloud functionality after installation or on first use. In such cases, we answered such prompts in the affirmative or otherwise enabled cloud functionality through the mobile device’s or app’s settings.

In our analysis, we assume a fairly conservative threat model. For most of our attacks, we assume a passive network eavesdropper that monitors network packets that are sent from a user’s keyboard app to a keyboard app’s cloud server. In one of our attacks, specifically against apps using Tencent’s Sogou API , we allow the adversary to be active in a limited way in that the adversary may additionally transmit network traffic to the cloud server but does not necessarily have to be a machine-in-the-middle ( MITM ) or spoof messages from the user in a layer 3 sense. In all of our attacks, the adversary also has access to a copy of the client software, but the server is a black box.

We note that, as neither Apple’s nor Google’s keyboard apps have a feature to transmit keystrokes to cloud servers for cloud-based recommendations, we did (and could) not analyze these keyboards for the security of this feature. However, we observed that none of the mobile devices that we analyzed included Google’s keyboard, Gboard, preinstalled, either. This finding likely results from Google’s exit from China reportedly due to the company’s failure to comply with China’s pervasive censorship requirements.

Among the nine vendors whose apps we analyzed, we found that there was only one vendor, Huawei, in whose apps we could not find any security issues regarding the transmission of users’ keystrokes. For each of the remaining eight vendors, in at least one of their apps, we discovered a vulnerability in which keystrokes could be completely revealed by a passive network eavesdropper (see Table 1 for details).

Pre-installed keyboard developer

Table 1: Summary of vulnerabilities discovered in popular keyboards and in keyboards pre-installed on popular phones. * Default keyboard app on our test device. † Both QQ Pinyin and Sogou IME are developed by Tencent; in this report we analyzed QQ Pinyin and found the same issues as we had in Sogou IME .

The ease with which the keystrokes in these apps could be revealed varied. In one app, Samsung Keyboard, we found that the app performed no encryption whatsoever. Some apps appeared to internally use Sogou’s cloud functionality and were vulnerable to an attack which we previously published . Most vulnerable apps failed to use asymmetric cryptography and mistakenly relied solely on home-rolled symmetric encryption to protect users’ keystrokes.

The remainder of this section details further analysis of the apps we analyzed from each vendor and, when present, their vulnerabilities.

We have previously analyzed one Tencent keyboard app, Sogou, in a previous report . We were motivated by our previous findings analyzing Sogou to analyze another Tencent keyboard app, QQ Pinyin. We analyzed QQ Pinyin on Android and Windows. We found that the Android version (8.6.3) and Windows version (6.6.6304.400) of this software communicated to similar cloud servers as Sogou and contained the same vulnerabilities to those which we previously reported in Sogou IME (see Table 2 for details).

Table 2: The versions of QQ Pinyin that we analyzed.

We analyzed Baidu IME for Windows, Android, and iOS. We found that Baidu IME for Windows includes a vulnerability which allows network eavesdroppers to decrypt network transmissions. This means third parties can obtain sensitive personal information including what users have typed. We also found privacy and security weaknesses in the encryption used by the Android and iOS versions of Baidu IME (see Table 3 for details).

Table 3: The versions of Baidu IME that we analyzed.

The Android version transmitted keystrokes information via UDP packets to udpolimeok.baidu.com and that the Windows and iOS versions transmitted keystrokes to udpolimenew.baidu.com . The two mobile versions that we analyzed, namely the Android and iOS versions, transmitted these keystrokes according to a stronger protocol, whose payload begins with the bytes 0x04 0x00. The Windows version transmitted these keystrokes according to a weaker protocol, whose UDP payload begins with the bytes 0x03 0x01. We henceforth refer to these protocols as the BAIDUv4.0 and BAIDUv3.1 protocols, respectively. In the remainder of this section we detail multiple weaknesses in the BAIDUv4.0 protocol used by the Android and iOS versions and explain how a network eavesdropper can decrypt the contents of keystrokes transmitted by the BAIDUv3.1 protocol.

Weaknesses in BAIDUv4.0 protocol

To encrypt keystroke information, the BAIDUv4.0 protocol uses elliptic-curve Diffie-Hellman and a pinned server public key ( pk s ) to establish a shared secret key for use in a modified version of AES .

Upon opening the keyboard, before the first outgoing BAIDUv4.0 protocol message is sent, the application randomly generates a client Curve25519 public-private key pair, which we will call ( pk c , sk c ). Then, a Diffie-Hellman shared secret k is generated using sk c and a pinned public key pk s . To send a message with plaintext P , the application reuses the first 16 bytes of pk c as the initialization vector (IV) for symmetric encryption, and k is used as the symmetric encryption key. The resulting symmetric encryption of P is then sent along with pk c to the server. The server can then obtain the same Diffie-Hellman shared secret k from pk c and sk s , the private key corresponding to pk s , to decrypt the ciphertext.

The BAIDUv4.0 protocol symmetrically encrypts data using a modified version of AES, which symbols in the code indicate Baidu has called AESv3 . Compared to ordinary AES, AESv3 has a built-in cipher mode and padding. AESv3’s built-in cipher mode mixes bytes differently and uses a modified counter (CTR) mode which we call Baidu CTR (BCTR) mode, illustrated in Figure 1.

Generally speaking, any CTR cipher mode involves combining an initialization vector v with the value i of some counter, whose combination we shall notate as v + i . Most commonly, the counter value used for block i is simply i , i.e., it begins at zero and increments for each subsequent block, and AESv3’s implementation follows this convention. There is no standard way to compute v + i in CTR mode, but the way that BCTR combines v and i is by adding i to the left-most 32-bits of v , interpreting this portion of v and i in little-endian byte order. If the sum overflows, then no carrying is performed on bytes to the right of this 32-bit value. The implementation details we have thus far described do not significantly deviate from a typical CTR implementation. However, where BCTR mode differs from ordinary CTR mode is in how the value v + i is used during encryption. In ordinary CTR mode, to encrypt block i with key k , you would compute

In BCTR mode, to encrypt block i , you compute

As we will see later, this deviation will have implications for the security of the algorithm.

While ordinarily CTR mode does not require the final block length to be a multiple of the cipher’s block size (in the case of AES, 16 bytes), due to Baidu’s modifications, BCTR mode no longer automatically possesses this property but rather achieves it by employing ciphertext stealing . If the final block length n is less than 16, AESv3’s implementation encrypts the final 16 byte block by taking the last (16 – n ) bytes of the penultimate ciphertext block and prepending them to the n bytes of the ultimate plaintext block. The encryption of the resultant block fills the last (16 – n ) bytes of the penultimate ciphertext block and the n bytes of the final ciphertext block. Note, however, that this practice only works when the plaintext consists of at least two blocks. Therefore, if there exists only one plaintext block, then AESv3 right-zero-pads that block to be 16 bytes.

Privacy issues with key and IV re-use

Since the IV and key are both directly derived from the client key pair, the IV and key are reused until the application generates a new key pair. This only happens when the application restarts, such as when the user restarts the mobile device, the user switches to a different keyboard and back, or the keyboard app is evicted from memory. From our testing, we have observed the same key and IV in use for over 24 hours. There are various issues that arise from key and IV reuse.

Re-using the same IV and key means that the same inputs will encrypt to the same encrypted ciphertext. Additionally, due to the way the block cipher is constructed, if blocks in the same positions of the plaintexts are the same, they will encrypt to the same ciphertext blocks. As an example, if the second block of two plaintexts are the same, the second block of the corresponding ciphertexts will be the same.

Weakness in cipher mode

The electronic codebook (ECB) cipher mode is notorious for having the undesirable property that equivalent plaintext blocks encrypt to equivalent ciphertext blocks, allowing patterns in the plaintext to be revealed in the ciphertext (see Figure 2 for an illustration).

While BCTR mode used by Baidu does not as flagrantly reveal patterns to the same extent as ECB mode, there do exist circumstances in which patterns in the plaintext can still be revealed in the ciphertext. Specifically, there exist circumstances in which there exists a counter-like pattern in the plaintext which can be revealed by the ciphertext (see Figure 3 for an example). These circumstances are possible due to the fact that (IV + i ) is XORed with each plaintext block i and then encrypted, unlike ordinary CTR mode which encrypts (IV + i ) and XORs it with the plaintext. Thus, when using BCTR mode, if the plaintext exhibits similar counting patterns as (IV + i ), then for multiple blocks the value ((IV + i ) XOR plaintext block i ) may be equivalent and thus encrypt to an equivalent ciphertext.

Other privacy and security weaknesses

There are other weaknesses in the custom encryption protocol designed by Baidu IME that are not consistent with the expected standards for a modern encryption protocol used by hundreds of millions of devices.

Forward secrecy issues with static Diffie-Hellman

The use of a pinned static server key means that the cipher is not forward secret , a property of other modern network encryption ciphers like TLS. If the server key is ever revealed, any past message where the shared secret was generated with that key can be successfully decrypted.

Lack of message integrity

There are no cryptographically secure message integrity checks, which means that a network attacker may freely modify the ciphertext. There is a CRC32 checksum calculated and included with the plaintext data, but a CRC32 checksum does not provide cryptographic integrity, as it is easy to generate CRC32 checksum collisions. Therefore, modifying the ciphertext may be possible. In combination with the issue concerning key and IV reuse, this protocol may be vulnerable to a swapped block attack.

Vulnerability in BAIDUv3.1 protocol

The BAIDUv3.1 protocol is weaker than the BAIDUv4.0 protocol and contains a critical vulnerability that allows an eavesdropper to decrypt any messages encrypted with it. The protocol in the versions of Baidu’s keyboard apps that we analyzed encrypts keystrokes using a modified version of AES which we call AESv2 , as we believe it to be the predecessor cipher to Baidu’s AESv3. When a keyboard app uses the BAIDUv3.1 protocol with the AESv2 cipher, we say that it uses the BAIDUv3.1+AESv2 scheme. Normally, AES when used with a 128-bit key performs 10 rounds of encryption on each block. However, we found that AESv2 uses only 9 rounds but is otherwise equivalent to AES encryption with a 128-bit key.

The BAIDUv3.1+AESv2 scheme encrypts keystrokes using AESv2 in the following manner. First, a key is derived according to a fixed function (see Figure 4). Note that the function takes no input nor references any external state and thus always generates the same static key k f = “ \xff\x9e\xd5H\x07Z\x10\xe4\xef\x06\xc7.\xa7\xa2\xf26 ”.

To encrypt a protobuf -serialized message, the BAIDUv3.1 protocol first snappy -compresses it, forming a compressed buffer. The 32-bit, little-endian length of this compressed message is then prepended to the compressed buffer, forming the plaintext. A randomly generated 128-bit key k m is used to encrypt the plaintext using AESv2 in ECB mode. The resulting ciphertext is stored in bytes 44 until the end of the final UDP payload. Key k f is used to encrypt k m using AESv2 in ECB mode. The resulting ciphertext is stored in bytes 28 until 44 of the final UDP payload.

We found that these encrypted protobuf serializations include our typed keystrokes as well as the name of the application into which we were typing them (see Figure 5).

A vulnerability exists in the BAIDUv3.1+AESv2 scheme that allows a network eavesdropper to decrypt the contents of these messages. Since AES is a symmetric encryption algorithm, the same key used to encrypt a message can also be used to decrypt it. Since k f is fixed, any network eavesdropper with knowledge of k f , such as from performing the same analysis of the app as we performed, can decrypt k m and thus can decrypt the plaintext contents of each message encrypted in the manner described above. As we found that users’ keystrokes and the names of the applications they were using were sent in these messages, a network eavesdropper who is eavesdropping on a user’s network traffic can observe what that user is typing and into which application they are typing it by taking advantage of this vulnerability.

We analyzed iFlytek (also called xùnfēi from the pinyin of 讯飞) IME on Android, iOS, and Windows. We found that iFlytek IME for Android includes a vulnerability which allows network eavesdroppers to recover the plaintext of insufficiently encrypted network transmissions, revealing sensitive information including what users have typed (see Table 4 for details).

Table 4: The versions of Xunfei IME analyzed.

The Android version of iFlytek IME encrypts the payload of each HTTP request sent to pinyin.voicecloud.cn with the following algorithm. Let s be the current time in seconds since the Unix epoch at the time of the request. For each request, an 8-byte encryption key is then derived by first performing the following computation:

The 8-byte key k is then derived from x as the lowest 8 ASCII-encoded digits of x , left-padded with leading zeroes if necessary, in big-endian order. In Python, the above can be summarized by the following expression:

The payload of the request is then padded with PKCS#7 padding and then encrypted with DES using key k in ECB mode. The value s is transmitted in the HTTP request in the clear as a GET parameter named “time”.

Since DES is a symmetric encryption algorithm, the same key used to encrypt a message can also be used to decrypt it. Since k can be easily derived from s and since s is transmitted in the clear in every HTTP request encrypted by k , any network eavesdropper can easily decrypt the contents of each HTTP request encrypted in the manner described above. (Since s is simply the time in single second resolution, it also stands to reason that a network eavesdropper would have general knowledge of s in any case.)

We found that users’ keystrokes were transmitted in a protobuf serialization and encrypted in this manner (see Figure 6). Therefore, a network eavesdropper who is eavesdropping on a user’s network traffic can observe what that user is typing by taking advantage of this vulnerability.

Finally, the DES encryption algorithm is an older encryption algorithm with known weaknesses, and the ECB block cipher mode is a simplistic and problematic cipher mode. The use of each of these technologies is problematic in itself and opens the Android version of iFlytek IME’s communications to additional attacks.

We analyzed Samsung Keyboard on Android as well as the versions of Sogou IME and Baidu IME that Samsung bundled with our test device, an SM-T220 tablet running ROM version T220CHN4CWF4. We found that Samsung Keyboard for Android and Samsung’s bundled version Baidu IME includes a vulnerability that allows network eavesdroppers to recover the plaintext of insufficiently encrypted network transmissions, revealing sensitive information including what users have typed (see Table 5 for details).

Table 5: The keyboards analyzed on our Samsung test device .

Samsung Keyboard (com.samsung.android.honeyboard)

We found that when using Samsung Keyboard on the Chinese edition of a Samsung device and when Pinyin is chosen as Samsung Keyboard’s input language, Samsung Keyboard transmits keystroke data to the following URL in the clear via HTTP POST:

http://shouji.sogou.com/web_ime/mobile_pb.php?durtot=339&h=8f2bc112-bbec-3f96-86ca-652e98316ad8&r=android_oem_samsung_open&v=8.13.10038.413173&s=&e=&i=&fc=0&base=dW5rbm93biswLjArMC4w&ext_ver=0

The keystroke data is contained in the request’s HTTP payload in a protobuf serialization (see Figure 7 below).

The device on which we were testing was fully updated on the date of testing (October 7, 2023) in that it had all OS updates applied and had all updates from the Samsung Galaxy Store applied.

Since Samsung Keyboard transmits keystroke data via plain, unencrypted HTTP and since there is no encryption applied at any other layer, a network eavesdropper who is monitoring a Samsung Keyboard user’s network traffic can easily observe that user’s keystrokes if that user is using the Chinese edition of the ROM with the Pinyin input language selected.

When using the global edition of the ROM or when using a non-Pinyin input language, we did not observe the Samsung keyboard communicating with cloud servers.

百度输入法 (“Baidu IME”, com.baidu.input)

We found that the version of Baidu IME bundled with our Samsung test device transmitted keystroke information via UDP packets to udpolimenew.baidu.com . This version of Baidu IME used the BAIDUv3.1 protocol that we describe in the Baidu section earlier but with a different cipher and compression algorithm as indicated in each transmission’s header. In the remainder of this section we explain how a network eavesdropper can, just like with AESv2, decrypt the contents of messages encrypted using a scheme we call BAIDUv3.1+AESv1 (see Table 6).

Table 6: Summary of ciphers used across different Baidu protocols.

Samsung’s bundled version of Baidu IME encrypts keystrokes using a modified version of AES which we name AESv1 , as we believe it to be the predecessor to Baidu’s AESv2. When encrypting, AESv1’s key expansion is like that of standard AES, except, on each but the first subkey, the order of the subkey’s bytes are additionally permuted. Furthermore, on the encryption of each block, the bytes of the block are additionally permuted in two locations, once near the beginning of the block’s encryption immediately after the block has been XOR’d by the first subkey and again near the end of the block’s encryption immediately before S-box substitution. Aside from complicating our analysis, we are not aware of these modifications altering the security properties of AES, and we have developed an implementation of this algorithm to both encrypt and decrypt messages given a plaintext or ciphertext and a key.

Samsung’s bundled version of Baidu IME encrypts keystrokes by applying AESv1 in electronic codebook ( ECB ) mode in the following manner. First, the app uses the fixed 128-bit key, k f = “ \xff\x9e\xd5H\x07Z\x10\xe4\xef\x06\xc7.\xa7\xa2\xf26 ”, to encrypt another, generated, key, k m . The fixed key k f is the same key the BAIDUv3.1 protocol uses for AESv2 (see Figure 4). The encryption of k m is stored in bytes 64 until 80 of each UDP packet’s payload. The key k m is then used to encrypt the remainder of a zlib-compressed message payload, which is stored at byte 80 until the end of the UDP payload. We found that the encrypted payload included, in a binary container format which we did not recognize, our typed keystrokes as well as the name of the application into which we were typing them (see Figure 8).

A vulnerability exists in the BAIDUv3.1+AESv1 scheme that allows a network eavesdropper to decrypt the contents of these messages. Since AES, including AESv1, is a symmetric encryption algorithm, the same key used to encrypt a message can also be used to decrypt it. Since k f is hard-coded, any network eavesdropper with knowledge of k f can decrypt k m and thus decrypt the plaintext contents of each message encrypted in the manner described above. As we found that users’ keystrokes and the names of the applications they were using were sent in these messages, a network eavesdropper who is eavesdropping on a user’s network traffic can observe what that user is typing and into which application they are typing it by taking advantage of this vulnerability.

Additionally, in the version of Baidu Input Method distributed by Samsung, we found that key k m was not securely generated using a secure pseudorandom number generator ( secure PRNG ). Instead, it was seeded using a custom-designed PRNG that we believe to have poor security properties, and, instead of using a high entropy seed, the PRNG generating k m was seeded using the message plaintext. However, even without these weaknesses in the generation of k m , the protocol is already completely insecure to network eavesdroppers as described in the previous paragraphs.

We analyzed the keyboards preinstalled on our Huawei Mate 50 Pro test device. We found no vulnerabilities in the manner of transmission of users’ keystrokes in the versions of Huawei’s keyboard apps that we analyzed (see Table 7 for details). Specifically, Huawei used TLS to encrypt keystrokes in each version that we analyzed.

Table 7: The versions of the Huawei keyboard apps analyzed.

We analyzed the keyboards preinstalled on our Xiaomi Mi 11 test device. We found that they all include vulnerabilities that allow network eavesdroppers to decrypt network transmissions from the keyboards (see Table 8 for details). This means that network eavesdroppers can obtain sensitive personal information, including what users have typed.

Table 8: The versions of the Xiaomi keyboard apps analyzed.

In this section we detail vulnerabilities in three different keyboard apps included with MIUI 14.0.31 in which users’ keystrokes can be, if necessary, decrypted, and read by network eavesdroppers.

百度输入法小米版 (“Baidu IME Xiaomi Version”, com.baidu.input_mi)

We found that Xiaomi’s Baidu-based keyboard app encrypts keystrokes using the BAIDUv3.1+AESv2 scheme which we detailed previously. When the app’s messages are decrypted and deserialized, we found that they include our typed keystrokes as well as the name of the application into which we were typing them (see Figure 9).

Like we explained previously, a vulnerability exists in the BAIDUv3.1+AESv2 scheme that allows a network eavesdropper to decrypt the contents of these messages. As we found that users’ keystrokes and the names of the applications they were using were sent in these messages, a network eavesdropper who is eavesdropping on a user’s network traffic can observe what that user is typing and into which application they are typing it by taking advantage of this vulnerability.

搜狗输入法小米版 (“Sogou IME Xiaomi Version”, com.sohu.inputmethod.sogou.xiaomi)

The Sogou-based keyboard app is subject to a vulnerability which we have already publicly disclosed in Sogou IME (搜狗输入法) in which a network eavesdropper can decrypt and recover users’ transmitted keystrokes. Please see the corresponding details in this report for full details. Tencent responded by securing Sogou IME transmissions using TLS, but we found that Xiaomi’s Sogou-based keyboard had not been fixed.

讯飞输入法小米版 (“iFlytek IME Xiaomi Version”, com.iflytek.inputmethod.miui)

Similar to iFlytek’s own IME for Android, we found that Xiaomi’s iFlytek keyboard app used the same faulty encryption. We found that users’ keystrokes were sent to pinyin.voicecloud.cn and encrypted in this manner.

{“p”:{“m”:53,”f”:0,”l”:0},”i”:”nihaoniba”}

Therefore, a network eavesdropper who is eavesdropping on a user’s network traffic can observe what that user is typing by taking advantage of this vulnerability (see Figure 10).

We analyzed the keyboard apps preinstalled on our OPPO OnePlus Ace test device. We found that they all include vulnerabilities that allow network eavesdroppers to decrypt network transmissions from the keyboards (see Table 9 for details). This means that network eavesdroppers can obtain sensitive personal information, including what users have typed.

Table 9: The versions of the OPPO keyboard apps analyzed.

In this section we detail vulnerabilities in two different keyboard apps included with MIUI 14.0.31 in which users’ keystrokes can be, if necessary, decrypted, and read by network eavesdroppers.

百度输入法定制版 (“Baidu IME Custom Version”, com.baidu.input_oppo)

We found that OPPO’s Baidu-based keyboard app encrypts keystrokes using the BAIDUv3.1+AESv2 scheme which we detailed previously. When the app’s messages are decrypted and deserialized, we found that they include our typed keystrokes as well as the name of the application into which we were typing them (see Figure 11).

搜狗输入法定制版 (“Sogou IME Custom Version”, com.sohu.inputmethod.sogouoem)

The Sogou-based keyboard app is subject to a vulnerability which we have already publicly disclosed in Sogou IME (搜狗输入法) in which a network eavesdropper can decrypt and recover users’ transmitted keystrokes. Please see the corresponding details in this report for full details. Tencent responded by securing Sogou IME transmissions using TLS, but we found that OPPO’s Sogou-based keyboard had not been fixed.

We analyzed the keyboard apps preinstalled on our Vivo Y78+ test device. We found that the Sogou-based one includes vulnerabilities that allow network eavesdroppers to decrypt network transmissions from the keyboards (see Table 10 for details). This means that network eavesdroppers can obtain sensitive personal information, including what users have typed.

Table 10: The versions of the Vivo keyboard apps analyzed.

The Sogou-based keyboard app is subject to a vulnerability which we have already publicly disclosed in Sogou IME (搜狗输入法) in which a network eavesdropper can decrypt and recover users’ transmitted keystrokes. Please see the corresponding details in this report for full details. Tencent responded by securing Sogou IME transmissions using TLS, but we found that Vivo’s Sogou-based keyboard had not been fixed.

We analyzed the keyboard apps preinstalled on our Honor Play7T test device. We found that the Baidu-based one includes vulnerabilities that allow network eavesdroppers to decrypt network transmissions from the keyboards (see Table 11 for details). This means that network eavesdroppers can obtain sensitive personal information, including what users have typed.

Table 11: The versions of the Honor keyboard apps analyzed.

We found that Honor’s Baidu-based keyboard app encrypts keystrokes using the BAIDUv3.1+AESv2 scheme which we detailed previously. When the app’s messages are decrypted and deserialized, we found that they include our typed keystrokes as well as the name of the application into which we were typing them (see Figure 12).

As of April 1, 2024, “Baidu IME Honor Version”, the default IME on the Honor device we tested, is still vulnerable to passive decryption. We also discovered that on our Play7T device, there was no way to update “Baidu IME Honor Version” through the device’s app store. In responding to our disclosures, Honor asked us to disclose to Baidu and that it was Baidu’s responsibility to patch this issue.

Other affected keyboard apps

Given our limited resources to analyze apps, we were not able to analyze every cloud-based keyboard app available. Nevertheless, given that these vulnerabilities appeared to affect APIs that were used by multiple apps, we wanted to approximate the total number of apps affected by these vulnerabilities.

We began by searching VirusTotal , a database of software and other files that have been uploaded for automated virus scanning, for Android apps which reference the string “get.sogou.com”, the API endpoint used by Sogou IME, as these apps may require additional investigation to determine whether they are vulnerable. Excluding apps that we analyzed above, this search yielded the following apps:

com.sohu.sohuvideo

com.tencent.docs

com.sogou.reader.free

com.sohu.inputmethod.sogou.samsung

com.sogou.text

com.sogou.novel

com.sogo.appmall

com.blank_app

com.sohu.inputmethod.sogou.nubia

com.sogou.androidtool

com.sohu.inputmethod.sogou.meizu

com.sohu.inputmethod.sogou.zte

sogou.mobile.explorer.hmct

sogou.mobile.explorer

com.sogou.translatorpen

com.sec.android.inputmethod.beta

com.sohu.inputmethod.sogou.meitu

com.sec.android.inputmethod

sogou.mobile.explorer.online

com.sohu.sohuvideo.meizu

com.sohu.inputmethod.sogou.oem

com.sogou.map.android.maps

sogou.llq.online

com.sohu.inputmethod.sogou.coolpad

com.sohu.inputmethod.sogou.chuizi

com.sogou.toptennews

com.sogou.recmaster

com.meizu.flyme.input

We have not analyzed these apps and thus cannot conclude that they are necessarily vulnerable, or even keyboard apps, but we provide this list to help reveal the possible scope of the vulnerabilities that we discovered. When we disclosed this list to Tencent, Tencent requested an additional three months to fix the vulnerabilities before we publicly disclosed this list, suggesting credence to the idea that apps in this list are largely vulnerable. Similarly, after excluding apps that we had already analyzed, the following are other Android apps which reference the strings “udpolimenew.baidu.com” or “udpolimeok.baidu.com”, the API endpoints used by Baidu Input Method:

• com.adamrocker.android.input.simeji
• com.facemoji.lite.xiaomi.gp
• com.facemoji.lite.xiaomi
• com.preff.kb.xm
• com.facemoji.lite.transsion
• com.txthinking.brook
• com.facemoji.lite.vivo
• com.baidu.input_huawei
• com.baidu.input_vivo
• com.baidu.input_oem
• com.preff.kb.op
• com.txthinking.shiliew
• mark.via.gp
• com.qinggan.app.windlink
• com.baidu.mapauto

These findings suggest that a large ecosystem of apps may be affected by the vulnerabilities that we discovered in this report.

Coordinated disclosure

We reported the vulnerabilities that we discovered to each vendor in accordance with our vulnerability disclosure policy . All companies except Baidu, Vivo, and Xiaomi responded to our disclosures. Baidu fixed the most serious issues we reported to them shortly after our disclosure, but Baidu has yet to fix all issues that we reported to them. The mobile device manufacturers whose preinstalled keyboard apps we analyzed fixed issues in their apps except for their Baidu apps, which either only had the most serious issues addressed or, in the case of Honor, did not address any issues (see Table 12 for details). Regarding QQ Pinyin, Tencent indicated that “with the exception of end-of-life products, we aim to finalize the upgrade for all active products to transmit EncryptWall requests via HTTPS by the conclusion of Q1 [2024]”, but, as of April 1, 2024, we have not seen any fixes to this product. Tencent may consider QQ Pinyin end-of-life as it has not received updates since 2020, although we note that it is still available for download. For timelines and full correspondence of our disclosures to each vendor, please see the Appendix .

* Default keyboard app on our test device. † Both QQ Pinyin and Sogou IME are developed by Tencent; in this report we analyzed QQ Pinyin and found the same issues as we had in Sogou IME .

Table 12: Status of vulnerabilities after disclosure as of April 1, 2024.

To summarize, we no longer have working exploits against any products except Honor’s keyboard app and Tencent’s QQ Pinyin. Baidu’s keyboard apps on other devices continue to contain weaknesses in their cryptography which we are unable to exploit at this time to fully decrypt users’ keystrokes in transit.

Barriers to users receiving security updates

Users can receive updates to their keyboard apps on their phones’ app stores, and such updates typically install in the background without user intervention. In our testing, updating keyboard apps was typically performed without friction. However, in some cases, a user may need to also ensure that they have fully updated their operating system before they will receive the fixes to our reported vulnerabilities for their keyboard app through the app store. In the case of the Honor device we tested, there was no update mechanism for the default keyboard used by the operating system through the app store. Honor devices bundled with a vulnerable version of the keyboard will remain vulnerable to passive decryption. In the case of the Samsung Galaxy Store, we found that on our device a user must sign in with a Samsung account before receiving security updates to their keyboard app. In the case the user does not have a Samsung account, then they must create one. We believe that installing important security updates should be frictionless, and we recommend that Samsung and app stores in general not require the registration of a user account before receiving important security updates.

We also learned from communication with Samsung’s security team that our test device had been artificially stuck on an older version of Baidu IME (version 8.5.20.4) compared to the one in the Samsung Galaxy Store. This is because, although the test device was using a Chinese ROM, we were prevented from receiving updates to Baidu IME because the app was geographically unavailable in Canada, where we were testing from. Samsung addressed this issue by adding Baidu’s keyboard app to the global market. Generally speaking, we recommend that Samsung and other app stores do not geoblock security updates to apps that are already installed.

Language barriers in responsible disclosures

We suspect that a language barrier may have prevented iFlytek from responding to our initial disclosure in English. After we did not receive a response for one month, we re-sent the same disclosure e-mail, but with a subject line and one-sentence summary in simplified Chinese. iFlytek responded within three days of this second email and promptly fixed the issues we noted. All future disclosure emails to the Chinese mobile device manufacturers were then written with Chinese subject lines and a short summary in Chinese. Though obvious in hindsight, we encourage security researchers to consider if the company to which they are disclosing uses a different language than the researcher. We suggest submitting vulnerability disclosures, at the very least, with short summaries and email subject lines in the official language of the company’s jurisdiction to prevent similar delays as we may have encountered in disclosure timelines.

Limitations

In this report we detail vulnerabilities relating to the security of the transmission of users’ keystrokes in multiple keyboard apps. In this work we did not perform a full audit of any app or make any attempt to exhaustively find every security vulnerability in any software. Our report concerns analyzing keyboard apps for a class of vulnerabilities that we discovered, and the absence of our reporting of other vulnerabilities should not be considered evidence of their absence.

In this section we discuss the impact of the vulnerabilities that we found, speculate as to the factors that gave rise to them, and conclude by introducing possible ways to systemically prevent such vulnerabilities from arising in the future.

Impact of these vulnerabilities

The scope of these severe vulnerabilities cannot be understated: until this and our previous Sogou report , the majority of Chinese mobile users’ keystrokes were decryptable by network adversaries. The keyboards we studied comprise over 95% of the third-party IME market share, which is estimated to be over 780 million users by marketing agencies. In addition, the three phone manufacturers which pre-installed and by default used vulnerable keyboard apps comprise nearly 50% of China’s smartphone market.

The vulnerabilities that we discovered would be inevitably discovered by anyone who thinks to look for them. Furthermore, the vulnerabilities do not require technological sophistication to exploit. With the exception of the vulnerability affecting many Sogou-based keyboard apps that we previously discovered , all of the vulnerabilities that we covered in this report can be exploited entirely passively without sending any additional network traffic. This also means any existing logs of network data sent by these keyboards can be decrypted in the future. As such, we might wonder, are these vulnerabilities actively under mass exploitation?

While many governments may possess sophisticated mass surveillance capabilities, the Snowden revelations gave us unique insight into the capabilities of the United States National Security Agency (NSA) and more broadly the Five Eyes . The revelations disclosed , among other programs, an NSA program called XKEYSCORE for collecting and searching Internet data in realtime across the globe (see Figure 13). Leaked slides describing the program specifically reveal only a few examples of XKEYSCORE plugins. However, one was a plugin that was written by a Five Eyes team to take advantage of vulnerabilities in the cryptography of Chinese-developed UC Browser to enable the Five Eyes to collect device identifiers, SIM card identifiers, and account information pertaining to UC Browser users (see Figure 14 for an illustration).

The similarity of the vulnerability exploited by this XKEYSCORE plugin and the vulnerabilities described in this report are uncanny, as they are all vulnerabilities in the encryption of sensitive data transmissions in software predominantly used by Chinese users. Given the known capabilities of XKEYSCORE, we surmise that the Five Eyes would have the capability to globally surveil the keystrokes of all of the keyboard apps that we analyzed with the exception of Sogou and the apps licensing its software. This single exception exists because Sogou cannot be monitored passively and would require sending packets to Sogou servers. Such communications would be measurable at Sogou’s servers and at other vantage points, potentially revealing the Five Eyes’s target(s) of surveillance to Sogou or Chinese network operators. Therefore, targets of outdated Sogou software would be undesirable victims of mass surveillance, even if such non-passive measurements were within the known capabilities of XKEYSCORE or other Five Eyes programs.

Given the enormous intelligence value of knowing what users are typing, we can conclude that not only do the NSA and more broadly the Five Eyes have the capabilities to mass exploit the vulnerabilities we found but also the strong motivation to exploit them. If the Five Eyes’ capabilities are an accurate reflection of the capabilities and motivations of other governments, then we can assume that many other governments are also capable and motivated to mass exploit these vulnerabilities. The only remaining question is whether any government had knowledge of these vulnerabilities. If they did not have such knowledge before our original report analyzing Sogou, they may have acquired after it in the same way that our original research inspired us to look at similar keyboard apps for analogous vulnerabilities. Unfortunately, short of future government leaks, we may never know if or to what extent any state actors mass exploited these vulnerabilities.

Even though we disclosed the vulnerabilities to vendors, some vendors failed to fix the issues that we reported. Moreover, users of devices which are out of support or that otherwise no longer receive updates may continue to be vulnerable. As such, many users of these apps may continue to be under mass surveillance for the foreseeable future.

How did these vulnerabilities arise

We analyzed a broad sample of Chinese keyboard apps, finding that they are almost universally vulnerable to having their users’ keystrokes being decrypted by network eavesdroppers. Yet there is no common library or a single implementation flaw responsible for these vulnerabilities. While some of the keyboard apps did license their code from other companies, our overall findings can only be explained by a large number of developers independently making the same kind of mistake. As such, we might ask, how could such a large number of independent developers almost universally make such a critical mistake?

One attempt to answer this question is to suggest that these were not mistakes at all but deliberate backdoors introduced by the Chinese government. However, this hypothesis is rather weak. First, user keystroke data is already being sent to servers within Chinese legal jurisdiction, and so the Chinese government would have access to such data anyways. Second, the vulnerabilities that we found give the ability not just to the Chinese government to decrypt transmitted keystrokes but to any other actor as well. In an ideal backdoor, the Chinese government would want the desirable property that only they have access to the backdoor. Finally, the Chinese government has made strides to study and improve the data security of apps developed and used in China, attempting to prevent and fix the very sort of vulnerabilities which we discovered. For instance, a 2020 report from CNCERT/CC found that 60 percent of the 50 banking applications that they investigated did not encrypt any user data transmitted over the network, among a litany of other common security issues.

Were Chinese app developers skeptical of using cryptographic standards perceived as “Western”? Countries such as China and Russia have their own encryption standards and ciphers . To our knowledge none of the faulty encryption implementations that we analyzed adhered to any sort of known standard in any country, and each appeared to be home-rolled ciphers. However, it is possible that Asian developers are less inclined to use encryption standards that they fear may contain backdoors such as the potential Dual_EC_DRBG backdoor .

Perhaps Chinese app developers could be skeptical of standards such as SSL/TLS as well. The TLS ecosystem has also only become nearly-universal in the past decade . Especially before broad oversight of certificate authorities became commonplace, there were many valid criticisms of the SSL/TLS ecosystem. In 2011, digital rights organizations EFF and Access Now were both concerned about the certificate authority (CA) infrastructure underpinning SSL/TLS transport encryption. Even today, the vast majority of root certificates trusted by major OSes and browsers are operated by certificate authorities based in the Global North. We also note that all of the IMEs containing vulnerabilities were first released before 2013 and likely had a need for secure network transmission before SSL/TLS became the de-facto standard for strong transport encryption.

Still, it has been a decade since the Snowden leaks demonstrated the global, urgent, and practical need for strong encryption of data-in-transit in 2013, and the TLS ecosystem has largely stabilized, with CA root lists of many major browsers and OSes controlled by voting bodies and certificate transparency deployed. As of 2024, almost 95% of web traffic from users of Firefox in the United States is traveling over HTTPS . In addition, the speed in which both iFlytek and Sogou switched to TLS demonstrates that making the change to standard TLS is not necessarily a time or resource issue. Even if skepticism towards SSL/TLS explains the reluctance to adopt it in the early 2010s, we are not sure why there is much more inertia in the Chinese Internet ecosystem against making the switch to TLS.

Finally, mobile devices and other operating systems are still incapable of guaranteeing the security of data under transmission, despite iOS and Android having introduced restrictions into their APIs. For instance, iOS 9 implemented App Transport Security , a policy placing restrictions on the ability to transmit data without TLS. However, there are two limitations of this technology. First, an app can specify exceptions to this policy in its Info.plist resource. Second, the policy affects high level APIs and leaves communications over lower level socket-based APIs unregulated. Similar to iOS, Android 9 disables cleartext traffic using certain high level APIs by default , but an app may exclude specific domains or avoid the policy by using lower level APIs.

Can we systemically address these vulnerabilities?

Individually analyzing apps for this class of vulnerabilities and individually reporting issues discovered is limited in the scale of apps that it can fix. First, while we can attempt to manually analyze some of the most popular keyboard apps, we will never be able to analyze every app at large. Second, we might not be able to predict which apps to look at in the first place. For instance, before we analyzed Sogou and the keyboard apps featured in this report, we never would have expected that their network transmissions would be so easily vulnerable to interception. In light of the limitations of the methods that we employed in this report, in the remainder of this section we discuss possibilities for how we might systematically or wholesale address apps which transmit sensitive data over networks without sufficient encryption.

By security researchers paying more attention to the Chinese Internet

There appears to be a general failure of researchers to analyze Chinese apps and the Chinese Internet ecosystem at large, despite its size and influence. The Google Play Store and Apple App Store ecosystems, for instance, are commonly studied by privacy researchers, but many Chinese app stores are overlooked, despite that many popular Chinese apps have more users than their counterparts on the Google Play Store. While the vulnerabilities that we discovered were not all trivial to find and many took substantial analysis to attack, most would have been inevitably discovered by any researcher analyzing these apps for data security. A researcher studying network traffic from users of Chinese devices could also have identified strange, non-standard traffic.

By using app store enforcement

One might call on app stores to enforce the use of sufficient encryption to protect sensitive data in transit. App stores already have a number of rules that they enforce through a combination of automated and manual review. Calling on app stores to enforce sufficient encryption of in-transit sensitive data is tempting given the resources of the companies operating the app stores. However, failing any other innovation, the same scaling issues that apply to other researchers studying these apps will apply to those working for these companies.

By using device permission models

On Android devices, installing any keyboard, regardless of whether or how it communicates with servers over the Internet, brings up a pop-up with the following text:

This input method may be able to collect all the text you type, including personal data like passwords and credit card numbers.

The wording of these warning messages is overbroad and does not necessarily help users distinguish between keyboards that transmit keystrokes over the network, keyboards that transmit keystrokes insecurely (using something other than standard TLS) over the network, and keyboards that do not transmit any data at all.

iOS devices, on the other hand, sandbox their keyboards by default. There is a “Full Access” or “open access” permission that must be explicitly granted to keyboards before they have network access, among other privileges. Without this permission, third-party keyboards cannot transmit network data . We recommend Android also adopt a more fine-grained permission model for keyboards.

Furthermore, the vulnerable apps that we studied transmit data using low level socket APIs versus higher level APIs that require the usage of TLS or HTTPS. One might desire that separate system calls be designed for TLS or HTTPS traffic in addition to the lower level socket system calls so that devices could implement an UNSAFE_INTERNET permission that would be required for apps to use the lower level system calls while still allowing TLS-encrypted traffic for apps that do not have this permission.

While this approach may have some merit, it also has certain drawbacks. It makes sense for situations where apps are untrustworthy and the operating system is completely trustworthy, but there are common situations where the operating system could be not as or even less trustworthy than apps that it is running. One common case would be a user who is running an up-to-date app on an out of date operating system, possibly because the user’s device is no longer receiving operating system updates. In such a case, the app’s implementation of TLS is more likely to be secure than that of the operating system. Furthermore, a user’s operating system may be compromised by malware or otherwise be untrustworthy in itself. Introducing a TLS system call would centralize the encryption of all sensitive data and grant the operating system easy visibility into all unencrypted data. In any case, innovating in areas of encryption is an important right of application developers, and it may not make sense to stifle apps like Signal because of their use of end-to-end or other novel encryption by requiring them to obtain an UNSAFE_INTERNET permission.

One might alternatively desire for apps at large to not be able to access the Internet at all. Instead of an UNSAFE_INTERNET permission, what about introducing an INTERNET permission to govern all Internet socket access, similar to the “Full Access” permission which iOS already applies to keyboard apps? Android devices in fact already have such a permission that apps must request to use Internet (AF_INET) sockets, but it is not a permission that is exposed to ordinary users either in the Google Play Store or through any stock Android user interface, and it is automatically granted when installing an app. Unfortunately, given all of the interprocess communication (IPC) vehicles on modern smart devices, restricting Internet socket access may not guarantee that the app could not communicate over the Internet (e.g., through Google Play services). GrapheneOS , an open source Android-based operating system, implements a NETWORK permission. However, denying this permission can lead to surprising results where apps can still communicate with the Internet via IPC with other apps. As such, we recommend that both the developers of Android and iOS work toward a meaningful INTERNET permission that would adequately inform users of whether an app communicates over the Internet.

By international standards bodies better engaging with Chinese developers

We encourage International standards bodies like the IETF to continue to engage and outreach Chinese Internet companies and engineers in good faith to further reduce friction in cross-linguistic knowledge transfer. The presence of these similar but independent vulnerabilities demonstrate that there is a friction in the transfer and implementation of knowledge between the English-speaking cryptography community and the Chinese cryptography community. For instance, Schneier’s Law or the oft-repeated mantra “don’t roll your own crypto” may be common knowledge to cryptographers trained in English, but perhaps lost in translation. A lag across linguistic boundaries means that general information like the recent stabilization of TLS and webPKI infrastructure may travel more slowly, and updating encryption software to reflect new information may lag even further behind. One other possible example of this phenomenon is that, according to Firefox Telemetry , up until 2020, the Japanese Internet ecosystem also significantly lagged behind the global average in HTTPS adoption.

Although protocols put out by IETF and other International standards bodies can be far from bulletproof , these bodies can still help facilitate international communication about the current state-of-the-art in protocol encryption. The burden of cross-linguistic and cross-cultural exchange on technical standards falls on global standards bodies. Western media outlets and researchers tend to uniformly attribute the actions and participation of private Chinese companies within standards bodies to government actors seeking sovereignty over Internet standards. While skepticism may be warranted in certain cases , there is also research that challenges a simplistic and overbroad narrative. As a single data point, we note that we did not find these issues in Huawei’s keyboards, whose employees are often noted as especially active participants in IETF standard-setting.

By using automated static or dynamic analysis

There has been a failure of automated tools to detect insecure traffic at large. Longitudinal TLS telemetry has largely been focused on web-based perspectives (i.e., how many domains support TLS or how many web connections are encrypted by TLS ?), and the mobile perspective is often overlooked, despite the increasing dominance of mobile traffic globally. Although there are some research projects that survey TLS usage in Android mobile apps at scale, there is no public longitudinal data from these projects (i.e., they are run as one-off studies), and many focus on the Google Play’s Android ecosystem, thereby excluding the Chinese mobile Internet. There is perhaps a need for public longitudinal TLS telemetry for popular mobile applications globally, via automated static or dynamic analysis at scale.

By using attestations in app stores

Another way for users to gain visibility into the security and privacy properties of their apps is through the use of developer attestations, such as the ones that appear in data safety sections in many popular app stores. Both the Apple App Store and the Google Play Store collect and display such attestations to varying extents, including attestations as to what data an app collects (if any) and with whom it is shared (if anyone). Additionally, the Play Store allows developers the opportunity to attest to performing “encryption in transit” (see Figure 15 for an example). These attestations allow users to clearly see what security and privacy properties an app’s developer claims it to have and, like privacy policies, they provide means of redress if violated.

We wanted to evaluate whether the apps that we analyzed lived up to their attestations concerning their encryption in the app stores in which they are available. Among the apps that we analyzed, only Baidu IME was available in the Play Store. At the time of this writing, it does not attest to its data being encrypted in transit. Although other apps that we analyzed were available in Apple’s App Store, to our knowledge, this store does not display an attestation for whether the app encrypts data in transit. As such, across both the Google Play and the Apple App stores, attestations were insufficient for compelling the keyboard apps’ developers to implement proper encryption or in providing users any opportunity for redress.

In light of the above findings, we believe that users would benefit from the following recommendations: (1) that app store operators require developers to attest to whether or not an app encrypts data in transit, (2) that app store operators display not only when developers attest to all data being encrypted in transit but also display a warning when they fail to, and (3) that app store operators require apps in certain sensitive categories, such as keyboard apps, to either positively attest to encrypting all data in transit or to attest to not transmitting any data at all.

Since most of the apps that we found perform some type of encryption, even if it were wholly inadequate, one might wonder if attesting that data is merely “encrypted” is enough, since the data arguably did have some manner of encryption applied to it during transit. The Play Store provides some guidance on this topic. Under the question — “How should I encrypt data in transit?” — the documentation notes : “You should follow best industry standards to safely encrypt your app’s data in transit. Common encryption protocols include TLS (Transport Layer Security) and HTTPS.”

Another issue with attestations is that they provide no guarantee that an app behaves as its developers attest, as developers can, after all, make false attestations. While we wish that attestations could guarantee that an app sufficiently implements proper cryptography to the same extent that a permission system can guarantee an app does not use a microphone, false attestations provide an opportunity for redress. For instance, apps which are found to violate attestations would be subject to removal from app stores. Furthermore, apps which violate attestations could be subject to fines by regulatory bodies such as the FTC. Finally, apps which violate the attestation could be liable to civil suits.

While the apps we analyzed were predominantly available from Chinese app stores, we equally recommend that Chinese app stores adopt these recommendations in addition to the Apple App Store and the Google Play Store. Moreover, while this report focuses on the problem of poor encryption practices as it applies to Chinese apps, the problem to varying extents applies to apps of all other provenances.

Summary of recommendations

We conclude our report by summarizing our recommendations to multiple stakeholders.

Recommendations to security researchers

• Researchers should analyze more apps from the East Asian app ecosystem and from other popular ecosystems which may be outside of their own locale.
• Researchers should develop better static and dynamic analysis techniques to recognize the types of vulnerabilities that we discovered in this report at scale.
• Researchers submitting vulnerability disclosures to a company should include short summaries and email subject lines in the official language of the company’s jurisdiction.

Recommendations to international standards bodies

• International standards bodies should continue to engage with security engineers from Chinese Internet companies.

Recommendations to app store operators

• App stores should not require account registration as a condition to receive security updates.
• App stores should not geoblock security updates.
• App stores should allow developers to attest to all data being transmitted with encryption, similar to the ability in the Google Play Store.
• App stores should display not only when developers attest to all data being encrypted in transit but also display a warning when they fail to.
• App stores should require apps in certain sensitive categories, such as keyboard apps, to either positively attest to encrypting all data in transit or to attest to not transmitting any data at all.

Recommendations to keyboard app developers

• Use well-tested and standard encryption protocols, like TLS or QUIC.
• Make every attempt to provide features on-device without requiring transmitting sensitive data to cloud servers.

Recommendations to mobile operating system developers

• Android should implement sandboxing by default for keyboard apps, similar to iOS, that prevents a keyboard from transmitting network traffic among other activities until a user grants the app full access.
• The developers of Android and iOS should work toward a meaningful INTERNET permission that would adequately inform users of whether any app communicates over the Internet.

Recommendations to device manufacturers

• Conduct security audits of third-party keyboards that you intend to pre-install by default on your operating systems.

Recommendations to users

• Users of Honor’s pre-installed keyboard or users of QQ pinyin should switch keyboards immediately.
• Users of any Sogou, Baidu, or iFlytek keyboard, including the versions that are bundled or pre-installed on operating systems, should ensure their keyboards and operating systems are up-to-date.
• Users of any Baidu IME keyboard should consider switching to a different keyboard or disabling the “cloud-based” feature.
• Users with privacy concerns should not enable “cloud-based” features on their keyboards or IMEs or should switch to a keyboard that does not offer “cloud-based” prediction.
• iOS users with privacy concerns should not enable “Full Access” for their keyboards or IMEs.

Acknowledgments

We would like to thank Jedidiah Crandall, Jakub Dalek, Pellaeon Lin, and Sarah Scheffler for their guidance and review of this report. Research for this project was supervised by Ron Deibert.

Known affected software

We recommend that all users keep their operating systems and apps, including keyboard apps, up to date. If you use any of the following software, we especially recommend you update to the most recent version of your OS and application. As of April 1, 2024, the following software has fixes available:

Separately installed, third-party keyboards

• Sogou IME / 搜狗输入法 for Android and Windows
• Baidu IME / 百度输入法 for Windows (this software has only been partially fixed, see below)
• iFlytek IME / 讯飞输入法 for Android

Pre-installed on Samsung devices with Chinese edition ROM

• Samsung Keyboard
• Baidu IME / 百度输入法

Pre-installed on Xiaomi devices with Chinese edition ROM

• Sogou IME Xiaomi Version / 搜狗输入法小米版
• iFlytek IME Xiaomi Version / 讯飞输入法小米版

Pre-installed on OPPO devices with Chinese edition ROM

• Sogou IME Custom Version / 搜狗输入法定制版

Pre-installed on Vivo devices with Chinese edition ROM

The following software does not use TLS and may still contain weaknesses:

• Baidu IME / 百度输入法 for Android, Windows, and iOS
• Baidu IME Xiaomi Version / 百度输入法小米版
• Baidu IME Custom Version / 百度输入法定制版

The following software has not been fixed and is easily exploitable, and we suggest that users switch to another keyboard entirely:

• QQ Pinyin IME / QQ拼音输入法 for Android and Windows

Pre-installed on Honor devices with Chinese edition ROM

• Baidu IME Honor Version / 百度输入法荣耀版

Disclosure timelines

We sent the following via email:

To: [email protected], [email protected]

Subject: Security issue in Baidu Input Method

To Whom It May Concern:

The Citizen Lab is an academic research group based at the Munk School of Global Affairs & Public Policy at the University of Toronto in Toronto, Canada.

We analyzed Baidu Input Method as part of our ongoing work analyzing popular mobile and desktop apps for security and privacy issues. We found that Baidu Input Method for Windows includes a vulnerability which allows network eavesdroppers to decrypt network transmissions. This means third parties can obtain sensitive personal information including what users have typed. We also found privacy and security weaknesses in the encryption used by the Android and iOS versions of Baidu Input Method. To address these issues, we suggest using HTTPS or TLS rather than custom-designed network protocols. For further details, please see the attached document .

The Citizen Lab is committed to research transparency and will publish details regarding the security vulnerabilities it discovers in the context of its research activities, absent exceptional circumstances, on its website: https://citizenlab.ca/ .

If no response is received to this disclosure, the Citizen Lab will publish details regarding the security vulnerability on its website after 15 calendar days from the date of this communication. In other words, where there is no response from you, Citizen Lab will publish details regarding the vulnerability after October 18 2023.

If a substantive response is received (which excludes, for example, an auto reply) to this disclosure within 15 calendar days from the date of this communication, the Citizen Lab will provide you with 45 calendar days from the date of this communication to fix (whether in whole or in part) the vulnerability before publicly disclosing the issue. In other words, where we do receive a substantive response from you, the Citizen Lab will publish details regarding the vulnerability after November 17 2023.

We reserve the right to publish details regarding the vulnerability to the general public before the expiry of the 45 calendar days set out above in the following situations: (1) you have disclosed the vulnerability to the general public, (2) you have patched the vulnerability, (3) you have taken the position that there is no security vulnerability, or (4) the Citizen Lab observes the vulnerability is under active exploitation.

All communications associated with this disclosure may be included in the Citizen Lab’s public disclosure of this vulnerability.

Please communicate what steps you will take to address the vulnerability that we have described, and please provide the timeline you decide upon for the implementation of fixes.

Finally, upon implementation of any fixes, we ask that you communicate the full extent of the vulnerability to the Citizen Lab.

Should you have any questions about our findings please let us know. We can be reached at this email address: [email protected].

The Citizen Lab

Subject: Security issues in Baidu Input Method / 百度输入法高危漏洞

多伦多大学的研究人员发现许多手机预装的百度输入法存在高危漏洞，让网络攻击者可以直接看到用户输入的内容。同时也发现百度输入法的安卓版、iOS版、和Windows版存在另外与安全相关的问题，建议切换到TLS。本文用英文解释了研究人员发现漏洞的细节。

We analyzed Baidu Input Method as part of our ongoing work analyzing popular mobile and desktop apps for security and privacy issues. We found multiple third-party apps using the Baidu Input Method API include a vulnerability which allows network eavesdroppers to decrypt network transmissions. This means third parties can obtain sensitive personal information including what users have typed. We also found privacy and security weaknesses in the encryption used by the Windows, Android, and iOS versions of Baidu Input Method. To address these issues, we suggest using HTTPS or TLS rather than custom-designed network protocols. For further details, please see the attached document.

If no response is received to this disclosure, the Citizen Lab will publish details regarding the security vulnerability on its website after 15 calendar days from the date of this communication. In other words, where there is no response from you, Citizen Lab will publish details regarding the vulnerability after December 7 2023.

If a substantive response is received (which excludes, for example, an auto reply) to this disclosure within 15 calendar days from the date of this communication, the Citizen Lab will provide you with 45 calendar days from the date of this communication to fix (whether in whole or in part) the vulnerability before publicly disclosing the issue. In other words, where we do receive a substantive response from you, the Citizen Lab will publish details regarding the vulnerability after January 6 2024.

To: [email protected]

Subject: Security issues in Honor keyboard / 荣耀百度输入法高危漏洞

总结：多伦多大学的研究人员发现荣耀预装的百度输入法使用的加密协议有高危漏洞，让网路攻击者可以直接看到用户输入的内容。本文用英文解释了研究人员发现高危漏洞的细节。

We analyzed Honor pre-installed keyboard apps as part of our ongoing work analyzing popular mobile and desktop apps for security and privacy issues. We found that the Baidu-based one includes vulnerabilities that allow network eavesdroppers to decrypt network transmissions. This means third parties can obtain sensitive personal information including what users have typed. To address these issues, we suggest using HTTPS or TLS rather than custom-designed network protocols. For further details, please see the attached document.

If no response is received to this disclosure, the Citizen Lab will publish details regarding the security vulnerability on its website after 15 calendar days from the date of this communication. In other words, where there is no response from you, Citizen Lab will publish details regarding the vulnerability after December 7 2023

If a substantive response is received (which excludes, for example, an auto reply) to this disclosure within 15 calendar days from the date of this communication, the Citizen Lab will provide you with 45 calendar days from the date of this communication to fix (whether in whole or in part) the vulnerability before publicly disclosing the issue. In other words, where we do receive a substantive response from you, the Citizen Lab will publish details regarding the vulnerability after January 6 2024

We received the following email:

From: security <[email protected]>

Subject: 答复: Security issues in Honor keyboard / 荣耀百度输入法高危漏洞

DEAR Citizen Lab

Thank you very much for your concern about the security of Honor.

Honor always attaches great importance to the security of products and services. In order to respond to your security concerns immediately,

we have set up a professional vulnerability response team to serve you and set up an email ([email protected]) for quick response.

We are analyzing the impact of these security issue and will reach a conclusion as soon as possible.

Once again thank you for your concern about the security of Honor. If you have any questions, feel free to contact us through this email at any time.

Honor Security Response Center

Thank you very much for your report and your patience.

After our analysis. Baidu is a vendor of Honor, we relied on the vendor to patch this issue. We recommend that you submit this issue to Baidu and negotiate a disclosure plan with Baidu.

We sent the following email:

To: security <[email protected]>

Subject: Re: Security issues in Honor keyboard / 荣耀百度输入法高危漏洞

Dear Honor Security Response Center,

We have tried disclosing these issues to Baidu, but Baidu has been so far unresponsive to our disclosures.

We would like to note that our Honor Play7T device is still using an older version (v8.2.501.1) of the com.baidu.input_hihonor app. While the latest version of Baidu’s keyboard does not address all of the issues that we have reported, it does contain fixes for the most serious issues. Therefore, we recommend updating the com.baidu.input_hihonor app to the latest version of Baidu’s keyboard.

To: [email protected]

Subject: Security issue in Xunfei Input Method

We analyzed Xunfei Input Method on Android as part of our ongoing work analyzing popular mobile and desktop apps for security and privacy issues. We found that Xunfei Input Method for Android includes a vulnerability which allows network eavesdroppers to recover the plaintext of insufficiently encrypted network transmissions, revealing sensitive information including what users have typed.

For further details, please see the attached document.

If no response is received to this disclosure, the Citizen Lab will publish details regarding the security vulnerability on its website after 15 calendar days from the date of this communication. In other words, where there is no response from you, Citizen Lab will publish details regarding the vulnerability after September 23, 2023.

If a substantive response is received (which excludes, for example, an auto reply) to this disclosure within 15 calendar days from the date of this communication, the Citizen Lab will provide you with 45 calendar days from the date of this communication to fix (whether in whole or in part) the vulnerability before publicly disclosing the issue. In other words, where we do receive a substantive response from you, the Citizen Lab will publish details regarding the vulnerability after October 23, 2023.

To: [email protected]

We analyzed Xunfei Input Method on Android as part of our ongoing work analyzing popular mobile and desktop apps for security and privacy issues. We found that Xunfei Input Method for Android includes a vulnerability which allows network eavesdroppers to recover the plaintext of insufficiently encrypted network transmissions, revealing sensitive information including what users have typed. For further details, please see the attached document .

On September 8 2023 we attempted to disclose these vulnerabilities to [email protected], an email address listed on the product’s Web page, but we have not received a response. If you are not able to process vulnerability disclosures for this product, please ensure that this disclosure is delivered to someone who can.

If no response is received to this disclosure, the Citizen Lab will publish details regarding the security vulnerability on its website after 15 calendar days from the date of this communication. In other words, where there is no response from you, Citizen Lab will publish details regarding the vulnerability after October 10, 2023.

If a substantive response is received (which excludes, for example, an auto reply) to this disclosure within 15 calendar days from the date of this communication, the Citizen Lab will provide you with 45 calendar days from the date of this communication to fix (whether in whole or in part) the vulnerability before publicly disclosing the issue. In other words, where we do receive a substantive response from you, the Citizen Lab will publish details regarding the vulnerability after November 9, 2023.

To: [email protected], [email protected]

Subject: 讯飞输入法高危漏洞

多伦多大学的研究人员发现讯飞输入法使用的加密协议存在高危漏洞，让网路攻击者可以直接看到用户输入的内容。本文用英文解释了研究人员发现高危漏洞的细节。

On September 8 2023 we attempted to disclose these vulnerabilities to [email protected], and on September 25 2023 we attempted to disclose these vulnerabilities to [email protected]. We have not received a response to these emails. If you are not able to process vulnerability disclosures for this product, please ensure that this disclosure is delivered to someone who can.

Subject: Feedback on Xunfei Input Method issue

Hello The Citizen Lab,

Sorry for the delay.

Thank you for your detailed report and responsible disclosure on this issue.

We have analyzed your report and confirmed this is mainly due to server-side improper configuration in Xunfei Input Method that causes data transmission to use the HTTP protocol which can be eavesdropped. For the DES encryption algorithm used, is the result of considering the trade-off between performance and security under massive requests condition. As you mentioned in the mitigation part, data transmission is secure under the HTTPS protocol.

We implemented the fix on November 4th, that is, changing the improperly configured HTTP protocol on the server side to HTTPS, and it has taken effect.

November 4, 2023: Latest report received

November 4, 2023: Fix implemented

Because this is an improper configuration on the server side, the client will not be affected after the server is fixed. So there is no specific APK version extent of the vulnerability.

Best Regards,

Iflytek Team

To: [email protected]

Subject: Security issues in OPPO keyboards / OPPO预装的输入法高危漏洞

总结：多伦多大学的研究人员发现OPPO所有预装的中文输入法使用的加密协议有高危漏洞，让网路攻击者可以直接看到用户输入的内容。本文用英文解释了研究人员发现高危漏洞的细节。

We analyzed OPPO pre-installed keyboard apps as part of our ongoing work analyzing popular mobile and desktop apps for security and privacy issues. We found two that include vulnerabilities that allow network eavesdroppers to decrypt network transmissions. This means third parties can obtain sensitive personal information including what users have typed. To address these issues, we suggest using HTTPS or TLS rather than custom-designed network protocols. For further details, please see the attached document.

From: OPPO安全中心 <[email protected]>

Subject: 回复: Security issues in OPPO keyboards / OPPO预装的输入法高危漏洞

The Citizen Lab:

The email has been received. We will transfer it to the corresponding team for content analysis and confirmation. We will reply to the content in a timely manner. Thank you very much for your feedback!

Dear Citizen Lab Team,

Thank you once again for your attention and contribution to the safety of our products.

In response to the security vulnerability you reported, our OPPO Security Team has swiftly taken a series of measures. We particularly emphasize that for the Sogou Input Method OPPO Custom Edition, the related security issues have been comprehensively resolved and fixed on the latest ColorOS 14 system.

However, considering the wide range of our product models and numerous versions, to ensure that every device receives equal levels of security updates and maintenance, we need more time to thoroughly implement these fixes. Our team is working hard to ensure that all devices running older versions of ColorOS will also receive this important update as soon as possible.

In the meantime, the repair work for the Baidu Input Method OPPO Custom Edition is also proceeding intensely. Currently, this application is still in the internal testing phase. Our engineers are making every effort to ensure that it meets our high standards in terms of security and stability. Our goal is to complete the testing and release the update as soon as possible, ensuring the safety of all our users. We plan to comprehensively update and push both Baidu and Sogou Input Method OPPO Custom Editions by Q1 2024.

We understand that as a technology company, protecting the security and privacy of user data is our primary task. Therefore, OPPO is always committed to continuously improving the security performance of our products and services. We will continue to maintain close cooperation with security research institutions like Citizen Lab, working together to enhance the security standards of the entire industry.

Should you have any questions about our security measures or progress, please feel free to contact us.

Thank you again for your understanding, support, and cooperation.

OPPO Security Team

It has been over a week since our response. I am not sure if this has answered your questions. If you need further assistance, please contact me!

December 18 2023We sent the following via email:

Subject: Re: Security issues in OPPO keyboards / OPPO预装的输入法高危漏洞

Dear OPPO Security Team,

Thank you for your response. We are happy to hear that fixes are underway for your products. Our test device runs ColorOS 13.1, so we are currently unable to test the fix for Sogou Input Method OPPO Custom Edition for ColorOS 14, but please notify us when you have released the fix for ColorOS 13.1 so that we can test it.

Similarly, please let us know when the fix for Baidu Input Method OPPO Custom Edition is available so that we can test it as well.

Sincerely thank you for your attention and contribution to the safety of our products.

Regarding the two time points mentioned in the email, we will inform you via email when the actual repair is made. You are also welcome to conduct testing to help us improve the security level of OPPO products and services.

OPPO Security Emergency Response Center

To: [email protected]

Subject: Security issue in Samsung Keyboard

We analyzed Samsung Keyboard on Android as part of our ongoing work analyzing popular mobile and desktop apps for security and privacy issues. We found that Samsung Keyboard for Android includes a vulnerability which allows network eavesdroppers to recover the plaintext of insufficiently encrypted network transmissions, revealing sensitive information including what users have typed. For further details, please see the attached document.

If no response is received to this disclosure, the Citizen Lab will publish details regarding the security vulnerability on its website after 15 calendar days from the date of this communication. In other words, where there is no response from you, Citizen Lab will publish details regarding the vulnerability after October 31, 2023.

If a substantive response is received (which excludes, for example, an auto reply) to this disclosure within 15 calendar days from the date of this communication, the Citizen Lab will provide you with 45 calendar days from the date of this communication to fix (whether in whole or in part) the vulnerability before publicly disclosing the issue. In other words, where we do receive a substantive response from you, the Citizen Lab will publish details regarding the vulnerability after November 30. 2023.

From: Samsung Mobile Security <[email protected]>

Subject: RE: Security issue in Samsung Keyboard

​​Dear Citizen Lab,

We appreciate you for bringing this issue to our attention.

We have forwarded this issue to our development team and we will work with them to immediately investigate this issue.

And we will let you know when we have further updates or questions regarding this issue.

In the meantime, if you are interested in our rewards program, you may also visit our official site below and report this through our rewards program.

Also note that you need to submit through “Create Report” in below page in order to be eligible for the rewards program:

https://security.samsungmobile.com/securityReporting.smsb

Thank you very much.

Very Respectfully,

Samsung Mobile Security

Subject: RE: RE: Security issue in Samsung Keyboard

Dear Citizen Lab,

We’d like to share an update on this report.

We had immediately shared this report with Sogou; and we’re closely working with Sogou team to receive a patch so that we can update the Chinese HoneyBoard.apk by the end of November.

When the expected schedule is determined, we will provide an update immediately.

Subject: RE: RE: RE: Security issue in Samsung Keyboard

We’d like to share updates on this report again.

We have completed our analysis and started rolling patches of Samsung Keyboard for Chinese models since November 21.

Due to different versions of Samsung Keyboard by One UI version, there are various versions of Samsung Keyboard updated for this issue as listed below:

– One UI 5.1.1 : 5.7.00.45, One UI 5.1 : 5.6.10.42, One UI 5.0 : 5.6.00.52

– One UI 4.1.1 : 5.5.00.58, One UI 4.1 : 5.4.85.5, One UI 4.0 : 5.4.60.49

– One UI 3.1.1, One UI 3.1/One UI 3.0 : 5.3.70.1

Depending on the version of One UI of the device, appropriate Samsung Keyboard version can be downloaded and updated from Galaxy Store.

As the planned disclosure is just around the corner, we expect that you might have completed preparing the article to be disclosed. So, we’d greatly appreciate if you share the article with us ahead of the disclosure.

Subject: Re: RE: RE: Security issue in Samsung Keyboard

Dear Samsung Mobile Security,

Thank you for your response. We have not yet observed the app update on our test device, which is still running version 5.7.00.35 of the Samsung Keyboard. Should we have received the update by now? If not, can you provide a timeline for when we should expect the update?

Subject: RE: Re: RE: RE: Security issue in Samsung Keyboard

When we checked the device you tested, SM-T220/T220ZCS4CWF4, we confirmed that it is based on OneUI 5.1.

However, the version 5.7.00.35 of Samsung Keyboard you shared is for OneUI 5.1.1.

So, we’d like to ask whether you installed the Samsung Keyboard APK using side loading or not.

And please can you try again to update Samsung Keyboard since the update schedule might be different with your regions, carrier or device model.

You can also check the update with keyboard settings below.

– Keyboard -> settings -> Samsung Keyboard Information

To: Samsung Mobile Security <[email protected]>

Subject: Re: Re: RE: RE: Security issue in Samsung Keyboard

Thank you for your response. We first observed version 5.7.00.45 of Samsung Keyboard on December 6, and we can confirm that it fixes our reported issue. With regards to the discrepancy you noted between the originally reported version of OneUI (5.1) and our most recently reported version (5.1.1), this is because we have updated the device to 5.1.1 since our original disclosure.

However, we have an additional security issue to disclose to you in a different keyboard bundled with the SM-T220 device: Baidu Input Method ( please see the attached document ). We believe that the version of Baidu Input Method included on the SM-T220 device is out of date compared to the version available directly from Baidu’s Website, and we observed that the app does not seem to have updates available for it in the Galaxy Store. Unlike the version included on the SM-T220 device, the version of Baidu Input Method available on Baidu’s website uses a stronger encryption protocol that is not trivially broken, but it still has weaknesses which we have previously reported to Baidu ( see additional attached document for the weaknesses in the latest version ). Baidu to this date has been unresponsive to our disclosures.

If no response is received to this disclosure, the Citizen Lab will publish details regarding the security vulnerability on its website after 15 calendar days from the date of this communication. In other words, where there is no response from you, Citizen Lab will publish details regarding the vulnerability after December 27 2023.

If a substantive response is received (which excludes, for example, an auto reply) to this disclosure within 15 calendar days from the date of this communication, the Citizen Lab will provide you with 45 calendar days from the date of this communication to fix (whether in whole or in part) the vulnerability before publicly disclosing the issue. In other words, where we do receive a substantive response from you, the Citizen Lab will publish details regarding the vulnerability after January 26 2024.

Subject: RE:(5) Security issue in Samsung Keyboard

Thank you for sharing additional report regarding Samsung Keyboard.

We always appreciate your valuable reports and we will let you know when we have further updates or questions regarding this issue.

Subject: RE:(6) Security issue in Samsung Keyboard

While reviewing the report about Baidu IME, we’d like to ask you to share us an exact version information of the device you tested.

Subject: Re: (6) Security issue in Samsung Keyboard

Our device is a Galaxy Tab A7 Lite (SM-T220). The tablet was initially One UI 5.1 (T220ZCS4CWF4/T220CHN4CWF4) which we have OTA-updated to T220ZCU4CWI3/T220CHN4CWI3 and then T220ZCS5CWK1/T220CHN5CWK1 as the updates became available for our device. The version of Baidu Input Method was 8.5.20.4 and is reportedly stored in /data/app/BaiduInput/BaiduInput.apk. Please also see the attached screenshots ( 1 , 2 , 3 , 4 ).

From: [email protected]

Subject: (7) Security issue in Samsung Keyboard

We’d like to share an update on the report about BaiduIME.

Our analysis showed that patched BaiduIME had already been registered to Google PlayStore and Chinese Galaxy Store.

However, the device you tested is a Chinese model which doesn’t preload any Google Application including PlayStore. And, in accordance with the store policy, Chinese devices outside of China region cannot access to Chinese Galaxy Store. Our investigation shows that accessing the store from outside of China was the reason your device couldn’t receive any update of BaiduIME.

Subsequently, we have worked with Baidu to provide the latest version of BaiduIME to the Global Galaxy Store, and we confirm that the latest patched BaiduIME has been registered to Global Galaxy Store.

So we’d like to get your confirmation whether the vulnerability was addressed after updating BaiduIME on your side.

Subject: Re: (7) Security issue in Samsung Keyboard

Thank you for your response. We can confirm on our test device that the app is updating to a more recent version and that it uses a newer cryptographic protocol that is not as trivially broken. However, even the newer cryptographic protocol used in the updated version from the Galaxy Store and even in the latest version of Baidu Input Method available on Baidu’s website still contains weaknesses. We have previously reported to Baidu (see attached document for the weaknesses in the latest version). Baidu to this date has been unresponsive to our disclosures.

In an upcoming report, we plan to publish these issues discovered in the version of Baidu Input Method distributed by Samsung and which occur more broadly in Baidu Input Method’s custom protocol governing the privacy of millions of users’ keystrokes. Our recommendation would be for Baidu Input Method to utilize a standard, well-tested network encryption protocol such as HTTPS, TLS, or QUIC rather than their own custom protocol, which is not on par with modern cryptographic standards. Sogou and other vendors have switched to TLS to encrypt keystrokes in their keyboard apps following our reporting of similar issues to them.

Subject: Re: (8) Security issue in Samsung Keyboard

Thank you very much for working with us on this issue.

We will check about it and update you soon.

In the meantime, since your finding is analyzed with version 11.7.19.9, please can you confirmed that BaiduIME(version 12.1.6.1) in Galaxy Store also affected with this vulnerability?

Thank you for your response. We have also analyzed 12.1.6.1 which we downloaded from the Galaxy Store and found that it uses the same weak cryptographic protocol.

Subject: RE: Re: (8) Security issue in Samsung Keyboard

We appreciate you for sharing an update with us.

As you mentioned, it’s a common vulnerability of Baidu for Android, iOS and Windows, and we are worried that pointing out and mentioning Samsung in your upcoming report could be misleading as if there is a greater risk in Samsung devices.

We also asked Baidu to share any update on your finding, but we also haven’t heard any update from them either. As such, we have concerns of mentioning Samsung in your report of Baidu application.

We hope you understand our concerns and reflect them in your report.

When we have any update from Baidu, we will immediately share it with you.

We submitted the following through the Tencent Security Portal:

As part of our ongoing work analyzing popular mobile and desktop apps for security and privacy issues, we previously reported vulnerabilities in Sogou Input Method which enabled network eavesdroppers to decrypt transmitted keystroke data. See here for the details of the previous report: https://en.security.tencent.com/index.php/report/detail/73788 . We have since found similar vulnerabilities in related products which also transmit keystroke data to Sogou servers, which we detail below.

# QQ Pinyin

We analyzed QQ Pinyin on Android and Windows. We found that the Windows version (6.6.6304.400) and Android version (8.6.3) of this software contain similar vulnerabilities to those which we previously reported in Sogou Input Method.

# Samsung Keyboard (com.samsung.android.honeyboard)

We analyzed Samsung Keyboard (com.samsung.android.honeyboard) version 5.6.10.26 for Android and found that it transmits keystroke data to http://shouji.sogou.com completely in the clear without any encryption. We have also reported this issue to Samsung, who indicated that they are already working with the Sogou team on patching this issue.

# 搜狗输入法小米版 (com.sohu.inputmethod.sogou.xiaomi)

We analyzed 搜狗输入法小米版 (com.sohu.inputmethod.sogou.xiaomi) version 10.32.21.202210221903 for Android and found that it contains similar vulnerabilities to those which we previously reported in Sogou Input Method. We are also in the process of disclosing this issue to Xiaomi.

# 搜狗输入法定制版 (com.sohu.inputmethod.sogouoem)

We analyzed 搜狗输入法定制版 (com.sohu.inputmethod.sogouoem) version 8.32.0322.2305171502 for Android and found that it contains similar vulnerabilities to those which we previously reported in Sogou Input Method. We are also in the process of disclosing this issue to Oppo.

# 搜狗输入法定制版 (com.sohu.inputmethod.sogou.vivo)

We analyzed 搜狗输入法定制版 (com.sohu.inputmethod.sogou.vivo) version 10.32.13023.2305191843 for Android and found that it contains similar vulnerabilities to those which we previously reported in Sogou Input Method. We are also in the process of disclosing this issue to Vivo.

# Other apps

The following are other Android apps which reference the string “get.sogou.com”, the API endpoint used by Sogou Input Method, which may require additional investigation:

Note that we are not reporting that we have discovered vulnerabilities in the above list of apps. We are merely providing this list for your convenience so that you may more easily investigate and fix issues in other apps which may be using the Sogou Input Method API in an insecure manner.

# Background

The Citizen Lab is committed to research transparency and will publish details regarding the security vulnerabilities it discovers in the context of its research activities, absent exceptional circumstances, on its website: https://citizenlab.ca/.

# Next steps

Please communicate what steps you will take to address the vulnerability that we have described, and please provide the timeline you decide upon for the implementation of fixes. Finally, upon implementation of any fixes, we ask that you communicate the full extent of the vulnerability to the Citizen Lab. Should you have any questions about our findings please let us know. We can also be reached at this email address: [email protected].

We received the following through the Tencent Security Portal (we also received it via an email):

To Whom It May Concern,

We are in receipt of your communication dated November 23, 2023, and appreciate Citizen Lab’s reporting of potential vulnerabilities in Sogou Input Method and related products, and agreement to withhold any public disclosure through at least January 6, 2024 to avoid malicious exploits and to ensure that the matter may be investigated and, to the extent necessary, patched.

We confirm that the vulnerability related to a CBC padding oracle attack had been fixed at the time of Citizen Lab’s previous report. In the meantime, we have been working with our partners to ensure upgraded versions will send EncryptWall requests using HTTPS.

We are actively reviewing the remaining products listed in your communication and aim to provide further updates in a timely manner. We value our industry partners and security researchers working with us in a responsible and coordinated manner to mitigate risks and uphold system security and user privacy to keep businesses and users safe.

Sogou Input Method Team

We received the following email (a similar message was received via the Tencent Security Portal):

From: security(腾讯安全应急响应中心) <[email protected]>

Subject: Reply：From Sogou Input Method team

Further to our December 6, 2023, e-mail, we write to provide an update regarding the reported vulnerabilities in Sogou Input Method and related products referenced in your report dated November 23, 2023. Please note that the reported vulnerability related to a CBC padding oracle attack had already been fixed at the time of Citizen Lab’s previous report in August.

We can confirm that we have issued and provided upgraded versions that send EncryptWall requests using HTTPS, for the following products identified as having potential vulnerabilities:

Regarding QQ Pinyin on Windows and other Android apps that utilize the string “get.sogou.com,” with the exception of end-of-life products, we aim to finalize the upgrade for all active products to transmit EncryptWall requests via HTTPS by the conclusion of Q1, and respectfully request Citizen Lab to refrain from any public disclosure during this time to prevent potential malicious exploits.

We value our industry partners and security researchers who work with us to keep businesses and users safe by helping to mitigate risk, maintain system security, and protect user privacy.

To: security(腾讯安全应急响应中心) <[email protected]>

Subject: Re: Reply：From Sogou Input Method team

Dear Sogou Input Method Team,

Thank you for your January 5 2024 email.

We can confirm that we will not publicly disclose our findings before March 31 2024

Citizen Lab

To: [email protected]

Subject: Security issues in Vivo keyboard / 维沃搜狗输入法高危漏洞

总结：多伦多大学的研究人员发现维沃预装的搜狗输入法使用的加密协议有高危漏洞，让网路攻击者可以直接看到用户输入的内容。本文用英文解释了研究人员发现高危漏洞的细节。

We analyzed Vivo pre-installed keyboard apps as part of our ongoing work analyzing popular mobile and desktop apps for security and privacy issues. We found that the Sogou-based one includes vulnerabilities that allow network eavesdroppers to decrypt network transmissions. This means third parties can obtain sensitive personal information including what users have typed. To address these issues, we suggest using HTTPS or TLS rather than custom-designed network protocols. For further details, please see the attached document .

To: [email protected]

Subject: Security issues in Xiaomi keyboards / 维沃搜狗输入法高危漏洞

总结：多伦多大学的研究人员发现小米所有预装的中文输入法使用的加密协议有高危漏洞，让网路攻击者可以直接看到用户输入的内容。本文用英文解释了研究人员发现高危漏洞的细节。

We analyzed three Xiaomi keyboard apps as part of our ongoing work analyzing popular mobile and desktop apps for security and privacy issues. We found that they all include vulnerabilities that allow network eavesdroppers to decrypt network transmissions. This means third parties can obtain sensitive personal information including what users have typed. To address these issues, we suggest using HTTPS or TLS rather than custom-designed network protocols. For further details, please see the attached document .

If no response is received to this disclosure, the Citizen Lab will publish details regarding the security vulnerability on its website after 15 calendar days from the date of this communication. In other words, where there is no response from you, Citizen Lab will publish details regarding the vulnerability after November 18 2023.

If a substantive response is received (which excludes, for example, an auto reply) to this disclosure within 15 calendar days from the date of this communication, the Citizen Lab will provide you with 45 calendar days from the date of this communication to fix (whether in whole or in part) the vulnerability before publicly disclosing the issue. In other words, where we do receive a substantive response from you, the Citizen Lab will publish details regarding the vulnerability after December 18 2023.

Privacy Policy

Unless otherwise noted this site and its contents are licensed under a Creative Commons Attribution 2.5 Canada license.