In this study, we present WindTalker, a novel and practical keystroke inference framework that infers sensitive keystrokes on a mobile device from WiFi-based side-channel information. WindTalker is motivated by the observation that keystrokes on a mobile device produce different hand coverage and finger motions, which introduce a unique interference to the multi-path signals that is reflected in the channel state information (CSI). An attacker can exploit the strong correlation between CSI fluctuation and keystrokes to infer the user's password input. Compared with previous keystroke inference approaches, WindTalker neither deploys external equipment physically close to the target device nor compromises the target device. Instead, it employs a more practical setting: it deploys a free public WiFi hotspot and collects CSI data from the target device for as long as the device is connected to the hotspot. In addition, to improve inference accuracy and efficiency, it analyzes the WiFi traffic to collect CSI selectively, only for the sensitive period in which password entry occurs. WindTalker can be implemented without visually observing the target device or installing any malware on it. We tested WindTalker on several mobile phones and performed a detailed case study to evaluate the practicality of password inference against Alipay, the largest mobile payment platform in the world. Furthermore, we propose a novel CSI obfuscation countermeasure to thwart the inference attack. The evaluation results show that the performance of WindTalker is dramatically reduced when the proposed countermeasure is adopted.
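The abstract rests on two claims: finger motion during typing perturbs the CSI enough to be separated from quiet periods, and a CSI obfuscation countermeasure destroys that separability. The following toy simulation, added here as an illustration and not code from the WindTalker paper or its authors, makes both claims concrete with constructed data. The CSI "trace" is a flat amplitude baseline with a small ripple in windows where a key is pressed (a stand-in for the multi-path interference the paper describes), the inference step is simply a per-window variance threshold, and the obfuscation model (a pseudo-random perturbation larger than the keystroke ripple, added to every sample) is an assumption of this example, not the paper's actual mechanism. All window sizes, amplitudes and the ground-truth keystroke windows are constructed values.

```python
import random

WINDOW = 20                         # CSI samples per analysis window (constructed)
N_WINDOWS = 12                      # length of the constructed trace in windows
KEYSTROKE_WINDOWS = {2, 5, 6, 9}    # constructed ground truth: windows with a key press


def synth_csi(keystroke_windows=KEYSTROKE_WINDOWS, n_windows=N_WINDOWS, window=WINDOW):
    """Constructed toy CSI amplitude trace: baseline 10.0 everywhere, plus a
    0.5 ripple on alternate samples inside keystroke windows. The ripple stands
    in for the multi-path interference caused by finger motion."""
    trace = []
    for w in range(n_windows):
        for i in range(window):
            ripple = 0.5 if (w in keystroke_windows and i % 2 == 0) else 0.0
            trace.append(10.0 + ripple)
    return trace


def window_variances(trace, window=WINDOW):
    """Population variance of each fixed-size window of the trace."""
    out = []
    for start in range(0, len(trace), window):
        chunk = trace[start:start + window]
        mean = sum(chunk) / len(chunk)
        out.append(sum((x - mean) ** 2 for x in chunk) / len(chunk))
    return out


def infer_keystroke_windows(trace, threshold=0.01, window=WINDOW):
    """Crude stand-in for the inference step: a window is flagged as a
    keystroke window when its CSI variance exceeds the threshold."""
    return {w for w, v in enumerate(window_variances(trace, window)) if v > threshold}


def obfuscate(trace, seed=7, amplitude=3.0):
    """Assumed obfuscation model (NOT the paper's mechanism): every sample gets
    a pseudo-random perturbation whose magnitude dwarfs the keystroke ripple,
    so the variance of every window rises well above the detector threshold
    regardless of whether a key was pressed."""
    rng = random.Random(seed)
    return [x + rng.uniform(-amplitude, amplitude) for x in trace]


def inference_accuracy(detected, truth=KEYSTROKE_WINDOWS, n_windows=N_WINDOWS):
    """Fraction of windows classified correctly (hit or correct rejection)."""
    correct = sum(1 for w in range(n_windows) if (w in detected) == (w in truth))
    return correct / n_windows


if __name__ == "__main__":
    clean = synth_csi()
    print("clean trace  :", sorted(infer_keystroke_windows(clean)),
          "accuracy", inference_accuracy(infer_keystroke_windows(clean)))
    noisy = obfuscate(clean)
    print("obfuscated   :", sorted(infer_keystroke_windows(noisy)),
          "accuracy", inference_accuracy(infer_keystroke_windows(noisy)))
```

On the clean trace the variance detector recovers exactly the constructed keystroke windows; after obfuscation every window looks "active", so the detector's output no longer carries information about when keys were pressed. A real CSI trace has far more structure (per-subcarrier amplitudes, hardware noise, multi-path drift), and the paper's classifier and countermeasure are correspondingly more elaborate, but the principle the abstract states is the one shown here: the attack depends on keystroke-correlated variance standing out, and obfuscation works by removing that contrast.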