With the release of iOS 8 in September 2014, Apple joined Google in enabling third-party mobile keyboards, which provide enhanced functionality, emoticons, support for multiple languages, and new methods for entering data. So what’s the issue? These new keyboards open a new avenue for recording keystrokes and much, much more.
To use one of these third-party mobile keyboards, the user must agree to the terms and conditions and then set permissions for the keyboard. These permissions are very important to understand, as they have privacy and thus security implications. In short, these keyboards in some instances require the user to grant what’s known as “Full Access.” Full access means the keyboard app requires access to the Internet so that it can communicate with server-side apps, in the cloud or on the developer’s network, that provide enhanced functionality that’s often more appealing than a basic keyboard.
Keystrokes are recorded to assist the third parties with analytics and auto-completion algorithms. The multiple language characters, the many fonts, emoticons, and other fanciful features all reside on a server-side app. In other words, they are not local. They are off-board - on someone’s server - someone you, the user, the Director of Security, the CISO, do not know. Thus, the risk of exposing your keystrokes to parties unknown is very real.
The “SwiftKey” keyboard, which has been downloaded more than 10 million times from Google Play, is one example of an Android third-party mobile keyboard that requests full access. When a user allows this access, the user risks sharing their keystrokes with parties unknown. It must also be realized that in some cases full Internet access is not required; a keyboard can store all keystrokes to a file that other applications could possibly access. Or it could automatically alter bank account numbers as they are entered so that a specific one is entered instead (e.g., in fund transfers).