The introduction of custom keyboards has been one of the most significant additions to iOS since its inception. Prior to iOS 8, one could only use the stock iOS keyboard in all the applications. Third party keyboards, if available, were only limited to usage within the particular app. With iOS 8 Extensions, Apple has finally removed this limitation, which means that now you can use your favorite keyboard throughout the system. In this article, we’ll discuss about the security concerns related to using third party keyboards on iOS, and guide you to ensure safe usage of such apps.
Network-enabled keyboards (Full Access)
Third party keyboard apps implement Apple’s pre-defined Custom Keyboard Extension in order to be accessible through all the apps. This ensures that cross-interaction with other apps are only limited to text-input. iOS also automatically switches to the native keyboard whenever the selected input is a password field; hence ensuring that third party keyboards can’t process passwords at all.
Apple permits developers to create third party keyboards with or without network access (full access). When network access is turned off (default), third party keyboard features are only restricted to basic operations (like autocorrect, spellcheck, etc.). Using third party keyboards in non-networked mode ensures that your keystrokes are only sent to the textfield you’re typing into, and don’t leave the device through any other channel.
But custom keyboards may, to enhance their functionality, ask for full access and fetch additional information such as Location, Address book or keystroke data. There are several scenarios in which third party keyboards may require access to such data in order to provide a better user experience. For example, a keyboard may use your location and address book data for providing you personalized word suggestions based the names of your contacts or nearby places. Keystroke data may be analyzed to provide enhanced word predictions based on your input text. For these reasons, custom keyboards may have an option to “Allow full access” in their settings menu. Some custom keyboards don’t even work unless full access is granted to them.
“Although network access makes many things possible for a custom keyboard, it also increases your [developer’s] responsibilities.” ~ Apple Inc.
The above line is an extract from Apple’s iOS Developer Library, where they specifically advise developers not to store keystroke data from users who allow Full Access to their custom keyboard apps. Still, some third party keyboards might send keystroke data to an external server to improve app functionality. Even though Apple does not allow the use of third party keyboards in specific input fields (such as passwords), there may be instances where confidential information might be typed in normal text fields (for example, conversations in instant messaging apps, credit card details in notes, etc.) and such situations, your sensitive data is accessible to a third party source, which might not guarantee its protection. Even if the developer doesn’t intend to misuse this information, it is also vulnerable to attacks from other sources. Hence, any event of keystroke data collection by third party keyboards might be regarded as a threat to your privacy and security.
Knowing the potential risk involved in using third party keyboards, you should consider whether you really need a custom keyboard. If you do decide to use it though, you might want to take the following precautions in order to ensure safety of your confidential information as an end user:
Disable Full Access
If you wish to regularly use a particular third party keyboard, ensure that Full Access is disabled for it, and keep them turned off in future. Some keyboards may locally collect you keystrokes, and send all the information back to a remote server later on, when you allow full access to it. But your favorite third party keyboard might not function without Full Access permissions, or might require full access for using the special features you installed the app for. If that’s the case, switching to the native keyboard might be a better option when you’re dealing with sensitive information.
By default, full access is disabled for third party keyboards. If you want to ensure that full access is turned off for your custom keyboard, go through the following steps:
- Go to Settings >> General >> Keyboard >> Keyboards. Installed third party keyboards will be listed here.
- Select a particular third party keyboard from the list and check if the “Allow Full Access” option is disabled or not. If it is enabled, turn off the option to disable Full access for your keyboard.
Switch to native keyboard before typing sensitive information
iOS will automatically switch your keyboard to the stock one when you type into password fields or phone number fields. But make sure you also manually switch to the stock keyboard when you’re typing sensitive data in normal input fields, even if “Allow Full Access” is turned off. This is because locally stored data may be sent online if access is even allowed later on.
To switch from a third party keyboard to the default iOS keyboard, follow the steps provided below:
- Tap on any text input field to reveal the currently selected keyboard.
- If it’s a custom one, tap or hold the Globe key at the bottom row until it switches to the next keyboard, or reveals a list of available keyboards.
- If the list is displayed, select your default language keyboard, for example, English (US). Otherwise, repeatedly tap or hold the Globe key until the default keyboard is selected.
Apple has considered various security aspects while providing custom keyboard support on iOS 8. There is very little chance that the above situation may occur in reality. Still, to ensure safety of your data, you should be aware of all possible ways in which privacy thefts might happen. If you follow the above precautions at all times, using third party keyboards on iOS 8 should not bother you.