Don’t install 3rd party keyboards for iOS if they require “full access”. It’s not worth the privacy and security trade offs.
With the release of iOS 8 in 2014, Apple created the ability for iOS users to install 3rd party keyboards on iPad and iPhone. Android users had been able to do this for a while and iOS users were excited to join in the fun.
The technical details today are the same as at launch, a 3rd party keyboard is either restricted or it has full access. Restricted keyboards have no network access and have strong security boundaries around them.
Full access keyboards are basically standalone applications that are allowed to enter information directly into other applications.
This means your keyboard can now send and receive information from network services, request access other iOS services like your Camera Roll & location, and anything else a normal application can do...with the same limitations as a normal application.
Apple puts two additional security restrictions on fully trusted keyboards, enforced via the App Store;
- all 3rd party keyboards must have a privacy policy (25.7)
- 3rd party keyboards can only “collect user activity to enhance the functionality of their keyboard extension” (25.8)
There’s a ton of wiggle room in these restrictions. The really only force the provider to put a bare minimum of thought into the larger issues of security and privacy. This leaves it up to the keyboard provider to decide what data they send to their service and what they do with that data.
There’s no denying that there are some really fun and really useful keyboards available. The majority of providers also aren’t releasing these keyboards with malicious intent. Unfortunately, when you use these keyboards you are trusting the vendor with nearly everything you type into your mobile device.
Is making it easier to find something or add a cute .gif worth that level of privacy invasion?
