You basically agree to send keystrokes to a server

Oct 1, 2014 08:01 GMT

Be careful what third-party keyboard you use with your iOS 8 device. A prompt to “allow full access” reveals that the developer of that keyboard has the right to record anything that you type.

Apps like SwiftKey will also transmit things that you have already typed on that phone to their server. Scary, to say the least.

Choose your apps carefully

Of course, developers like SwiftKey are reliable. They state their intentions loud and clear. But other developers may not be so straightforward about their intentions. Apple notes in the App Extension Programming Guide that it’s the developer’s responsibility to refrain from using keystrokes against the user.

“A network-enabled keyboard and its containing app can send keystroke data to your server, which enables you to apply your computing resources to such features as touch-event processing and input prediction. If you employ this capability, do not store received keystroke or voice data beyond the time needed to provide text back to the user or to provide features that you explain to the user.”

The guidelines then expressly state, “Each keyboard capability associated with network access carries responsibilities on your part as a developer, as indicated in Table 11-2. In general, treat user data with the greatest possible respect and do not use it for any purpose that is not obvious to the user.”

To allow or not to allow “full access”

iOS 8 is equally clear about the matter. Whenever you download and install a third-party keyboard app that needs server-side processing, you’re required to visit the Settings pane and enable it. When you do that, a prompt appears to accept or deny the implications.

This is what it says (emphasis ours): “Allow Full Access for [app name] Keyboards? Full access allows the developer of this keyboard to transmit anything you type, including things you have previously typed with this keyboard. This could include sensitive information such as your credit card number or street address.”

While the App Store password prompt is left out of the equation, for obvious reasons, the keyboard does record keystrokes from other apps, like password managers, task managers, e-wallets, etc. Until those apps get the necessary updates to avoid these benevolent “keyloggers,” you need to be really careful what information you input using a third-party keyboard in iOS 8.

And remember this: regardless of how safe a developer may appear to be, you can never be 100% sure their servers won’t be attacked by hackers.