Apple’s new mobile operating system update, iOS 8, now allows users to install third-party keyboards. While the ability to install and use third-party keyboards has been available on Android phones, the extension to Apple devices will significantly expand the keyboards’ availability.
Third-party keyboards are undeniably popular. SwiftKey Keyboard was downloaded more than one million times within 24 hours of going live in the Apple App Store. Other popular keyboards, like Fleksy and Swype, aren’t far behind, with more and more users discovering and adopting them every day.
The concern over the use of third-party keyboards began when, after installing and enabling a third-party keyboard, iOS 8 users received a notification:
“Full access allows the developer of this keyboard to transmit anything you type, including things you have previously typed with this keyboard. This could include sensitive information such as your credit card number or street address.”
In short, enabling “full access” allows the keyboard to communicate with the app downloaded to the phone. Such communication is typically innocuous; however, it does mean that the keyboard can do anything that an app can do, including sending information over the internet.
Danger, Will Robinson?
The dangers of allowing access to important and sensitive data, by any app, require significant thought and consideration. After all, you don’t always know who may be on the receiving end of that data, or how good their security may be.
With more and more employers allowing employees to access company email, intranets and other sensitive data from their smartphones and tablets, the likelihood of unintended access increases. Of course, BYOD policies were created to help mitigate these risks. However, it’s important for those policies to keep up with, and understand, new risks.
Third-party keyboards are one new risk that deserves some thought and consideration. Just think for a moment about how often you (and likely your employees) type sensitive information into smartphones and tablets. You almost certainly type in log-ins and passwords. There’s also a good chance you type in your credit card information on a regular basis as well. And you may even be typing sensitive emails and other documents directly on your phone.
At the moment, all of the major third-party keyboard developers are assuring users that they do not intend to keep or abuse the information received on their servers from employees’ smartphones.
For me, that’s all well and good, and I hope that doesn’t change. But, as many recent events have shown, things don’t always work out the way they were intended. Many Facebook users were angered when the tech company manipulated the information presented to them in an experiment on how their moods were affected by the information in their streams. And even more people were affected when Target, Home Depot and other companies were hacked, leading to countless credit card numbers being compromised.
While the current crop of third-party keyboard developers may wish to keep data typed into their keyboards private, things may change. A new popular third-party keyboard may come along that sees data mined from its users as a viable revenue stream. Or an enterprising hacker may realize that a great deal of important data passes through third-party keyboard servers each day, and find a way to access it. Either way, the safety of sensitive information is somewhat questionable.
In the end, while it’s not entirely clear whether third-party keyboards are a current threat to your business’s security, given the significant amount of sensitive information passing through those developers’ services, it doesn’t seem worth the risk.