The use of third-party keyboards is widespread, especially in the private sector. The spread is explained by the advantages of such extensions, as they facilitate the creation of longer texts on touchscreens of modern smartphones considerably, for example, by the following functions:
- Swiping gestures allows messages to be typed much faster
- Through powerful analysis algorithms, words can be proposed and easily adopted through autocompletion
- By providing speech recognition, texts are now recognized quite reliably
At first glance, these features may be helpful to increase productivity significantly. However, the risks involved in using the functions must not be disregarded.
Risks of use
The use of the above functions is questionable for the following reasons:
- The third-party keyboards are implemented as a system extension. Each entered text is captured by the extension and can (theoretically) leave the phone unfiltered. This may include confidential information, such as passwords.
- Recorded language in the case of speech recognition is rarely interpreted on the smartphone, but transmitted to the provider and translated there into text. Confidential information may also be affected here.
- Some vendors provide cloud functionality, which allows, for example, the results of the analysis algorithm to be synchronized across devices. Here, information will be transferred to the provider inevitably.
For example, Apple has already implemented some security measures in iOS that are reducing the abuse potential. It should be mentioned, for example, that third-party keyboards in password fields, whether be it on websites or in apps, cannot be used. Furthermore, the following measures are available:
- Use of managed app configuration prevents the use of third-party keyboards in all managed apps (ie apps used by the office)
- Prevent third-party keyboards by blacklisting them via the Mobile Device Management System (but this provides incomplete protection, since in reality, the blacklist can never fully contain all third-party keyboards)
If you want to use the advantages of a third-party keyboard as a company, in particular the use of swiping gestures, and at the same time ensure the confidentiality of data, there only possibility that remains is to develop a third-party keyboard on your own. There is the possibility then to influence the functionality itself.
A comprehensive analysis of the risks of third-party keyboards can be found in the Security of Third-Party Keyboard Apps on Mobile Devices