Julian Joswig: IT Blog

Third-Party Keyboards in Enterprises - A quick analysis of risks

Written on 19. Dec 2017, 19:40

Third-party keyboards are in widespread use, especially in the private sector. Their popularity is explained by the advantages of such extensions: they make it considerably easier to write longer texts on the touchscreens of modern smartphones, for example through the following functions:

  • Swiping gestures allow messages to be typed much faster
  • Powerful analysis algorithms propose words that can easily be adopted through autocompletion
  • Speech recognition now recognizes spoken text quite reliably

At first glance, these features may help to increase productivity significantly. However, the risks involved in using them must not be disregarded.

Risks of use

The use of the above functions is questionable for the following reasons:
  • Third-party keyboards are implemented as a system extension. All entered text is captured by the extension and can (theoretically) leave the phone unfiltered. This may include confidential information, such as passwords.
  • With speech recognition, recorded speech is rarely interpreted on the smartphone itself; it is transmitted to the provider and converted into text there. Confidential information may be affected here as well.
  • Some vendors provide cloud functionality, which allows, for example, the results of the analysis algorithm to be synchronized across devices. Here, information is inevitably transferred to the provider.

Counter measures

For example, Apple has already implemented some security measures in iOS that reduce the potential for abuse. For instance, third-party keyboards cannot be used in password fields, whether on websites or in apps. Furthermore, the following measures are available:
  • Use of managed app configuration prevents the use of third-party keyboards in all managed apps (i.e. apps used by the office)
  • Prevent third-party keyboards by blacklisting them via the Mobile Device Management System (but this provides incomplete protection, since in reality the blacklist can never fully contain all third-party keyboards)
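
One way an in-house app can enforce the managed-app measure above, as an added example (not code from this blog or from Apple): the app reads a setting from the MDM-supplied managed app configuration and refuses custom keyboards through the `UIApplicationDelegate` hook. The key name `blockThirdPartyKeyboards` is a hypothetical choice; the dictionary key `com.apple.configuration.managed` and the delegate method are the standard iOS ones.

```swift
import UIKit

@main
final class AppDelegate: UIResponder, UIApplicationDelegate {
    var window: UIWindow?

    // Hypothetical key agreed between the app and the MDM administrator.
    static let blockKeyboardsKey = "blockThirdPartyKeyboards"

    // UserDefaults key under which iOS exposes the managed app configuration
    // pushed by the MDM server.
    static let managedConfigKey = "com.apple.configuration.managed"

    /// Decides whether custom keyboards may be used in this app.
    /// Fails closed: if the device is unmanaged, the configuration is
    /// missing, or the value has the wrong type, keyboards are refused.
    static func thirdPartyKeyboardsAllowed(managedConfig: [String: Any]?) -> Bool {
        guard let config = managedConfig,
              let block = config[blockKeyboardsKey] as? Bool else {
            return false
        }
        return !block
    }

    // The system consults this method for app extension points.
    // Returning false for .keyboard makes the app fall back to the
    // system keyboard for all of its text fields.
    func application(
        _ application: UIApplication,
        shouldAllowExtensionPointIdentifier extensionPointIdentifier: UIApplication.ExtensionPointIdentifier
    ) -> Bool {
        guard extensionPointIdentifier == .keyboard else { return true }
        let managed = UserDefaults.standard.dictionary(forKey: Self.managedConfigKey)
        return Self.thirdPartyKeyboardsAllowed(managedConfig: managed)
    }
}
```

Unlike a blacklist, this check does not depend on knowing which keyboards exist: it rejects the whole extension point inside the app that holds the confidential data.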

In conclusion, most vendors exclude the collection of personal information or explicitly deny data transfer in their privacy policy, but in reality it cannot be ruled out that data transfer will take place, as the case of the ai.type keyboard hack impressively showed. If you want to use the advantages of a third-party keyboard as a company, in particular swiping gestures, and at the same time ensure the confidentiality of data, the only possibility that remains is to develop a third-party keyboard on your own. You then have the possibility to influence the functionality itself.

Further information

A comprehensive analysis of the risks of third-party keyboards can be found in the Security of Third-Party Keyboard Apps on Mobile Devices article.

Julian Joswig


About this Blog

What is the content of this blog, you may ask? My name is Julian Joswig and I am a big fan of IT and technology (mainly Linux, servers, networks and all related topics). Sometimes I almost bite my teeth on difficult issues. But if I have found a solution, I want to share it with the world. Professionally, I work as a management consultant in Germany with a focus on IT and business.
