19

I wanted to send out a message containing some non-Latin characters on my Android phone. When I tried to change the keyboard input method, a warning came out:

ATTENTION

This input method may be able to collect all the text that you type, including personal data like passwords and credit card numbers. It comes from the app [Google App/Google Pinyin/SwiftKey/etc]. Use this input method?

Given that passwords are highly sensitive data, does it make any sense to give explicit consent to a possibility that Google may collect all my passwords and other personal data? Given the recent high profile NSA spying, how do I know if Google does indeed collect my passwords? If it is not collecting my personal data, why should such explicit consent be obtained from me?

Is there any workaround on an Android phone?

Question Overflow
  • 5,220
  • 6
  • 27
  • 48
  • Google Keyboard collects the text you type to improve user experience by improving their word suggestion/correction. It only means that the keyboard *can't distinguish* if the text is sensitive or not when the user types it (perhaps it does, by checking the type of text input, but I'm not sure). Whether Google really collects your password or not, I'd see the message as *transparency* from Google, better than not telling anyone and being sued when it's uncovered. As a workaround, just use any keyboard app that doesn't have network permission. – Andrew T. Nov 09 '15 at 04:33

6 Answers

10

Valid concern for both Android and iOS now that Apple has enabled third-party keyboard options there.

For Android, there are several security solutions with firewalls that enable you to cut off network access to particular applications, even if full network access is allowed in the permissions of those apps. Some require root access and I cannot personally attest to the efficacy of these applications, but several work with vanilla Android and are very well regarded. That said, "well regarded" doesn't mean secure—these apps pose the same threats as the ones you're trying to restrict. If they function without root access, then—for reasons beyond my familiarity with the platform—they require full network access themselves. For apps that do require root access, they get root access, which is even worse (and the act of rooting itself poses a significant security risk for that reason). I suppose it's a question of which entity you trust more: Google vs. a third-party developer. This can easily spiral into a debate over which entity would be most fearful of the law and bad press, but of course that is not sound as a sole consideration in the scope of information security; an attack prevented today is better than an attack today, justice served tomorrow.

Not the easiest task to remove Google connectivity from your phone altogether, and the keyboard isn't going to be the bottleneck in a hypothetical breach on their part. Notwithstanding, there are keyboards that require neither root access nor any network access at all, although the user experience may prove dissatisfying/insufficient for your purposes. You can try Keymonk Keyboard which does not require any network access, but judging by the reviews it probably would not work that well for your purposes. One other option is to use something like LastPass or DashLane which I believe act as input methods like a keyboard does. Something brewing with 1Password that is worth looking into: they will fill in passwords without use of the clipboard (clipboard sniffing is another valid concern of this same nature, perhaps an even greater threat at the moment). All of those apps I listed could have their own ulterior motives.

At the end of the day, trust is more or less a (sad) fact of comfortable smartphone use today, and it can be difficult to determine who deserves it/who will respect privacy/whose infringements are most benign.

AJAr
  • 1,682
  • 1
  • 9
  • 19
  • Thanks, I agree with the sentiments expressed. There seems to be little that can be done, except switching back to a non-smart phone. Many people would gladly trade security and privacy for usability. It is just a matter of time before another scandal blows up and hopefully provides that much-needed wake-up call. – Question Overflow Feb 19 '15 at 09:19
  • iOS handles this better IMO. It has several limitations designed to limit the damage a third-party keyboard can do. You have to explicitly and manually enable network access for each keyboard. It also reverts to the built-in Apple keyboard for secure situations such as entering your password for iTunes/App Store etc. I've got several third-party keyboards installed on my iPhone and haven't allowed any of them full access. Only one that I have tried has refused to work without that. – Evan Steinbrenner Nov 09 '16 at 00:10
4

I'm going to up the paranoia just a tad here and say that sniffing the network is no guarantee that the keyboard is not compromised.

Were I to be coding a keyboard to steal data I would not do the transmission openly, I would hide in plain sight, batch the data up and piggyback it out with other data streams, perhaps when the app was updated to add a cool new emoji or something that I could do frequently without raising suspicion.

Feeling safe because you don't see each key-press or word, SSL or not, transmitted in real time is a mistake. The best approach would be to audit the code or have some sort of trusted third party do so. I realize that this is not practical for most users; I simply don't want anyone running around with a false sense of security based on not seeing something blatant in the air.

Lighty
  • 2,368
  • 1
  • 23
  • 36
4

With Android (and I believe iOS now), third-party keyboards can be downloaded and used with other apps. Google has no way of enforcing that the third-party software is not recording your keystrokes during its operation. So, as a way to cover themselves, they give a blanket warning whenever the keyboard is changed.

This is why the warning explicitly tells you what app the keyboard is from. It ensures that you understand what input you're choosing, and double checks with the user that you're aware of the risks of a third-party keyboard application.

The workaround comes down to knowing and trusting what application you're using for your keyboard. If you don't trust HackingYourKeyboardApp then I wouldn't suggest switching to that keyboard. If you're really curious you could perform some network analysis by using Wireshark to capture traffic from your phone. Google is most likely using SSL/TLS, so you'll have to use something like Fiddler in order to see the plaintext traffic that is being sent out.

That can become a bit complicated, so you might try using the Android emulator with Fiddler. It can be set up to use Fiddler and would just use your normal Ethernet connection. You don't have to worry about pesky wireless protocols.

RoraΖ
  • 12,317
  • 4
  • 51
  • 83
3

It obtains explicit consent because the phone does not know whether or not the keyboard sends data to anyone. So, it asks for that consent on any keyboard you download. It's almost certainly an anti-lawsuit disclaimer.

If you want to test for yourself whether the data goes anywhere, download Fiddler (on your desktop/laptop), point your phone at it and start doing some typing! You'll probably have to decode SSL by installing a certificate on your phone from Fiddler.

Though in reality, you can be reasonably sure that the apps are fine because someone else will have tested them. Naturally that's no guarantee, but it's "good enough" in most cases.

AlexH
  • 1,168
  • 6
  • 8
  • 3
    I'd say that relying on "someone else in the world" to do all the security stuff for you (and everybody else) is a very weak presumption. While, at the same time, I'd say that counting on general tracking tendencies by generally any public or private corporation is a very solid presumption to start with. Everybody needs data, or at least everybody feels they need it. – userfuser May 25 '15 at 14:50
1

Have a look at this analysis of unnecessary permissions available to Google Keyboard. This is a Trojan, according to the definition. Why would a keyboard app need full Internet access and the permission to download additional files? This page explains how to disable Google Keyboard.

fraber
  • 111
  • 3
  • 2
    Why does it need network and file access? Word completion and spellcheck dictionaries. – Ben Mar 07 '16 at 16:03
  • Well, kind of. Why doesn't it distribute these files during installation or updates? – fraber Mar 08 '16 at 19:06
  • Because they are user-configurable, and presumably kept in sync across devices somehow. A spell checker would be annoying without "add word" and training your autocorrect is a fairly standard feature. That said, a keyboard should be able to function without those features as well. – Ben Mar 08 '16 at 22:19
  • Ok, we could have a discussion about the technical aspects. But that's not the point. I believe this will become a major PR disaster for Google if mainstream media picks up. At least the German (I'm German...) Spiegel.de etc. are looking for this type of "ammunition" for Google bashing. And with certain reason... I would reduce the permissions ASAP if I were a Google product manager :-) – fraber Mar 09 '16 at 11:15
  • "Why would a keyboard app need full Internet access and the permission to download additional files?" because it's a swiping keyboard and it needs to know sentences you commonly type in order to accurately figure out what you're swiping. "Learn from Google apps and services and your typed data to improve suggestions." And to download dictionaries for different languages. And it does "Sync learned words" with your gmail account. – endolith Oct 15 '16 at 03:32
  • Why would google try to spy on your keystrokes and risk their reputation on that? They already have the gmail communication that includes lots of mails to/from non-gmail users, and google search terms, and, and .. . – Roland Nov 16 '17 at 11:54
  • @Roland: Let's assume you work via VPN. So Google (and the therefore NSA) would get these VPN passwords. This is just one case out of many, and I'm talking about a white-hat environment. – fraber Nov 17 '17 at 18:00
  • Very, very true, but beside my point – Roland Nov 19 '17 at 17:45
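The two practical checks raised above (AJAr: cut off network access to the keyboard; fraber: ask why a keyboard holds Internet permission) both start from the same question: which of the enabled input methods can actually reach the network? The script below is an added example, not code from any answer or from Google; it reads the colon-separated `enabled_input_methods` setting and a `dumpsys package` dump as you would pull them over adb, and flags enabled keyboards that hold `android.permission.INTERNET`. The sample setting and dump are constructed here with made-up package names, and the dumpsys parsing assumes the `Package [name]` / `perm: granted=true` layout.

```python
import re

# Constructed sample in the style of `adb shell settings get secure enabled_input_methods`
# (colon-separated ImeIds of the form package/class). Package names are made up.
ENABLED_IMES = (
    "com.example.cloudboard/.CloudIME:"
    "com.example.offlinekeys/.OfflineIME"
)

# Constructed sample in the style of `adb shell dumpsys package <pkg>` (assumed layout).
DUMPSYS = """\
Package [com.example.cloudboard] (1a2b3c):
    userId=10123
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_CONTACTS
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: installed=true
      runtime permissions:
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
Package [com.example.offlinekeys] (4d5e6f):
    userId=10124
    requested permissions:
      android.permission.VIBRATE
    install permissions:
      android.permission.VIBRATE: granted=true
"""

NETWORK_PERMS = {"android.permission.INTERNET"}

def enabled_packages(setting: str) -> list:
    """Package names of all enabled IMEs (an ImeId is 'package/class')."""
    return [ime.split("/", 1)[0] for ime in setting.split(":") if ime]

def granted_permissions(dumpsys: str) -> dict:
    """Map each package in the dump to the set of permissions marked granted=true."""
    grants, pkg = {}, None
    for line in dumpsys.splitlines():
        m = re.match(r"Package \[([\w.]+)\]", line)
        if m:                      # start of a new package section
            pkg = m.group(1)
            grants.setdefault(pkg, set())
            continue
        m = re.match(r"\s+([\w.]+): granted=true", line)
        if m and pkg:              # install or runtime permission that is granted
            grants[pkg].add(m.group(1))
    return grants

def audit_keyboards(setting: str, dumpsys: str) -> dict:
    """True for every enabled keyboard that holds a network permission."""
    grants = granted_permissions(dumpsys)
    return {p: bool(grants.get(p, set()) & NETWORK_PERMS) for p in enabled_packages(setting)}

if __name__ == "__main__":
    for pkg, networked in audit_keyboards(ENABLED_IMES, DUMPSYS).items():
        print(f"{pkg}: {'can reach the network' if networked else 'no network permission'}")
```

On a real device, replace the two constants with the output of `adb shell settings get secure enabled_input_methods` and `adb shell dumpsys package <pkg>` for each package listed.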
-3

In my opinion, Google's Gboard keyboard is the safest and most secure Android keyboard so long as you get the latest copy straight from the Google Play Store, and not from a third-party website, because that copy of Gboard could be infected since it wasn't scanned by Google themselves.

Third-party Android keyboards straight from the Play Store should still be safe, but I'd rather be safe than sorry, and only use the latest version of Gboard straight from the Google Play Store.

schroeder
  • 123,438
  • 55
  • 284
  • 319
  • 1
    This reads like an ad. And just because it is on the Play Store does not mean that input is not sent to a central server for analysis (in fact, for some apps, this is exactly what happens). – schroeder Aug 16 '18 at 10:28