Smartphone Keyboards Are a Privacy Nightmare

Both Android and the iPhone allow you to replace the standard keyboard with a third-party one. By its very nature, though, a keyboard has full access to everything you type on it—from private messages to passwords and credit card numbers. Some of the keyboard’s data is often sent over the internet, where it could be stolen—or even abused by the keyboard’s developer.

This isn’t theoretical, either: this has already happened. And it’s exactly why we have a problem trusting third-party smartphone keyboards.

The ai.type and SwiftKey Leaks

Ai.type is a popular keyboard for Android and the iPhone that claims over 40 million users worldwide. On December 5, 2017, the personal data of over 31 million customers leaked online. Their database server was literally left alone without a password to protect it, so anyone could access the information.

In additional to phone numbers, names, and email addresses, text typed using the keyboard was also stolen. The company had promised never to “learn” from password fields, but ZDNet “saw one table containing more than 8.6 million entries of text that had been entered using the keyboard, which included private and sensitive information, like phone numbers, web search terms, and in some cases concatenated email addresses and corresponding passwords.”

This isn’t the first time a keyboard has inadvertently leaked data. The popular SwiftKey keyboard had a data leak after it was purchased by Microsoft. The SwiftKey keyboard began suggesting private email addresses to other SwiftKey users, when those email addresses should never have been exposed.

Why Keyboards Are So Dangerous

Third-party keyboards are so dangerous because they want to be “smart”. Keyboards aren’t content to just live entirely on your phone and allow you to enter letters. Instead, they try to perform advanced text prediction and personalized autocorrect. To personalize your experience, they often upload data about how and what you type to the company’s servers.

This certainly makes things more convenient, but as with all things, convenience often comes at the cost of privacy. The problem is that keyboards have access to so much. When you trust a third-party keyboard, you’re giving an application a very deep level of access to your phone, including everything you type. You should seriously consider whether you trust the company who creates the keyboard to treat your data responsibly and actually secure its servers. For example, you may trust Google’s Gboard keyboard if you already trust Google with your Gmail account and other personal information, but an smaller, lesser-known company named ai.type apparently was not deserving of trust at all.

It’s tough, of course—we might say that Microsoft’s SwiftKey is more trustworthy than ai.type, but SwiftKey has also had its issues in the past. When you use a third-party keyboard, you’re accepting a certain level of risk because any issues with the keyboard’s servers could cause problems for you. So it’s up to you to decide: is using a third-party keyboard worth that risk?

Keyboards Can Be More Secure on iPhones…If You Give Up Features

The above advice applies to both Android and iPhone, but there’s a special quirk on iPhone. While Android allows all keyboards access to the internet because the “Internet” permission has been hidden from the Play Store, Apple’s iOS denies internet access to keyboards by default. To give a third-party keyboard internet access after installing it, you have to head to Settings > [Keyboard App Name] > Keyboards and enable the “Allow Full Access” option.



This makes iPhone and iPad keyboards much more secure to install and use without any privacy worries—as long as you don’t manually give them full access. The trouble is that many third-party keyboards are only useful because of this internet access—perhaps they fetch data like GIFs or links from the internet, or perhaps their more advanced personalization and recommendations only work with access to the cloud.

Once you’ve enabled “Full Access” for a keyboard on iOS, all bets are off and you’re just as at risk as you are on Android. There are some exceptions—for example, iOS doesn’t allow third-party keyboards to function in operating system password fields. But you’d largely be in just as much trouble as you would have been if you installed the same keyboard on an Android phone. That’s why Apple warns you so strongly when you try to give a keyboard full access.

Ultimately, it’s your call whether you want to install a third-party keyboard or not. But you should think twice. If you must have a third-party keyboard, we’d at least recommend trying to hunt down keyboards from trusted companies like Google and Microsoft rather than smaller developers you’ve never heard of. They still won’t be perfect, but at least you know who you’re dealing with.

Chris Hoffman is a technology writer and all-around computer geek. He's as at home using the Linux terminal as he is digging into the Windows registry. Connect with him on Twitter.