6

I'm currently running GrapheneOS on a Pixel 6a, and I have installed several alternative keyboards from F-Droid and the Play Store.

How isolated are keyboards in Android? When I enable a keyboard in the system settings I'm greeted with:

Attention

This input method may be able to collect all the text that you type, including personal data like passwords and credit card numbers. It comes from the app APPNAME. Use this input method?

This would imply that the keyboard has free reign to do whatever it wants with whatever I type into it. But if I go to "App permissions" in the settings menu, I see something different. Here are two different keyboards:

Keyboard Source Permissions
FlorisBoard F-Droid
  • Sensors
Microsoft SwiftKey Play Store
  • Network
  • Notifications
  • Sensors

It seems evident that, with network access, a malicious version of SwiftKey could upload everything that I type. But what about FlorisBoard (or other applications with only "Sensors" permissions)? I cannot prevent any keyboard from recording keystrokes*, but is Android's sandbox system sufficient to prevent the keyboard from exfiltrating whatever it may record?

* Technically there might be a way to configure the keyboard application how I want it and then block its ability to write to storage, but that's a different issue/goal/task. :-)

Improve this question
1

3 Answers 3

Reset to default
6

How isolated are keyboards in Android?

They are isolated much the same as any other Android app, other than they see all items (e.g., text) input through them, as that is their purpose.

This would imply that the keyboard has free reign to do whatever it wants with whatever I type into it.

Within the realm of Android's overall security framework, yes. A keyboard app is an app, and it is subject to the same limits and restrictions as any other Android app.

is Android's sandbox system sufficient to prevent the keyboard from exfiltrating whatever it may record?

No, but an app without network/Internet access will have a substantially harder time doing so. It would need to collaborate with some other app or system process, sending that app the information to exfiltrate. For example, there might be some security flaw in an Android system service for some particular device manufacturer that the app could exploit for exfiltration.

Again, this is not unique to keyboard apps.

and then block its ability to write to storage

Only with a custom build of Android, and even then it may be difficult to get the keyboard app to run properly.

Improve this answer
4
  • > It would need to collaborate with some other app or system process, sending that app the information to exfiltrate. To clarify this - there's really no extra permissions or consent required for the keyboard app to bind to another app (it knows about) and send data via Binder/Intent. Sure that would require cooperation by the other app to actually receive data and do something with it, but Android itself won't stop such collaboration.
    – Mavrik
    Commented Oct 26 at 17:32
  • @Mavrik: "there's really no extra permissions or consent required for the keyboard app to bind to another app (it knows about) and send data via Binder/Intent" -- that would depend on the other app. The other app needs an exposed API (Intentional or accidental), and the other app could use various Android techniques for limiting access to that API, such as the android:permission attribute.
    – CommonsWare
    Commented Oct 26 at 18:02
  • Yes, that's adressed with the "requires cooperation" part - an app cooperating to exfiltrate data from keyboard wouldn't restrict that access, would it? And the IPC permissions are not visible to users and are not easily verified without extra tools.
    – Mavrik
    Commented Oct 26 at 18:05
  • 1
    @Mavrik: All correct, but IMHO that is addressed by "No, but an app without network/Internet access will have a substantially harder time doing so". Personally, I am far less concerned with the cooperation scenario than I am the exploited security flaw scenario for cross-process exfiltration scenarios. But, either of those is more difficult than just having INTERNET permission in the keyboard app, for example.
    – CommonsWare
    Commented Oct 26 at 18:12
4

Android's permission system supposedly gives you the power to sandbox a keyboard application so that it cannot exfiltrate data, but the Android UI does not give you access to the full permissions system. Using adb and one of the system utilities (pm I believe), you can add or remove any of the huge set of permissions that Android normally lumps together as "automatically granted to apps that publish in their manifest that they want this".

The easier way to do this is with the App Ops app. It's in the Play Store, but needs either a rooted device, or assistance hooking up to adb, which can be provided by the Shizuku app (from the same authors as App Ops).

Improve this answer
1

If you block network permission you get 99% of the way. However it's practically very difficult to block all sidechannel forms of communication if there is another app which does have network permissions and they are designed to collude. For example, the keyboard app heats up the CPU so it throttles, and the throttling can be detected by the second app - that gives you one bit of entropy, repeat for more.

The bandwidth of these kinds of sidechannels are typically low, and in practice the colluding app needs to be targeted for this purpose. It's more difficult to direct a sidechannel at an app that is not expecting to receive it and make it do malicious things.

Unless you're a high value target or in the habit of running sketchy code, I wouldn't worry about it.

Improve this answer

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .