Tech by VICE

Your Keyboard App Is Hoarding Your Data

Third-party keyboard apps may offer better functionality than your phone’s default, but you might want to look at their privacy policies to see what they’re doing with your data.

by Salvador Rodriguez
May 11 2016, 12:00pm

Image: Adrianne Jeffries/Motherboard

These days, there's a keyboard for everything. You can swap out your iPhone or Android keyboards with more colorful options, with Gif keyboards, with keyboards that let you swipe instead of type or with keyboards that offer expanded lists of emoji. But just how safe are these pieces of software?

On the iPhone, for example, installing one of these alternative or third-party keyboards requires that users "allow full access." Giving a keyboard app full access to your device, lets those developers "transmit anything you type" using their software back to their servers. That's a tall task, and there are real privacy concerns that come with it.

"Everything you type is being processed by code that's not written by Apple. It's written by someone else," said Greg Brail, a data security expert with Apigee, an API management company. "Who is that 'someone else,' and what else could they do?"

What keyboard apps do with the data you type all depends on the developer, and you have to dive deep into these companies' privacy policies to figure out what they plan to do with your keystrokes. Some keyboard apps, such as the Bitmoji Keyboard, don't do much with your data beyond anonymizing it and using it to improve the product. This means that the experts at Bitmoji analyze the data of their users in bulk and then use that information to create new features or fix any issues that users may be encountering. But not all keyboard developers stop there.

"If all they're doing is transmitting data back to themselves so they can improve their product … maybe that's fine," said Tony Anscombe Sr., security evangelist with AVG Technologies, a security company. "But if they're sharing data with third parties or they're aggregating data for other purposes, maybe there are concerns that people should have."

It's especially concerning among keyboard apps that give users the ability to create accounts for the sake of personalizing the product. For example, logged in SwiftKey users let the keyboard analyze "the words and phrases" they use for the sake of "personalization" and "prediction synchronization," according to SwiftKey's privacy policy.

Gif Keyboard operates in a similar manner. This keyboard, which lets users quickly search for animated images, is free and does not show users advertisements, but one day, it might. The privacy policy for Riffsy, Gif Keyboard's parent company, states that the app collects data on user content and conduct. This data is used to recommend certain content to users, and that includes "targeted advertisements or other promotions." The privacy policy for Giphy Keys, which just launched this month, has similar wording.

"There certainly is a lot of aggregated data they could be gathering, at the very least, about what people search for and in what parts of the world they search for certain things," Brail said. "And I imagine this is how a lot of these companies expect to make their money."

And even among companies with no plans to share user data or use its data to target ads, there are concerns regarding just how much information they are collecting. "If somebody takes a look at what kind of keystrokes you were making, they can find out that you typed in a URL … and then they figure out the username that you typed in and the password," said Gerald Friedland, who works on technical privacy research at the International Computer Science Institute at Berkeley.

This is why Word Flow, a keyboard released by Microsoft earlier this year, makes it a point to state in its support page that the app is built to avoid logging sensitive information, including email addresses, phone numbers and credit card numbers (additionally, Word Flow lets users instantly shut off keystroke logging with the tap of a single button).

Another concern is how this data is kept secure. If a keyboard app is transferring data or keeping it in its servers unencrypted, hackers could easily break in and steal user information. Experts recommend that you read privacy policies and figure out how data is kept before installing a keyboard.

In general, figuring out how a company plans to make money with a keyboard app is a good way to figuring out whether you can trust that app. "If you can't work out how they're monetizing, maybe you're the way they're monetizing," Anscombe said.

Follow the author on Twitter.

Keyboard Apps
Word Flow