February 21, 2024

    Closing the Loophole of Custom Keyboards

    Custom keyboards are user controls that facilitate text entry in PCs, tablets, and mobile apps. They’re used worldwide and are especially helpful for languages with more characters than a standard Latin alphabet keyboard, such as Japanese, Chinese, and Korean. Custom keyboards are also necessary for app users with disabilities who may be unable to manually input text and require speech-based input options. More than 800 million people in China use third-party keyboard apps or custom keyboards.

    The widespread use of custom keyboards makes them a target for threat actors. A technology and security research group recently discovered that one of the largest custom keyboard apps, with a user base of 561 million, had a critical vulnerability — the app’s encryption system could be exploited to intercept and decrypt a user’s text entries.

    The research group disclosed the vulnerability to the app’s publisher before it could be exploited, but it raises a larger concern in the custom keyboard app space: How many custom keyboards have serious vulnerabilities waiting to be exploited?

    Threat actors can target custom keyboards in mobile apps, such as third-party keyboards, or target their control in an app to steal sensitive user information, potentially resulting in fraud and a damaged brand reputation for the app publisher. Let’s dig deeper into these third-party keyboards and how to protect your app against security risks.

    How do custom keyboards work in mobile apps?

    Android’s extensible input-method framework allows app publishers to install custom keyboards for alternative input methods like on-screen keyboards or speech input. The app’s users can then select their input method from the system settings and use it across their entire system. To add a custom keyboard to an Android app, you’d need to create an application containing a class that extends InputMethodService and a settings activity to pass options to the custom keyboard service.

    Custom keyboards also function similarly in iOS apps, and the OS even includes an Input Method Kit to streamline the development of input methods with less code than previously required.

    Many of the keyboards work by predicting the characters that a user is most likely to type and offering them as suggestions. Users can select the next character or continue typing to narrow down the suggestions. Some popular custom keyboards include features such as:

    • The ability to learn from a user’s typing habits to improve accuracy over time.
    • The option to switch between languages.

    Custom keyboards are widely used, and recent research suggests that this number is predicted to rise.

    How do custom keyboards impact mobile app security?

    Because of custom keyboards' widespread usage, it's important to consider how they impact mobile app security. To work correctly, custom keyboards need to access a considerable amount of user information, including what a user is typing while using an app. Even if a mobile app secures its own data, a custom keyboard’s access to sensitive information and its ability to intercept and decrypt keystrokes make it a security risk for mobile apps.

    Threat actors targeting apps via a custom keyboard can steal sensitive user information such as passwords, credit card numbers, and personal identifiable information (PII). For apps operating in highly regulated industries like financial services, this can lead to fraud and fines imposed by government organizations or industry regulators.

    These custom keyboard attacks can impact both the end user and the app publisher. Almost 30% of mobile app uninstalls are due to security/privacy issues.

    With the potential for fraud, data theft, and revenue and reputation loss for app publishers impacted by custom keyboard mobile app attacks, it’s clear that custom keyboard security should be a priority.

    What security measures do Android and iOS provide for custom keyboard threats?

    Both major mobile operating systems, Android and iOS, are aware of the security risks involved with custom keyboards and provide a few helpful security measures to protect against the potential threat:

    • Sandboxing: Custom keyboards are sandboxed, which means that they can only access a limited amount of data and resources on the device.
    • Code signing: Custom keyboards are code signed, which means that they can be verified to confirm that the source is trusted and that it hasn’t been tampered with since the last signing.
    • App review: apps that use custom keyboards must be reviewed by the app stores to ensure that they’re secure.

    While these security measures help protect app publishers from custom keyboard attacks, they aren’t foolproof. Sandboxing can fail when attackers use privilege escalation to break out of the sandbox. Also, the security measure can’t be leveraged for threat detection assistance, it can only be used for attack investigation. Because the security measures can be circumvented, app publishers using custom keyboards should take the necessary steps to protect their apps against custom keyboard security risks.

    How to protect a mobile app against custom keyboard security risks

    There are steps app publishers can take to protect their apps against custom keyboard security risks, including:

    Enabling the right level of Android protections: Often, custom keyboards go hand-in-hand with Android overlays. Custom keyboards appear as full or partial overlays for users accessing apps and inputting text in other languages. These overlays that appear on top of the app can be used in an overlay attack to steal sensitive user data, add malicious app requests without the user’s knowledge, or take control of the device. App publishers must use the proper APIs to protect their apps.

    Using a trusted custom keyboard SDK for app development: It’s important to use a custom keyboard SDK from trusted sources. Most SDKs include a software framework to simplify installation and integration for app developers. Given the prevalence of digital interactions through mobile platforms, they are particularly valuable in mobile app development. Using keyboard SDKs for your apps enhances in-app security, functionality, and user experience.

    Broadly speaking, a keyboard SDK empowers developers to incorporate security and custom features into their applications. It can be seamlessly integrated or combined with other programs to perform specific functions. An SDK serves as a bridge for programs or applications to interact with and manage resources provided by other software components.

    Once integrated into the main application, a keyboard SDK operates as a "keyboard extension." Upon installation, developers gain complete control over the functionalities offered by the SDK, enabling tailored customization to meet their application's unique requirements.

    How Guardsquare can help secure your app with secure custom keyboards

    The Secure Keyboard from Guardsquare is an optional add-on with a DexGuard (Android) /iXGuard (iOS) license. It is designed to strengthen the security of your application's keyboard, mitigating risks associated with user-installed custom keyboards that could compromise data security. This keyboard offers protection against malware threats like overlays, ensuring a secure environment while maintaining a seamless user experience as a fully functional keyboard.

    Compatible with iOS 12+ and Android API 21+, the keyboard is available as an Android and iOS SDK. The iOS SDK is delivered as a Swift Package, while the Android SDK is offered in Java and Kotlin. Users have the flexibility to personalize the keyboard's appearance, including theme colors, dark mode, audio, and haptic feedback settings, and customization for portrait and landscape modes, along with top bar customization.

    Additionally, the keyboard supports convenient typing features such as auto-correction, auto-learning, auto-capitalization, and multi-language support with configurable emoji options. With built-in protection against overlay attacks, Guardsquare's Secure Keyboard is a comprehensive solution that prioritizes both security and user customization.

    Executive Summary (TL;DR)

    • Custom keyboards are common user controls facilitating text entry in mobile apps. They are especially popular for non-Latin-based languages with thousands of characters (e.g., Chinese and Korean).
    • Because custom keyboards access a considerable amount of information in apps, they are targeted by threat actors for sensitive data theft, fraud, and malware.
    • Operating systems provide some protections for custom keyboard usage in mobile apps, but they aren’t foolproof, and app publishers need to take additional precautions to protect their apps from custom keyboard attacks.


    Want to learn more about protecting your mobile application from custom keyboard attacks?

    Contact a Guardsquare expert >

    Other posts you might be interested in