Apple Developers Found Third-Party Keyboard Vulnerability in iOS

by Brendan Smith
September 28, 2019

With the release of iOS 13.1, Apple discovered a vulnerability affecting third-party keyboards in iOS 13 and iPadOS.

Third-party keyboards for iOS are applications that are designed to work completely autonomously, without access to any external services, or with “full access” to additional functions (for example, spell checking), which requires access to the network. In theory, this allows keyboard developers to store keystroke data or everything the user types on their servers, including messages, passwords, and so on.

As it turned out, due to a bug, such third-party keyboards could be granted full access, even if the user did not directly approve of this. The problem was discovered by Apple developers themselves.

“Third-party keyboard extensions in iOS can be designed to run entirely standalone, without access to external services, or they can request “full access” to provide additional features through network access. Apple discovered a bug in iOS 13 and iPadOS. This can result in keyboard extensions being granted full access even if you haven’t approved this access”, — report Apple specialists.

So far, developers have not revealed almost any details of the vulnerability. It is not even known which versions of iOS are subject to a bug. It is only reported that users of third-party keyboards on iPhone, iPad or iPod touch are at risk.

“This issue does not impact Apple’s built-in keyboards. It also doesn’t impact third-party keyboards that don’t make use of full access. The issue will be fixed soon in an upcoming software update”, — ensures Apple.

The developers promise to fix the bug as quickly as possible. You can check which keyboards are installed on the device in the settings: General->Keyboard->Keyboards.

How to avoid problems?

If you’ve purposely avoided granting full access, you might want to temporarily delete third-party keyboards. And it should go without saying, but don’t install alternate keyboards that you don’t trust.

Read also: Selfie apps installed over 1.5 million times traced users and showed ads

Crucially, Apple prevents third-party developers from recording your passwords by always switching to the default iOS keyboard in password fields even when you’re using something like Gboard for everything else.

Sending
User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About the author

Brendan Smith

Cybersecurity analyst with 15+ years digging into malware and threats, from early days reverse-engineering trojans to leading incident responses for mid-sized firms.

At Gridinsoft, I handle peer-reviewed breakdowns of stuff like AsyncRAT ransomware—last year, my guides helped flag 200+ variants in real scans, cutting cleanup time by 40% for users. Outside, I write hands-on tutorials on howtofix.guide, like step-by-step takedowns of pop-up adware using Wireshark and custom scripts (one post on VT alternatives got 5k reads in a month).

Certified CISSP and CEH, I’ve run webinars for 300+ pros on AI-boosted stealers—always pushing for simple fixes that stick, because nobody has time for 50-page manuals. Tools of the trade: Splunk for hunting, Ansible for automation, and a healthy dose of coffee to outlast the night shifts.

View all posts

Leave a Reply

Sending