Skip to content ↓ | Skip to navigation ↓


I’ve been an iPhone user for quite a while… starting with the iPhone 4, I upgraded to the 4S, the 5, and, now, the 6.

With the iPhone 6, I’ve spent a good deal of time investigating the features of iOS 8, something I didn’t do when I upgraded my iPhone 5 because it was already setup and ready to go.

One of the features I discovered allows for custom keyboards. I stumbled across this when I found a Kickstarter project for one of these custom keyboards. I immediately jumped on the bandwagon. I bought the keyboard at a high enough level that I gained access to the beta and was intrigued when I saw a bullet point that said, “Private and Secure  you don’t need to enable ‘Full Access.’”

This is where I became confused and I had to start digging. It turns out that custom keyboards can have “Full Access” or “Open Access” enabled or disabled. The difference? Every keystroke you type is sent to a server controlled by the keyboard developer.

Think about that for a second. Let it really sink in. With iOS 8, Apple has provided a keystroke logger API that’s easy to use, allows for rapid application development, and qualifies for distribution via the AppStore.

Now, Apple put a little bit of thought into this process: if an application has a text entry field that’s labeled as secureTextEntry, then the system keyboard is provided rather than the custom keyboard. This includes all password fields in Safari. It does not, however, include credit card fields (since they don’t have a distinct type) nor does it include email.

If you have a BYOD policy, you may want to consider if you allow custom keyboards or if you allow Full Access for custom keyboards. While it’s not a policy you can easily enforce, you could still write it into your security policy. In the end, it’s worth pointing out to end users who may not be aware of the security implications of installing a custom keyboard.

I, for one, won’t be using a custom keyboard with full access enabled anytime soon—that concept is simply too scary to consider.


Related Articles:


picCheck out Tripwire SecureScan™, a free, cloud-based vulnerability management service  for up to 100 Internet Protocol (IP) addresses on internal networks. This new tool makes vulnerability management easily accessible to small and medium-sized businesses that may not have the resources for enterprise-grade security technology.

picThe Executive’s Guide to the Top 20 Critical Security Controls Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].

Title image courtesy of ShutterStock

Tripwire University
  • Khürt

    Good thing a standard warning is displayed by iOS 8 when the keyboards are granted "full access" to enable their entire sets of features.

  • Anonymous

    This is how Android has operated for years, why the sudden fear now it's happening on iOS?