
iOS 13 bug grants third-party keyboards full access to iPhones - electic
https://9to5mac.com/2019/09/24/ios-13-bug-grants-third-party-keyboards-full-access-to-iphones-even-when-users-have-it-turned-off/
======
nyc640
I know your title is from the title of the article, but it's pretty
misleading.

Just to clear things up, it seems like the bug grants the "Full Access"
permission to 3rd party keyboards which allows them to make network requests
(phone home) based on what you are typing while you have that specific
keyboard opened. It doesn't grant the keyboards full access to anything on
your iPhone, which is what the title makes it sound like.

edit: Here is a link to the Apple support article, which is a little clearer:
[https://support.apple.com/en-us/HT210613](https://support.apple.com/en-us/HT210613)

~~~
zadokshi
This article title is the IT equivalent of click bait.

~~~
allset_
If you think IT articles didn't have clickbait titles until now... oh boy.

------
parsimo2010
The stock iOS 13 keyboard has swipe now, which means that I don’t need a third
party keyboard anymore, which I assume was sending everything I typed to some
server for advertising purposes.

~~~
drdaeman
Unfortunately, QuickPath is available only for English keyboards.

Edit: my bad, this is not true, thanks for correcting. Still, only available
for a few languages, so doesn't fully replace Gboard for all situations.

~~~
saagarjha
Interestingly, my keyboard switches between English and Spanish when using
QuickPath, and I don't know how to turn it off!

~~~
crazygringo
You have to delete Spanish as a secondary language from your iPhone. (I had to
do the same with Portuguese.)

Turns out it's not under Keyboard settings, it's under the language settings
for your phone itself.

------
mmgutz
Thankfully, I was finally able to uninstall Gboard (Google's swipe keyboard).
Don't know why it took Apple so long to implement a swipe keyboard feature.

~~~
rootusrootus
Agreed on 'what took them so long' but I am still using SwiftKey for now,
because I find the Apple swype implementation isn't as reliable for me. And
for some reason the Apple keyboard doesn't always have a backspace key. Which
is weird and when it happens pretty frustrating.

------
notmyfuture
I will admit to not actually looking at how third-party keyboards are
implemented (specifically, how are security risks mitigated), but have always
stayed away from them on instinct. For me, the potential value just doesn't
outweigh risk.

~~~
paggle
Without “full access,” the API surface is basically nil and the keyboard is
just a dumb app. With full access, the keyboard can phone home with everything
you’re typing. Kudos to Apple for calling it “Allow Full Access” to make
people sufficiently wary of it.

------
fouc
Can anyone recommend some great third-party keyboards that do not depend on
the "full access" ability to phone home?

~~~
CarVac
MessagEase.

When I switched to it I felt so liberated from the tyranny of autocorrect
mistakes.

~~~
kevingrahl
You can turn off auto correct and all the gimmicks like spell checking,
predictive typing, smart punctuation and auto capitalisation for the stock
keyboard by going to Settings > General > Keyboards

~~~
CarVac
Yes, but a QWERTY touchscreen keyboard needs some smarts to be usable.
MessagEase doesn't.

------
newscracker
First we have a security issue in iOS 13.0 — a lock screen bypass
vulnerability which isn’t easy to exploit — that should’ve been fixed before
mass release. But Apple wanted iOS 13 to be out for all iOS users for the
launch of the new iPhones 11. So we get iOS 13.1 in a week (Sep 24) from iOS
13.0.

Now we find that a much more severe issue with unexpectedly granting third
party keyboards Full Access is yet to be fixed. Shouldn’t this issue take
higher priority (not implying that the same teams work on all security
issues)? This seems like a betrayal of trust. Nobody would expect a third
party keyboard to get Full Access and transmit all keystrokes over the network
unless they granted that permission.

Is Apple now planning to release iOS 13.1.1 or iOS 13.2 by September 30 with
the fix for this and some more fixes for stability?

It seems like the beta testing cycle is still going on for iOS 13.0.

Apple has focused on better performance over the last two years and shown good
results (older devices don’t slow down as much with newer iOS releases as in
the distant past), but stability and security both seem to have taken a hit
within Apple’s technical abilities and processes, as is evident from the
revelations, from Google’s Project Zero and others, in the last few months or
so.

~~~
olliej
This isn’t “keyboard has access to everything” it’s “keyboard can make network
requests” - now we can argue over whether that’s good or not (a lot of
predictive keyboards use network requests to update for current events etc),
but this seems by design whereas the seeing your contacts thing is clearly a
bug.

I’m still unclear why the contacts DB isn’t class A data (eg wrapped by a key
that is only available when the device is actually unlocked), I _assume_ it’s
perf related.

Anyway, feel free to say “accessing contacts from lock screen is a bug”, but
for the keyboard stuff you need to compare to the android equivalents, which
IIRC are even worse :-/

~~~
colejohnson66
> I’m still unclear why the contacts DB isn’t class A data (eg wrapped by a
> key that is only available when the device is actually unlocked), I assume
> it’s perf related.

It probably has to do with the actual phone part of the device. When you
receive a call while locked, you can’t show the contact name associated with
that number if the contacts are locked behind the lock screen.

~~~
judge2020
A good case for Face ID - I know an option allows it to hide notifications
when it's locked, but I don't believe there's one to hide the contact's name.

