iOS 13 bug grants third-party keyboards full access to iPhones (9to5mac.com)
77 points by electic on Sept 24, 2019 | 27 comments

I know your title is from the title of the article, but it's pretty misleading.

Just to clear things up, it seems like the bug grants the "Full Access" permission to 3rd party keyboards which allows them to make network requests (phone home) based on what you are typing while you have that specific keyboard opened. It doesn't grant the keyboards full access to anything on your iPhone, which is what the title makes it sound like.

edit: Here is a link to the Apple support article, which is a little clearer: https://support.apple.com/en-us/HT210613

This article title is the IT equivalent of click bait.

If you think IT articles didn't have clickbait titles until now... oh boy.

I thought that was what Google's keyboard has done since it was released. Correct?

Yes, but you need to grant it permission to do so. The bug here is that keyboards have this "full access" permission even when the user has denied it.

The stock iOS 13 keyboard has swipe now, which means that I don’t need a third party keyboard anymore, which I assume was sending everything I typed to some server for advertising purposes.

Unfortunately, QuickPath is available only for English keyboards.

Edit: my bad, this is not true, thanks for correcting. Still, only available for a few languages, so doesn't fully replace Gboard for all situations.

Not true:

> QuickPath language support: Support for English, Simplified Chinese, Spanish, German, French, Italian, and Portuguese is now included. [1]

[1] https://www.apple.com/ios/ios-13/features/

Interestingly, my keyboard switches between English and Spanish when using QuickPath, and I don't know how to turn it off!

You have to delete Spanish as a secondary language from your iPhone. (I had to do the same with Portuguese.)

Turns out it's not under Keyboard settings, it's under the language settings for your phone itself.

Thankfully, I was finally able to uninstall Gboard (Google's swipe keyboard). Don't know why it took Apple so long to implement a swipe keyboard feature.

Agreed on 'what took them so long' but I am still using SwiftKey for now, because I find the Apple swype implementation isn't as reliable for me. And for some reason the Apple keyboard doesn't always have a backspace key. Which is weird and when it happens pretty frustrating.

I’ve done that too. However it seems Gboard is much better at correcting mistakes, especially for Asian languages.

I will admit to not actually looking at how third-party keyboards are implemented (specifically, how security risks are mitigated), but have always stayed away from them on instinct. For me, the potential value just doesn't outweigh the risk.

Without “full access,” the API surface is basically nil and the keyboard is just a dumb app. With full access, the keyboard can phone home with everything you’re typing. Kudos to Apple for calling it “Allow Full Access” to make people sufficiently wary of it.

Can anyone recommend some great third-party keyboards that do not depend on the "full access" ability to phone home?

I looked for something like this several months ago (before Apple announced the feature would be in iOS 13). All I could find was the original Swype keyboard, which I’d downloaded years before. It’s no longer available for download by new customers, and the competitors all require full keyboard access, by my research.

What don’t you like about the stock keyboard that makes you want to use a third party keyboard instead?


When I switched to it I felt so liberated from the tyranny of autocorrect mistakes.

You can turn off auto correct and all the gimmicks like spell checking, predictive typing, smart punctuation and auto capitalisation for the stock keyboard by going to Settings > General > Keyboards.

Yes, but a QWERTY touchscreen keyboard needs some smarts to be usable. MessagEase doesn't.

First we have a security issue in iOS 13.0 — a lock screen bypass vulnerability which isn’t easy to exploit — that should’ve been fixed before mass release. But Apple wanted iOS 13 to be out for all iOS users for the launch of the new iPhones 11. So we get iOS 13.1 in a week (Sep 24) from iOS 13.0.

Now we find that a much more severe issue with unexpectedly granting third party keyboards Full Access is yet to be fixed. Shouldn’t this issue take higher priority (not implying that the same teams work on all security issues)? This seems like a betrayal of trust. Nobody would expect a third party keyboard to get Full Access and transmit all keystrokes over the network unless they granted that permission.

Is Apple now planning to release iOS 13.1.1 or iOS 13.2 by September 30 with the fix for this and some more fixes for stability?

It seems like the beta testing cycle is still going on for iOS 13.0.

Apple has focused on better performance over the last two years and shown good results (older devices don’t slow down as much with newer iOS releases as in the distant past), but stability and security both seem to have taken a hit within Apple’s technical abilities and processes, as is evident from the revelations, from Google’s Project Zero and others, in the last few months or so.

This isn’t “keyboard has access to everything” it’s “keyboard can make network requests” - now we can argue over whether that’s good or not (a lot of predictive keyboards use network requests to update for current events etc), but this seems by design whereas the seeing your contacts thing is clearly a bug.

I’m still unclear why the contacts DB isn’t class A data (eg wrapped by a key that is only available when the device is actually unlocked), I assume it’s perf related.

Anyway, feel free to say “accessing contacts from lock screen is a bug”, but for the keyboard stuff you need to compare to the android equivalents, which IIRC are even worse :-/

> I’m still unclear why the contacts DB isn’t class A data (eg wrapped by a key that is only available when the device is actually unlocked), I assume it’s perf related.

It probably has to do with the actual phone part of the device. When you receive a call while locked, you can’t show the contact name associated with that number if the contacts are locked behind the lock screen.

A good case for Face ID - I know an option allows it to hide notifications when it's locked, but I don't believe there's one to hide the contact's name.

You can get a sense of why contacts are not Class A by trying to use Notification Center after restarting your phone. The metadata is crucial for making lots of notifications useful.

13.1 released today
