I know your title is from the title of the article, but it's pretty misleading.
Just to clear things up, it seems like the bug grants the "Full Access" permission to 3rd party keyboards which allows them to make network requests (phone home) based on what you are typing while you have that specific keyboard opened. It doesn't grant the keyboards full access to anything on your iPhone, which is what the title makes it sound like.
The stock iOS 13 keyboard has swipe now, which means that I don’t need a third party keyboard anymore, which I assume was sending everything I typed to some server for advertising purposes.
Thankfully, I was finally able to uninstall Gboard (Google's swipe keyboard). Don't know why it took Apple so long to implement the swipe keyboard feature.
Agreed on 'what took them so long', but I am still using SwiftKey for now, because I find the Apple swipe implementation isn't as reliable for me. And for some reason the Apple keyboard doesn't always have a backspace key. Which is weird and, when it happens, pretty frustrating.
I will admit to not actually looking at how third-party keyboards are implemented (specifically, how are security risks mitigated), but have always stayed away from them on instinct. For me, the potential value just doesn't outweigh risk.
Without “full access,” the API surface is basically nil and the keyboard is just a dumb app. With full access, the keyboard can phone home with everything you’re typing. Kudos to Apple for calling it “Allow Full Access” to make people sufficiently wary of it.
I looked for something like this several months ago (before Apple announced the feature would be in iOS 13). All I could find was the original Swype keyboard, which I’d downloaded years before. It’s no longer available for download by new customers, and the competitors all require full keyboard access, by my research.
You can turn off auto correct and all the gimmicks like spell checking, predictive typing, smart punctuation and auto capitalisation for the stock keyboard by going to Settings > General > Keyboards.
First we have a security issue in iOS 13.0 — a lock screen bypass vulnerability which isn’t easy to exploit — that should’ve been fixed before mass release. But Apple wanted iOS 13 to be out for all iOS users for the launch of the new iPhone 11s. So we get iOS 13.1 in a week (Sep 24) from iOS 13.0.
Now we find that a much more severe issue with unexpectedly granting third party keyboards Full Access is yet to be fixed. Shouldn’t this issue take higher priority (not implying that the same teams work on all security issues)? This seems like a betrayal of trust. Nobody would expect a third party keyboard to get Full Access and transmit all keystrokes over the network unless they granted that permission.
Is Apple now planning to release iOS 13.1.1 or iOS 13.2 by September 30 with the fix for this and some more fixes for stability?
It seems like the beta testing cycle is still going on for iOS 13.0.
Apple has focused on better performance over the last two years and shown good results (older devices don’t slow down as much with newer iOS releases as in the distant past), but stability and security both seem to have taken a hit within Apple’s technical abilities and processes, as is evident from the revelations, from Google’s Project Zero and others, in the last few months or so.
This isn’t “keyboard has access to everything”, it’s “keyboard can make network requests” - now we can argue over whether that’s good or not (a lot of predictive keyboards use network requests to update for current events etc.), but this seems by design, whereas the seeing-your-contacts thing is clearly a bug.
I’m still unclear why the contacts DB isn’t class A data (e.g. wrapped by a key that is only available when the device is actually unlocked); I assume it’s perf related.
Anyway, feel free to say “accessing contacts from lock screen is a bug”, but for the keyboard stuff you need to compare to the android equivalents, which IIRC are even worse :-/
> I’m still unclear why the contacts DB isn’t class A data (e.g. wrapped by a key that is only available when the device is actually unlocked); I assume it’s perf related.
It probably has to do with the actual phone part of the device. When you receive a call while locked, you can’t show the contact name associated with that number if the contacts are locked behind the lock screen.
A good case for Face ID - I know an option allows it to hide notifications when it's locked, but I don't believe there's one to hide the contact's name.
You can get a sense of why contacts are not Class A by trying to use Notification Center after restarting your phone. The metadata is crucial for making lots of notifications useful.
edit: Here is a link to the Apple support article, which is a little clearer: https://support.apple.com/en-us/HT210613