Most users believe their passwords are safe as long as they don’t click suspicious links. In practice, however, there are apps that — with our consent — can see what we type or what appears on the screen.
They are not illegal, and they are not necessarily malicious, but if they are misused or fall into the wrong hands, they can open the door to serious security breaches.
The most dangerous category is not some obscure app, but something many people use every day: third-party keyboards.
Popular examples:
- emoji keyboards
- GIF keyboards
- keyboards with “smart” predictions
- custom keyboards with themes and colors
They have been installed on hundreds of millions of devices worldwide.
A keyboard:
- “sees” everything you type
- works across all apps
- is active in email, social media, and e-banking
- has access to names, usernames, and passwords
In many cases, it requests:
- full access
- internet connectivity
- the ability to send data to servers
This doesn’t mean that all keyboards record passwords — but it does mean that, technically, they can.
Users download them because:
- they want emojis and GIFs
- they like personalization
- they find them convenient
- they’re recommended by the app store
The critical point is that permissions are granted once, but access is continuous.
The risk increases when:
- the keyboard is from an unknown developer
- it asks for full access without explanation
- it’s combined with other permissions (e.g. accessibility)
- it isn’t updated frequently
- it has poor privacy reviews
In such cases, the following have been documented worldwide:
- data leaks
- keystroke logging
- targeted scams
- account compromises
Android
- Keyboards can have broader access
- Users often don’t check which keyboard is active
- More flexibility → greater risk
iPhone
- iOS is more restrictive
- However, if “Full Access” is granted to a keyboard, it can send data off the device and sync what you type
- Check which keyboard you’re using
- Settings → Keyboard
- If it’s not the system default, review it
- Check whether it has “Full Access”
- If yes, see who the developer is
- If you don’t recognize them → remove it
Avoid using third-party keyboards for:
- e-banking
- corporate accounts
✔ Delete keyboards you don’t use
✔ Use the operating system’s default keyboard
✔ Disable “Full Access” where it isn’t necessary
✔ Don’t install keyboards from unknown developers
✔ Enable 2FA on all critical accounts