A keyboard app occupies the single most privileged position in your phone's data flow. Every message before it is encrypted, every search before it is submitted, every password before it is hashed: all of it passes through the keyboard as plaintext keystrokes. End-to-end encryption protects a message in transit, as we cover in our post on what E2E encryption actually protects, but the keyboard sits upstream of the encryption. It sees what you typed, in the order you typed it, before any protective layer exists.
That does not make third-party keyboards malicious. Most are built by teams who understand exactly this responsibility. But it makes the keyboard a component where the difference between a careful vendor and a careless one is the difference between a tool and a wiretap.
What a keyboard can technically collect
On both major platforms, an input method sees the raw text you compose, the app you are typing into, and usually the text field's context (the operating system tells keyboards whether a field is an email address, a URL, or a password, so they can adjust layouts). Keyboards with network access can transmit any of this. Keyboards with cloud features (sync, personalized predictions, translation, GIF search) transmit some of it by design.
The platforms draw the lines differently:
- iOS installs third-party keyboards without network access by default. The keyboard runs sandboxed and offline until you grant "Allow Full Access," which opens network communication and shared storage with its container app. For password and other secure text fields, iOS switches back to the built-in system keyboard automatically, regardless of what you have installed.
- Android treats an input method editor (IME) like any other app: if it declares the internet permission, it has network access whenever active. Password fields still route through the active IME, which is why the enable-time warning is worded as bluntly as it is. Android 9 and later restrict some background behavior, but an active keyboard's view of your typing is essentially complete.
Permission prompts govern what an app may do at its worst moment, not what it does on an average day. A keyboard vendor's privacy policy can change after acquisition, and the app in your keyboard slot updates silently. You are trusting a supply chain, and every future owner of it, with your keystrokes.
When it has gone wrong
This is not a hypothetical risk profile. The keyboard category has a documented history of failures across every failure mode you would predict.
In December 2017, security researchers at Kromtech found a publicly exposed database belonging to ai.type, a popular Android keyboard. It contained personal data on more than 31 million users: names, phone numbers, locations, and in some records the contents of contact lists. The data existed on a server at all because the keyboard uploaded it. Two years later, the mobile security firm Upstream reported that ai.type was making unauthorized premium purchase attempts from users' devices.
In 2016, Microsoft's SwiftKey suspended its cloud sync service after users reported seeing strangers' email addresses appear in their own prediction suggestions: a cross-contamination bug in the personalization pipeline. In 2017, AdGuard researchers reported that GO Keyboard, with tens of millions of installs, transmitted personal data to remote servers and downloaded executable code at runtime, in violation of Play Store policy. And in 2015, a flaw in the keyboard preinstalled on Samsung devices (CVE-2015-2865) allowed an attacker positioned on the network path to inject code through unencrypted keyboard language-pack updates.
Four different vendors, four different failure modes: deliberate over-collection, cloud sync leakage, covert behavior, and an insecure update channel. The common factor is the position of the component, not any one company's ethics.
Predictions are a keystroke database
Even a well-behaved cloud keyboard creates a second copy of your writing patterns. Personalized prediction works by building a model of what you type: names, addresses, recurring phrases, private vocabulary. When that model syncs across devices, your typing history lives server-side under whatever retention policy the vendor operates. It becomes one more database that can be breached, subpoenaed, or repurposed, joining the pattern we describe in our post on the free apps privacy problem: when a free product needs revenue, accumulated user data is where it looks.
Your typing rhythm itself is also identifying. The timing between keystrokes is distinctive enough to fingerprint individuals, a technique covered in our post on keystroke dynamics. A keyboard is the one app that observes this signal continuously and everywhere.
Choosing sanely
The good news is that this is one of the few privacy problems with clean, low-effort fixes.
- Staying on the stock keyboard is a defensible default. The platform keyboard is maintained by the same vendor that already controls the operating system, so it adds no new party to your trust equation.
- If you want a third-party keyboard, prefer open source and offline. Keyboards like HeliBoard and FlorisBoard on Android request no internet permission at all, which converts the trust question into a verifiable property. No network permission means no exfiltration path, regardless of intent.
- On iOS, withhold Full Access unless a feature you actually use requires it. Without it, the keyboard cannot phone home.
- Turn off cloud personalization and sync if you use a mainstream keyboard, and clear the learned dictionary before selling or handing over a device.
- Audit the keyboard list. On Android, check Settings for enabled IMEs you do not remember adding; a stale keyboard from an old app is still a keyboard with the same privileges. Sideloaded or repackaged keyboards deserve the same suspicion as any app handling credentials, for the reasons covered in our post on password manager security.
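As an added example (not code from this post or from any keyboard project), a POSIX shell script that turns the "no internet permission" property from the list above, together with the Android IME model described earlier, into a check you can run over adb; the helper names, the example package names and the sample dumpsys text are constructed for illustration.

```shell
#!/bin/sh
# Audit the keyboards (IMEs) enabled on an Android device for network access.
# Real runs need adb and a device with USB debugging; helpers are constructed.

# Print "network" if a `dumpsys package <pkg>` dump shows the package
# requesting android.permission.INTERNET, otherwise "offline".
ime_network_state() {
    if printf '%s\n' "$1" | grep -q 'android\.permission\.INTERNET'; then
        echo network
    else
        echo offline
    fi
}

# Reduce an IME id such as "com.example.kbd/.LatinIME" to its package name.
ime_package() {
    printf '%s\n' "$1" | cut -d/ -f1
}

# Walk every enabled IME (`ime list -s` prints one id per line) and report
# which ones hold a permission that gives them a path off the device.
audit_device() {
    adb shell ime list -s | tr -d '\r' | while read -r ime; do
        [ -n "$ime" ] || continue
        pkg=$(ime_package "$ime")
        dump=$(adb shell dumpsys package "$pkg" | tr -d '\r')
        printf '%-50s %s\n' "$ime" "$(ime_network_state "$dump")"
    done
}

# Constructed sample dumps (not captured from a real device).
SAMPLE_CLOUD_KBD='Package [com.example.cloudkbd] (1a2b3c):
  requested permissions:
    android.permission.INTERNET
    android.permission.READ_CONTACTS
  install permissions:
    android.permission.INTERNET: granted=true'

SAMPLE_OFFLINE_KBD='Package [com.example.offlinekbd] (4d5e6f):
  requested permissions:
    android.permission.VIBRATE
  install permissions:
    android.permission.VIBRATE: granted=true'

# Only contact a device when asked; the helpers themselves run offline.
if [ "${1:-}" = "--device" ]; then
    audit_device
fi
```

Any IME reported as "network" should be cross-checked against the features you actually use; an offline keyboard that still shows up as "network" is worth replacing.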
The keyboard test
A useful habit when evaluating any app: ask what the app is in a position to see, rather than what it promises to do. For most apps the answer is bounded. For a keyboard the answer is everything you type, which means the bar for adding one should be correspondingly high. A keyboard earns its place on your phone the same way any component earns a place in a secure system: by needing the least trust, not by asking for the most.