Keyboard isolation in Android
I'm currently running GrapheneOS on a Pixel 6a, and I have installed several alternative keyboards from F-Droid and the Play Store.
How isolated are keyboards in Android? When I enable a keyboard in the system settings I'm greeted with: Attention This input method may be able to collect all the text that you type, including personal data like passwords and credit card numbers. It comes from the app APPNAME. Use this input method?
This would imply that the keyboard has free reign to do whatever it wants with whatever I type into it.
But if I go to "App permissions" in the settings menu I see something different.
For FlorisBoard (from F-Droid) I see the following permissions granted:
- Sensors
But for Microsoft SwiftKey I see the following permissions granted:
- Network
- Notifications
- Sensors
It seems evident that, with network access, a malicious version of SwiftKey could upload everything that I type. But what about FlorisBoard (or other applications with only "Sensors" permissions)? I cannot prevent any keyboard from recording keystrokes*, but is Android's sandbox system sufficient to prevent the keyboard from exfiltrating whatever it may record?
* Technically there might be a way to configure the keyboard application how I want it and then block its ability to write to storage, but that's a different issue/goal/task :-)
