I was taking a look at the Naomi Wu situation (A Chinese DIY tech youtuber who went missing after being watched by the government) and in one part they mentioned that she was concerned about her privacy, so started using Signal, but had a default chinese keyboard that had a keylogger and the police had looked into what she was talking on there.
I’m not sure if it was a mobile only thing, but it was mentioned that the keyboard app was used in like 70% por chinese smarthphones.
Now, I use AnySoftKey and refuse to use default keyboard apps, but how far can we reach on the keyboard security thing? Is typing on a computer or using a physical keyboard on a mobile device 100% safe? I think the keyboard issue is often overlooked and would like to know what recommendations your have? Or what should be known more?
It is very wise to use a FOSS keyboard app, because if you think about it a keyboard app would probably be the thing on your phone that knows the most about you. I don’t mean that to fear monger, it’s just a thought. Plus if you look at events in the past few years like swiftkey’s little user data error it gives you an idea of how privacy invasive they could or could already be.
Good recommendations for an app?
FlorisBoard or Openboard
+1 for FlorisBoard
OpenBoard (specifically the fork by Helium314 that supports gesture typing) is what I prefer.
I can’t seem to find this on fdroid, github, etc. Mind sharing a link?
Upon other recommendations here I have gone with open board. Its pretty sweet after a bit of configuring.
Gotta get used to it though, my muscle memory will take a bit to adapt!!
Holy shit I didn’t know she was missing.
I guess advocating open source is enough to be imprisoned.
Keyboard is absolutely a thing to be careful with. On Android mobile, use OpenBoard for example. On computer, if you use Linux, also install kloak [https://github.com/Whonix/kloak], a tool that slightly delays randomly your keystrokes to help you hide your typing pattern that can definitively identify you
So, that makes your typing worse so you can’t be identified?
Not worse, but less repeatable. You don’t see any difference in typing, it just help reduce fingerprinting
No, it randomizes the key timing. It also doesn’t address stylometry so you can still be identified, but it helps. I made a browser addon that does the same thing. https://addons.mozilla.org/en-US/firefox/addon/private-keyboard/
Hey, I wanted to ask if you could make your browser extension for chromium based browser? I use Brave as my main browser for different reasons and I would love to have your extension also for Brave, since I care a lot about, I also would install the file manually if you won’t publish it in Chrome Store.
Hey, I’m currently stretched pretty thin on projects so it will be quite some time before i’m able to port it, however I appreciate the interest. If you or anyone you know is willing to port it, i would appreciate help.
I was partly inspiried by this extension for chrome: https://chrome.google.com/webstore/detail/keyboard-privacy/aoeboeflhhnobfjkafamelopfeojdohk
However I am not sure if it is open source and i don’t think its maintained anymore. It is a good starting point regardless.
Hm okay, sadly my knowledge about making browser extensions is almost zero, so I won’t be rly a help :') and thanks for the link, I tried it, but I definitly prefer yours. I will be patient until you got the time to do port your extension, good luck with your projects!
Who exactly can view my typing pattern?
Absolutely every website you visit or app you use, if they track such info of course.
deleted by creator
That’s not juicy enough to reveal they’re listening.
deleted by creator
Hahaha… 😁
I used to use Gboard with a firewall that isolates the app so that it can never connect to the internet. Though that was in the past and I’m not sure if that is even effective. So I just switched to a open source keyboard in FDroid
Removed by mod
This sentence kinda highlights how outlandishly dystopic the whole thing is.
Yeah, I used RethinkDNS’s Firewall. It’s pretty good.
Apps can communicate with each other even without Internet access, this mean GBoard could just connect to Google Play Services or any other Google User/System App and share the data over that way.
This will 100% still share everything you type with Google
Probably a good place to ask. Are there any FOSS keyboard apps for Android with swipe typing?
AnySoftKeyboard is FOSS and supports gesture typing. It has not been updated in a while and I find it buggy.
Helium314’s OpenBoard fork is FOSS but supports Google’s proprietary gesture typing library.
FlorisBoard is FOSS and supports gesture typing, but does not have word predictions. It is being worked on.
Removed by mod
I use FlorisBoard - but it’s under heavy development at the moment, as the dev is doing a complete rewrite… autocorrect isn’t implemented yet, but swipe/gesture typing is.
There is another one that has swipe typing and autocorrect but can’t recall the name at the moment
OpenBoard
Yes, but you need this fork for swiping gestures.
https://github.com/erkserkserks/openboard
The reason is easy, the libary for swiping is propetary, FOSS projects won’t use it and cut this feature.
Thanks for the suggestion. I have used this keyboard for about a day now and I love it. I didn’t expect much going in but it actually has a lot of features and options.
Florisboard on FDroid.
And dont ever use any Stock Android, its all spyware. Thats simply the truth. At best its “only” Google. Samsung was the worst of the ones I tried, regarding bloatware, but Huawei and Xiami are also horrible and you dont need anything fancy but a keylogger keyboard.
If you go to the Florisboard git hub their is an easy route to install it via Google play, if you can’t use fdroid or side load apps for any reason. It basically involves signing up to “beta test” the app which you then get in Google Play as normal.
This may be an important route on some parts of the world.
I think in these parts of the world you need the Huawei app gallery. And I hope all Androids allow sideloading?
And dont ever use any Stock Android, its all spyware.
Also reboots your device if you try and revoke permissions from Google Play Services
Removed by mod
I’m rooted using an FP3 (essentially stock, only a single preinstalled manufacturer app).
Revoking location permissions from Play Services reboots the device immediately (previously this didn’t happen - the permissions would be revoked as expected, and things dependent on Google’s location API would fail as expected) so I assume a GMS update was pushed via play store resulting in this reboot problem
Removed by mod
A while ago I read about a study where they showed how they recreated typed text on a computer keyboard based on the sound the keys made, using AI. I can’t seem to find the post right now tho.
There was a video by Youtuber The Morpheus, dont find it but here is a news article
This was also something I’m sure the BBC covered before but regarding pin code entry devices
Removed by mod
I mean if you’re that concerned get a thinkpad X200, libre boot it, and run qubes OS
Removed by mod
Qbues on whonix is even better
This Tails if you dont got the time
So, the keyboard is important, and is one thing; but one must not overlook that on touch devices, software keyboards run on top of operating systems, and hardware, too.
Actual keyboards made of physical keys/domes/switches, embedded controllers, and USB chips/cables, even if they seemingly present a similar attack surface (after all, they are also connected to hardware with an operating system), are practically harder to compromise.
Yes, in both cases, the operating system has access to the information (be it via the USB subsystem, or via the touch/input subsystem, etc), and the hardware too; but computer hardware is more heterogeneous, more modular and standardized, and “auditable” operating systems are much more common, and readily deployable. Heck, it is entirely possible to run open hardware and open software (including the toolchain to build said software) with a computer; but the same for mobile devices is very much uncharted territory.
The result is that even with our best effort, a mobile device is at the very best a black box, with an unlocked bootloader, a community provided recovery and operating system, often downloaded from random file hosting services, and built with toolchains of variable quality with several proprietary components.
This is not ideal, and it is the best case scenario. In many cases, people run the stock recovery/operating system, and simply sideload software on a device they do not even have root access to.
The takeaway here, is that while nothing is perfect, and there is always an attack surface, using unpredictable components (e.g. standardized, modular), with unpredictable software (e.g. dozen of different operating system families, each with their own version and qwirks), while also having a community of technologists auditing the code (even if only a handful of developers, there is much less risk of them all organizing towards a harmful goal than with a team of employees from a company ultimately led by a single person), practically provides a significantly different environment.
And unless you’re an embedded engineer/genius able to design bug-free (g’luck) PCBs from open hardware ICs (so you can have them made via your vendor of choice) and simple components, and then use software you, or people you trust, audited, you have to recognize that you can only do “less bad”.Less bad being a dev-friendly device (old Google pixels come to mind, not sure if they’re still like that), installing lineage, /e/ or another alternative system on it, and using software from f-droid (like AnySoftKeyboard - the one I am actually using for typing this).
That, or you decide to trust the reputable (YMMV) company of your choice with your digital life, identity, and data. Many pros I know in infosec go for Apple. It is true that, at least for professional use cases, with companies in the US or in western Europe, it arguably makes sense.
I use familiar Gboard with the network permission toggled off.
Use grapheneos, lineageos or something similar. Those contain the AOSP keyboard instead of the google keyboard.
I think the keyboard issue is often overlooked and would like to know what recommendations your have? Or what should be known more?
Overlooked? Not really, for years I have never used built-in keyboard from stock rom, keyboards from goolag store or goolag board.
Most people stick with non-foss keyboards just because it’s convenient
I can’t lie, gboard is incredible, especially since I use two languages, and I don’t have to switch the language every time, it just figures out which language to autocorrect to. switched to open board either way, but I do miss the convenience of gboard
This was my experience with SwiftKey. Used it since before Microsoft got it, but recently switched to Simple Keyboard and I really do miss how SwiftKey worked.
