> While many keyboard apps operate locally, solely within a user’s device, IME-based keyboard apps often have cloud features which enhance their functionality. Because of the complexities of predicting which characters a user may want to type next, especially in logographic languages like Chinese, IMEs often offer “cloud-based” prediction services which reach out over the network. Enabling “cloud-based” features in these apps means that longer strings of syllables that users type will be transmitted to servers elsewhere
Interesting. Testing this myself I have an uleFone running Android and when I pull up the text messaging interface there is a load of isakmp traffic to t-mobile and it continuously talks to Google AS15169 over HTTPS I assume for RCS. Every character I type creates a burst of isakmp vpn traffic. LTE over Wifi
I've not installed any keyboard apps, this is the bog standard uleFone. This happens even if I disable smart-reply and I always disable the Let others know when I am typing. I must be missing a setting somewhere. It's odd that if RCS uses Google over HTTPS then I dont know why it sends so many packets for each character I type to TMO over their VPN / isakmp especially since I have not sent a message. The isakmp packet rate is reduced slightly if I disable spell checking which allowed me to change more settings that were greyed out.
I guess my question is why would my phone mirror all my keypresses to both TMO over their VPN and to Google over RCS in bigger bursts vs keypress, all without my actually sending a message? It appears that to debug this I have to install Magisk to use my Squid SSL Bump proxy but I doubt that will help my with the isakmp traffic unless they bootstrap the preshared secret over HTTPS on a domain not using public key pinning which Google has on several subdomains.
When Apple announced third-party keyboard support for the iPhone, the implementation annoyingly reverted to Apple's own keyboard for password or other "sensitive" entries, specifically to mitigate this problem.
Wouldn't refusing network access for keyboards be a better solution, on Android majority of open source keyboard apps don't have network permission at all.
This is my dream scenario, stock Android and iOS having the feature to disable network access for apps.
It's such a simple, quality of life improvement for certain apps that I know I never want to phone home for any reason outside of 'cloud centric' features. Blocking traffic and DNS requests by hand is time-consuming, and new servers / connections can prop up at anytime without one's knowledge, not to mention you might block a domain for a specific app but need it for another (star.c10r.facebook.com for example, which also blocks Meta AI research websites).
I kind of get why they wouldn't, such as unexpected behaviour, sweet data collection and license checking, but man. At least a handful of custom ROMs and local-VPN privacy apps on Android allows for this.
Yes, this is what I meant by local VPN privacy app (didn't find the right words admittedly, as it's not a standalone firewall per say and unfortunately cannot be used in tandem with a real VPN tunnel), excellent one though!
> Samsung Keyboard on Android, which transmits keystroke data via plain, unencrypted HTTP
Why is the keyboard sending any data at all? Is it essentially keylogging to Samsung servers or am I misinterpreting this?
reply