Reputation: 2153
Security Concerns for Keyboard input
I am aiming to find out different security concerns that can occur on Android devices .One of them is the Keyboard Interception
Following are my findings
a) If i am not using a third party IME (keyboard), i am sure that no application can intercept the keys that i have entered.
b)If i am using a third party IME app, this app can get whatever i have typed and may forward it to some other app/ upload it to the net etc.
Both above points are valid for a Non Rooted as well as a Rooted phone.
If i am using the standard keyboard (Android or that provided by firmware), it is impossible to intercept key events unless the firmware is modified Links i refereed are One and Two
What will happen if i plug in an external keyboard like we do on a Galaxy tab 2. When we type using this keyboard on the EditText on Activity at top, is it guaranteed that no one else can intercept the key presses(Rooted/Non rooted phones and without Firmware change)? I hope that the IME security rules given in Android Documentation here under Security Section apply for external keyboards too.
I recently found the DoMobile ShareKeyboard app on Market, it enables input through Computer keyboard using Wifi/GPRS on an Android device. Here obviously user is using a 3rd party IME so its completely insecure in cases where security is a major concern.
Please correct me if i am wrong in the points i mentioned.
Upvotes: 1
Views: 3219
Answers (2)
Reputation: 2309
a)You can't be sure. The original keyboard came with your device was made by your device manufacturer but might be modded until it got in your hands(by operators, resellers, rom modders, or just your boss)- its incredibly easy. From my personal experience, firmware developers usually dont remember to clean debug information from their IME app, and all your keys(and even touch input) is printed in the logger.
b)Actually this might just be a more secure solution. you get it from Google Market, so you know nobody touched it in the way. These apps are also made by people who's expertise is building IME and therefore they'll know better how to improve its security and performance.
If your device is rooted you have no chance protecting your privacy at all, apps which will use root permissions will be able to read your keys from the lowest level possible - like /dev/input/eventX kernel input device not event talk about reading the Android key dispatcher which is also easy.
External keyboard is not different from virtual keyboard, its keys can be intercepted via the active IME app.
If your security is important to you, use official firmware, dont root your device, and use a good proven IME app from the Market which have security considered.
Upvotes: 1
Reputation: 1007296
When we type using this keyboard on the EditText on Activity at top, is it guaranteed that no one else can intercept the key presses(Rooted/Non rooted phones and without Firmware change)?
Yes, if the OS is the one handling the keyboard.
Upvotes: 1
Related Questions
- Root detection Implementation can be bypassed using Magisk hide : Android App vulnerability
- Android root access
- Android - Protecting the privacy of users with a keyboard app
- Android Custom Keyboard Password Logging
- Root detection methodology in android which cannot be bypassed
- How to handle android keyboard actions
- Accessing event input nodes in Android withour rooting
- Secure application data
- Need root to execute shell command "input keyevent <#>" through an app at runtime?
- root access side effects