Google Keyboard w/ Network Permission Revoked

Eirikr70

DeletedUser370 But until an open source and (by default) non-data-collecting keyboard app that can compete with Gboard comes along, I will be happily using Google's app.

Although FUTO keyboard is not yet able to compete with GBoard (at least in French) it seems to be on the right path.

AlphaElwedritsch

DeletedUser370 I personally use Gboard because it has great swiping and word suggestion features for both English and Norwegian, and because I trust that it respects its privacy settings. That first point might sound silly to some people, but it greatly reduces the time I spend on writing with my phone, and for example allows me to type posts in this forum much faster than when I'm using other keyboard apps without this functionality.

100% correct

[deleted]

Eirikr70

The telemetry sent by the Gboard application does not go directly to Google. Instead, the data goes through a service known as the Clearcut Logger within Google Play Services (35). The logger collects the received data and forwards it to Google's back-end servers in batches

So revoking the keyboard's network permission for a silent keyboard if used with the recommended Play Store is meaningless because it exfiltrates user data through IPC by default. Absolutely revolting. App scopes can't come soon enough.

Upon inspection of the content of these batch requests, it was evident that the logs originate from many sources... Gboard itself sends data through multiple log sources, however, the one which has been analysed as part of this research is LATIN_IME

Opting out of this setting reduced the LATIN_IME logs only to contain a single log entry, which consisted of a
timestamp

Shame they couldn't analyse all the logs, not just the LATIN_IME, to determine what else is still exfiltrated after opting out.

vagr

DeletedUser370

DeletedUser370 I personally use Gboard because it has great swiping and word suggestion features for both English and Norwegian, and because I trust that it respects its privacy settings. That first point might sound silly to some people, but it greatly reduces the time I spend on writing with my phone, and for example allows me to type posts in this forum much faster than when I'm using other keyboard apps without this functionality.

It doesn't sound silly at all to me. On my first outing with the GrapheneOS, I crashed and burned with the extreme settings, profiles and the keyboard among many other things the GOS offers and I reluctantly switched back to generic OS I was using at the time. I now use Graphene with Gboard and it couldn't be better. Your rationale is totally fine and that is exactly why I stuck to using Gboard in GOS. Although I don't use multiple languages the fact I can quickly type and get it over with is a big plus. I am not used to using phones the size of Pixels and I had a tough time getting used to it only because there is a working keyboard I can use in this GOS with network permissions revoked. Time, Swiping and Word suggestion are key features important to my workflow and like you said I will use the current keyboard until a usable open-source contender comes along with these features.
On that note, I tried FUTO and it is a great project. Whenever I can I try to contribute to their keyboard data but at the moment the swipe function is very limited and off by a margin that makes it unusable for me. I like their in-built speech-to-text and it works great. I use the app from time to time for that function and that keyboard remains a good secondary.
I just wish the stock GOS keyboard had the swipe function, if nothing else. One can hope!

0j923jd023j

vagr

vagr On that note, I tried FUTO and it is a great project. Whenever I can I try to contribute to their keyboard data but at the moment the swipe function is very limited and off by a margin that makes it unusable for me

as someone who also uses swipe type a lot in my phone because i feel its faster, what keyboard are you using now if not gboard?

vagr

0j923jd023j I use Futo every now and then. If I have to access online banking which isn't often, and always when I'm outside using the stock browser I tend to use the stock GrapheneOS keyboard.

Swiping just makes, using a phone as large as a Pixel, easy.

Rbr76711

I have been looking for an alternative to the stock keyboard. I seem to have difficulty hitting the correct key. After seeing this discussion I am giving FUTO a try. For now, works better for me over stock.

Vomitorius

Rbr76711 why Fossify is not an option?
https://f-droid.org/packages/org.fossify.keyboard/

LGgos

That dissertation was very informative reading.

I've been using Heliboard with the swipe library added as I find gesture typing so much faster, but find that it just doubles my typing time as it rarely types out the correct word compared to gboard and I'm constantly having to delete the word and type it in manually.

This settles my mind that Gboard isn't leaking anything of concern to my threat profile (others may vary) as long as the telemetry is switched off. Ironically I was considering Swiftkey under the logic of "at least it's not Google" but the dissertation was enough to tell me that it's far worse and lacks opt out. For all of Google's faults, it seems that at least for the keyboard they do respect your privacy choices

No one can know for sure and things might have changed since 2022 but I personally feel that using gboard with telemetry disabled will be a reasonable enough tradeoff for more accurate gesture typing.

Eirikr70

LGgos You might even be willing to deny network privilege to GBoard.

BeepBeep

LGgos
I tried for months to work with Heliboard but had the same experience. Very frustrating. My phone is configured to have access to the Play Store, so I have Gboard installed without either network access or GSF running in my secondary profile that I use for daily driving, and I don't use Gboard in the (typically inactive) profile which does have GSF. However, my tablet is completely Google free, and I don't want to depart from that. I switched to Futo keyboard, and for me it's noticeably better than Heliboard. I recall there being some negative politics voiced around Futo, but I need something private that works until there are other options. You might try Futo before feeding Google your data. [Thanks in advance for not yelling at me about Futo.]

LGgos

Eirikr70

From what I understand that makes no difference since it communicates via Google Play Services using IPC anyway

Eirikr70

LGgos The point is that apart from Google, none knows what it communicates to Google Play. Does it communicate to the same extent with Google Play as it would with the Google servers when network is allowed ?...

LGgos

Eirikr70 The paper you linked to seemed pretty good at breaking that down?

My interpretation is that it does all its telemetry communication through Google Play Services so the data allow/block for the keyboard app itself is probably just for things like voice typing. They said there was no evidence that the words typed or character frequency were leaving the device, and that the data batches were nothing of interest once telemetry was turned off. Which is good enough for me if no one has observed any change in behaviour of it in the past 3 years, but indeed I'll have a try at Futo before resorting to Gboard.

WestQuester

I am using Google Keyboard as well because I spend way too much time correcting typos with all the others. Network disabled, privacy settings on.

However, I'm not sure if the concerns over communication through Google Play Services is warranted or not. Being sandboxed means something and I don't think it's accurate to suspect that IPC means that apps can just send whatever they want between each other, otherwise I would think that would be a fundamentally concerning security issue, never mind privacy.

But I don't know for sure. I would love to know more about IPC and what is/isn't possible on the sandboxed versions in GOS.

Eirikr70

WestQuester IPC is just a contract between two apps to exchange data. If the two apps have "subscribed" that contract, the sandbox can't prevent them.

de0u

WestQuester I'm not sure if the concerns over communication through Google Play Services is warranted or not. Being sandboxed means something and I don't think it's accurate to suspect that IPC means that apps can just send whatever they want between each other, otherwise I would think that would be a fundamentally concerning security issue, never mind privacy.

The Android app sandbox doesn't mean "apps can't share any data at all ever". Apps are allowed to share all sorts of data, and IPC is an important part of how Android works. When a message app invokes a camera app to take a picture, that is IPC in action. And apps that use Google Play services routinely invoke those services via IPC.

WestQuester

de0u I never said that's what sandboxed means. Conversely, IPC doesn't mean apps can share whatever data they want either. Lots of assertions being made in this thread without anything to back it up. I've read a good bit on IPC but nothing that definitively answers my questions.

de0u

WestQuester IPC doesn't mean apps can share whatever data they want either.

That's pretty much what it's for. Here is some information about apps using intents to communicate.

It is true that IPC usually doesn't cross profile boundaries, though I think it might when there is clipboard sharing.

And there has been some talk of GrapheneOS adding a feature to filter IPC within a single profile.

But it is absolutely part of the Android design that apps can communicate via IPC about whatever they want to communicate about.

WestQuester Lots of assertions being made in this thread without anything to back it up.

So far I think you have made assertions without citing sources and I have cited sources. Also @Eirikr70 cited a source (Eirikr70).

WestQuester

de0u You just want to argue and you keep changing the assertion. Here's something to read:
https://discuss.grapheneos.org/d/12924-any-other-ways-to-secure-the-use-of-the-pixel-camera-and-gboard-from-ipc/2

Specifically, the GrapheneOS account, responding to this exact situation (the concern over Gboard without network permissions still communicating via IPC) said:

"These apps are not malware and are not exfiltrating sensitive data via network access in the first place unless you opt-in to sending usage data, so it's not really clear what you're aiming to accomplish by coming up with extreme ways they could do it as if they're malware colluding with other malware to bypass the permission model."

de0u

WestQuester Here's something to read:
https://discuss.grapheneos.org/d/12924-any-other-ways-to-secure-the-use-of-the-pixel-camera-and-gboard-from-ipc/2

I have read that. Note that it says:

"An app you grant the Contacts permission could share it with another app in the same profile. An app you give data could share it with another app in the same profile" and
"Apps in separate users can't communicate via standard IPC mechanisms and profile data is separate" (emphasis added) and
"Interprocess communication can be done via any access you've granted to shared resources or any access they have to shared resources by default."

I think all of that is very much in support of the notion that apps can share whatever they want via IPC within a user profile.

WestQuester The GrapheneOS account, responding to this exact situation (the concern over Gboard without network permissions still communicating via IPC) said:

"These apps are not malware and are not exfiltrating sensitive data via network access in the first place unless you opt-in to sending usage data [...]"

I expect that is true. But, assuming it's true, it's true because the app is not written to exfiltrate data if the option is set correctly. It is not because "being sandboxed means something" (the Android app sandbox is not stopping the data transfer) and it is not because there is some sort of IPC filtering stopping Gboard from sending data to Play.

The difference is relevant any time an app is installed that hasn't been inspected the way Gboard has, because apps can send whatever they want via IPC.

DeletedUser495

WestQuester if I were you, I would in no way downplay power and severity of IPC which is very hard if not outright impossible to root out, heavily affecting basic functionality of many apps, hence the postponement of long awaited IPC scopes.

de0u

WestQuester Here is an example of a user who was surprised to find that an app was using IPC to fetch advertisements from Google Play: https://discuss.grapheneos.org/d/9943-app-displaying-ads-without-any-permissions

« Previous Page Next Page »