Is it dangerous to use a third-party keyboard?

rty51940

Last month, Fcitx5 for Android was released. This is a complete game-changer for CJK users like me because it is the first fully functional FOSS keyboard that is capable of providing all three languages and its various input methods.

When I downloaded the keyboard and changed the On-screen keyboard from the GrapheneOS Keyboard to it, I got a warning that read This input method may be able to collect all the text you type, including personal data like passwords and credit card numbers. It comes from the app Fcitx5 for Android. Use this input method?. Does swapping my keyboard significantly increase my attack surface and jeopardize my security? Can I safely disregard the message since the keyboard is FOSS and does not require any permissions?

de0u

rty51940 This is a complete game-changer for CJK users like me because it is the first fully functional FOSS keyboard that is capable of providing all three languages and its various input methods.

Great news! I expect a lot of people will be happy.

rty51940 When I downloaded the keyboard and changed the On-screen keyboard from the GrapheneOS Keyboard to it, I got a warning that read This input method may be able to collect all the text you type, including personal data like passwords and credit card numbers.

Indeed.

rty51940 Does swapping my keyboard significantly increase my attack surface and jeopardize my security? Can I safely disregard the message since the keyboard is FOSS and does not require any permissions?

There is no rule that "FOSS code is inherently beneficent and safe", especially not for a young project. What matters is how many trained suspicious eyes have reviewed the code, which can happen for either FOSS or closed-source code.
It may well be that if you install this and don't give it network permission that it can't exfiltrate things you type (note that AOSP, from whence the message likely derives, doesn't have a network permission). However, that would depend on the code never having network permission after you type at it, i.e., temporarily enabling network permissions so it can download/update something would also let it exfiltrate things you had typed previously.
Keyboard apps might have other issues, since they offer be attack surface to somebody who has physical access to the device when the device is locked. That is, if there are sufficiently-bad bugs in a keyboard, they might leak information to somebody who knows that specific gestures might cause misbehavior.

The risk of using this particular keyboard app may be low (and you may have a generally low threat level). But the message is legitimately warning you of the plausible existence of genuine issues.

Murcielago

rty51940

Changing your keyboard significantly increases your attack surface, as the warning you quoted shows: "This input method may be able to collect all the text you type, including personal data like passwords and credit card numbers."

A good general overview of how virtual keyboards work, the associated risks and some tests (e.g. GBoard, OpenBoard, FlorisBoard - unfortunately Fcitx5 is not tested) can be found in this video by Naomi Brockwell.

Otherwise, de0u 0u has already summarized it well: FOSS is not automatically good nor secure and it's extremely helpful to not give the app network permissions after you start typing.

User2288

rty51940 Does swapping my keyboard significantly increase my attack surface and jeopardize my security? Can I safely disregard the message since the keyboard is FOSS and does not require any permissions?

Its ok to install keyboards. We all do it. That warning message is just a general warning msg.

Just be careful which keyboard you install. The risk of intentional or unintentional exploit is a reality. But such risk exists with all apps really.

N1b

23Sha-ger This is not absolutely true, apps can still send data through other installed apps with internet access if there is mutual consent between them. A good example is GBoard which might (or might not) send your keyboard inputs to Google through GMail, Google Maps or Play Services if any of these are installed. There is not much you can do against this mutual consent (you can use dedicated user profiles, but I assume the OP wants to use his keyboard app on all of them ).

rty51940 Regarding Fcitx5, there's no red flag except what has been said (young project, not many eyes on the code). There is no network permission demanded, no bad press, open source code and no trackers according to exodus (which doesn't mean there are no trackers, just not the obvious ones).

As always it depends on your threat model and use cases. If you benefit a lot from this app, I see no obvious reasons for you not to use it for now.

23Sha-ger

If the keyboard app doesn't require a network permission, it's pretty safe.
Since then it has no way to upload the data it collected, if any. This is true for all apps
in general, not just keyboards. I assume most keyboards do collect some data, at least
for typing suggestions and auto-correct, but they store this locally on the device.