Allowance of Third Party Keyboards in Android
Android devices allow us to use third-party keyboards as the default keyboard. But are you aware that this might pose a security risk to your application? Recently I received security test feedback indicating that my Android app allows the built-in keyboard app to be replaced with alternative third-party keyboards.
These third-party keyboards can access all the data the user types, including usernames, passwords, bank account numbers, credit card details, and other personal and sensitive information. There is a chance that they capture, leak, or misuse the data they process.
But whether to use the built-in keyboard or a third-party keyboard is the user's choice. We should not block users from using their preferred input method. According to my research, Android does not provide a way to change the default input method behind the user's back. So let's talk about our options here.
- Build an in-app keyboard.
- Warn the user during app launch if they are using a third-party keyboard.
Obviously, the 2nd option is the easiest and quickest solution. Here is how I handled it. Only when launching the application, I check whether the user should be alerted about using a third-party keyboard.
- NOTIFY_USER_ON_CUSTOM_KEYBOARD is used to store a true/false value in shared preferences, based on whether the app has already warned the user or not.
- If the user has not been notified already, use getSystemService(Context.INPUT_METHOD_SERVICE) to get an InputMethodManager reference.
- Get the list of input methods installed on the device.
- Get the user's default input method using Settings.Secure.getString(context.contentResolver, Settings.Secure.DEFAULT_INPUT_METHOD).
- Check whether the user's default input method is installed in the device's system image.
- If yes, the user is using a built-in keyboard, so no alert is needed. If no, alert the user about using a third-party keyboard.
Alerting users each time they launch the app can be irritating and not very user friendly. That is why NOTIFY_USER_ON_CUSTOM_KEYBOARD is stored in shared preferences: if the app has already alerted the user, there is no need to alert them again about the third-party keyboard on subsequent app launches.
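The launch-time check described in the steps above, written in Kotlin as an added example; it is not the author's original code. The function names, the preferences file name, the dialog text and the reading of NOTIFY_USER_ON_CUSTOM_KEYBOARD as "true once the user has been warned" are assumptions.

```kotlin
import android.app.Activity
import android.app.AlertDialog
import android.content.Context
import android.content.pm.ApplicationInfo
import android.provider.Settings
import android.view.inputmethod.InputMethodManager

// Key name taken from the article. Assumptions of this example: the value is
// true once the user has been warned, and the preferences file name below.
private const val NOTIFY_USER_ON_CUSTOM_KEYBOARD = "NOTIFY_USER_ON_CUSTOM_KEYBOARD"
private const val PREFS_FILE = "keyboard_warning_prefs"

/** True when the default input method belongs to an app on the system image. */
fun isDefaultKeyboardFromSystemImage(context: Context): Boolean {
    val defaultId = Settings.Secure.getString(
        context.contentResolver, Settings.Secure.DEFAULT_INPUT_METHOD
    ) ?: return false // no default reported: treated as not built-in (assumption)
    val imm = context.getSystemService(Context.INPUT_METHOD_SERVICE) as InputMethodManager
    val defaultIme = imm.inputMethodList.firstOrNull { it.id == defaultId }
        ?: return false // not in the installed list: treated as third party (assumption)
    val flags = defaultIme.serviceInfo.applicationInfo.flags
    // FLAG_SYSTEM is set for apps that ship in the device's system image.
    return (flags and ApplicationInfo.FLAG_SYSTEM) != 0
}

/** Call once at app launch, e.g. from the launcher activity's onCreate(). */
fun warnOnceAboutThirdPartyKeyboard(activity: Activity) {
    val prefs = activity.getSharedPreferences(PREFS_FILE, Context.MODE_PRIVATE)
    if (prefs.getBoolean(NOTIFY_USER_ON_CUSTOM_KEYBOARD, false)) return // already warned
    if (isDefaultKeyboardFromSystemImage(activity)) return             // built-in keyboard
    AlertDialog.Builder(activity)
        .setTitle("Third-party keyboard in use")
        .setMessage("Your default keyboard is not the device's built-in one. " +
            "Keyboard apps can see everything you type, including passwords.")
        .setPositiveButton(android.R.string.ok, null)
        .show()
    // Record that the warning was shown so later launches stay silent.
    prefs.edit().putBoolean(NOTIFY_USER_ON_CUSTOM_KEYBOARD, true).apply()
}
```

A system keyboard that has since been updated from an app store still carries FLAG_SYSTEM, so it is not reported as third party by this check.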
Sources: https://stackoverflow.com/questions/8165618/how-to-check-if-the-native-hardware-keyboard-is-used/12557231#12557231