Following the recent release of iOS 13 and iPadOS, Apple has issued a critical security advisory regarding an unpatched vulnerability affecting third-party keyboard applications. This warning is particularly relevant for users of iPhones and iPads, as it presents a significant risk to personal data security.
The issue arises from the way third-party keyboard extensions operate. Generally, these keyboards must be granted “full access” to use features that require internet connectivity. However, Apple’s advisory states that, because of this vulnerability, some third-party keyboards may gain “full access” rights without authorization, allowing them to capture keystrokes regardless of user permissions. This flaw does not impact Apple’s built-in keyboards or third-party keyboards that do not require full access capabilities.
This issue specifically affects users who have installed popular third-party keyboard apps like Gboard, Grammarly, and SwiftKey, which typically request full access for enhanced functionality. While these applications are generally designed with user privacy in mind, the current vulnerability raises concerns about the potential for data misuse in situations where users believe they have declined such permissions.
To assess whether any installed third-party keyboard apps on an affected device have improperly achieved full access, users can navigate to Settings, then General, followed by Keyboard, and finally Keyboards. Apple has assured customers that it is in the process of developing a fix that will be included in an upcoming software update.
In the context of cybersecurity frameworks, this incident could involve tactics outlined in the MITRE ATT&CK Matrix. Potential tactics at play may include initial access, where third-party apps seek to circumvent user denials, as well as persistence, representing the keyboard apps’ continued access after the user has attempted to revoke permission. Notably, the ability of an app to misuse permissions raises concerns about privilege escalation, as developers could bypass user security settings.
Until Apple implements a resolution, users are advised to consider uninstalling any third-party keyboards from their devices to mitigate the potential for data breaches. This precautionary measure is a temporary, albeit effective, way to protect sensitive information.
As this situation continues to evolve, it is crucial for business owners and tech-savvy professionals to stay informed about potential cybersecurity risks associated with third-party applications and to routinely assess the permissions granted to such software.