An update that Apple will soon release for iOS 13 and iPadOS should resolve an issue that leads to third-party keyboard apps getting elevated permissions without the user’s approval.
In an advisory released on September 24 — first spotted by TechCrunch — Apple informed customers that it’s working on an update that should fix the issue.
The company explained that third-party keyboard extensions can run completely standalone and not access any external services, or they can request “full access” permissions, which enables them to provide extra features by connecting to a remote server.
However, there is a bug that leads to keyboards being granted full access permissions even if the user has not approved it. iPhone, iPad and iPod touch devices are affected.
A malicious keyboard app could exploit this, for example, to monitor everything that a user types and send it back to a remote server without the victim knowing as they have not been asked to grant full access permissions to the app.
“This issue does not impact Apple’s built-in keyboards. It also doesn’t impact third-party keyboards that don’t make use of full access. The issue will be fixed soon in an upcoming software update,” Apple said.
The tech giant informed users that they can check their devices for potentially affected third-party keyboards by going to Settings -> General -> Keyboard -> Keyboards.
These types of bugs can pose a serious security risk, but in this case the risk of exploitation for malicious purposes is relatively low. Attackers would have to develop a malicious keyboard extension, get Apple to approve it, and then convince the targeted user to install and use it.
The issue was discovered just days after iOS 13 was officially released, giving potential attackers only a small window for exploitation before the problem is fixed by Apple. Furthermore, the latest version of the mobile operating system supports swipe typing, which is one of the main reasons many users opted for third-party keyboards.
Related: Many iOS Developers Don’t Use Encryption: Report
Related: Google Researchers Find Remotely Exploitable Vulnerabilities in iOS
Related: iOS Vulnerabilities Allowed Attackers to Remotely Hack iPhones for Years