I’ve never had a desire to change the stock keyboard on iOS. When the announcement was made at WWDC 2014, I thought that it was an interesting feature, but not one I would ever want to use. That changed when I saw the teaser page for PopKey, a keyboard that allowed you to paste animated GIFs straight into your conversations. That made me think about keyboards in a different way and how developers might create interesting keyboards that aren’t just improved ways of typing.
As it turns out, PopKey isn’t very good. It doesn’t have search, watermarks the images, requires you to create an account and give over your phone number, and it was beaten by Riffsy which is actually better.
Anyway, the problem I’ve seen over and over again is that these keyboards require “Full Access”. This is a feature that basically enables the keyboard to talk to its host app and to the internet. The reason you might want this for a keyboard is that it might do auto-correct (iOS 8 keyboards do not have access to the Apple auto-correct algorithms) and therefore does some processing in an app or in the cloud. With Riffsy and PopKey, this is obviously required in order that it can download the GIFs from the internet. The real issue isn’t that it requires this access, but that Apple puts up this message when you enable it:
“This could include sensitive information such as your credit card number or street address” - could they make that sound any scarier?
I’ve seen numerous people tweeting at PopKey asking them why it requires this access and how they won’t use the app until that requirement is turned off (which obviously won’t work - it needs internet access). I engaged a few in conversation and, even after I explained how it worked, the message I got back was “I don’t trust it”. I’ve even chatted to a few iOS developers who refuse to install a GIF keyboard because of that warning!
The basic problem is that the alert message you see is almost too scary and doesn’t give enough information. It was obviously written for what Apple expected; text keyboards. I’m not sure of a complete solution but as a start it needs to make it clearer that only things you type in that keyboard can be (potentially) seen by the developer. You don’t type anything in a GIF keyboard so the developers, if they are logging everything, can only see what stupid images you are sending. In addition, 3rd party apps can block custom keyboards from showing on sensitive screens (i.e. when entering your master password in 1Password or entering your pin in a banking app) and password fields automatically disable 3rd party apps (try it in Safari to see).
It is developers that will suffer for this. End users are already up in arms about privacy and demanding keyboards not use this feature whilst clients don’t necessarily understand what is going on and just see the negative feedback. I’ve been approached by a number of prospective clients to build these keyboards and so far I’ve put them off by showing them the ‘Full Keyboard Access’ search on Twitter.
It seems to me to that Apple are treating the keyboard as a power feature and expect people to understand how it works under the hood. Seeing as some security savvy developers are cautious about installing these things, I think Apple has a lot of improvements to make in the way keyboards are installed, especially if it is to avoid negative fallout from end users who think that developers can steal your credit card number with an emoji keyboard. It’s good to be cautious about these things, but at the moment people are completely paranoid due to the installation process.