Your Keyboard App Sends Every Keystroke to a Server
Keyboard apps and utility apps collect more than you realize. What the permissions mean, which apps are the worst offenders, and what to use instead.
Key takeaways
- A 2024 Citizen Lab study found critical keystroke-exposure vulnerabilities in 8 of 9 major Chinese keyboard apps, potentially affecting up to 1 billion users.
- When iOS warns "developers are permitted to access, collect and transmit the data you type," that warning is literal. Full Access gives a keyboard unrestricted internet access, so it can transmit anything you type.
- SwiftKey sends your typed text to Microsoft's servers when Backup & Sync is on. Gboard uses federated learning, so your raw keystrokes stay local, but usage telemetry can still reach Google.
- Grammarly reads everything you write by design. That is the product. Whether you are comfortable with that depends on what you type.
- For Android, FlorisBoard and AnySoftKeyboard are open-source keyboards that request no internet permission. On iOS, the built-in keyboard cannot send anything without Full Access.
Key terms
Keystroke logging: Recording every key a user presses, including passwords, messages, and search queries. Keyboard apps are uniquely positioned to do this because they sit between your fingers and every app on your device.
Telemetry: Automated data sent from an app back to its developer. This can include usage statistics, error reports, or behavioral signals. Most apps collect some telemetry; the concern is when that telemetry includes what you type.
Local processing: Analysis performed entirely on your device rather than sent to a remote server. Gboard's federated learning is an example. Local processing means your raw text never leaves your phone.
Full Access (iOS): A permission level for third-party iOS keyboards that grants internet access. Without it, a keyboard is sandboxed with no network capability. Granting Full Access allows the developer to transmit anything typed through that keyboard.
End-to-end encryption: A method of encrypting data so only the sender and recipient can read it. Even if a keyboard app transmits keystrokes, strong end-to-end encryption would prevent a third party from reading them in transit.
Every third-party keyboard app on your phone can read everything you type. Passwords, messages, bank account numbers, search queries. Most send at least some of that data to remote servers. The permissions that enable this are buried in setup flows that most people tap through in seconds without reading.
What "full access" means on your keyboard
The phrase "full access" sounds like it means full features, but on iOS it means something specific: the keyboard app gets unrestricted internet access and can transmit everything you type. On Android, the same capability is granted silently at install time through the INTERNET permission, no popup required. Understanding what these permissions actually enable is how you make a real decision about which keyboard to trust on your phone.
On iOS, installing a third-party keyboard and tapping "Allow Full Access" triggers a warning from Apple. The warning reads: "If you enable Full Access, developers are permitted to access, collect and transmit the data you type, including things you have previously typed with this keyboard." That text is verbatim Apple documentation, unchanged since iOS 8. Without Full Access, a third-party keyboard on iOS cannot communicate with the internet at all. The moment you grant it, the app can send whatever you type to any server.
Android works differently, and in some ways the design is more permissive. The INTERNET permission on Android is a "normal" permission granted automatically at install time. No runtime popup appears. If a keyboard app lists the INTERNET permission in its manifest, it can make network requests from the moment you install it. You will not see a dialog asking whether that is okay. A 2015 Pew Research analysis found 83% of Android apps requested full network access. Most users have no idea this permission exists or what it enables.
The gap between iOS and Android matters here. On iOS, you can choose to install a keyboard without Full Access and guarantee it cannot phone home. On Android, if the keyboard app requests internet permission, it has it, and there is no practical way to restrict it without third-party tools.
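The manifest check described above can be scripted. The following is an added example, not code from any keyboard vendor or from the sources cited here. It assumes the app's AndroidManifest.xml has already been decoded to text XML (for example by apktool), and the package names are hypothetical:

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree prefix for android:* attributes

# Runtime-prompted permissions that typing itself does not require.
SENSITIVE = {
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
}


def audit_manifest(xml_text):
    """Report whether a decoded manifest declares a keyboard with network access."""
    root = ET.fromstring(xml_text)
    perms = {
        el.get(A + "name")
        for tag in ("uses-permission", "uses-permission-sdk-23")
        for el in root.iter(tag)
    }
    perms.discard(None)
    ime_services = []
    for svc in root.iter("service"):
        # A keyboard is a service guarded by BIND_INPUT_METHOD that handles
        # the android.view.InputMethod action.
        actions = {a.get(A + "name") for a in svc.iter("action")}
        if (svc.get(A + "permission") == "android.permission.BIND_INPUT_METHOD"
                and "android.view.InputMethod" in actions):
            ime_services.append(svc.get(A + "name"))
    has_internet = "android.permission.INTERNET" in perms
    return {
        "package": root.get("package"),
        "ime_services": ime_services,
        "internet": has_internet,
        "sensitive": sorted(perms & SENSITIVE),
        "keyboard_can_reach_network": bool(ime_services) and has_internet,
    }


def sample_manifest(package, permissions):
    """Build a constructed keyboard manifest (hypothetical app, not a real one)."""
    uses = "".join('<uses-permission android:name="%s"/>' % p for p in permissions)
    return (
        '<manifest xmlns:android="%s" package="%s">%s<application>'
        '<service android:name=".Ime"'
        ' android:permission="android.permission.BIND_INPUT_METHOD">'
        '<intent-filter><action android:name="android.view.InputMethod"/>'
        '</intent-filter></service></application></manifest>'
    ) % (ANDROID_NS, package, uses)


if __name__ == "__main__":
    cloud = sample_manifest("com.example.cloudkeys", [
        "android.permission.INTERNET", "android.permission.RECORD_AUDIO"])
    offline = sample_manifest("com.example.offlinekeys", [])
    for manifest in (cloud, offline):
        print(audit_manifest(manifest))
```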
What popular keyboard apps actually collect
SwiftKey (Microsoft)
SwiftKey's privacy approach centers on a feature called Backup & Sync. When you enable it, Microsoft's support documentation explains that "Language Modeling Data" is processed on their servers. That data is samples of what you type, used to power personalization and prediction across your devices. This is opt-in, and the SwiftKey support page notes that password fields are excluded.
Where it gets murkier is the "Help Microsoft improve SwiftKey" setting. If you have created a SwiftKey account and left this enabled, security researchers have noted that per the privacy policy, "small samples" of your typed text may be sent to Microsoft's servers. The exact volume and what qualifies as a "small sample" are not defined in the public documentation.
SwiftKey transmits this data over encrypted channels, and Microsoft states it is stored encrypted. Microsoft probably is not doing something malicious with this data. The real issue is that your typing samples sit on an external server, where they can be subpoenaed, breached, or used for purposes you did not agree to.
Gboard (Google)
Gboard handles this differently. Instead of sending your raw keystrokes to Google, Gboard trains a prediction model locally on your device and sends only the learned model weights back to Google's servers. Your actual text stays on your phone. That is a real technical distinction, not a marketing claim.
That said, Gboard is not data-free. Google's own Gboard Help page explains that if you opt into "Help improve Gboard," audio snippets from your voice input can be sent to and stored by Google for speech recognition training. Usage statistics, such as which emoji you use, can also be sent unless you disable that option. Telemetry still flows. It is less invasive than raw keystroke logging, but calling Gboard "private" requires ignoring what the rest of Google knows about you from search, Gmail, and Chrome running alongside it.
Grammarly keyboard
Grammarly's keyboard raises different questions because the data collection is baked into the product's purpose. Grammarly needs to read what you type to check it. That is what you downloaded it for.
Grammarly's support FAQ explicitly states it is not a keylogger and that it only processes text in fields where you have enabled it. The Grammarly Trust Center says the product does not fit the definition of a keylogger. It collects personal information like username and email, and the privacy policy covers what writing data is processed.
The honest framing: Grammarly's business model requires processing your writing on their servers. Their privacy policy and trust documentation describe what they do with that data. Whether you find that acceptable depends on whether you are comfortable writing confidential emails, legal documents, or personal messages through a third-party AI service's infrastructure.
The Citizen Lab research: 1 billion users exposed
In April 2024, the Citizen Lab at the University of Toronto published a report that put numbers on something the security community had suspected for years.
Researchers analyzed cloud-based pinyin keyboard apps (the input method used by roughly 76% of mainland Chinese keyboard users) from nine major vendors: Baidu, Honor, Huawei, iFlyTek, OPPO, Samsung, Tencent, Vivo, and Xiaomi. The finding: critical vulnerabilities existed in apps from 8 of the 9 vendors, allowing keystroke data transmitted to cloud servers to be exposed to network eavesdroppers. Most of these vulnerabilities could be exploited by a passive attacker, meaning someone on the same network as the user who only observes traffic without doing anything active.
This was the second report in a series. In August 2023, Citizen Lab had documented similar problems in Sogou, the keyboard used by roughly a third of Chinese smartphone users. Sogou had built its own encryption system called EncryptWall instead of using TLS, the standard protocol that has existed since 1999. Researchers broke EncryptWall.
Combined, the two reports estimated up to 1 billion users had been exposed. Citizen Lab noted that the Five Eyes intelligence alliance had previously exploited similar vulnerabilities in Chinese apps for surveillance purposes, and that these keyboard vulnerabilities could have been a vector for mass keystroke interception.
Most vendors patched the vulnerabilities after Citizen Lab's responsible disclosure. Some apps remained vulnerable at publication.
The structural issue is not unique to Chinese keyboards. Any cloud-based autocorrect or prediction service sends your keystrokes to a server somewhere. Whether that is a security problem depends entirely on how well the developer implemented the encryption. Sogou used homegrown crypto. It broke. That could happen anywhere.
It is not just keyboards: the utility app permission problem
Keyboard apps get the most attention when it comes to keystroke collection, but the pattern of utility apps requesting permissions that have nothing to do with their function is older and wider.
In December 2013, the FTC took action against the maker of Brightest Flashlight Free, one of the most downloaded Android apps at the time. The FTC's complaint stated that the app secretly collected GPS coordinates and device IDs and sold them to advertisers. The privacy policy falsely implied that data was only used to operate the app. A flashlight app. To turn on your LED.
Weather apps had their moment in 2018 and 2019. A Wall Street Journal investigation uncovered that the app "Weather Forecast, World Weather Accurate Radar" was collecting location data, email addresses, and IMEI numbers (the 15-digit unique hardware identifier assigned to every mobile device). Shortly after, the city of Los Angeles filed suit against The Weather Channel app, alleging that location data it had collected for weather purposes was being sold to advertisers.
Why does a weather app need your email or IMEI? It does not need them to show you weather. It needs them because the app is monetized through advertising SDKs that use this data to build profiles. The weather feature is a vehicle for data collection. The same dynamic applies to a wide range of free utility apps: calculators, QR scanners, file managers, and battery optimizers.
The permissions that enable this data collection are often bundled with legitimate functionality. An app that needs your location to show local weather also gets to keep that location logged continuously. An app that needs camera access for a QR scan often requests persistent camera access. The permission the user grants for a functional reason gets used for a commercial reason.
What to use instead
If you want a keyboard that does not phone home, the options are clear on Android and more limited on iOS.
On Android:
FlorisBoard is a free, open-source keyboard for Android 8.0 and up. It requests no internet permission. Its source code is publicly auditable on GitHub. It is still in active development, and some advanced features like full gesture typing are not yet complete, but for standard typing it works well. The keyboard is available on F-Droid.
AnySoftKeyboard is another open-source Android keyboard with multi-language support and themes. It does not require internet access for its core function and has been maintained for years. It is available on F-Droid and Google Play.
If you prefer to stick with a mainstream keyboard, Gboard with cloud sync and telemetry disabled is a middle ground. Go to Gboard settings, disable "Share Usage Statistics" and "Improve Voice and Typing," and do not sign into a Google account in Gboard. You lose some personalization features but retain the prediction quality of the on-device model.
On iOS:
The built-in iOS keyboard (the one Apple ships) cannot send data anywhere because it does not have Full Access. It never requests internet permission. It is not flashy, but it is private by design.
If you use a third-party keyboard on iOS, check whether it requires Full Access for its core functionality. Some keyboards work without it. If a keyboard requires Full Access for something you genuinely need (like cloud sync), read the privacy policy before granting it.
What to look for in any keyboard:
- Does the app request internet permission on Android or Full Access on iOS?
- Is the source code publicly available?
- Does the privacy policy explain specifically what typing data is sent, to whom, for how long, and whether it is sold?
- Is cloud sync optional or required?
If the answer to any of these questions is unclear or missing from the privacy policy, that is information.
How to audit your permissions right now
You do not need to reinstall anything to check what your current apps have access to.
On Android:
Go to Settings, then Privacy, then Permission Manager. This shows you every permission category (Location, Camera, Microphone, and others) and which apps have been granted each one. Tap any category to see the full list. You can revoke permissions directly from this screen. For keyboards specifically, look at whether your keyboard app appears under network-related categories or has access to contacts or location.
On iOS:
Go to Settings, then Privacy & Security. Review the main permission categories. For keyboards specifically, go to Settings, then General, then Keyboard, then Keyboards. Tap any third-party keyboard to see whether Full Access is enabled. You can toggle it off from this screen without uninstalling the keyboard.
The main things to look for:
- Does your keyboard have Full Access on iOS? If so, is there a specific reason you granted it?
- Does your flashlight, weather, or utility app have persistent location access? Downgrade it to "While Using" at minimum.
- Do any apps have microphone or camera access that you do not actively use?
Revoking permissions does not delete the app or your data. It just stops future collection. For utility apps where the permission was never necessary in the first place, revoking it has no functional downside.
FAQ
Does Gboard send my keystrokes to Google?
Gboard uses federated learning, which means your raw keystrokes are not sent to Google's servers. Instead, Gboard trains a local model on your device and sends only model weight updates, not the underlying text. However, Gboard can still send audio snippets to Google if you use voice input and consent to the "Help improve Gboard" option. Usage telemetry, such as emoji preferences, can also be sent unless you disable it in Gboard settings. Gboard is not keylogger-equivalent, but it is not data-free either.
Is Grammarly keyboard safe to use?
Grammarly keyboard reads your text because that is how the product works. Grammarly's support documentation explicitly states it is not a keylogger and only processes text in fields where you have enabled it. Whether it is "safe" depends on what you are writing. For general emails and work documents, most users accept the tradeoff. For legal correspondence, medical notes, or highly personal messages, routing that text through a third-party AI service's servers is a decision worth making consciously rather than by default.
What does "full access" mean for iPhone keyboards?
Full Access on iOS gives a third-party keyboard the ability to communicate with the internet. Without it, the keyboard operates in an isolated sandbox with no network access. Apple's own warning text states that with Full Access enabled, "developers are permitted to access, collect and transmit the data you type." That covers everything typed through that keyboard. The developer's privacy policy is the only thing governing what they do with it. Apple does not audit what keyboard developers actually collect.
How do I remove a keyboard app on Android?
Go to Settings, then General Management (or System on some devices), then Language and Input, then On-screen Keyboard. Tap the keyboard you want to remove and select Disable or Remove. If you installed it as a standalone app, you can also uninstall it from Settings, then Apps. Before removing it, make sure another keyboard is set as default so you are not left without input.
Are open-source keyboards actually private?
Open-source keyboards like FlorisBoard and AnySoftKeyboard are more verifiably private than closed-source alternatives because the code is publicly auditable. Anyone can inspect what network requests the app makes, what permissions it requests, and what data it stores. FlorisBoard requests no internet permission, which means it cannot transmit your keystrokes regardless of what the code says. That is a structural guarantee that no privacy policy can provide. The limitation is that open-source keyboards are typically maintained by small teams and may lack some features of commercial keyboards.
Evidence & Methodology
Research for this article drew on the following primary sources:
- Citizen Lab, "The Not-So-Silent Type: Vulnerabilities Across Keyboard Apps Reveal Keystrokes to Network Eavesdroppers" (April 2024): https://citizenlab.ca/research/vulnerabilities-across-keyboard-apps-reveal-keystrokes-to-network-eavesdroppers/
- Citizen Lab, Sogou keyboard vulnerabilities (2023), as reported in MIT Technology Review: https://www.technologyreview.com/2023/08/21/1078207/sogou-keyboard-app-security-loophole/
- Microsoft SwiftKey support documentation: https://support.microsoft.com/en-us/topic/microsoft-swiftkey-keyboard-privacy-questions-and-your-data-07e13677-6b38-4ad0-bad0-d41207cab6de
- Google Gboard Help, "Learn how Gboard gets better": https://support.google.com/gboard/answer/12373137
- arXiv, "Federated Learning of Gboard Language Models with Differential Privacy" (2023): https://arxiv.org/abs/2305.18465
- Grammarly, "Is Grammarly a keylogger?": https://support.grammarly.com/hc/en-us/articles/360003816032-Is-Grammarly-a-keylogger
- FTC enforcement action / Washington Post coverage of Brightest Flashlight Free (2013): https://www.washingtonpost.com/business/technology/flashlight-app-kept-users-in-the-dark-about-sharing-location-data-ftc/2013/12/05/1be26fa6-5dc7-11e3-be07-006c776266ed_story.html
- Gizmodo, Weather Channel lawsuit and Weather Forecast app coverage (2019): https://gizmodo.com/lawsuit-accuses-weather-channel-app-of-misleading-users-1831506990
- Android Developers, network permissions documentation: https://developer.android.com/develop/connectivity/network-ops/connecting
- FlorisBoard GitHub: https://github.com/florisboard/florisboard
Changelog
| Date | Change |
|---|---|
| 2026-03-24 | Initial draft |