Apple to Patch Bug Granting Full Access to 3rd-Party Keyboards

Apple is readying a fix for a bug that could grant full access to third-party keyboards for its mobile devices, including iPhone and iPad.

The company posted an alert on its support page about an issue with iOS 13 and iPadOS that affects third-party keyboards users may have installed for the iPhone, iPad or iPod touch.

“Apple has discovered a bug in iOS 13 and iPadOS that can result in keyboard extensions being granted full access even if you haven’t approved this access,” the company wrote in the alert. “The issue will be fixed soon in an upcoming software update.”
Third-party keyboards have two modes in which they can run in iOS–entirely standalone, without access to external services, or with full access to provide additional features through network access, according to Apple.

The bug does not impact Apple’s built-in keyboards, nor does it impact third-party keyboards that don’t make use of full access, the company said.

While users wait for the patch, Apple advised users to check their third-party keyboard in Settings on their devices.

The bug is not the first found in the most recent release of iOS, the system that runs Apple’s ubiquitously popular mobile devices.

In July, Jose Rodriguez, an Apple enthusiast based in Spain, alerted users to an iPhone lock screen bypass in iOS 13—which at that point was in pre-release versions–that could enable an attacker to access victims’ address books. Data that could fall prey to unauthorized access included their contacts’ names, email addresses, phone numbers, mailing addresses and more, he said. Rodriguez also had previously discovered other security flaws in iPhones.

The discovery of vulnerabilities in the early days of the latest iOS release—which just came out on Thursday–have led some to criticize Apple for what appears to be inattention to security in the latest version of its mobile OS.

“So there’s a lock screen exploit in iOS 13, a keyboard access bug, and what else?” Tweeted Tom Warren, senior editor at U.K.-based science and culture website The Verge. “Apple focused on quality with iOS 12, and then totally dropped the ball with iOS 13.”

Users also are questioning Apple’s rather slow pace at fixing bugs in the new OS. Though Rodriguez told the company about the lock-screen bug in July, it wasn’t patched until last week. Similarly, Apple did not provide a timeframe for when the latest keyboard bug would be patched, referring only to an upcoming update.

“I mean, at least the screenshot bug I’ve had since before last year is finally fixed,” Tweeted freelance reporter Timothy J. Seppala in response to Warren’s Twitter comment about the bug fix. Warren sarcastically replied, “Progress.”

Interested in the role of artificial intelligence in cybersecurity, for both offense and defense? Don’t miss our freeThreatpost webinar, AI and Cybersecurity: Tools, Strategy and Advice, with senior editor Tara Seals and a panel of experts.Click here to register.