Secure in-app keyboard

A secure in-app keyboard for Android apps is a specialized keyboard designed to enhance security and privacy when users input sensitive information within a mobile application. Unlike standard keyboards, which might be susceptible to various forms of interception, a secure keyboard app is specifically engineered to mitigate these risks. By using a secure keyboard for Android, developers can prevent unauthorized access, reducing the risk of data breaches or theft. Many in-app secure keyboards also feature encryption and do not store user input, adding another layer of protection.

Keypress leaks

Left: Unprotected view. Right: Protected view leaking information through the keyboard.

In Android ≤11 the standard keyboard may leak information about keypresses.

The solution would be to use a dedicated keyboard for the application, and setting FLAG_SECURE on the keyboard. As a result, every time the user is typing, the keyboard would appear, and the screen would become black. However, this might not be convenient to happen everywhere in terms of UX.

A better solution could be to apply FLAG_SECURE only on specific edit text views. This can be done by filtering by a particular field ID, which can be obtained from the symbol list. For example:

Malicious keyboards

Malicious keyboards can replace the user's default keyboard entirely, leading to continuous keylogging. A dedicated secure in-app keyboard helps mitigate the risk. A secure keyboard on Android gives you greater control over your data and reduced exposure to third-party tracking. Integrating a secure keyboard for Android within financial or personal messaging apps, for example, can significantly enhance privacy and security.