Why does the keyboard need "Full Access"?
An explanation of why you need to Allow Full Access and what Full Access really means
What is "Full Access"?
When Apple introduced app extensions (custom keyboards, Today Widgets, etc.) each extension type came with reduced functionality and reduced permissions compared to a regular app. Apple's documentation describes a keyboard's limitations by saying:
"By default, a keyboard has no network access and cannot share a container with its containing app. To enable these things, set the value of the RequestsOpenAccess Boolean key in the Info.plist file to YES. Doing this expands the keyboard’s sandbox"
The meaning of "expanded sandbox" and everything that Full Access enables is described here. The TL;DR version is that Full Access is required for a keyboard to do anything other than very basic text input.
So Why Does PGP Everywhere Need These Extra Permissions?
The ONLY reason the keyboard needs full access is to access the PGP keys stored in the main PGP Everywhere app. And to be clear, this only gives the keyboard access to data that is stored in the PGP Everywhere app. It does not give access to data that is stored in any other app - not even data from the app in which you are using the keyboard. Accessing these keys is, of course, a necessity for the keyboard to be able to encrypt/decrypt which is itself the core idea of PGP Everywhere. If it were possible to request this storage permission without any of the other permissions, we would greatly prefer to do that, but they are all bundled together.
Our philosophy is to give the user complete control over their data in the app. We strive to make it very clear when anything will be saved or transmitted. We also make all storage and transmission opt-in and off by default instead of opt-out. We do not store anything locally other than the PGP keys you save to the app, the passphrases you enter to use Face/Touch Id, and app settings. We do not make any network connections other than to interact with PGP keyservers and to (if the user allows it) send anonymized error/crash reports to help us fix bugs. All of these things are off by default and require you to take intentional action to enable them.
Why Should I Trust the PGP Everywhere Keyboard with "Full Access"?
This is the gist of the kind of question that we receive most often- people concerned about the alert Apple displays when you tap "Allow Full Access". The alert reads:
"Full access allows the developer of this keyboard to transmit anything you type, including things you have previously typed with this keyboard. This could include sensitive information such as your credit card number or street address."
The warning could be interpreted as a request for permission to transmit keystrokes in the same way that another app might request access to your camera, but that is not what's going on. In this case, Apple is being abundantly cautious by explicitly warning the user about the worst case privacy scenario of a malicious developer. We applaud that intent but think the wording here is a little misleading.
The wording of the warning implies that the developer immediately gets access to all your keystrokes past, present, and future, but that is not the case. What it really means is that the keyboard will have the potential to connect to the internet because that is one of the permissions included in "Full Access" (as described above). Our keyboard does not take advantage of that potential. Inherent with the ability to connect to the internet, in the worst case, is the possibility for a malicious developer to capture and transmit keystrokes, but it is not a guarantee and it is certainly not true of PGP Everywhere. The operative word in the warning is "allows". A more accurate reading of the warning would be "Full access potentially allows the developer...".
Think about it this way- even if you don't trust anything written on this page, you can at least read Apple's documentation and know that keystrokes are not automatically stored or sent when full access is enabled (if you don't trust Apple, then you have bigger problems). Knowing this, the amount of trust required to use the PGP Everywhere Keyboard is no greater than the amount of trust required by any other PGP app. You would give your clear text, private key, and passphrase to both this keyboard and any traditional app. The only difference is that Apple asks you explicitly if the keyboard may access local storage and the internet while a traditional app gets these permissions without asking. So, if you would feel comfortable using another PGP app on iOS or even feel comfortable using PGP Everywhere's main app, then you should be comfortable using the keyboard.
A More Human Note
On a more human and qualitative note, we have no interest in your data. The inspiration for creating this app was the increasing prevalence/awareness of surveillance and hacking in the past several years. The idea was that if PGP were easier to use (i.e. you don’t have to switch between apps to use it), then more people would use it more often. As people concerned about privacy, we wouldn't want to do anything to purposefully undermine the tool we created. We also wouldn't want to put ourselves in a position where we would be vulnerable to any kind of data leak or any kind of government request for data. The best way for us to avoid those situations is for us to not have any data at all. If you have any further questions or concerns, please feel free to contact us below.
Did this answer your question?