Ask HN: Would you trust encryption at the mobile keyboard layer?
7 comments
No. Every keypress is mirrored to my provider and to Google over ipsec and HTTPS tunnels. Fondle-slabs are not for secure transactions. Even turning off all forms of spell checking does not disable this behavior, just reduces it slightly. Most security controls and encryption on cell phones are placebos that can be bypassed with JTAG debugging. To see this dampen the LTE signal forcing everything onto wifi ipsec tunnels. Get on your router. Once seen it can not be unseen.
your problem statement is very vague; keyboard is part of physical security and there is zero expectation of anything being private from keyboard to the messenger app input channel; one way to prune this clear channel and to achieve some level of privacy is to expose a virtual keyboard ui that controlled by the app, and user provides input via mouse clicks.
That makes sense for transport and server-side privacy, but every mobile message exists somewhere before it reaches the messenger. On Android that place is often the keyboard/input layer.
Questions:
- Would you ever trust a keyboard for encryption-related workflows? - What would such a keyboard need to prove before you considered it safe? - Is privacy at the input layer useful, or does it create too much trust friction? - Is local-only/no-network enough, or would you need open source/audit?
No product link. I am trying to understand the threat model and UX objections.