Grammarly iOS Keyboard - Unboxing
Grammarly is a lovely writing assistant. Twenty million people use the tool across the globe according to the statistics available on the site. I use it too. No complaints, it does its job quite well, and I am a happy user. The only thing that always worried me is the Grammarly iOS Keyboard. As an iOS engineer, I know how easily you can collect different data, sensitive information, and even do not ask users about the consent. So, let’s check what is inside the Grammarly iOS application.
- Grammarly iOS uses at least three trackers (Adjust, AppsFlyer, Internal analytics)
- Grammarly Keyboard has access to keystrokes, sensitive data, and able to send them over the network
Grammarly.ipa file it is clear that they are using Facebook SDKs:
Yes, they are using Facebook as a Sign In/Sign Up provider, and Facebook explicitly said that this is the only way to authorise users. From the Facebook Platform Policy:
Section 8. Login
Point 2. Native iOS and Android apps that implement Facebook Login must use our official SDKs for login.
The only concern here is the way how Facebook treats users and applications that use their SDKs. During 2020, Facebook already damaged a lot of application twice. Check The big Facebook crash of 2020 and the problem of third-party SDK creep by Guilherme Rambo.
This framework also ships with the application, and it seems that this is the engine the Grammarly uses for spell and grammar checks. Some exported functions from the framework, just as an example:
No surprises here. There are at least three trackers within the application:
- Adjust - Maximize the impact of your mobile marketing!
- AppsFlyer - Attribute every app install to a marketing campaign and media source!
- Internal tracker located by the https://f-log-mobile-ios.grammarly.io address
Also, worth to mention that NSAllowsArbitraryLoads is disabled for the application. This is good, at least there is no way to send the data to additional third-party services, etc. According to the documentation:
A Boolean value indicating whether App Transport Security restrictions are disabled for all network connections. Disabling ATS means that unsecured HTTP connections are allowed.
Grammarly Custom Keyboard
There is a helpful guide from Apple about custom keyboards - Designing for User Trust:
For keyboards, the following three areas are especially important for establishing and maintaining user trust:
- Safety of keystroke data. Users want their keystrokes to go to the document or text field they’re typing into, and not to be archived on a server or used for purposes that are not obvious to them.
- Appropriate and minimized use of other user data. If your keyboard employs other user data, such as from Location Services or the Address Book database, the burden is on you to explain and demonstrate the benefit to your users.
- Accuracy. Accuracy in converting input events to text is not a privacy issue per se but it impacts trust: With every word typed, users see the accuracy of your code.
To design for trust, first consider whether to request open access. Although open access makes many things possible for a custom keyboard, it also increases your responsibilities.
And the Grammarly iOS Keyboard uses the Open Access by default. To demonstrate the difference, this is a table with significant capabilities and restrictions for both modes:
|Open access off (default)||Open access on|
|No shared container with containing app||Keyboard can access Location Services and Address Book, with user permission|
|No access to file system apart from keyboard’s own container||Keyboard and containing app can employ a shared container|
|No ability to participate directly or indirectly in iCloud, Game Center, or In-App Purchase||Keyboard can send keystrokes and other input events for server-side processing|
So, the Grammarly iOS application has access to a lot of things. And what is more important, is able to send keystrokes to the server.
To illustrate the situation with trackers and the Open Access, let’s check which requests are initiated when the Grammarly iOS Keyboard is enabled on your iOS device.
When you open the Spotlight and Grammarly is the default keyboard, you see the following sequence of requests:
All the requests made with the
GRKeyboardExtension/220.127.116.11 CFNetwork/1185.2 Darwin/20.0.0 user-agent. Also, all the end-points use Certificate Pinning, so, there is no easy way to check the body of the requests. But it is not the point for the article.
To illustrate the point, I recorded a video with network activity. Main takeaways are:
- Connections to https://gnar.grammarly.com and https://f-log-mobile-ios.grammarly.com are active all the way when you use the keyboard
- It seems that all the actions (when you select a word to fix) are sent to Adjust
And yes, the sequence is the same for Safari when you fill in credentials, etc. But do not worry, Apple does not allow to use custom keyboards to fill in passwords. Though, for usernames, phones, emails, etc. Grammarly sends the requests above.
- We do not and will not sell your information. We don’t help companies advertise their products to you.
- We use a small number of trusted third parties to help provide our products.
But on the other hand, there is a Does Grammarly share my Information? section that states:
We only disclose Personal Data to third parties when we have your explicit consent to share your Personal Data.
Standard words, usual phrases. I am not a specialist in this field, but I did not find an option to opt-out in the mobile application.
To be clear, I do not think that Grammarly steals your passwords, selling the data, trying to spy on sensitive information intentionally. I am a user of their services for two years and will continue to use it. With one exception - no more Grammarly iOS Keyboard application on my iOS devices. This is too much.
Software I used
- nm tool - lists the symbols from object files
- otool - displays specified parts of object files or libraries
- ProxyMan - Modern and Delightful Web Debugging Proxy
Checked by Grammarly