#AnySoftKeyboard, installed from #FDroid, asks for access to Contacts. Was it compromised? (EDIT: Unlikely)

I don’t remember it asking me for Contacts before (but @lnxw37a2 does). [EDIT: I was] worried it may have been subject to a supply chain attack, and to be on the safe side, I uninstalled it.

It seems to be a mostly unmaintained app that I never use, but hadn’t uninstalled. This is the first new version since 2025/07/25, and before that, 2022/01/14 (the first version shipped by @fdroid).

  • Axolotl@feddit.it
    3 days ago

    Seems to be because of this feature

    The app also can’t connect to internet so it’s safe

  • plm00@lemmy.ml
    3 days ago

    It’s not my preferred keyboard, so I haven’t used it in a while. But as I remember, it was abandoned for a little while, and then there was a beta branch that was in development for some time. It’s had somewhat regular development, so maybe this is its first official release in a while. While it is off-putting that it asks for contact access right away, I suspect that is so that contact names can be included in your word suggestions. It’s a fairly common keyboard feature.

  • Strypey@mastodon.nzoss.nzOP
    3 days ago

    Seems I was going off half-cocked, out of an overabundance of caution. #MeaCulpa. I thought it would be worse if I ignored my strypey-senses tingling and said nothing, then it turned out it was compromised.

    We need to be cautious in this age of copious vibe coding;

    https://forum.f-droid.org/t/f-droid-policy-on-libre-ai/

    I do think @fdroid crew need to do due diligence when apps appear to be abandoned, then revived. They probably do, but any links to policies and processes on this would be a great way to put my mind at rest.

  • Hildegarde
    3 days ago

    I checked every version on F-Droid and they all have the contacts permission. It's a common request on software keyboards, because it lets it add the names of those in your contact list to the autocorrect dictionary. It's nice to avoid your keyboard wrongly correcting names.

    It doesn’t have the network permission, so it's not able to transmit any data it has. I don’t think this is an attack.

    The app has a link to their privacy policy which explains what permissions it asks for, why, and affirms the app cannot transmit the data off the device. Last updated in 2017, and still matching the permissions of the current version. This isn’t an attack.
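
The check described in the comment above (comparing the permissions declared by every published version, and confirming contacts access is never paired with network access), as an added example that is not part of the thread or of F-Droid's own tooling. The record layout is an assumption modelled on F-Droid's index-v1 JSON (`versionCode`, `uses-permission` as `[name, maxSdk]` pairs); the version codes and permission sets are constructed sample data, not AnySoftKeyboard's real release history.

```python
CONTACTS = "android.permission.READ_CONTACTS"
INTERNET = "android.permission.INTERNET"
VIBRATE = "android.permission.VIBRATE"

# Constructed sample: one package's releases, newest first.
SAMPLE_VERSIONS = [
    {"versionCode": 300, "uses-permission": [[CONTACTS, None], [VIBRATE, None]]},
    {"versionCode": 200, "uses-permission": [[CONTACTS, None], [VIBRATE, None]]},
    {"versionCode": 100, "uses-permission": [[CONTACTS, None]]},
]


def permissions(version):
    """Return the set of permission names one release declares."""
    perms = set()
    for key in ("uses-permission", "uses-permission-sdk-23"):
        for entry in version.get(key) or []:
            perms.add(entry[0])  # entry is [name, maxSdkVersion]
    return perms


def permission_history(versions):
    """Return [(versionCode, added, removed)] per release, oldest first."""
    history, previous = [], None
    for release in sorted(versions, key=lambda r: r["versionCode"]):
        current = permissions(release)
        if previous is None:
            added, removed = set(), set()  # baseline release: nothing to diff
        else:
            added, removed = current - previous, previous - current
        history.append((release["versionCode"], added, removed))
        previous = current
    return history


def can_read_and_send_contacts(version):
    """True if a release declares both contacts and network access."""
    perms = permissions(version)
    return CONTACTS in perms and INTERNET in perms


if __name__ == "__main__":
    for code, added, removed in permission_history(SAMPLE_VERSIONS):
        print(code, "added:", sorted(added), "removed:", sorted(removed))
    risky = [r["versionCode"] for r in SAMPLE_VERSIONS
             if can_read_and_send_contacts(r)]
    print("releases with contacts + network:", risky)
```

A release that newly appears in the `added` column with a sensitive permission, or in the `risky` list, is the one worth reading the changelog and source diff for.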

  • snek_boi@lemmy.ml
    3 days ago

    It sounds really concerning.

    So that your title is read easily, you may consider editing it. To me it appears truncated.

    Maybe something like

    AnySoftKeyboard, installed through FDroid, asked for access to my contacts. Could the app be compromised?

    or something like that could work?

    • Strypey@mastodon.nzoss.nzOP
      3 days ago

      @snek_boi
      > [post title] appears truncated.

      I need to remember when posting from Mastodon that the first Y characters of my post are used by @LemmyDev communities as the post title : P Truth is, many people won’t even know they are also posting to the threadiverse.

      I get that this title automation is better than no title. But are post titles editable by community mods, so they can remove truncated text and clarify as needed? If not, that might be a good feature.

    • Strypey@mastodon.nzoss.nzOP
      3 days ago

      @snek_boi
      > So that your title is read easily, you may consider editing it

      Thanks for pulling me up on that, done. Also noted Linux Walt’s clarification, based on the version on his device. Hopefully you can see my reply to him.

    • Strypey@mastodon.nzoss.nzOP
      3 days ago

      @artyom
      > Cool, I just installed a new version of CoMaps!

      This strikes me as a chatbot style reply, chatty and positive, but completely out of context. Your profile doesn’t flag you as a bot, which is the convention in the fediverse.

      If you are a bot, your operator needs to state that clearly in your profile, or will fall foul of @rimu. Who takes a dim view of such things, and rightly so.

      If you are a human, context is king! Love your enthusiasm, but might have been better as its own post ; )

      • Strypey@mastodon.nzoss.nzOP
        3 days ago

        BTW @rimu, my apologies again for unloading on you with both barrels last night. I stand by my objection to the way Stanton was being dogpiled, but in hindsight I was just as merciless to you as I saw people being to him. Which was not only hypocritical, but *not* good de-escalation on my part, quite the opposite.

        I’ve got some intense stuff going on of late, and struggling with sleep dep. But that’s my problem and my responsibility, not yours, or anyone else’s. I hope you can accept my apology