I need to give the keyboard "Full Access"!? What's up with that?

What is "Full Access"?

When Apple introduced app extensions (custom keyboards, Today Widgets, etc.), each extension type came with reduced functionality and reduced permissions compared to a regular app. Apple's documentation describes a keyboard's limitations by saying:

"By default, a keyboard has no network access and cannot share a container with its containing app. To enable these things, set the value of the RequestsOpenAccess Boolean key in the Info.plist file to YES. Doing this expands the keyboard’s sandbox"
The meaning of "expanded sandbox" and everything that Full Access enables is described here. The TL;DR version is that Full Access is required for a keyboard to do anything other than very basic text input.
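One way to see which keyboard extensions in an app package set this key, as an added example that is not code from Apple or PGP Everywhere. The NSExtension / NSExtensionAttributes nesting and the com.apple.keyboard-service identifier come from Apple's extension Info.plist format rather than from this page, and the sample IPA and bundle ids are constructed.

```python
import io
import plistlib
import zipfile

KEYBOARD_POINT = "com.apple.keyboard-service"  # extension point id for custom keyboards

def audit_extension(info: dict) -> dict:
    """Summarise what one extension's Info.plist asks for."""
    ext = info.get("NSExtension", {})
    attrs = ext.get("NSExtensionAttributes", {})
    is_keyboard = ext.get("NSExtensionPointIdentifier") == KEYBOARD_POINT
    # An absent key means the default: no open access requested.
    open_access = is_keyboard and attrs.get("RequestsOpenAccess") is True
    return {
        "bundle_id": info.get("CFBundleIdentifier", "<unknown>"),
        "is_keyboard": is_keyboard,
        "requests_open_access": open_access,
        # Per the Apple text quoted above, both follow from the key,
        # and only once the user has enabled Full Access.
        "network_if_granted": open_access,
        "shared_container_if_granted": open_access,
    }

def audit_ipa(ipa_bytes: bytes) -> list:
    """Audit every .appex Info.plist inside an IPA (a zip archive)."""
    results = []
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as ipa:
        for name in sorted(ipa.namelist()):
            if name.endswith(".appex/Info.plist"):
                # plistlib.loads accepts both XML and binary plists.
                results.append(audit_extension(plistlib.loads(ipa.read(name))))
    return results

def build_sample_ipa() -> bytes:
    """Constructed sample: one keyboard with the key set, one without."""
    def plist(bundle_id, attrs):
        return plistlib.dumps({
            "CFBundleIdentifier": bundle_id,
            "NSExtension": {"NSExtensionPointIdentifier": KEYBOARD_POINT,
                            "NSExtensionAttributes": attrs},
        })
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Demo.app/PlugIns/Open.appex/Info.plist",
                   plist("com.example.demo.open", {"RequestsOpenAccess": True}))
        z.writestr("Payload/Demo.app/PlugIns/Plain.appex/Info.plist",
                   plist("com.example.demo.plain", {"IsASCIICapable": True}))
    return buf.getvalue()

if __name__ == "__main__":
    for row in audit_ipa(build_sample_ipa()):
        print(row)
```

The result only shows what an extension requests in its manifest; it says nothing about what the keyboard's code does with the access once granted.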

So why does PGP Everywhere need these extra permissions?

The ONLY reason the keyboard needs Full Access is to access the PGP keys stored in the main PGP Everywhere app. And to be clear, this only gives the keyboard access to data that is stored in the PGP Everywhere app. It does not give access to data that is stored in any other app, not even data from the app in which you are using the keyboard. Accessing these keys is, of course, a necessity for the keyboard to be able to encrypt/decrypt, which is itself the core idea of PGP Everywhere. If it were possible to request this storage permission without any of the other permissions, we would greatly prefer to do that, but they are all bundled together.

We do not use any of the other capabilities associated with Full Access. We do not store anything locally other than the PGP keys you save to the app and the passphrases you enter to use Touch ID. We do not make any network connections at all from the keyboard. The only network connections made in the main app are to download and upload public keys to/from keyservers, and that is completely in the user's control. We do not even store or collect any crash reports or diagnostic information.

Why should I trust the PGP Everywhere Keyboard with Full Access?

This is the gist of the kind of question that we receive most often: people concerned about the alert Apple displays when you enable Full Access. The alert reads:

Full access allows the developer of this keyboard to transmit anything you type, including things you have previously typed with this keyboard. This could include sensitive information such as your credit card number or street address.
The warning could be interpreted as a request for permission to transmit keystrokes in the same way that another app might request access to your camera, but that is not what's going on. In this case Apple is being abundantly cautious by explicitly warning the user about the worst case privacy scenario of a malicious developer. We applaud that intent, but think the wording here is a little misleading.

The wording of the warning implies that the developer immediately gets access to all your keystrokes past, present, and future, but that is not the case. What it really means is that the keyboard will have the potential to connect to the internet because that is one of the permissions included in Full Access (as described above). Our keyboard does not take advantage of that potential. Inherent in the ability to connect to the internet is the worst-case possibility that a malicious developer could capture and transmit keystrokes, but it is not a guarantee and it is certainly not true of PGP Everywhere. The operative word in the warning is "allows". A more accurate reading of the warning would be "Full access potentially allows the developer...".

Think about it this way: even if you don't trust anything written on this page, you can at least read Apple's documentation and know that keystrokes are not automatically stored or sent when Full Access is enabled (if you don't trust Apple, then you have bigger problems). Knowing this, the amount of trust required to use the PGP Everywhere Keyboard is no greater than the amount of trust required by any other PGP app. You would give your clear text, private key, and passphrase to both this keyboard and any traditional app. The only difference is that Apple asks you explicitly if the keyboard may access local storage and the internet, while a traditional app gets these permissions without asking. So, if you would feel comfortable using another PGP app on iOS or even feel comfortable using PGP Everywhere's main app, then you should be comfortable using the keyboard.

A more human note

On a more human and qualitative note, we simply have no interest in your data. The inspiration for creating this app was the increasing prevalence/awareness of surveillance and hacking in the past several years. The idea was that if PGP were easier to use (i.e. you don't have to switch between apps to use it), then more people would use it more often. As people concerned about privacy, we wouldn't want to do anything to purposefully undermine the tool we created. We also wouldn't want to be at risk of any kind of data leak or any kind of government request for data. If you have any further questions or concerns, please feel free to contact us below. And yes, we are considering going partially or fully open source.