#AnySoftKeyboard, installed from #FDroid, asks for access to Contacts. Was it compromised? (EDIT: Unlikely)
I don’t remember it asking me for Contacts before (but @lnxw37a2 does). [EDIT: I was] worried it may have been subject to a supply chain attack, and to be on the safe side, I uninstalled it.
It seems to be a mostly unmaintained app that I never use, but hadn’t uninstalled. This is the first new version since 2025/07/25, and before that, 2022/01/14 (the first version shipped by @fdroid).
I checked every version on F-Droid and they all have the contacts permission. Its a common request on software keyboards, because it lets it add the names of those in your contact list to the autocorrect dictionary. Its nice to avoid your keyboard wrongly correcting names.
It doesn’t have the network permission, so its not able to transmit any data it has. I don’t think this is an attack.
The app has a link to their privacy policy which explains what permissions it asks for, why, and affirms the app cannot transmit the data off the device. Last updated in 2017, and still matching the permissions of the current version. This isn’t an attack.