#AnySoftKeyboard, installed from #FDroid, asks for access to Contacts. Was it compromised? (EDIT: Unlikely)
I don’t remember it asking me for Contacts before (but @lnxw37a2 does). [EDIT: I was] worried it may have been subject to a supply chain attack, and to be on the safe side, I uninstalled it.
It seems to be a mostly unmaintained app that I never use, but hadn’t uninstalled. This is the first new version since 2025/07/25, and before that, 2022/01/14 (the first version shipped by @fdroid).
Seems I was going off half-cocked, out of an overabundance of caution. #MeaCulpa. I thought it would be worse if I ignored my strypey-senses tingling and said nothing, then it turned out it was compromised.
We need to be cautious in this age of copious vibe coding;
https://forum.f-droid.org/t/f-droid-policy-on-libre-ai/
I do think @fdroid crew need to do due diligence when apps appear to be abandoned, then revived. They probably do, but any links to policies and processes on this would be a great way to put my mind at rest.
#HatTip to the @fdroid threadiverse community, and others, for offering such rapid and thorough clarifications. Many thanks to @lnxw37a2 @hildegarde @alienghic @plm00 @Axolotl_cpp.
Thanks also to @tootbrute @kurikai for offering suggestions for other soft keyboard apps, and to @snek_boi for reminding me to format the first sentence of my Mastodon post so it becomes a good title in the threadiverse post.