Which open-source Android keyboards are available on F‑Droid and how do their permissions compare to Play Store versions?

1. Which open‑source keyboards appear on F‑Droid and how F‑Droid represents them

F‑Droid hosts multiple open‑source input methods and documents each package’s metadata and permissions: AnySoftKeyboard is listed with builds and permission notes for contact access across versions ^[1], Hacker’s Keyboard appears as an AOSP‑derived keyboard with the underlying Gingerbread permissions noted ^[2], FlorisBoard is presented as a privacy‑oriented, open‑source keyboard with F‑Droid‑built packages ^{[3] [11]}, Unexpected Keyboard is listed with boot and vibrator permissions ^[4], HeliBoard/Heliboard is described as privacy‑conscious and operating entirely offline (no INTERNET permission) ^{[5] [9]}, and lighter options like Tiny Keyboard are distributed in third‑party F‑Droid repositories with explicit notes about missing network permission ^[6]; community writeups and F‑Droid indexes also point to OpenBoard, Simple Keyboard and Indic Keyboard among alternatives ^[7].

2. Permission patterns on F‑Droid builds: common themes and concrete examples

F‑Droid listings show concrete permissions for each packaged build and often indicate whether the artifact was built and signed by F‑Droid or by the original developer, a practice F‑Droid uses to tie binaries back to source tarballs ^{[1] [4] [3]}. Examples: AnySoftKeyboard’s F‑Droid entries document READ_CONTACTS in several historical builds ^[1], FlorisBoard’s F‑Droid build notes a vibrator control permission and an Android dynamic‑receiver flag ^[3], Unexpected Keyboard lists BOOT‑START and vibrator control ^[4], and HeliBoard is explicitly advertised as not requesting INTERNET — making it “100% offline” by design ^{[5] [9]}. Tiny Keyboard’s F‑Droid/IzzyOnDroid note emphasizes the absence of network permission to relieve tracking concerns ^[6].

3. How these compare to Play Store versions and proprietary keyboards

Independent reviews and technical checks show a pattern where Play Store or commercial keyboards may include analytics and network access that F‑Droid or offline forks omit; for example, investigator reporting found Typewise’s Play Store builds include AppsFlyer analytics while an “offline” build removes INTERNET permission ^[8]. That pattern — Play builds bundling telemetry vs. F‑Droid/offline builds stripping network access — holds for several apps but cannot be assumed universally without per‑build inspection, and direct side‑by‑side manifests for every keyboard are not exhaustively covered by the supplied sources ^{[8] [3] [5]}.

4. The security caveat: permission lists don’t eliminate systemic risk

Even with minimal manifest permissions, keyboards are in a uniquely sensitive position because any input method can access typed content; platform‑level issues or inter‑process cooperation can enable exfiltration without obvious manifest permissions, as security discussion notes: exploits in system services or IPC interactions can be abused and some attack vectors don’t require extra permissions visible to users ^[10]. Thus the absence of INTERNET in a manifest reduces the risk of easy remote exfiltration but does not guarantee immunity to advanced or OS‑level threats ^{[10] [5]}.

5. Practical takeaway and trade‑offs between privacy and convenience

F‑Droid builds and forks give users transparent source‑to‑binary chains and often publish reduced permission sets (F‑Droid‑built or developer‑built artifacts are annotated), which makes choosing a less networked keyboard realistic ^{[1] [3] [4]}. Conversely, Play Store versions and commercial keyboards may justify network permissions for features and analytics — that yields convenience and richer suggestions at the cost of potential telemetry ^{[8] [9]}. The supplied reporting does not enumerate every keyboard’s Play Store manifest, so definitive per‑app comparisons require inspecting each app’s Play listing or APK side‑by‑side with the F‑Droid package.