20.5k unique visitors in the last 3 days

Android Keyboard App Leaks Data of 31mn Users

There was no password protection nor encryption to stop people accessing personal data stored on a server run by one of the founders of app firm AI.type.

Passwords are not perfect, but it is still a good idea to use them. There was no password protecting a server run by Eitan Fitusi, co-founder of AI.type, a customizable on-screen keyboard. This meant anyone could access the company’s database of user records, a serious failure discovered by Kromtech Security Center which was then reported by ZDNet.

Over 577 gigabytes of sensitive data were leaked about 31mn customers of AI.type. The breach only affected the Android customers of AI.type because data about Apple users was stored on a different server.

The breach also revealed just how much personal data was being grabbed by the greedy app. The privacy policy of the app makes it clear that the free version collects more data than the paid version, and that this data is monetized through advertising. However, it is hard to understand why AI.type was collecting:

  • the IMSI and IMEI numbers for each device
  • the IP address and name of the customer’s internet provider, if connected to Wi-Fi
  • information about the user’s contacts, including phone numbers and email addresses
  • lists of the apps installed on each device, including banking apps

The ZDNet report highlighted the huge difference between what AI.type said about privacy and how the business behaved in real life.

…AI.type says on its website that user’s privacy “is our main concern.” Any text entered on the keyboard “stays encrypted and private,” says the company.

But the database wasn’t encrypted. We also found evidence that text entered on the keyboard does get recorded and stored by the company, though to what extent remains unclear.

The company also promises to “never share your data or learn from password fields,” but we saw one table containing more than 8.6 million entries of text that had been entered using the keyboard, which included private and sensitive information, like phone numbers, web search terms, and in some cases concatenated email addresses and corresponding passwords.

The lousy security for an app that people use when typing – which obviously will include the typing of sensitive information – highlights how trusting people are, and why they should be me more wary.

Eric Priezkalns
Eric Priezkalnshttp://revenueprotect.com

During his career, Eric has been a Director of Risk Management for a national telco, the Chief Executive of the Risk & Assurance Group, a Chief Marketing Officer for a software business, a consultant, a public speaker and the publisher of Commsrisk since its launch in 2006. Look here for more about the history of Commsrisk and the role played by Eric.

The comms providers that Eric has worked for include Qatar Telecom, Cable & Wireless, T‑Mobile, Sky and Worldcom. In addition to his proficiency at speaking about the current scamdemic, Eric is also a qualified chartered accountant and a subject matter expert in consumer protection, enterprise risk management, fraud prevention, data integrity and billing accuracy. Eric was the lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He can be reached through the contact form on this website.

Related Articles

The Commsrisk Global Fraud Dashboard


Our Global Fraud Dashboard uses AI-powered search to collate, update and visualize data about scams and other network abuses from around the world. New charts are added each month. See it here.

Get Our Weekly Newsletter by Email