Android Keyboard App Leaks Data of 31mn Users

Passwords are not perfect, but it is still a good idea to use them. There was no password protecting a server run by Eitan Fitusi, co-founder of AI.type, a customizable on-screen keyboard. This meant anyone could access the company’s database of user records, a serious failure discovered by Kromtech Security Center and subsequently reported by ZDNet.

Over 577 gigabytes of sensitive data about 31mn AI.type customers were leaked. The breach only affected the Android customers of AI.type because data about Apple users was stored on a different server.

The breach also revealed just how much personal data was being grabbed by the greedy app. The privacy policy of the app makes it clear that the free version collects more data than the paid version, and that this data is monetized through advertising. However, it is hard to understand why AI.type was collecting:

  • the IMSI and IMEI numbers for each device
  • the IP address and name of the customer’s internet provider, if connected to Wi-Fi
  • information about the user’s contacts, including phone numbers and email addresses
  • lists of the apps installed on each device, including banking apps

The ZDNet report highlighted the huge difference between what AI.type said about privacy and how the business behaved in real life.

…AI.type says on its website that user’s privacy “is our main concern.” Any text entered on the keyboard “stays encrypted and private,” says the company.

But the database wasn’t encrypted. We also found evidence that text entered on the keyboard does get recorded and stored by the company, though to what extent remains unclear.

The company also promises to “never share your data or learn from password fields,” but we saw one table containing more than 8.6 million entries of text that had been entered using the keyboard, which included private and sensitive information, like phone numbers, web search terms, and in some cases concatenated email addresses and corresponding passwords.

The lousy security for an app that people use when typing – which obviously will include the typing of sensitive information – highlights how trusting people are, and why they should be more wary.

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.