A Popular Virtual Keyboard App Leaks 31 Million Users' Personal Data (zdnet.com)

Zack Whittaker, writing for ZDNet: Personal data belonging to over 31 million customers of a popular virtual keyboard app has leaked online, after the app's developer failed to secure the database's server. The server is owned by Eitan Fitusi, co-founder of AI.type, a customizable and personalizable on-screen keyboard, which boasts more than 40 million users across the world. But the server wasn't protected with a password, allowing anyone to access the company's database of user records, totaling more than 577 gigabytes of sensitive data. The database appears to only contain records on the app's Android users.

65 comments

  1. Hanging offence by networkBoy · · Score: 2

    But the server wasn't protected with a password,

    --
    whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    1. Re:Hanging offence by Immerman · · Score: 5, Insightful

      Frack the password - why was a fracking *keyboard app* storing personal information on a remote server in the first place!?!?!

      --
      --- Most topics have many sides worth arguing, allow me to take one opposite you.
    2. Re:Hanging offence by Anonymous Coward · · Score: 0

      It's doing that because the users of it want it to.

      Many keyboards offer "smart word suggestion", so every word you type is added to the same database as every word everyone else types, and it can suggest *everyone's* most frequently typed next word.

    3. Re: Hanging offence by Anonymous Coward · · Score: 0

      Suuuure. THAT'S the reason.

      Try again slave.

  2. Idiot users by reanjr · · Score: 3, Insightful

    Would you like to install this keyboard that requires access to the network?

    No.

    1. Re:Idiot users by Anonymous Coward · · Score: 1

      This is required to install certain updates, improve security, and provide customer feedback. Are you SURE you want to prevent access to the network? The software may not work correctly.

      Ummm. I don't know. I really want to use this software. Crap. OK Yes.

    2. Re:Idiot users by Hal_Porter · · Score: 4, Informative

      Most of them do unfortunately. E.g. SwiftKey does. Also SwiftKey used to be an indie dev house but that got bought by Microsoft. It'd be nice to think that Microsoft selflessly love Android users and want to support a good keyboard application for Android and iOS even though they are competitors to Windows Phone. However it's more likely that they bought it because it had a bunch of user data they could monetize in various dubious ways.

      https://swiftkey-keyboard.file...

      Potentially dangerous permissions
      GET_ACCOUNTS: Allows access to the list of accounts in the Accounts Service.
      READ_EXTERNAL_STORAGE: Allows an application to read from external storage.
      READ_SMS: Allows an application to read SMS messages.
      WRITE_EXTERNAL_STORAGE: Allows an application to write to external storage.
      Other permissions
      ACCESS_NETWORK_STATE: Allows applications to access information about networks.
      ACCESS_WIFI_STATE: Allows applications to access information about Wi-Fi networks.
      INTERNET: Allows applications to open network sockets.
      RECEIVE_BOOT_COMPLETED: Allows an application to receive the ACTION_BOOT_COMPLETED that is broadcast after the system finishes booting. If you don't request this permission, you will not receive the broadcast at that time. Though holding this permission does not have any security implications, it can have a negative impact on the user experience by increasing the amount of time it takes the system to start and allowing applications to have themselves running without the user being aware of them. As such, you must explicitly declare your use of this facility to make that visible to the user.
      VIBRATE: Allows access to the vibrator.
      WAKE_LOCK: Allows using PowerManager WakeLocks to keep processor from sleeping or screen from dimming.
      com.android.vending.BILLING
      com.google.android.c2dm.permission.RECEIVE
      com.swiftkey.languageprovider.READLANG
      com.swiftkey.swiftkeyconfigurator.READCONFIG
      com.touchtype.swiftkey.permission.C2D_MESSAGE

      So does Swype

      http://forum.swype.com/showthr...

      Hi there, I just spotted Swype in the Google Play store and had exactly the same concerns.

      Outside of reading the dictionary, I would not have expected Swype to require any special permissions, and yet it wants a big long list of permissions:
      Record audio
      Get my approximate and precise location
      Read my text messages
      Full network access
      Pair with Bluetooth devices
      Read my contacts
      Read terms I've added to the dictionary
      Read call log
      Read phone status and identity
      Modify or delete the contents of my USB storage
      Find accounts on my device
      View network connections
      View wifi connections
      Access protected storage

      So does Google Keyboard

      https://www.xda-developers.com...

      Let's take a look at what's going on here. First off, Google Keyboard has access to your own contact card, and accounts on your device. This means it has the ability to know who you are, and all of the Email (and other) accounts you have available on your device. That means it's possible for them to see what Google/Dropbox/ Twitter/Microsoft Exchange/Facebook accounts you have available on your phone. I have absolutely no idea why this is needed, nor why people are willing to give this information over.

      Next up, the app can read your contacts. That's fair enough-Google obviously want to add your contact names to the spell-checker and auto-complete databases. This makes sense, and is something justifiable for a keyboard. The ability to modify or delete the contents of USB storage is somewhat strange, but while it does allow access to all your data stored on your "SD card," there's unfortunately no real

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
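      As an added example (not code from the thread or from any keyboard vendor), a small manifest audit that flags the permission categories listed above and reports whether the combination of data-reading permissions with INTERNET would let typed data leave the device; the manifest text, the package name and the baseline set of permissions a keyboard can justify on its own are constructed assumptions:

```python
"""Audit an Android manifest for permissions a keyboard app cannot obviously justify.

Added example. The manifest below is constructed, the package name is a
placeholder, and the baseline of permissions a local keyboard can justify
without explanation is an assumption.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
INTERNET = "android.permission.INTERNET"

# Assumption: permissions a purely local keyboard can justify without explanation.
KEYBOARD_BASELINE = {
    "android.permission.VIBRATE",       # haptic feedback on key press
    "android.permission.RECORD_AUDIO",  # voice typing, as discussed in the thread
    "android.permission.WAKE_LOCK",
}

# Permissions that expose user data or the network; each needs a written justification.
DATA_EXPOSING = {
    "android.permission.GET_ACCOUNTS": "lists the accounts on the device",
    "android.permission.READ_SMS": "reads SMS content",
    "android.permission.READ_CONTACTS": "reads the contact list",
    "android.permission.READ_EXTERNAL_STORAGE": "reads shared storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "writes shared storage",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.READ_PHONE_STATE": "phone status and identity",
    INTERNET: "opens network sockets, so typed data can leave the device",
}

# Constructed manifest using the permission names quoted in the comment above.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.keyboard.placeholder">
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
</manifest>
"""


def declared_permissions(manifest_xml: str) -> list:
    """Return the android:name of every <uses-permission> element, in manifest order."""
    root = ET.fromstring(manifest_xml)
    names = [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]
    return [n for n in names if n]


def audit_keyboard_manifest(manifest_xml: str) -> dict:
    """Classify the declared permissions and decide whether the app could exfiltrate data.

    'exfiltration_capable' is true when INTERNET is combined with at least one
    permission that reads user data: the combination the thread worries about.
    """
    perms = declared_permissions(manifest_xml)
    flagged = {p: DATA_EXPOSING[p] for p in perms if p in DATA_EXPOSING}
    unknown = [p for p in perms if p not in DATA_EXPOSING and p not in KEYBOARD_BASELINE]
    reads_data = [p for p in flagged if p != INTERNET]
    return {
        "flagged": flagged,                      # permission -> why it matters
        "unknown": unknown,                      # neither baseline nor known-sensitive
        "exfiltration_capable": INTERNET in perms and bool(reads_data),
    }
```

Permissions in "unknown" (here ACCESS_NETWORK_STATE and RECEIVE_BOOT_COMPLETED) are not sensitive by themselves but still call for a reason in a keyboard's review notes.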
    3. Re: Idiot users by Karlt1 · · Score: 1

      And just to think, I can install a third party keyboard on iOS and not allow it any of these permissions - or even network access.

    4. Re: Idiot users by reanjr · · Score: 1

      Security updates are handled by the OS, not the keyboard. Anyone claiming the keyboard needs Internet for security updates is an obvious scammer.

    5. Re: Idiot users by reanjr · · Score: 1

      I use MessageEase. The only permission it asks for is "Record Audio" so it can perform voice typing.

    6. Re: Idiot users by reanjr · · Score: 1

      Just like you can on Android. Users have to make smart choices.

    7. Re:Idiot users by link-error · · Score: 1

      " Eitan Fitusi, co-founder of AI.type ..."

      So, it uses AI to predictively suggest as you type. Seems like that would require network access. Not that I would install it. I turn off Google's default predictive typing for that exact reason.

      --
      -Unresolved symbol? Byte me!
    8. Re:Idiot users by Anonymous Coward · · Score: 0

      Google keyboard has a bunch of gifs and stuff, I imagine it downloads them in the background without telling the user.

      The problem with all of these is they have all these other features that need additional permissions that could be abused and you have no way of really controlling when and why the permission is used.

      Why does a keyboard need microphone access? Because they allow you to hold a hotkey and then use voice to text... a useful feature when you're busy and don't want to type.

      Why does Swiftkey need to read your SMS or other accounts? Because they allow you to personalize the dictionary and predictive text based on how you type.

    9. Re: Idiot users by AuMatar · · Score: 1

      Depends on the implementation of the keyboard. If the keyboard has downloadable components, such as parts written in javascript, or datafiles then downloadable updates could include security fixes.

      --
      I still have more fans than freaks. WTF is wrong with you people?
    10. Re:Idiot users by AuMatar · · Score: 4, Informative

      Having worked at Swype, I can tell you why most of those are there.

      Record audio- see the voice recognition button? Required for it to work. Lots of people like voice recognition

      Get my approximate and precise location- download dictionaries of local places that wouldn't be in the normal dictionary.

      Read my text messages- train autocorrect algorithms

      Full network access- upload dictionaries to the server/download your dictionaries to a new device. Also their whole theme download store.

      Pair with Bluetooth devices- bluetooth headsets

      Read my contacts- we scan your contacts to add the names to the dictionary, so it will allow you to type your friend's names.

      Read terms I've added to the dictionary- Swype has its own dictionary, but if you added any to the device's we want to add those to ours

      Read phone status and identity- literally this was to turn off typing noises when on speakerphone

      Modify or delete the contents of my USB storage- to allow you to store the dictionary on a connected device, if you wanted

      If you want a smooth app that integrates with the OS well, you're going to need a lot of permissions. There's just no way around it.

      --
      I still have more fans than freaks. WTF is wrong with you people?
    11. Re:Idiot users by AuMatar · · Score: 1

      Actually it doesn't, that level of data can be stored on the client (and generally is). It's simple n-grams. Keeping it up to date would require network access.

      --
      I still have more fans than freaks. WTF is wrong with you people?
    12. Re:Idiot users by Anonymous Coward · · Score: 0

      Thank you. Most of that seems reasonablish at least. It would be nice if you could disable certain features though to reduce that. For example, I don't want voice recognition, GPS located dictionaries, or pairing with bluetooth. I just don't need those features.

    13. Re: Idiot users by Karlt1 · · Score: 1

      Can you both tell it to not allow network access and still install it and it will run?

      Do you have to purposefully go into settings and enable network access or is that one of n number of permissions in an unintuitive list that people will just press okay?

    14. Re:Idiot users by sjames · · Score: 2

      It would be nice if the Android permissions could be better divided in places. As you point out, knowing the phone is off hook or ringing is legitimate for practically any app that generates sound, but they don't really need to know who is calling or being called. Unfortunately, asking for one without the other isn't possible so everyone gets the side eye.

      Likewise, a bunch of apps that need extra storage space end up making suspicious sounding requests to access photos, music, and videos when all they really want is the ability to have their own private directory to store a few things in.

    15. Re:Idiot users by Anonymous Coward · · Score: 0

      > Get my approximate and precise location- download dictionaries of local places that wouldn't be in the normal dictionary.

      Calling bullshit on this one. Same with the full network access. I guess "dictionaries" is the new get-out-of-jail-free card?

    16. Re:Idiot users by AuMatar · · Score: 1

      I worked with the people who wrote the feature. I also have seen it in action as a user- when I went to Spain a large number of local places like the Sagrada Familia went into the dictionary. I can assure you that was absolutely what it was added for (and it only used approximate location, no need to know the location to more than city). Whether it's been increased in scope in the last few years I couldn't tell you, I left the company in May 2012.

      --
      I still have more fans than freaks. WTF is wrong with you people?
    17. Re:Idiot users by AuMatar · · Score: 1

      It would be. They seem to be going the other way though- bundling permissions in permission groups on the play store listings. At least now you can turn them on and off individually, and well written apps will still work.

      --
      I still have more fans than freaks. WTF is wrong with you people?
    18. Re: Idiot users by maglor_83 · · Score: 1

      You can't deny an app network access, except by not installing it. An Android app does need to request network permissions to access the network, so the user will be notified it can do this, but it's not a configurable permission. You have to uninstall the app to prevent it from accessing the network.

    19. Re: Idiot users by Karlt1 · · Score: 1

      You can't deny network access in iOS either in general (only cellular access). But Apple has the good sense to make sure that installing a keyboard and allowing it network access had to be a very intentional act. You have to go to settings to do it. You can't just mindlessly click "Allow" based on a prompt.

    20. Re: Idiot users by Anonymous Coward · · Score: 0

      And you have to be a completely incompetent developer to write a virtual keyboard app that way.

      Sorry, but a keyboard app that requires network access is nothing but a keylogger disguised as an app.

    21. Re: Idiot users by AuMatar · · Score: 1

      And every keyboard written today is written this way. What are you going to do, ship every language to every phone regardless of if it will be used? Of course not, you download the dictionaries at runtime. You'll find few to no keyboards without a network connection of some type.

      --
      I still have more fans than freaks. WTF is wrong with you people?
    22. Re:Idiot users by AuMatar · · Score: 1

      You can, but you still have to claim all the permissions you could use. That's the way the permissions work- you put them all in the manifest, and all are shown when you download it. (Then on modern Android some permissions require you to ask again at runtime).

      --
      I still have more fans than freaks. WTF is wrong with you people?
    23. Re: Idiot users by Anonymous Coward · · Score: 0

      Wrong question.

      Why does a keyboard app need to store what users type ?

  3. that's a lot of user data by Anonymous Coward · · Score: 1

    577 gigabytes!
    Great Scott!

  4. Stolen contact data... by b0s0z0ku · · Score: 3, Insightful

    A keyboard CrAPPlet has no need for access to contact data, let alone to upload it to an outside server. There could be only two reasons: to spam, or to sell it.

    Either way, hope the company gets sued to Kingdom come and its founder ends up jailed.

    1. Re:Stolen contact data... by Anonymous Coward · · Score: 1

      That is not entirely true. The names of people you know are there, including how to spell them. Surely a keyboard application could make use of that data.

    2. Re:Stolen contact data... by Anonymous Coward · · Score: 0

      So instead of teaching the app and having the data stored locally, you are so ignorantly stupid to allow a KEYBOARD app access to the internet along with every bit of personal data in your device?

  5. Obligatory by DontBeAMoran · · Score: 1

    "I'm in your keyboard, leaking your personal data."

    --
    #DeleteFacebook
  6. Stupid quotes. by Fly+Swatter · · Score: 5, Informative

    A quote from within the article (yes someone read the article):

    "It raises the question once again if it is really worth it for consumers to submit their data in exchange for free or discounted products or services that gain full access to their devices,

    Like paying for the same app will really turn off that data collection. The question things like this really raises is if allowing any data collection at all, ever, should be allowed.

    1. Re:Stupid quotes. by Anonymous Coward · · Score: 1

      "It raises the question once again if it is really worth it for consumers to submit their data in exchange for free or discounted products or services that gain full access to their devices,

      Free comes with a dick up your ass.
      - Future, 8 Mile

  7. For heaven's sake, which app?? by Excelcia · · Score: 2

    Was the person posting this article new, or was there some compelling reason not to disclose the app in question?

    1. Re:For heaven's sake, which app?? by Fly+Swatter · · Score: 1

      co-founder of AI.type, a customizable and personalizable on-screen keyboard

      It's in the summary silly.

    2. Re:For heaven's sake, which app?? by Anonymous Coward · · Score: 3, Informative

      I had to look it up elsewhere. Apparently, it's the company AI.type, based in Tel Aviv.

      Other articles I found this in:

    3. Re:For heaven's sake, which app?? by Alan+Shutko · · Score: 1

      It was in the summary. The keyboard in question is AI.type.

    4. Re:For heaven's sake, which app?? by Desler · · Score: 1

      It’s in the second sentence. Do you have the attention span of a gnat?

    5. Re:For heaven's sake, which app?? by Anonymous Coward · · Score: 0

      Mmmm, donut. Sorry, did you say something?

  8. Holy Shit by Anonymous Coward · · Score: 0

    That is far worse than expected. Programming such a thing should be a federal offense.

  9. ZDnet crap by Anonymous Coward · · Score: 0

    "Bob Diachenko, head of communications at Kromtech Security Center, warned of the dangers of using free apps"

    WTF is that supposed to mean? That paid companies are not doing sh*t with the databases too? Linkedin never did? And a ton of others? Paid companies do not use our data in their benefit for monetizing the hell out of us? I doubt it!

    Phreaking people.

  10. 18.6 MB per customer? by HuskyDog · · Score: 3, Interesting

    So, 577 GB for 31 million users? That gives us about 18.6 MB per customer!!

    Clearly this is rather more than just some basic contact details and IP addresses and suggests that the bulk download of data from phones described in the article isn't just an occasional aberration.

    How come the Android OS even allows a keyboard app access to stored data in the first place?

    1. Re:18.6 MB per customer? by sinij · · Score: 1

      How come the Android OS even allows a keyboard app access to stored data in the first place?

      Because the user allowed it.

    2. Re:18.6 MB per customer? by Calydor · · Score: 1

      It's a complete log of everything ever entered using that app.

      You know.

      Like URLs, usernames and passwords.

      --
      -=This sig has nothing to do with my comment. Move along now=-
    3. Re:18.6 MB per customer? by HuskyDog · · Score: 3, Interesting

      Yes, I was writing complete rubbish and it is indeed 18.6 KB not MB. Doh!!

      Makes mental note to triple check maths before posting comments! Clearly 18.6 kB could easily be the amount typed into the keyboard.

    4. Re:18.6 MB per customer? by Anonymous Coward · · Score: 0

      Just check all the boxes and OK everything, Right? Ain't got time for legalese!

    5. Re:18.6 MB per customer? by Anonymous Coward · · Score: 0

      How come the Android OS even allows a keyboard app access to stored data in the first place?

      Android, unlike iOS, does not allow the user to decide which permissions it will give each app. So, while in iOS you may decide to allow Snapchat to access the phone camera, you can also deny the flashlight app from accessing it. Not on Android, though. It's a bulk thing, you either accept them all, or don't get the app. So, if some cool app (like a keyboard that does what you want, whatever that may be) asks for contact information and access to the phone storage, you can't say "don't look at my data." So yeah, Google fucked this one up very much.

  11. Math fail. by Fly+Swatter · · Score: 4, Informative

    It's 18.6k. Only off by a thousand fold. But even if all they collect is text entry (it's a keyboard app), that's a lot of info they should never have. The whole Android ecosystem as it currently exists needs to die in a fire.

  12. Google changed Android so that all apps have by Kartu · · Score: 1

    Google changed Android so that all apps have "internet" rights.
    Smart move, it's an advertisement company after all.

  13. That's not the leak. by fishscene · · Score: 3, Funny

    I'm pretty sure the "leak" was the company collecting this information in the first place.

    1. Re:That's not the leak. by Anonymous Coward · · Score: 0

      Also who in his sane mind trusts this funny looking keylogger.

    2. Re:That's not the leak. by Anonymous Coward · · Score: 0

      You do know that Android's stock keyboard does the exact same thing? It sends 256 bytes to the mothership a RECORDED (and verified) 4000 times a day (that is almost 1MB of encrypted data per day).

  14. I smell BS in any case... by Anonymous Coward · · Score: 0

    "The server wasn't protected with a password." Huh? Shouldn't it be behind a firewall, with 2FA authentication [1], with the database encrypted either via column encryption or transparent encryption? Even the logs of my WordPress site have better protection than that.

    I don't think the developer even gave a rat's ass about this, or perhaps was paid to slurp data and have an "accidental" breach.

    Products like this need thrown off the respective app stores and never allowed back on. Maybe Google should even enforce fines in case user data is compromised.

    1. Re:I smell BS in any case... by Anonymous Coward · · Score: 0

      It was probably an open NoSQL server. Many of them came for years with default settings that allowed access without a password. There have been a lot of problems with admins taking app setups involving NoSQL servers and putting them together in public cloud configurations. Just a complete lack of experience all around.

  15. Re:Found the LUDDITE! by b0s0z0ku · · Score: 1

    Proud Luddite.

    Ludd! Ludd! Ludd-ludd-ludd :)

  16. Only Android...AI...hmmmmm by TheOuterLinux · · Score: 1

    More like Google AI developer goldmine. "Pssstt...leave the backdoor open." But like everything wrong they do now, they'll bury it when their bots "just happen to find some random guy" on a hate speech rant in the comments of a news article. Why do you think a lot of Slashdot comments start out so messed up and unrelated? It gives Google and other search engines a reason to make it harder to find since the comments are a part of the article. The bots can claim ignorance. That's why a lot of decentralized media use things like Disqus or still use good ol' "#join our IRC" for chatting.

    1. Re: Only Android...AI...hmmmmm by TheOuterLinux · · Score: 1

      Pay the troll to bury the mole.

  17. Hipster by Anonymous Coward · · Score: 0

    By the look of him, jewish too.

  18. Yay Apple by tsa · · Score: 1

    Even with all of Apple's recent fuck-ups I'm still happy to have an iPhone every time I read about yet another security breach on Android.

    --
    -- Cheers!

  19. Hacker keyboard by Trax3001BBS · · Score: 1

    It doesn't do predictive text, but everything else. I find the Ctrl C and V very useful https://play.google.com/store/...

    No permissions other than input.

  20. AI.type by Anonymous Coward · · Score: 0

    Popular, really?

    Never heard of it until now.