Slashdot Mirror


A Popular Virtual Keyboard App Leaks 31 Million Users' Personal Data (zdnet.com)

Zack Whittaker, writing for ZDNet: Personal data belonging to over 31 million customers of a popular virtual keyboard app has leaked online, after the app's developer failed to secure the database's server. The server is owned by Eitan Fitusi, co-founder of AI.type, a customizable and personalizable on-screen keyboard, which boasts more than 40 million users across the world. But the server wasn't protected with a password, allowing anyone to access the company's database of user records, totaling more than 577 gigabytes of sensitive data. The database appears to only contain records on the app's Android users.

5 of 65 comments

  1. Stupid quotes. by Fly+Swatter · Score: 5, Informative

    A quote from within the article (yes someone read the article):

    "It raises the question once again if it is really worth it for consumers to submit their data in exchange for free or discounted products or services that gain full access to their devices,

    Like paying for the same app will really turn off that data collection. The question things like this really raise is if allowing any data collection at all, ever, should be allowed.

  2. Re:For heaven's sake, which app?? by Anonymous Coward · Score: 3, Informative

    I had to look it up elsewhere. Apparently, it's the company AI.type, based in Tel Aviv.

    Other articles I found this in:

  3. Re:Idiot users by Hal_Porter · Score: 4, Informative

    Most of them do unfortunately. E.g. SwiftKey does. Also SwiftKey used to be an indie dev house but that got bought by Microsoft. It'd be nice to think that Microsoft selflessly love Android users and want to support a good keyboard application for Android and iOS even though they are competitors to Windows Phone. However it's more likely that they bought it because it had a bunch of user data they could monetize in various dubious ways.

    https://swiftkey-keyboard.file...

    Potentially dangerous permissions
    GET_ACCOUNTS: Allows access to the list of accounts in the Accounts Service.
    READ_EXTERNAL_STORAGE: Allows an application to read from external storage.
    READ_SMS: Allows an application to read SMS messages.
    WRITE_EXTERNAL_STORAGE: Allows an application to write to external storage.
    Other permissions
    ACCESS_NETWORK_STATE: Allows applications to access information about networks.
    ACCESS_WIFI_STATE: Allows applications to access information about Wi-Fi networks.
    INTERNET: Allows applications to open network sockets.
    RECEIVE_BOOT_COMPLETED: Allows an application to receive the ACTION_BOOT_COMPLETED that is broadcast after the system finishes booting. If you don't request this permission, you will not receive the broadcast at that time. Though holding this permission does not have any security implications, it can have a negative impact on the user experience by increasing the amount of time it takes the system to start and allowing applications to have themselves running without the user being aware of them. As such, you must explicitly declare your use of this facility to make that visible to the user.
    VIBRATE: Allows access to the vibrator.
    WAKE_LOCK: Allows using PowerManager WakeLocks to keep processor from sleeping or screen from dimming.
    com.android.vending.BILLING
    com.google.android.c2dm.permission.RECEIVE
    com.swiftkey.languageprovider.READLANG
    com.swiftkey.swiftkeyconfigurator.READCONFIG
    com.touchtype.swiftkey.permission.C2D_MESSAGE

    So does Swype

    http://forum.swype.com/showthr...

    Hi there, I just spotted Swype in the Google Play store and had exactly the same concerns.

    Outside of reading the dictionary, I would not have expected Swype should not require any special permissions, and yet it wants a big long list of permissions:
    Record audio
    Get my approximate and precise location
    Read my text messages
    Full network access
    Pair with Bluetooth devices
    Read my contacts
    Read terms I've added to the dictionary
    Read call log
    Read phone status and identity
    Modify or delete the contents of my USB storage
    Find accounts on my device
    View network connections
    View wifi connections
    Access protected storage

    So does Google Keyboard

    https://www.xda-developers.com...

    Let's take a look at what's going on here. First off, Google Keyboard has access to your own contact card, and accounts on your device. This means it has the ability to know who you are, and all of the Email (and other) accounts you have available on your device. That means it's possible for them to see what Google/Dropbox/Twitter/Microsoft Exchange/Facebook accounts you have available on your phone. I have absolutely no idea why this is needed, nor why people are willing to give this information over.

    Next up, the app can read your contacts. That's fair enough-Google obviously want to add your contact names to the spell-checker and auto-complete databases. This makes sense, and is something justifiable for a keyboard. The ability to modify or delete the contents of USB storage is somewhat strange, but while it does allow access to all your data stored on your "SD card," there's unfortunately no real

    --
    echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;

  4. Math fail. by Fly+Swatter · Score: 4, Informative

    It's 18.6k. Only off by a thousand fold. But even if all they collect is text entry (it's a keyboard app), that's a lot of info they should never have. The whole Android ecosystem as it currently exists needs to die in a fire.

  5. Re:Idiot users by AuMatar · Score: 4, Informative

    Having worked at Swype, I can tell you why most of those are there.

    Record audio- see the voice recognition button? Required for it to work. Lots of people like voice recognition

    Get my approximate and precise location- download dictionaries of local places that wouldn't be in the normal dictionary.

    Read my text messages- train autocorrect algorithms

    Full network access- upload dictionaries to the server/download your dictionaries to a new device. Also their whole theme download store.

    Pair with Bluetooth devices- Bluetooth headsets

    Read my contacts- we scan your contacts to add the names to the dictionary, so it will allow you to type your friends' names.

    Read terms I've added to the dictionary- Swype has its own dictionary, but if you added any to the device's we want to add those to ours

    Read phone status and identity- literally this was to turn off typing noises when on speakerphone

    Modify or delete the contents of my USB storage- to allow you to store the dictionary on a connected device, if you wanted

    If you want a smooth app that integrates with the OS well, you're going to need a lot of permissions. There's just no way around it.

    --
    I still have more fans than freaks. WTF is wrong with you people?