Slashdot Mirror

← Back to Stories (view on slashdot.org)

A Popular Virtual Keyboard App Leaks 31 Million Users' Personal Data (zdnet.com)

Posted by msmash on from the security-woes dept.

Zack Whittaker, writing for ZDNet: Personal data belonging to over 31 million customers of a popular virtual keyboard app has leaked online, after the app's developer failed to secure the database's server. The server is owned by Eitan Fitusi, co-founder of AI.type, a customizable and personalizable on-screen keyboard, which boasts more than 40 million users across the world. But the server wasn't protected with a password, allowing anyone to access the company's database of user records, totaling more than 577 gigabytes of sensitive data. The database appears to only contain records on the app's Android users.

14 of 65 comments (clear)

  1. Hanging offence by networkBoy · · Score: 2

    But the server wasn't protected with a password,

    --
    whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    1. Re:Hanging offence by Immerman · · Score: 5, Insightful

      Frack the password - why was a fracking *keyboard app* storing personal information on a remote server in the first place!?!?!

      --
      --- Most topics have many sides worth arguing, allow me to take one opposite you.
  2. Idiot users by reanjr · · Score: 3, Insightful

    Would you like to install this keyboard that requires access to the network?

    No.

    1. Re:Idiot users by Hal_Porter · · Score: 4, Informative

      Most of them do unfortunately. E.g. SwiftKey does. Also SwiftKey used to be an indie dev house but that got bought by Microsoft. It'd be nice to think that Microsoft selflessly love Android users and want to support a good keyboard application for Android and iOS even though they are competitors to Windows Phone. However it's more likely that they bought it because it had a bunch of user data they could monetize in various dubious ways.

      https://swiftkey-keyboard.file...

      Potentially dangerous permissions
      GET_ACCOUNTS: Allows access to the list of accounts in the Accounts Service.
      READ_EXTERNAL_STORAGE: Allows an application to read from external storage.
      READ_SMS: Allows an application to read SMS messages.
      WRITE_EXTERNAL_STORAGE: Allows an application to write to external storage.
      Other permissions
      ACCESS_NETWORK_STATE: Allows applications to access information about networks.
      ACCESS_WIFI_STATE: Allows applications to access information about Wi-Fi networks.
      INTERNET: Allows applications to open network sockets.
      RECEIVE_BOOT_COMPLETED: Allows an application to receive the ACTION_BOOT_COMPLETED that is broadcast after the system finishes booting. If you don't request this permission, you will not receive the broadcast at that time. Though holding this permission does not have any security implications, it can have a negative impact on the user experience by increasing the amount of time it takes the system to start and allowing applications to have themselves running without the user being aware of them. As such, you must explicitly declare your use of this facility to make that visible to the user.
      VIBRATE: Allows access to the vibrator.
      WAKE_LOCK: Allows using PowerManager WakeLocks to keep processor from sleeping or screen from dimming.
      com.android.vending.BILLING
      com.google.android.c2dm.permission.RECEIVE
      com.swiftkey.languageprovider.READLANG
      com.swiftkey.swiftkeyconfigurator.READCONFIG
      com.touchtype.swiftkey.permission.C2D_MESSAGE

      So does Swype

      http://forum.swype.com/showthr...

      Hi there, I just spotted Swype in the Google Play store and had exactly the same concerns.

      Outside of reading the dictionary, I would not have expected Swype should not require any special permissions, and yet it wants a big long list of permissions:
      Record audio
      Get my approximate and precise location
      Read my text messages
      Full network access
      Pair with Bluetooth devices
      Read my contacts
      Read terms I've added to the dictionary
      Read call log
      Read phone status and identity
      Modify or delete the contents of my USB storage
      Find accounts on my device
      View network connections
      View wifi connections
      Access protected storage

      So does Google Keyboard

      https://www.xda-developers.com...

      Let's take a look at what's going on here. First off, Google Keyboard has access to your own contact card, and accounts on your device. This means it has the ability to know who you are, and all of the Email (and other) accounts you have available on your device. That means it's possible for them to see what Google/Dropbox/ Twitter/Microsoft Exchange/Facebook accounts you have available on your phone. I have absolutely no idea why this is needed, nor why people are willing to give this information over.

      Next up, the app can read your contacts. That's fair enough-Google obviously want to add your contact names to the spell-checker and auto-complete databases. This makes sense, and is something justifiable for a keyboard. The ability to modify or delete the contents of USB storage is somewhat strange, but while it does allow access to all your data stored on your "SD card," there's unfortunately no real

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
    2. Re:Idiot users by AuMatar · · Score: 4, Informative

      Having worked at Swype, I can tell you why most of those are there.

      Record audio- see the voice recognition button? Required for it to work. Lots of people like voice recognition

      Get my approximate and precise location- download dictionaries of local places that wouldn't be in the normal dictionary.

      Read my text messages- train autocorrect algorithms

      Full network access- upload dictionaries to the server/download your dictionaries to a new device. Also their whole theme download store.

      Pair with Bluetooth devices- bluetooth headsets

      Read my contacts- we scan your contacts to add the names to the dictionary, so it will allow you to type your friend's names.

      Read terms I've added to the dictionary- Swype has its own dictionary, but if you added any to the device's we want to add those to ours

      Read phone status and identity- literally this was to turn off typing noises when on speakerphone

      Modify or delete the contents of my USB storage- to allow you to store the dictionary on a connected device, if you wanted

      If you want a smooth app that integrates with the OS well, you're going to need a lot of permissions. There's just no way around it.

      --
      I still have more fans than freaks. WTF is wrong with you people?
    3. Re:Idiot users by sjames · · Score: 2

      It would be nice if the Android permissions could be better divided in places. As you point out, knowing the phone is off hook or ringing is legitimate for practically any app that generates sound, but they don't really need to know who is calling or being called. Unfortunately, asking for one without the other isn't possible so everyone gets the side eye.

      Likewise, a bunch of apps that need extra storage space end up making suspicious sounding requests to access photos, music, and videos when all they really want is the ability to have their own private directory to store a few things in.

  3. Stolen contact data... by b0s0z0ku · · Score: 3, Insightful

    A keyboard CrAPPlet has no need for access to contact data, let alone to upload it to an outside server. There could be only two reasons: to spam, or to sell it.

    Either way, hope the company gets sued to Kingdom come and its founder ends up jailed.

  4. Stupid quotes. by Fly+Swatter · · Score: 5, Informative

    A quote from within the article (yes someone read the article):

    "It raises the question once again if it is really worth it for consumers to submit their data in exchange for free or discounted products or services that gain full access to their devices,

    Like paying for the same app will really turn off that data collection. The question things like this really raises is if allowing any data collection at all, ever, should be allowed.

  5. For heaven's sake, which app?? by Excelcia · · Score: 2

    Was the person posting this article new, or was there some compelling reason not to disclose the app in question?

    1. Re:For heaven's sake, which app?? by Anonymous Coward · · Score: 3, Informative

      I had to look it up elsewhere. Apparently, it's the company AI.type, based in Tel Aviv.

      Other articles I found this in:

  6. 18.6 MB per customer? by HuskyDog · · Score: 3, Interesting

    So, 577 GB for 31 million users? That gives us about 18.6 MB per customer!!

    Clearly this is rather more than just some basic contact details and IP addresses and suggests that the bulk download of data from phones described in the article isn't just an occasional aberration.

    How come the Andoid OS even allows a keyboard app access to stored data in the first place?

    1. Re:18.6 MB per customer? by HuskyDog · · Score: 3, Interesting

      Yes, I was writing complete rubbish and it is indeed 18.6 KB not MB. Doh!!

      Makes mental note to triple check maths before posting comments! Clearly 18.6 kB could easily be the amount typed into the keyboard.

  7. Math fail. by Fly+Swatter · · Score: 4, Informative

    It's 18.6k. Only off by a thousand fold. But even if all they collect is text entry (its a keyboard app), thats a lot of info they should never have. The whole android ecosystem as it currently exists needs to die in a fire.

  8. That's not the leak. by fishscene · · Score: 3, Funny

    I'm pretty sure the "leak" was the company collecting this information in the first place.