31 million Android users’ personal data exposed thanks to an insecure keyboard app

Vaughn Highfield December 6, 2017

Other than the worry that a dodgy keyboard app could be logging your every keystroke and sending it off to some suspect third-party, you’d hope something as straightforward as typing was worry free. Unfortunately not, as an incredibly popular keyboard app has just suffered at the hands of a mammoth data breach all because it wasn’t storing personal user information on a secure server.

31 million Android users' personal data exposed thanks to an insecure keyboard app

The app, AI.type, stored its data on a server owned by company co-founder Eitan Fitusi. The server held user information, including personal records, totalling over 577 gigabytes of sensitive data including names, emails and how long the app had been installed. The data also contained information around user’s precise location, including city and country.

Bizarrely, only Android users are affected by the breach, presumably because iOS user information is stored on a separate server database.

The data breach was discovered by security researchers Kromtech Security Centre and then corroborated by ZDNet. Interestingly, Fitusi has repaired the security lapse but hasn’t issued a statement around the information breach beyond acknowledging that it had happened.

Users on the free version have more data farmed from their usage than that of the paid version – a statement made clear in its privacy policy. This data is then monetised through advertising, but it was also stored on the insecure server, linked to individual users. It also contained seemingly useless information such as each user’s IMSI and IMEI device number – which are unique numbers to identify a phone on the global network and one to identify it on a particular network – alongside make and model information, screen resolution and even the version of Android it’s running.

android_keyboard_hack_aitype

Most alarmingly of all, some of the more complete records contained user’s phone numbers and the name of their mobile network operator. Some also listed their IP addresses and the name of the internet provider for the Wi-Fi networks the user had accessed while using AI.type. Those that logged into the app using a Google profile also had their information scraped, revealing email addresses, dates of birth, gender and even profile photos.

ZDNet also confirmed that AI.type was scraping contact information from user’s phones, with data tables containing over 10.7 million email addresses and another with 374.6 million phone numbers. Other tables also included a list of the other apps installed on a device, although it doesn’t appear to have captured any data from within them.

Interestingly, AI.type says on its website that user privacy “is our main concern”, and that any text entered on the keyboard “stays encrypted and private”. Except with the wide-ranging permissions keyboards have on Android, including the option to read text messages, view photos and videos and even record audio, combined with the fact that it didn’t store user data in a secure storage, you have to wonder just how accurate that is.

AI.type also states that it will “never share your data or learn from password fields” but, as ZDNet highlights, there was a table with 8.6 million entries of sensitive information logged and stored via the keyboard. These weren’t insignificant details either, they contained phone numbers, web searches and email addresses and corresponding passwords.

Those who paid for the app would have far less data exposed, but it’s still unclear just how much of their information has been gleaned too. One would always expect a free app to come with some caveats, but if the paid app was also harvesting the same level of sensitive data, AI.type has some serious questions to answer.

With 31 million Android users exposed, and the potential for more to be at risk on iOS, you have to sit back and wonder if it’s really worth moving away from a secure OS-specific keyboard to a third-party app.