Virtual Keyboard App Reveals Data Of 31m Android Users


The database, which appeared to contain information exclusively from Android users, belonged to AI.type co-founder Eitan Fitusi.

"The misconfigured MongoDB database appears to belong to Ai.Type a Tel Aviv-based startup that designs and develops a personalized keyboard for mobile phones and tablets for both Android and iOS devices", Kromtech Security Center said.

At the same time, poor security practices followed by app developers are also placing such sensitive data belonging to millions of users at risk.

Ai.type's own figures state that the app has been downloaded about 40 million times on the Google Play store since its launch in 2010.

However, when researchers installed Ai.Type they were shocked to discover that users must allow "Full Access" to all of their data stored on the testing iPhone, including all keyboard data past and present. "This is a shocking amount of information on their users who assume they are getting a simple keyboard application", he said.

But the security researchers found that this isn't the case, given that not only was there an unsecured server sitting full of user data, but the texts weren't encrypted either as they were able to download and look through the database files where they found a table containing 8.6 million entries of text that had been typed into the keyboard app.

ZDNet who obtained a portion of the database to verify the information collected by the servers made a few scarier revelations to the breach.

Alabama DC Jeremy Pruitt offered Tennessee job
Saban is the best coach in college football, and even he relies on the deepest pool of assistant coaches in the country. Hearing that #Alabama DC Jeremy Pruitt has emerged as a strong candidate for the #Tennessee head coaching vacancy.

Mariners, Angels reportedly acquire more bonus money aimed for Ohtani
Because Ohtani is under 25 he is subject to global spending limits, which severely limits his earning power on the free market. Banuelos was probably the Mariners' top catching prospect in their minor league system, certainly from a defensive standpoint.

Lubaina Himid awarded Britain's Turner Prize, oldest artist ever to win
She is now based in Preston, England; her work primarily addresses racial politics and the representation of black people in art. The Preston, England-based artist was awarded the 25,000-pound ($34,000) prize at a ceremony in the English city of Hull.

Interestingly, AI.type says on its website that user privacy "is our main concern", and that any text entered on the keyboard "stays encrypted and private".

It found each record contains a basic collected data, including the user's full name, email addresses, and how many days the app was installed. Leaked records as per Kromtech Security, also had a range of other statistics like the most popular users' Google queries for different regions.

The 577GB database included the details of 31,293,959 users, and in many cases this included data scraped from contact lists. Android users who install the free version of the app might be scared away by an alert that says the keyboard may collect "all the text you type", including passwords and credit card numbers. Accompanying the numbers were the make and model of the device, its screen resolution and the version of Android it was running.

ZDNet said it also found several tables of contact data uploaded from a user's phone, one with 10.7 million email addresses and another with 374.6 million phone numbers.

"It raises the question once again if it is really worth it for consumers to submit their data in exchange for free or discounted products", the company said in its blog post.

Most alarmingly of all, some of the more complete records contained user's phone numbers and the name of their mobile network operator.

A large number of the records also included the phone number and telecom provider of users as well as some specific details of their public Google profile including their dates of birth, genders, profile photos and email addresses. However, he outlined that most of the data was insensitive.