Data-slurping keyboard app makes Mongo mistake with user data

Pablo Tucker
December 7, 2017

Another data leak case has surfaced wherein the personal details of almost 31 million Android users using the AI.type app has been exposed on an online open database.

Eitan Fitusi, chief executive and founder of Ai.type, told the BBC the amount of data exposed was not as extensive as claimed. The company claims its app has been downloaded more than 40 million times, with additional keyboards that support over 40 languages from Farsi to Slovenian. The server held user information, including personal records, totalling over 577 gigabytes of sensitive data including names, emails and how long the app had been installed.

The massive trove of information was not protected by a password, meaning anyone with the direct URL to the database could access the information stored within.

But security analysts were quick to warn of the amount of information that mobile apps gather about users, and said the practice was not acceptable. It also contained seemingly useless information such as each user's IMSI and IMEI device number - which are unique numbers to identify a phone on the global network and one to identify it on a particular network - alongside make and model information, screen resolution and even the version of Android it's running. The records also included the user's location set by Global Positioning System, including their city and country.

ZDNet obtained a portion of the database to verify. Other records included information from linked Google profiles including profile pictures, email addresses, dates of birth and genders.

The data was only secured after the firm made several attempts to contact Fitusi, who acknowledged the security lapse this weekend.

It seems that users who downloaded the freemium version of Ai.type had more data exposed than those with the paid version as the free one collects more information from devices. Ai.Type was also collecting data from user's contact lists, according to the researchers. The unprotected database from AI.type reveals just how much detail the app can grab from users without their explicit knowledge.

Google often warns users of the security risks that come with the use of a third-party keyboard, but AI.type touts on its website that user privacy is its "main concern" and that any entered text "stays encrypted and private".

ANOTHER DAY, another dodgy Android app discovered, this time in the form of the personal data leaking ai.type Keyboard. If that wasn't enough data for the keyboard to mine, security researchers added that "there was a range of other statistics" including the most popular users' Google queries for different regions.

"This presents a real danger for cyber criminals who could commit fraud or scams using such detailed information about the user".

'Some want to sell the data they collect, others use it for targeted marketing, predictive artificial intelligence, and cyber criminals want to use it to make money in more and more creative ways. Bob Diachenko, head of communications at Kromtech Security Center, wonders if it is really worth it for consumers to submit their data in exchange for free or discounted products or services that gain full access to their devices.

Other reports by iNewsToday