Security Android Privacy

A Popular Virtual Keyboard App Leaks 31 Million Users' Personal Data (zdnet.com) 65

Zack Whittaker, writing for ZDNet: Personal data belonging to over 31 million customers of a popular virtual keyboard app has leaked online, after the app's developer failed to secure the database's server. The server is owned by Eitan Fitusi, co-founder of AI.type, a customizable and personalizable on-screen keyboard, which boasts more than 40 million users across the world. But the server wasn't protected with a password, allowing anyone to access the company's database of user records, totaling more than 577 gigabytes of sensitive data. The database appears to only contain records on the app's Android users.
This discussion has been archived. No new comments can be posted.

  • by networkBoy ( 774728 ) on Tuesday December 05, 2017 @12:34PM (#55681001) Journal

    But the server wasn't protected with a password,

  • Idiot users (Score:4, Insightful)

    by reanjr ( 588767 ) on Tuesday December 05, 2017 @12:37PM (#55681031) Homepage

    Would you like to install this keyboard that requires access to the network?

    No.

    • by Anonymous Coward
      This is required to install certain updates, improve security, and provide customer feedback. Are you SURE you want to prevent access to the network? The software may not work correctly.

      Ummm. I don't know. I really want to use this software. Crap. OK Yes.
      • Security updates are handled by the OS, not the keyboard. Anyone claiming the keyboard needs Internet for security updates is an obvious scammer.

        • by AuMatar ( 183847 )

          Depends on the implementation of the keyboard. If the keyboard has downloadable components, such as parts written in javascript, or datafiles then downloadable updates could include security fixes.

    • Re:Idiot users (Score:4, Informative)

      by Hal_Porter ( 817932 ) on Tuesday December 05, 2017 @01:02PM (#55681249)

      Most of them do unfortunately. E.g. SwiftKey does. Also SwiftKey used to be an indie dev house but that got bought by Microsoft. It'd be nice to think that Microsoft selflessly love Android users and want to support a good keyboard application for Android and iOS even though they are competitors to Windows Phone. However it's more likely that they bought it because it had a bunch of user data they could monetize in various dubious ways.

      https://swiftkey-keyboard.file... [fileplanet.com]

      Potentially dangerous permissions
      GET_ACCOUNTS: Allows access to the list of accounts in the Accounts Service.
      READ_EXTERNAL_STORAGE: Allows an application to read from external storage.
      READ_SMS: Allows an application to read SMS messages.
      WRITE_EXTERNAL_STORAGE: Allows an application to write to external storage.
      Other permissions
      ACCESS_NETWORK_STATE: Allows applications to access information about networks.
      ACCESS_WIFI_STATE: Allows applications to access information about Wi-Fi networks.
      INTERNET: Allows applications to open network sockets.
      RECEIVE_BOOT_COMPLETED: Allows an application to receive the ACTION_BOOT_COMPLETED that is broadcast after the system finishes booting. If you don't request this permission, you will not receive the broadcast at that time. Though holding this permission does not have any security implications, it can have a negative impact on the user experience by increasing the amount of time it takes the system to start and allowing applications to have themselves running without the user being aware of them. As such, you must explicitly declare your use of this facility to make that visible to the user.
      VIBRATE: Allows access to the vibrator.
      WAKE_LOCK: Allows using PowerManager WakeLocks to keep processor from sleeping or screen from dimming.
      com.android.vending.BILLING
      com.google.android.c2dm.permission.RECEIVE
      com.swiftkey.languageprovider.READLANG
      com.swiftkey.swiftkeyconfigurator.READCONFIG
      com.touchtype.swiftkey.permission.C2D_MESSAGE

      So does Swype

      http://forum.swype.com/showthr... [swype.com]

      Hi there, I just spotted Swype in the Google Play store and had exactly the same concerns.

      Outside of reading the dictionary, I would not have expected Swype to require any special permissions, and yet it wants a big long list of permissions:
      Record audio
      Get my approximate and precise location
      Read my text messages
      Full network access
      Pair with Bluetooth devices
      Read my contacts
      Read terms I've added to the dictionary
      Read call log
      Read phone status and identity
      Modify or delete the contents of my USB storage
      Find accounts on my device
      View network connections
      View wifi connections
      Access protected storage

      So does Google Keyboard

      https://www.xda-developers.com... [xda-developers.com]

      Let's take a look at what's going on here. First off, Google Keyboard has access to your own contact card, and accounts on your device. This means it has the ability to know who you are, and all of the Email (and other) accounts you have available on your device. That means it's possible for them to see what Google/Dropbox/ Twitter/Microsoft Exchange/Facebook accounts you have available on your phone. I have absolutely no idea why this is needed, nor why people are willing to give this information over.

      Next up, the app can read your contacts. That's fair enough-Google obviously want to add your contact names to the spell-checker and auto-complete databases. This makes sense, and is something justifiable for a keyboard. The ability to modify or delete the contents of USB storage is somewhat strange, but while it does allow access to all your data stored on your "SD card," there's unfortunately no real

      • And just think, I can install a third party keyboard on iOS and not allow it any of these permissions - or even network access.

        • Just like you can on Android. Users have to make smart choices.

          • by Karlt1 ( 231423 )

            Can you both tell it to not allow network access and still install it and it will run?

            Do you have to purposefully go into settings and enable network access or is that one of n number of permissions in an unintuitive list that people will just press okay?

            • You can't deny an app network access, except by not installing it. An Android app does need to request network permissions to access the network, so the user will be notified it can do this, but it's not a configurable permission. You have to uninstall the app to prevent it from accessing the network.

              • by Karlt1 ( 231423 )

                You can't deny network access in iOS either in general (only cellular access). But Apple has the good sense to make sure that installing a keyboard and allowing it network access had to be a very intentional act. You have to go to settings to do it. You can't just mindlessly click "Allow" based on a prompt.

      • I use MessageEase. The only permission it asks for is "Record Audio" so it can perform voice typing.

      • Re:Idiot users (Score:5, Informative)

        by AuMatar ( 183847 ) on Tuesday December 05, 2017 @01:52PM (#55681765)

        Having worked at Swype, I can tell you why most of those are there.

        Record audio- see the voice recognition button? Required for it to work. Lots of people like voice recognition

        Get my approximate and precise location- download dictionaries of local places that wouldn't be in the normal dictionary.

        Read my text messages- train autocorrect algorithms

        Full network access- upload dictionaries to the server/download your dictionaries to a new device. Also their whole theme download store.

        Pair with Bluetooth devices- bluetooth headsets

        Read my contacts- we scan your contacts to add the names to the dictionary, so it will allow you to type your friends' names.

        Read terms I've added to the dictionary- Swype has its own dictionary, but if you added any to the device's we want to add those to ours

        Read phone status and identity- literally this was to turn off typing noises when on speakerphone

        Modify or delete the contents of my USB storage- to allow you to store the dictionary on a connected device, if you wanted

        If you want a smooth app that integrates with the OS well, you're going to need a lot of permissions. There's just no way around it.

        • by sjames ( 1099 )

          It would be nice if the Android permissions could be better divided in places. As you point out, knowing the phone is off hook or ringing is legitimate for practically any app that generates sound, but they don't really need to know who is calling or being called. Unfortunately, asking for one without the other isn't possible so everyone gets the side eye.

          Likewise, a bunch of apps that need extra storage space end up making suspicious sounding requests to access photos, music, and videos when all they reall

          • by AuMatar ( 183847 )

            It would be. They seem to be going the other way though- bundling permissions in permission groups on the play store listings. At least now you can turn them on and off individually, and well written apps will still work.

    • " Eitan Fitusi, co-founder of AI.type ..."

          So, it uses AI to predictively suggest as you type. Seems like that would require network access. Not that I would install it. I turn off Google's default predictive typing for that exact reason.

      • by AuMatar ( 183847 )

        Actually it doesn't, that level of data can be stored on the client (and generally is). It's simple n-grams. Keeping it up to date would require network access.

  • by Anonymous Coward
    577 gigabytes!
    Great Scott!
  • by b0s0z0ku ( 752509 ) on Tuesday December 05, 2017 @12:38PM (#55681043)

    A keyboard CrAPPlet has no need for access to contact data, let alone to upload it to an outside server. There could be only two reasons: to spam, or to sell it.

    Either way, hope the company gets sued to Kingdom come and its founder ends up jailed.

    • by Anonymous Coward

      That is not entirely true. The names of people you know are there, including how to spell them. Surely a keyboard application could make use of that data.

  • "I'm in your keyboard, leaking your personal data."

  • Stupid quotes. (Score:5, Informative)

    by Fly Swatter ( 30498 ) on Tuesday December 05, 2017 @12:40PM (#55681057) Homepage

    A quote from within the article (yes someone read the article):

    "It raises the question once again if it is really worth it for consumers to submit their data in exchange for free or discounted products or services that gain full access to their devices,

    Like paying for the same app will really turn off that data collection. The question things like this really raise is if allowing any data collection at all, ever, should be allowed.

    • Google changed Android so that all apps have "internet" rights.
      Smart move, it's an advertisement company after all.

    • by Anonymous Coward

      "It raises the question once again if it is really worth it for consumers to submit their data in exchange for free or discounted products or services that gain full access to their devices,

      Free comes with a dick up your ass.
      - Future, 8 Mile

  • Was the person posting this article new, or was there some compelling reason not to disclose the app in question?

  • by HuskyDog ( 143220 ) on Tuesday December 05, 2017 @12:57PM (#55681221) Homepage
    So, 577 GB for 31 million users? That gives us about 18.6 MB per customer!!

    Clearly this is rather more than just some basic contact details and IP addresses and suggests that the bulk download of data from phones described in the article isn't just an occasional aberration.

    How come the Android OS even allows a keyboard app access to stored data in the first place?
  • by fishscene ( 3662081 ) on Tuesday December 05, 2017 @01:22PM (#55681425)
    I'm pretty sure the "leak" was the company collecting this information in the first place.
  • More like Google AI developer goldmine. "Pssstt...leave the backdoor open." But like everything wrong they do now, they'll bury it when their bots "just happen to find some random guy" on a hate speech rant in the comments of a news article. Why do you think a lot of Slashdot comments start out so messed up and unrelated? It gives Google and other search engines a reason to make it harder to find since the comments are a part of the article. The bots can claim ignorance. That's why a lot of decentralized medi
  • Even with all of Apple's recent fuck-ups I'm still happy to have an iPhone every time I read about yet another security breach on Android.

  • It doesn't do predictive text, but everything else. I find the Ctrl C and V very useful https://play.google.com/store/... [google.com]

    No permissions other than input.
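
The thread above keeps returning to one combination: a keyboard that holds "dangerous" permissions and can also open network sockets. As an added example (not code from any commenter or from the apps discussed), the following Python sketch audits an `AndroidManifest.xml` for that combination. The sample manifest and the `com.example.keyboard` package are constructed, and the `DANGEROUS` set is limited to permissions named in the thread's lists.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
IME_BIND = "android.permission.BIND_INPUT_METHOD"

# Dangerous-level Android permissions that appear in the lists quoted in the thread.
DANGEROUS = {
    "GET_ACCOUNTS", "READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE", "READ_SMS",
    "RECORD_AUDIO", "READ_CONTACTS", "READ_CALL_LOG", "READ_PHONE_STATE",
    "ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION",
}

# Constructed sample manifest for a hypothetical keyboard app (not a real app's).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.keyboard">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="com.android.vending.BILLING"/>
  <application>
    <service android:name=".Ime" android:permission="android.permission.BIND_INPUT_METHOD"/>
  </application>
</manifest>
"""

def audit_manifest(xml_text):
    """Group requested permissions and flag a keyboard that can also reach the network."""
    root = ET.fromstring(xml_text.strip())
    # An input method is declared as a service guarded by BIND_INPUT_METHOD.
    is_ime = any(s.get(ANDROID_NS + "permission") == IME_BIND for s in root.iter("service"))
    report = {"is_keyboard": is_ime, "network": False,
              "dangerous": [], "custom": [], "other": []}
    for elem in root.iter("uses-permission"):
        name = elem.get(ANDROID_NS + "name", "")
        prefix, _, short = name.rpartition(".")
        if prefix != "android.permission":
            report["custom"].append(name)      # vendor-defined, e.g. billing or push
        elif short == "INTERNET":
            report["network"] = True           # granted at install, no runtime prompt
        elif short in DANGEROUS:
            report["dangerous"].append(short)
        else:
            report["other"].append(short)
    # A keyboard sees typed text; with INTERNET that text can leave the device.
    report["input_can_leave_device"] = is_ime and report["network"]
    return report

if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
```
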
