Zack Whittaker, writing for ZDNet: Personal data belonging to over 31 million customers of a popular virtual keyboard app has leaked online, after the app's developer failed to secure the database's server. The server is owned by Eitan Fitusi, co-founder of AI.type, a customizable and personalizable on-screen keyboard, which boasts more than 40 million users across the world. But the server wasn't protected with a password, allowing anyone to access the company's database of user records, totaling more than 577 gigabytes of sensitive data. The database appears to only contain records on the app's Android users.

  • But the server wasn't protected with a password,

  • Would you like to install this keyboard that requires access to the network?

    No.

    • Most of them do unfortunately. E.g. SwiftKey does. Also SwiftKey used to be an indie dev house but that got bought by Microsoft. It'd be nice to think that Microsoft selflessly love Android users and want to support a good keyboard application for Android and iOS even though they are competitors to Windows Phone. However it's more likely that they bought it because it had a bunch of user data they could monetize in various dubious ways.

      https://swiftkey-keyboard.file... [fileplanet.com]

      Potentially dangerous permissions
      GET_ACCOUNTS: Allows access to the list of accounts in the Accounts Service.
      READ_EXTERNAL_STORAGE: Allows an application to read from external storage.
      READ_SMS: Allows an application to read SMS messages.
      WRITE_EXTERNAL_STORAGE: Allows an application to write to external storage.
      Other permissions
      ACCESS_NETWORK_STATE: Allows applications to access information about networks.
      ACCESS_WIFI_STATE: Allows applications to access information about Wi-Fi networks.
      INTERNET: Allows applications to open network sockets.
      RECEIVE_BOOT_COMPLETED: Allows an application to receive the ACTION_BOOT_COMPLETED that is broadcast after the system finishes booting. If you don't request this permission, you will not receive the broadcast at that time. Though holding this permission does not have any security implications, it can have a negative impact on the user experience by increasing the amount of time it takes the system to start and allowing applications to have themselves running without the user being aware of them. As such, you must explicitly declare your use of this facility to make that visible to the user.
      VIBRATE: Allows access to the vibrator.
      WAKE_LOCK: Allows using PowerManager WakeLocks to keep processor from sleeping or screen from dimming.
      com.android.vending.BILLING
      com.google.android.c2dm.permission.RECEIVE
      com.swiftkey.languageprovider.READLANG
      com.swiftkey.swiftkeyconfigurator.READCONFIG
      com.touchtype.swiftkey.permission.C2D_MESSAGE

      So does Swype

      http://forum.swype.com/sh [swype.com]

    • "Eitan Fitusi, co-founder of AI.type ..."

          So, it uses AI to predictively suggest as you type. Seems like that would require network access. Not that I would install it. I turn off Google's default predictive typing for that exact reason.

  • that's a lot of user data (Score:1)

    by Anonymous Coward
    577 gigabytes!
    Great Scott!

  • A keyboard CrAPPlet has no need for access to contact data, let alone to upload it to an outside server. There could be only two reasons: to spam, or to sell it.

    Either way, hope the company gets sued to Kingdom come and its founder ends up jailed.

  • "I'm in your keyboard, leaking your personal data."

  • Stupid quotes. (Score:3)

    by Fly Swatter ( 30498 ) on Tuesday December 05, 2017 @12:40PM (#55681057)

    A quote from within the article (yes someone read the article):

    "It raises the question once again if it is really worth it for consumers to submit their data in exchange for free or discounted products or services that gain full access to their devices,

    Like paying for the same app will really turn off that data collection. The question things like this really raise is if allowing any data collection at all, ever, should be allowed.

  • Was the person posting this article new, or was there some compelling reason not to disclose the app in question?

  • So, 577 GB for 31 million users? That gives us about 18.6 MB per customer!!

    Clearly this is rather more than just some basic contact details and IP addresses and suggests that the bulk download of data from phones described in the article isn't just an occasional aberration.

    How come the Android OS even allows a keyboard app access to stored data in the first place?

    • Re: (Score:2)

      by sinij ( 911942 )

      How come the Android OS even allows a keyboard app access to stored data in the first place?

      Because the user allowed it.

    • It's 18.6k. Only off by a thousandfold. But even if all they collect is text entry (it's a keyboard app), that's a lot of info they should never have. The whole Android ecosystem as it currently exists needs to die in a fire.

    • Re: (Score:2)

      by Calydor ( 739835 )

      It's a complete log of everything ever entered using that app.

      You know.

      Like URLs, usernames and passwords.

  • I'm pretty sure the "leak" was the company collecting this information in the first place.

