Date: 2017-12-05
A Popular Virtual Keyboard App Leaks 31 Million Users' Personal Data (zdnet.com)
Zack Whittaker, writing for ZDNet: Personal data belonging to over 31 million customers of a popular virtual keyboard app has leaked online, after the app's developer failed to secure the database's server. The server is owned by Eitan Fitusi, co-founder of AI.type, a customizable and personalizable on-screen keyboard, which boasts more than 40 million users across the world. But the server wasn't protected with a password, allowing anyone to access the company's database of user records, totaling more than 577 gigabytes of sensitive data. The database appears to only contain records on the app's Android users.
But the server wasn't protected with a password,
Would you like to install this keyboard that requires access to the network?
Security updates are handled by the OS, not the keyboard. Anyone claiming the keyboard needs Internet for security updates is an obvious scammer.
Most of them do unfortunately. E.g. SwiftKey does. Also SwiftKey used to be an indie dev house but that got bought by Microsoft. It'd be nice to think that Microsoft selflessly love Android users and want to support a good keyboard application for Android and iOS even though they are competitors to Windows Phone. However it's more likely that they bought it because it had a bunch of user data they could monetize in various dubious ways.
https://swiftkey-keyboard.file... [fileplanet.com]
Potentially dangerous permissions
GET_ACCOUNTS: Allows access to the list of accounts in the Accounts Service.
READ_EXTERNAL_STORAGE: Allows an application to read from external storage.
READ_SMS: Allows an application to read SMS messages.
WRITE_EXTERNAL_STORAGE: Allows an application to write to external storage.
Other permissions
ACCESS_NETWORK_STATE: Allows applications to access information about networks.
ACCESS_WIFI_STATE: Allows applications to access information about Wi-Fi networks.
INTERNET: Allows applications to open network sockets.
RECEIVE_BOOT_COMPLETED: Allows an application to receive the ACTION_BOOT_COMPLETED that is broadcast after the system finishes booting. If you don't request this permission, you will not receive the broadcast at that time. Though holding this permission does not have any security implications, it can have a negative impact on the user experience by increasing the amount of time it takes the system to start and allowing applications to have themselves running without the user being aware of them. As such, you must explicitly declare your use of this facility to make that visible to the user.
VIBRATE: Allows access to the vibrator.
WAKE_LOCK: Allows using PowerManager WakeLocks to keep processor from sleeping or screen from dimming.
com.android.vending.BILLING
com.google.android.c2dm.permission.RECEIVE
com.swiftkey.languageprovider.READLANG
com.swiftkey.swiftkeyconfigurator.READCONFIG
com.touchtype.swiftkey.permission.C2D_MESSAGE
So does Swype
http://forum.swype.com/sh [swype.com]
And just a thought, I can install a third party keyboard on iOS and not allow it any of these permissions - or even network access.
Just like you can on Android. Users have to make smart choices.
I use MessageEase. The only permission it asks for is "Record Audio" so it can perform voice typing.
"Eitan Fitusi, co-founder of AI.type ..."
So, it uses AI to predictively suggest as you type. Seems like that would require network access. Not that I would install it. I turn off Google's default predictive typing for that exact reason.
A keyboard CrAPPlet has no need for access to contact data, let alone to upload it to an outside server. There could be only two reasons: to spam, or to sell it.
Either way, hope the company gets sued to Kingdom come and its founder ends up jailed.
"I'm in your keyboard, leaking your personal data."
A quote from within the article (yes someone read the article):
"It raises the question once again if it is really worth it for consumers to submit their data in exchange for free or discounted products or services that gain full access to their devices,
Like paying for the same app will really turn off that data collection. The question things like this really raise is if allowing any data collection at all, ever, should be allowed.
Google changed Android so that all apps have "internet" rights.
Smart move, it's an advertisement company after all.
Was the person posting this article new, or was there some compelling reason not to disclose the app in question?
co-founder of AI.type, a customizable and personalizable on-screen keyboard
It's in the summary silly.
I had to look it up elsewhere. Apparently, it's the company AI.type [aitype.com], based in Tel Aviv.
It was in the summary. The keyboard in question is AI.type [aitype.com].
It’s in the second sentence. Do you have the attention span of a gnat?
Clearly this is rather more than just some basic contact details and IP addresses and suggests that the bulk download of data from phones described in the article isn't just an occasional aberration.
How come the Android OS even allows a keyboard app access to stored data in the first place?
How come the Android OS even allows a keyboard app access to stored data in the first place?
Because the user allowed it.
It's a complete log of everything ever entered using that app.
You know.
Like URLs, usernames and passwords.
