A smartphone keyboard app — used by tens of millions of customers — allegedly stored personal details, precise location, friends' phone numbers, and even unencrypted passwords on a completely insecure server. In short — all the details were open to the public.
A joint report by Kromtech Alliance and ZDNet found keyboard apps from Ai.Type left data unsecured for more than 31 million users. Although Ai.Type apps are available on the iOS App Store, the exposed data appears to belong exclusively to Android users.
Tel Aviv-based Ai.Type is a startup which designs and develops personalized keyboards for iPhones and Android handsets. The company claims its app has been downloaded more than 40 million times, with additional keyboards that support over 40 languages from Farsi to Slovenian. These apps are installed over 1.5 million times per month, Ai.Type boasts on its website.
The seven-year-old company also claims that anything typed using its keyboards "stays encrypted and private." But this enormous leak has put that claim in serious doubt.
"Once again, a reckless software vendor has carelessly left its users' sensitive data available for anyone to grab," says Graham Cluley, a cybersecurity expert, to GearBrain.
The server used by Ai.Type's applications, owned by company co-founder Eitan Fitusi, was not protected with a password, according to cybersecurity experts — allowing free access to a claimed 577GB of sensitive information.
"Ai.Type accidentally exposed their entire 577GB Mongo-hosted database to anyone with an internet connection," says Bob Diachenko, chief communications officer at Kromtech Security Center. "This also exposed just how much data they access and how they obtain a treasure trove of data that average users do not expect to be extracted or data-mined from their phone or tablet."
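The failure described above, a MongoDB database reachable from the internet with no authentication, comes down to a couple of settings in the server configuration. The fragment below is an added illustration and not Ai.Type's actual configuration (the report does not say how or where the database was hosted); the internal address and certificate path are placeholders.

```yaml
# Weak configuration: this is what an exposed mongod typically looks like.
# No "security" block means authorization is disabled (mongod's default),
# and binding to 0.0.0.0 makes the database reachable from any network.
net:
  port: 27017
  bindIp: 0.0.0.0

---
# Hardened configuration: require a login and keep the listener off the public
# internet. An admin user must be created before clients can connect.
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5      # placeholder: loopback plus one internal interface
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem   # placeholder path
security:
  authorization: enabled          # every connection must authenticate
```

Enabling authorization is only half the fix: the listener must also be restricted to internal interfaces or a firewall, since a guessable or default credential on a publicly bound port is still an exposed database.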
Over half a terabyte of private data was exposed due to there being no password. (Image: iStock)
App developers are 'acting like chimpanzees at a tea party'
"The problem for millions of app users around the world is that we simply have no clue as to which developers are competent, and treating our privacy as a priority, and which are acting like chimpanzees at a tea party," Cluley told GearBrain.
Data including phone numbers, a user's name, their device name and model, network name, screen resolution, user language and Android version are reportedly compromised — as well as extraordinary details that many users likely never knew the app could see.
Ai.Type helped itself (once given permission by the user, often without a second thought) to the phone's IMEI number, as well as links to the user's social media pages and profile images, their exact location in real-time, along with every contact stored on their device.
Worst of all, researchers claimed the app stored — and uploaded to the insecure server — text entered into the keyboard, such as phone numbers, private and sensitive information, web search terms, email addresses and their corresponding passwords.
A wakeup call
"This is once again a wakeup call for any company that gathers and stores data on their customers to protect, secure, and audit their data privacy practices," says Alex Kernishniuk, vice president of strategic alliances at Kromtech, which helped to uncover the leak.
For now, the possibility that anyone who downloaded the keyboard apps had all of their phone data exposed publicly online is a "logical" thought, adds Kromtech's Diachenko.
"This presents a real danger for cyber criminals who could commit fraud or scams using such detailed information about the user," he says. "It raises the question once again if it is really worth it for consumers to submit their data in exchange for free or discounted products or services that gain full access to their devices."