Virtual Keyboard App Reveals Data Of 31m Android Users

A popular virtual keyboard app for Android, Ai.type, is at the centre of a massive data breach, after researchers discovered an open database online.

The database contained the personal data of 31 million Android users, and it apparently exposed the names, phone numbers, locations and Google queries of the users.

The discovery has led to questions about the ‘unacceptable’ amount of data that app developers are harvesting from their users.

Social Networking Data

The discovery of the mammoth trove of personal data was made by Bob Diachenko of the Kromtech Security Centre (part of security specialists Mackeeper).

“The Kromtech Security Center has discovered a massive amount of customer files leaked online and publically available,” blogged Diachenko.

“Researchers were able to access the data and details of 31,293,959 users. The misconfigured MongoDB database appears to belong to Ai.Type a Tel Aviv-based startup that designs and develops a personalized keyboard for mobile phones and tablets for both Android and iOS devices.

He pointed out that the misconfigured MongoDB database appears to belong to Tel Aviv-based Ai.Type, which designs and develops a personalised keyboard for mobile phones and tablets for both Android and iOS devices.

The firm was established in 2010 and since that time, its flagship product for Android was downloaded about 40 million times from the Google Play store.

“Ai.Type accidentally exposed their entire 577GB Mongo-hosted database to anyone with an internet connection,” he added. “This also exposed just how much data they access and how they obtain a treasure trove of data that average users do not expect to be extracted or data mined from their phone or tablet.”

According to Diachenko, this leaked information includes telephone numbers, full name of the owner, device name and model, mobile network name, SMS number, screen resolution, user languages enabled, Android version, IMSI number (international mobile subscriber identity used for interconnection), IMEI number (a unique number given to every single mobile phone), emails associated with the phone, country of residence, and perhaps most damaging information associated with the social media profiles (birthdate, title, emails etc.) and photo (links to Google+, Facebook etc.), IP (if available), location details (long/lat).

Company Response

“Theoretically, it is logical that anyone who has downloaded and installed the Ai.Type virtual keyboard on their phone has had all of their phone data exposed publicly online,” warned Diachenko.

“This presents a real danger for cyber criminals who could commit fraud or scams using such detailed information about the user,” he rightly pointed out. “It raises the question once again if it is really worth it for consumers to submit their data in exchange for free or discounted products or services that gain full access to their devices.”

However the boss of Ai.Type, whilst he admitted the breach, said that most of the data was not sensitive.

Eitan Fitusi, chief executive and founder of Ai.type, told the BBC the amount of data exposed was not as extensive as claimed.

“It was a secondary database,” he reportedly said of the discovery.

He added that the geo-location data was not accurate; there was no IMEI information; and the user behaviour collected by the company involved only which ads they clicked.

Fitusi did confirm that the database has now been shut down and he reportedly said he was “confident” about the company’s security.

Does IoT security concern you?

  • Yes (89%)
  • No (11%)

Loading ...

Not Acceptable

But security analysts were quick to warn of the amount of information that mobile apps gather about users, and said the practice was not acceptable.

“One of the biggest problem’s currently with how mobile programs and applications work is the request for information that the program will have access to while it’s on your device,” said Mark James, security specialist at ESET.

“Sadly your only choice is do you or don’t you want to install it; if the answer is yes then you have accept all the conditions often without realising exactly what it entails; in this case, the amount of data being sent to an unknown uncontrollable server is staggering. To harvest full name, phone number, email address, device name, screen resolution, model details along with so much more personal info, and to then find out that users entire contacts list is also being uploaded is not acceptable.”

“That in itself is a massive horde of data to hold on a well secured server away from harms reach, but sadly that was just not so,” said James. “The database was not configured correctly and thus enabled full access from the internet to all the data being held, making it essentially free for all access.”

Do you know all about security in 2017? Try our quiz!

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...

Recent Posts

Intel Adds Two Chip Veterans To Board, Amid Search For New CEO

Two chip veterans named for Intel's board of directors, amid reports of expertise gap after…

1 day ago

Waymo To Expand Ride-Hailing Service To Miami

Another major city in the United States is to receive Alphabet's Waymo ride-hailing service, with…

1 day ago

Meta To Spend $10 Billion On Largest Data Centre To Date

Facebook parent confirms its 23rd data centre in the US will be located in Louisiana,…

2 days ago

Musk’s Neuralink Animal Lab Cited For ‘Objectionable Conditions’

Federal regulator reportedly cites animal lab at Elon Musk's Neuralink for “objectionable conditions or practices”

2 days ago

Trump Nominates Cryptocurrency Advocate Paul Atkins As SEC Chair

President-elect Donald Trump nominates a new chairman to head the SEC, who is a noted…

2 days ago