By Tomáš Foltýn
Personal data belonging to more than 31 million
users of a third-party smartphone keyboard app called ai.type were exposed
online because the database holding it was left unprotected.
In total, nearly 580 gigabytes of user records were
left visible in a MongoDB database after the app’s
Israel-based developer failed to require any form of authentication on its database server.
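The failure described here is a familiar one: a mongod that listens on every interface with authorization disabled answers any query from anyone who can reach port 27017. The following mongod.conf fragment is an added illustration and is not ai.type’s actual configuration, which has not been published; the first document shows the exposed shape, the second the minimum hardening, and the bind addresses and file path are assumptions.

```yaml
# Added example, not ai.type's configuration. Addresses and paths are assumed.

# --- Exposed shape: reachable from the internet, no credentials required ---
net:
  port: 27017
  bindIp: 0.0.0.0          # listens on every interface, including the public one
# no 'security' section, so security.authorization defaults to disabled

---
# --- Hardened shape ---
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus the app server's private address (assumed)
  tls:                         # 'net.tls' needs MongoDB 4.2+; older releases use 'net.ssl'
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongod.pem   # assumed path
security:
  authorization: enabled       # every connection must authenticate before it can read
```

With authorization enabled, an unauthenticated client that runs `listDatabases` receives an "unauthorized" error instead of the list of databases, which is the quickest external check that the change took effect. The first administrative user still has to be created, which mongod allows over the localhost exception before any users exist; after that, the port should also be filtered at the network edge rather than relying on bindIp alone.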
The developer’s keyboard apps boast 40 million
users across Android and iOS, but only Android
users were affected by the security lapse.
CEO and founder of ai.type, Eitan Fitusi, was later
reported as having secured the data with a password after
being alerted to the issue several times. Until then, however, the
trove of information sat open to anyone who found it, ready to become ‘manna from heaven’
for electronic miscreants.
Perhaps just as worrying, however, is the sheer
scope of information collected by the on-screen keyboard app, which offers an
alternative to the standard smartphone keyboards.
Reports suggest that the exposed personal
information varied widely, apparently depending in part on whether
the user had installed the free or the paid version of the app. The information
collected included users’ full names, email addresses, location data, a
device’s IMSI and IMEI numbers, its make and model, Android version, details
from users’ public Google profiles, and the contents of users’ address books.
Also found was a database table containing over 8.6
million entries of text that had been entered on the keyboard and that
reportedly included email addresses and their passwords.
Meanwhile, Fitusi was quoted
as saying that the data in jeopardy had not been as extensive as claimed and
that the app is not snooping on users.
“It was a secondary database,” he told the BBC of
the reports, adding that the geo-location data was not accurate, that no IMEI
information had been hoovered up, and that the
user behavior collected by the company involved only which ads they clicked.
In response to such data collection practices, ESET
security specialist Mark James said that “that in itself is a massive hoard of
data to hold on a well secured server away from harm’s reach, but sadly that
was just not so”.
“The database was not configured correctly and thus
enabled full access from the internet to all the data being held, making it
essentially free for all access,” he added.
Another keyboard app, SwiftKey, had its share of
security issues last July after it was reported that some users had received predictive text suggestions
intended for other people, including email addresses and phone numbers. Blaming
the glitch on a bug in the keyboard’s synchronization feature, the app’s maker
temporarily suspended cloud syncing.
Users are advised to exercise caution when installing mobile apps. This is, perhaps, doubly
the case with keyboard apps which, by their very nature, have access to all
data typed by users, including the most sensitive of information, such as
passwords and credit card details.