Personal data belonging to more than 31 million users of a third-party smartphone keyboard app called ai.type were exposed after being left in an unprotected database reachable from the internet.
In total, nearly 580 gigabytes of user records were left visible in a MongoDB database after the app’s Israel-based developer failed to use some form of authentication to secure its database server.
The developer’s keyboard apps boast 40 million users across Android and iOS, but only Android users were affected by the security lapse.
CEO and founder of ai.type, Eitan Fitusi, was later reported as having secured the data with a password after being alerted to the issue several times. Before that happened, however, the treasure trove of information was there waiting to become ‘manna from heaven’ for electronic miscreants.
Perhaps just as worrying, however, is the sheer scope of information sucked up by the on-screen keyboard app, which offers an alternative to the standard smartphone keyboards.
Reports suggest that the personal information left visible runs the whole gamut, apparently varying according to whether the user had installed the app’s free or paid version. The information collected included users’ full names, email addresses, location data, the device’s IMSI and IMEI numbers, its make and model, Android version, details from users’ public Google profiles, and the contents of users’ address books.
Also found was a database table containing over 8.6 million entries of text that had been entered on the keyboard and that reportedly included email addresses and their passwords.
Meanwhile, Fitusi was quoted as saying that the data in jeopardy had not been as extensive as claimed and that the app is not snooping on users.
"It was a secondary database," he told the BBC of the reports, adding that the geo-location data was not accurate, that no IMEI information had been hoovered up, and that the user behavior collected by the company involved only which ads they clicked.
In response to such data collection practices, ESET security specialist Mark James said that “that in itself is a massive hoard of data to hold on a well secured server away from harm’s reach, but sadly that was just not so”.
“The database was not configured correctly and thus enabled full access from the internet to all the data being held, making it essentially free for all access,” he added.
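The misconfiguration described above comes down to two mongod.conf settings: access control left off and the server listening on every interface. The following audit script, added here as an illustration and not code from ai.type or from MongoDB, flags both conditions; the two config texts are constructed examples, and the minimal parser assumes the plain two-level layout mongod.conf uses.

```python
"""Audit a mongod.conf for the two settings whose absence leaves a
MongoDB instance open to anyone on the internet: authorization and
network binding. Constructed example; the configs are not ai.type's."""


def parse_simple_yaml(text):
    """Minimal parser for the 'section:' / '  key: value' layout of
    mongod.conf. Assumption: no lists, quoting or deeper nesting."""
    cfg, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop trailing comments
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        if raw.startswith((" ", "\t")) and section is not None:
            cfg[section][key] = value.strip()
        else:
            section = key
            cfg.setdefault(section, {})
    return cfg


def audit_mongod_conf(text):
    """Return a list of findings; an empty list means both checks pass."""
    cfg = parse_simple_yaml(text)
    findings = []
    # MongoDB ships with authorization disabled unless explicitly enabled.
    if cfg.get("security", {}).get("authorization", "disabled").lower() != "enabled":
        findings.append("security.authorization not enabled: any client that "
                        "reaches the port gets full read/write access")
    # MongoDB 3.6+ binds to localhost by default (assumed here); binding to
    # 0.0.0.0/:: or setting bindIpAll exposes the port to every interface.
    net = cfg.get("net", {})
    bind = [ip.strip() for ip in net.get("bindIp", "127.0.0.1").split(",")]
    if net.get("bindIpAll", "false").lower() == "true" or "0.0.0.0" in bind or "::" in bind:
        findings.append("mongod listens on all interfaces: reachable from the "
                        "internet unless a firewall blocks port 27017")
    return findings


# Constructed sample configs: the exposed pattern and its hardened form.
EXPOSED_CONF = """
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0   # every interface, and no security section at all
"""

HARDENED_CONF = """
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(conf) or "OK")
```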
Another keyboard app, SwiftKey, had its share of security issues last July after it was reported that some users had received predictive text messages intended for other people, including email addresses and phone numbers. Blaming the glitch on a bug in the keyboard’s synchronization program, the app’s maker temporarily suspended cloud syncing.
Users are advised to exercise caution when installing mobile apps. This is, perhaps, doubly the case with keyboard apps which, by their very nature, have access to all data typed by users, including the most sensitive of information, such as passwords and credit card details.