Third-party Android and iOS keyboard ai.type is at the center of something of a privacy nightmare after a misconfigured database leaked the personal details of more than 31 million of its users.
Researchers at Kromtech Security Center discovered an unprotected database had been exposed by developers, revealing incredibly detailed information about its users. The database was found to be freely available for anyone to download, with no password required to access a treasure trove of information.
While the personalization features offered by ai.type certainly require some data to be collected about users, questions have been raised about just how far-reaching this data collection has been. Installing the app on an iPhone requires "Full access" for it to work, granting it access to a massive amount of information, including past keyboard data.
The Kromtech Security Center reveals the lengthy list of data exposed by the leak:
Phone number, full name of the owner, device name and model, mobile network name, SMS number, screen resolution, user languages enabled, Android version, IMSI number (international mobile subscriber identity used for interconnection), IMEI number (a unique number given to every single mobile phone), emails associated with the phone, country of residence, links and the information associated with the social media profiles (birthdate, title, emails etc.) and photo (links to Google+, Facebook etc.), IP (if available), location details (long/lat).
The 577GB database included the details of 31,293,959 users, and in many cases this included data scraped from contact lists. Speaking to the BBC, however, ai.type's founder and chief executive, Eitan Fitusi, referred to the leaked database as "a secondary database," and denied that the scale of exposed data was as high as claimed. In particular, he denied that IMEI information was collected, said the collected geo-location data was not accurate, and pointed out that user behavior data was only collected from ads that were clicked.
But Fitusi's claims are very much at odds with the findings of the Kromtech Security Center.
Mark James, a security specialist from ESET, expressed surprise at just how much data was collected, and advised users to exercise caution:
"To harvest full name, phone number, email address, device name, screen resolution, model details along with so much more personal info, and to then find out that users' entire contacts list is also being uploaded is not acceptable. That in itself is a massive horde of data to hold on a well secured server away from harm's reach, but sadly that was just not so. The database was not configured correctly and thus enabled full access from the internet to all the data being held, making it essentially free for all access.
Sadly, these days there is no such thing as free; often our price is data upload. Some of course is necessary for the app to do its job, but more often than not it’s simply not the case. In an ideal world we should have full control over what we allow any device to harvest and choose whether we want to hand it over. Always evaluate the permissions before you install any programs or applications, as with so many choices these days it can sometimes pay dividends to pick and choose your apps wisely."