Personal info of 31 million people leaked by popular virtual keyboard Ai.type

By now you have probably heard this happened. This is a shocking leak, and exactly the kind of thing that proves the point I was making about facial recognition data. There were objections to the headline of the Washington Post article about ‘Apple sharing face data with apps’, objections along the lines that it’s actually you who shares the data. As ever, the truth is in the middle. Decisions are made at the source to make such things possible, but yes, you can opt not to use third-party apps that need private data to operate. There are indeed warnings on the box, as there were in this case.

It made me think of Smile Software’s borderline flippant help article about the scary keyboard warning for allowing full access to keyboards. Ultimately, that article explains the need for the warning, although I’m not sure they do themselves any favours with the headline. This keyboard app is a case study that makes the point with an exclamation mark. It is a fuck-up of the highest order,

the app’s database server was left online without any form of authentication. This meant anyone could access the company’s treasure-trove of personal information, which totals more than 577 gigabytes of data, without needing a password.

Yes, you read that right. It gets worse,

Some information is worryingly personal. It contains the precise location of the user, their phone number and cell provider, and according to Whittaker, the user’s IP address and ISP, if they use the keyboard while connected to Wi-Fi.

For reasons unclear, it also uploaded a list of each app installed on the phone, allowing the makers to, in theory, determine what banking and dating apps were being used.

Ai.type effectively enumerated the device it was being used on. It also uploaded hundreds of millions of phone numbers and e-mail addresses, suggesting that the keyboard was accessing the users’ contact information.

Apparently this affected mostly free users, which should[1] serve as a good illustration of the adage that if you’re not paying for a product, you are the product.

Here is some more detail. Please — for the love of god — read those permission messages and think about the access an app has to what, and why. Stay safe.

  1. But won’t