AI.Type Keyboard’s User Database Was Left Unprotected
The AI.Type Keyboard, one of many new-generation smart keyboards available for both the Android and iOS platforms, was recently reported to have potentially exposed its 577 GB database full of user information. The Kromtech Security Center discovered that AI.Type’s MongoDB database was accessible from the Internet and, worse, did not have a password. Security researchers were able to access the full database, download or information. By information, here we mean usernames, device names and models, phone numbers, IMEI numbers, email addresses, the county of residence, IP address and location details, social media links and contact information. In other words, a bucket of data about users of the AI.Type Keyboard… for over thirty-one million users.
The scope of the potential leak is at least eyebrow-raising, but I suppose there’s some comfort in that the information was discovered by an Internet security firm rather than a hacker – at least, as far as we can tell! In response to a negative review of the keyboard on the Google Play Store, the AI.Type developer replied, explaining that the keyboard did not request location information so this was not exposed, and “the leak is completely fixed.”
Should a keyboard log so much information about users? This opens up another argument. You see, the industry has pushed the development of smarter software keyboards. Smart keyboards learn how we use them, which enhances the accuracy of the prediction engine. They learn how we use them by watching what we type and adapting, and some by looking at what we have typed and written elsewhere. This is how the keyboard can identify a word we have typed that it might otherwise not understand. A consequence of this is that the keyboard generates data, which is typically stored in a cloud-based database somewhere. Personally, when I am not using my Apple wireless keyboard I am using Gboard, Google’s own keyboard, and as you can see from the screen image here, Gboard uses a substantial amount of Wi-Fi data. The data shuffling backwards and forwards between the app and the Google server is maintaining and improving the personal database for my particular profile.
Should this bother you? Perhaps. We allow companies – and ultimately advertisers – access to the amount of information our smartphone logs about us because in return, we benefit from a “free” application or service. AI.Type Keyboard’s developer appears to have made a fundamental error; let’s hope the information wasn’t already leaked.