Data on 31 million users leaked by smartphone keyboard app

News by Teri Robinson

After the developer of virtual keyboard app Ai.Type left a 577GB Mongo-hosted database unsecured, personal data on more than 31 million customers was exposed to anyone who has an internet connection.

After the developer of virtual keyboard app Ai.Type left a 577GB Mongo-hosted database unsecured, personal data on more than 31 million customers was exposed to anyone who has an internet connection, according to a blog post by Kromtech Security Center whose researchers discovered the leaky database. 

Information exposed included phone numbers, owners' names, devices, mobile networks, SMS numbers, email addresses, data associated with social media accounts and more, researchers discovered.

“This also exposed just how much data they access and how they obtain a treasure trove of data that average users do not expect to be extracted or datamined from their phone or tablet,” according to the blog post.

"This breach highlights how vulnerable we are to apps or third-party tools that may be sloppy or reckless with security,” said Ray DeMeo, cofounder and chief officer at Virsec Systems. “Consumers are also notorious for choosing convenience over security and blithely allowing apps to have ‘full access' to anything on their phones.”

The bulk of users “never read the app permissions disclosure when downloading an app and they don't realise they are giving away access to almost everything including many areas the app publisher has no legitimate use for, but a few more damaging leaks like this one and that may change,” said John Gunn, chief marketing officer at VASCO Data Security. "Before, people only had to worry about their own gullibility, now users have to also worry about naive friends giving up their data to irresponsible and over-reaching app publishers."

Jeff Williams, CTO and cofounder of Contrast Security, called for the FCC to go after the app's author for making fraudulent claims about the product. 

“The fact that the author promised encryption and better security and completely failed to deliver is a serious problem,” said Williams. “How can consumers protect themselves, if marketing is free to claim anything without consequences for lying?” 

Better still “would be if app vendors were not only held to their claims, but were *required* to disclose basic security information about their products,” said Williams. “I see no other way to fix the broken software market.” 

DeMeo called for a shift “to a much more defensive security model: assume all but the most trusted apps and vendors are likely to be careless and get breached,” cautioning users not to voluntarily hand over personal data or “allow untrusted apps to access other data on your devices."

Javvad Malik, security advocate at AlienVault said: "It is concerning that a keyboard app is collecting excessive data from users which isn't needed for its operation. Unfortunately, many companies will opt to gather as much data as possible from its users that can be analysed or sold onto third parties.

The fact that this breach occurred via a misconfigured MongoDB database is not all that surprising. We've seen a rise in incidents where data is breached from misconfigured services, of which Amazon S3 buckets are amongst the most common.

It highlights the importance of companies to have cloud security expertise, and the right cloud monitoring tools in order to gain assurance that misconfigurations and security vulnerabilities aren't left in the environment."

Mark James, security specialist at ESET said: "One of the biggest problem's currently with how mobile programs and applications work is the request for information that the program will have access to while it's on your device. Sadly your only choice is do you or don't you want to install it; if the answer is yes then you have accept all the conditions often without realising exactly what it entails; in this case, the amount of data being sent to an unknown uncontrollable server is staggering. To harvest full name, phone number, email address, device name, screen resolution, model details along with so much more personal info, and to then find out that users entire contacts list is also being uploaded is not acceptable.

"That in itself is a massive horde of data to hold on a well secured server away from harms reach, but sadly that was just not so. The database was not configured correctly and thus enabled full access from the internet to all the data being held, making it essentially free for all access.

"Sadly these days there is no such thing as free, often our price is data upload, some of course is necessary for the app to do its job but more often than not it's simply not the case. In an ideal world we should have full control over what we allow any device to harvest and choose whether we want to hand it over.

"Always evaluate the permissions before you install any programs or applications, as with so many choices these days it can sometimes pay dividends to pick and choose your apps wisely."

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews