Data of 31 million users of iPhone add-on keyboard ai.type potentially leaked

Posted in iOS, edited December 2017
Conflicting accounts have emerged about a security breach involving the ai.type add-on keyboard for iOS and Android, with researchers claiming that 31 million people's data has been compromised -- with a user's contacts also potentially included in the leak.




The Kromtech Security Center discovered on Tuesday that a MongoDB database used to collect data on ai.type keyboard users was misconfigured, and was available on the internet. Contained in the database is reportedly "data and details of 31,293,959 users" of the ai.type keyboard.

According to the researchers, user information includes phone numbers, full names, device name and model, mobile network name, SMS number, screen resolution, user languages enabled, Android version, IMSI number, IMEI number, emails associated with the phone, country of residence, links and the information associated with the social media profiles including birthdates and photos, IP, and location details.

Making the situation worse, it appears that 6.4 million records contained data gleaned from a user's Contacts, including names and phone numbers, leading to a total of 373 million records in the briefly publicly available database.




Other information in the database includes average messages per day, words per message, and ages of users.

"It is logical that anyone who has downloaded and installed the Ai.Type virtual keyboard on their phone has had all of their phone data exposed publicly online. This presents a real danger for cyber criminals who could commit fraud or scams using such detailed information about the user," said Kromtech's Head of Communications Bob Diachenko. "It raises the question once again if it is really worth it for consumers to submit their data in exchange for free or discounted products or services that gain full access to their devices."

Upon installation, ai.type asks for "Full Access." If permission is granted, the add-on keyboard can transmit absolutely anything typed through the keyboard to the developer. However, the company claims that it will never use personal information it collects -- but if Kromtech is correct, the company appears to have stored a fair amount of information from the user's device anyhow.

Ai.type tells a different story about the data contained in the database -- but does not deny that a database was available publicly for a period of time.

Speaking to the BBC, Chief Executive Eitan Fitusi says that the stolen information was a "secondary database." Additionally, he claims that the IMEI information was never collected by the company, user data collected only involves what ads are clicked by the user, and that the location data wasn't accurate.

Fitusi claims that the database has been secured since the breach.

The company that found the database, Kromtech, is the company that develops and sells the poorly regarded MacKeeper suite of applications.

Comments

  • Reply 1 of 40
    jbdragon Posts: 1,903 member
    Well, I'm glad I'm not using this Keyboard.  This crap is exactly why Apple forces their own keyboard when you go to type in a Password.  Because at least that Data is safe.  Why would you collect all this Data if you were not using it?  Just for the hell of it?  How are you making money if the Keyboard is free?  Makes no sense.

  • Reply 2 of 40
    If I read the article correctly, the mention of "31 million iPhone users" is misleading.  I expect that vast majority of those users are, in fact, Android owners.  I doubt there are 31 million iPhone numbers who have tried any alternative keyboards to date.

    I do like the (well deserved) dig at Kromtech in the last line, however.
  • Reply 3 of 40
    gatorguy Posts: 19,399 member
    If I read the article correctly, the mention of "31 million iPhone users" is misleading.  I expect that vast majority of those users are, in fact, Android owners.  I doubt there are 31 million iPhone numbers who have tried any alternative keyboards to date.

    I do like the (well deserved) dig at Kromtech in the last line, however.
    On the Play Store the free version shows 5M (but could be up to less than 10M) downloads and the premium ad-free one show 100K. 
    https://play.google.com/store/apps/details?id=com.aitype.android.emojinew&hl=en
  • Reply 4 of 40
    Rayz2016 Posts: 4,456 member
    gatorguy said:
    If I read the article correctly, the mention of "31 million iPhone users" is misleading.  I expect that vast majority of those users are, in fact, Android owners.  I doubt there are 31 million iPhone numbers who have tried any alternative keyboards to date.

    I do like the (well deserved) dig at Kromtech in the last line, however.
    On the Play Store the free version shows 5M (but could be up to less than 10M) downloads and the premium ad-free one show 100K. 
    https://play.google.com/store/apps/details?id=com.aitype.android.emojinew&hl=en
    I thought Android had more than one App Store.

  • Reply 5 of 40
    People whine about Apple’s “walled garden.” I prefer to stay in the garden and avoid most of these issues. And when problems do arise, they get fixed quickly. Enjoy your cool hacks. 
  • Reply 6 of 40
    Soli Posts: 8,403 member
    As a general rule I don't install any 3rd-party keyboard, but damn.
  • Reply 7 of 40
    I find it interesting that some iPhone users, despite having to cough up a significant buck to buy the hardware, are willingly forfeiting some of the most important features iOS offers, by installing useless (ok, that may be too far, but I sincerely fail to recognize the relevance of the so called alternative, or 'pro', keyboards) adware. I don't know shit about Android (despite my monthly janitor function on my mother's device) so I won't go there, but it surprises me that such information could be gleaned from an iOS app, even with user consent. Isn't it against Apple policies to even ask for access not relevant to the app function?
  • Reply 8 of 40
    gatorguy Posts: 19,399 member
    Rayz2016 said:
    gatorguy said:
    If I read the article correctly, the mention of "31 million iPhone users" is misleading.  I expect that vast majority of those users are, in fact, Android owners.  I doubt there are 31 million iPhone numbers who have tried any alternative keyboards to date.

    I do like the (well deserved) dig at Kromtech in the last line, however.
    On the Play Store the free version shows 5M (but could be up to less than 10M) downloads and the premium ad-free one show 100K. 
    https://play.google.com/store/apps/details?id=com.aitype.android.emojinew&hl=en
    I thought Android had more than one App Store.

    No idea where they make their app available outside of the official app stores if they do. Have you seen it somewhere else too? 
  • Reply 9 of 40
    I think the EULA should clearly spell out what companies get from you within the first couple of sentences. Like we are going to collect all the info on your phone and store it on our servers and sell it to other companies to pay for your free service. Second what happens to the company if they fail to keep your data safe and customer options for remediation. All the other legal techno get out of jail free card stuff should come third but be understood by a layman. 

    Personally I love the Apple implementation of requiring their keyboard when entering passwords. I don’t use any other keyboards but I tried swipe years ago. My android friends kept raving about swiping but it just didn’t get me. The walled garden works for me. 

    “Free” always makes me wonder what the TRUE cost is. 
  • Reply 10 of 40
    philboogie Posts: 7,425 member
    AI has an iOS keyboard app¿
  • Reply 11 of 40
    Rayz2016 Posts: 4,456 member
    gatorguy said:
    Rayz2016 said:
    gatorguy said:
    If I read the article correctly, the mention of "31 million iPhone users" is misleading.  I expect that vast majority of those users are, in fact, Android owners.  I doubt there are 31 million iPhone numbers who have tried any alternative keyboards to date.

    I do like the (well deserved) dig at Kromtech in the last line, however.
    On the Play Store the free version shows 5M (but could be up to less than 10M) downloads and the premium ad-free one show 100K. 
    https://play.google.com/store/apps/details?id=com.aitype.android.emojinew&hl=en
    I thought Android had more than one App Store.

    No idea where they make their app available outside of the official app stores if they do. Have you seen it somewhere else too? 
    Well, since there seem to be at least ten app stores, wasn’t sure where to begin, so dived in at random and found one here. 


    https://a-i-type-keyboard-free.en.uptodown.com/android

    Might be the only one, but since this outfit seems to have been harvesting user info for some reason, my guess is that they’ll be aiming for as wide a distribution as possible. 

  • Reply 12 of 40
    Rayz2016 Posts: 4,456 member
    pujones1 said:
    I think the EULA should clearly spell out what companies get from you within the first couple of sentences. Like we are going to collect all the info on your phone and store it on our servers and sell it to other companies to pay for your free service. Second what happens to the company if they fail to keep your data safe and customer options for remediation. All the other legal techno get out of jail free card stuff should come third but be understood by a layman. 

    Personally I love the Apple implementation of requiring their keyboard when entering passwords. I don’t use any other keyboards but I tried swipe years ago. My android friends kept raving about swiping but it just didn’t get me. The walled garden works for me. 

    “Free” always makes me wonder what the TRUE cost is. 
    And so you should. There is no such thing as free. If they don’t want money up front then the price is you. 
  • Reply 13 of 40
    gatorguy Posts: 19,399 member
    Rayz2016 said:
    gatorguy said:
    Rayz2016 said:
    gatorguy said:
    If I read the article correctly, the mention of "31 million iPhone users" is misleading.  I expect that vast majority of those users are, in fact, Android owners.  I doubt there are 31 million iPhone numbers who have tried any alternative keyboards to date.

    I do like the (well deserved) dig at Kromtech in the last line, however.
    On the Play Store the free version shows 5M (but could be up to less than 10M) downloads and the premium ad-free one show 100K. 
    https://play.google.com/store/apps/details?id=com.aitype.android.emojinew&hl=en
    I thought Android had more than one App Store.

    No idea where they make their app available outside of the official app stores if they do. Have you seen it somewhere else too? 
    Well, since there seem to be at least ten app stores, wasn’t sure where to begin, so dived in at random and found one here. 


    https://a-i-type-keyboard-free.en.uptodown.com/android

    Might be the only one, but since this outfit seems to have been harvesting user info for some reason, my guess is that they’ll be aiming for as wide a distribution as possible. 

    Thanks, so there's at least one other place. I would think the official stores would be far busier than 3rd party ones, but I've not ever looked outside official sources. Anyway the bulk of the installs would likely be from Google Play and the App Store don't you think, not that it matters. It appears AI.type was an equal opportunity offender, and certainly not the only app developer who doesn't disclose everything about their app despite the platform, and especially if there's an iOS DarkSideLoader and/or Cydia or dodgy free-Androidware stores involved. We should all stick to official outlets. They may not be 100% safe and secure but there's rarely if ever any reason to look outside them and hammer that risk factor.
  • Reply 14 of 40
    Soli Posts: 8,403 member
    gatorguy said:
    Rayz2016 said:
    gatorguy said:
    Rayz2016 said:
    gatorguy said:
    If I read the article correctly, the mention of "31 million iPhone users" is misleading.  I expect that vast majority of those users are, in fact, Android owners.  I doubt there are 31 million iPhone numbers who have tried any alternative keyboards to date.

    I do like the (well deserved) dig at Kromtech in the last line, however.
    On the Play Store the free version shows 5M (but could be up to less than 10M) downloads and the premium ad-free one show 100K. 
    https://play.google.com/store/apps/details?id=com.aitype.android.emojinew&hl=en
    I thought Android had more than one App Store.

    No idea where they make their app available outside of the official app stores if they do. Have you seen it somewhere else too? 
    Well, since there seem to be at least ten app stores, wasn’t sure where to begin, so dived in at random and found one here. 


    https://a-i-type-keyboard-free.en.uptodown.com/android

    Might be the only one, but since this outfit seems to have been harvesting user info for some reason, my guess is that they’ll be aiming for as wide a distribution as possible. 

    Thanks, so there's at least one other place. I would think the official stores would be far busier than 3rd party ones, but I've not ever looked outside official sources. Anyway the bulk of the installs would likely be from Google Play and the App Store don't you think, not that it matters. It appears AI.type was an equal opportunity offender, and certainly not the only app developer who doesn't disclose everything about their app despite the platform. 
    If you can sideload an app then the potential places it can be downloaded are endless. I’d think that torrent sites are ripe with cracked Android apps.
  • Reply 15 of 40
    This sh*t is why:
    1. Apple should not have allowed the use of any third party keyboard in their iOS products.
    2. Any sane person should not be using a third party keyboard, even after Apple allowed that.

    But muh customization! SMH
  • Reply 16 of 40
    gatorguy Posts: 19,399 member
    Soli said:
    gatorguy said:
    Rayz2016 said:
    gatorguy said:
    Rayz2016 said:
    gatorguy said:
    If I read the article correctly, the mention of "31 million iPhone users" is misleading.  I expect that vast majority of those users are, in fact, Android owners.  I doubt there are 31 million iPhone numbers who have tried any alternative keyboards to date.

    I do like the (well deserved) dig at Kromtech in the last line, however.
    On the Play Store the free version shows 5M (but could be up to less than 10M) downloads and the premium ad-free one show 100K. 
    https://play.google.com/store/apps/details?id=com.aitype.android.emojinew&hl=en
    I thought Android had more than one App Store.

    No idea where they make their app available outside of the official app stores if they do. Have you seen it somewhere else too? 
    Well, since there seem to be at least ten app stores, wasn’t sure where to begin, so dived in at random and found one here. 


    https://a-i-type-keyboard-free.en.uptodown.com/android

    Might be the only one, but since this outfit seems to have been harvesting user info for some reason, my guess is that they’ll be aiming for as wide a distribution as possible. 

    Thanks, so there's at least one other place. I would think the official stores would be far busier than 3rd party ones, but I've not ever looked outside official sources. Anyway the bulk of the installs would likely be from Google Play and the App Store don't you think, not that it matters. It appears AI.type was an equal opportunity offender, and certainly not the only app developer who doesn't disclose everything about their app despite the platform. 
    If you can sideload an app then the potential places it can be downloaded are endless. I’d think that torrent sites are ripe with cracked Android apps.
    There's also iOS DarkSideLoader sites too that reportedly don't require jailbroken iDevices (normally paid games are a biggie apparently), tho they are far harder to discover than Cydia or many of the 3rd party Android stores. As for cracked apps, they're in the same league as cracked Mac and Windows versions of Photoshop, or Illustrator, or other high dollar software. I'm amazed at the willingness of some folks to expose themselves to PUPs, malware and outright theft just to save a little money.
  • Reply 17 of 40
    "The Kromtech Security Center discovered on Tuesday that a MongoDB database used to collect data on ai.type keyboard users was misconfigured, and was available on the internet."

    Turns out you have to know what you are doing BEFORE you start handling sensitive information for your clients. What a new idea that is.
    But here is a shocker. Even if their keyboard turns out to be crap, and then don't see another download in months, they will just open another developer account and write another keyboard exactly like the one before! And the "tech-savvy" people will download it again, while mumbling incoherently about oppressive Apple and lack of customization in their products. Sigh.
  • Reply 18 of 40
    are people really surprised? android was developed by google, the same people that view us all as data generators to be harvested and sold to the highest bidder. It's probably a key selling point to developers and manufacturers alike; "get data on all your users, see who uses your device/app, how and when, what they like/dislike, activate the camera to watch them secretly and get a copy of everything they type on the keyboard to steal credit card info and passwords! help make your app/device better!"

    I highly doubt the same information was available from any iOS version.
  • Reply 19 of 40
    gatorguy Posts: 19,399 member
    adm1 said:
    are people really surprised? android was developed by google, the same people that view us all as data generators to be harvested and sold to the highest bidder. It's probably a key selling point to developers and manufacturers alike; "get data on all your users, see who uses your device/app, how and when, what they like/dislike, activate the camera to watch them secretly and get a copy of everything they type on the keyboard to steal credit card info and passwords! help make your app/device better!"

    I highly doubt the same information was available from any iOS version.
    Don't be so doubtful. Did the app offer this popup when installed? If you continued you gave it your blessing. It would be nigh-impossible for Apple to police this after the fact.

    There's a good read which explains the potential iOS app problems here:
    https://zeltser.com/third-party-keyboards-security/
  • Reply 20 of 40
    slurpy Posts: 5,062 member
    Aren't 3rd party keyboards one of the "best" parts of Androids? They were definitely at the top of "why iPhones suck" bullet point lists for years. Incredibly (not so incredibly) I haven't seen a SINGLE iPhone user in the wild using one of these 3rd party keyboards, because why would they? Android's appeal has always been shitty hacks and "freedom" to install garbage with massive security implications. Kind of funny how 3rd party KBs used to be the most important feature in the world when they weren't on iOS, then when they were nobody cared anymore. Then people pretend to be shocked every time this happens.