According to a new report from the Kromtech Security Center, more than 31 million records of both Android and iOS users of the third-party keyboard ai.type were briefly available for anyone to view online.
The security firm detailed some of the information found in the database:
Client files that included the personal details of 31,293,959 users who installed ai.type virtual keyboard. This is highly sensitive and identifiable information such as:
Phone number, full name of the owner, device name and model, mobile network name, SMS number, screen resolution, user languages enabled, Android version, IMSI number (international mobile subscriber identity used for interconnection), IMEI number (a unique number given to every single mobile phone), emails associated with the phone, country of residence, links and the information associated with the social media profiles (birthdate, title, emails etc.) and photo (links to Google+, Facebook etc.), IP (if available), location details (long/lat).
In the blog post, the firm didn’t indicate whether the information exposed differed between iOS and Android devices.
On iOS devices, users can choose to give a third-party keyboard full access, which allows the developer to view what’s typed on the keyboard.
Speaking to the BBC, the ai.type CEO disputed the claims:
But Eitan Fitusi, chief executive and founder of Ai.type, told the BBC the amount of data exposed was not as extensive as claimed.
“It was a secondary database,” he said of the discovery.
Mr Fitusi said:
the geo-location data was not accurate
no IMEI information (a model number for a specific phone) had been gathered
the user behaviour collected by the company involved only which ads they clicked
No matter what information leaked, if you have ai.type installed on your iOS devices, it would probably be a smart choice to uninstall the keyboard.