Android app suffers huge data breach – not from a hack, but by pure carelessness
An Android app that enabled users to create and customise keyboards has shown exactly how not to store data, by leaving a sensitive database accessible to anyone – without even requiring a password.
AI.type has been downloaded around 40 million times, by a total of 31 million users. The personal details of these users were then collated into a 577GB database, which was left open and accessible to anyone, without even the most basic password protection.
What made this most alarming was the sheer volume of personal data AI.type had harvested. For example, the app took details from within the contact book of each device on which it was installed – meaning not only the names and numbers of account holders were accessed, but the details for every single one of those 31 million people’s contacts. The total number of phone numbers discovered is thought to be around 374.6 million.
Additionally, AI.type was also able to determine and store the other apps a user had downloaded onto their phone – including those for banking and dating.
This information was gleaned primarily from the app’s free version. In order to better monetise the offering, it harvested a proportionally large amount of personal data, to serve better-targeted advertisements. Those who had paid for the premium version wouldn’t have had quite so much of their data taken (and subsequently exposed).
Perhaps most frustratingly of all for AI.type users, it took cyber security firm Kromtech a number of attempts to actually get a response from the app developers after first raising the issue. This left it even longer before a fix was rolled out.
It’s thought the error came from AI.type using a MongoDB server to host its database. Though MongoDB itself has produced a security checklist for all users, many still make the mistake of not properly configuring the software – which leaves them open to attack.
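To make the misconfiguration concrete, here is an illustrative `mongod.conf` added to this article; it is not AI.type's actual configuration (which the article does not describe) and the addresses and file paths in it are constructed placeholders. The commented-out block shows the exposed pattern the article describes (the server listening on every interface with authorization disabled, so no password is needed to read anything); the active block shows the hardened equivalent.

```yaml
# Illustrative mongod.conf (YAML). Added example, not from the article and
# not AI.type's real deployment; addresses and paths are placeholders.

# --- Exposed pattern (do not use) ---
# Listening on all interfaces with authorization disabled means anyone who
# can reach TCP 27017 can list, read and modify every database without
# supplying any credentials.
#
# net:
#   port: 27017
#   bindIp: 0.0.0.0
# security:
#   authorization: disabled

# --- Hardened configuration ---
net:
  port: 27017
  # Only accept connections on loopback and the private address of the
  # application server (10.0.0.5 is a constructed placeholder).
  bindIp: 127.0.0.1,10.0.0.5
  tls:
    # Encrypt client traffic so credentials never cross the wire in clear.
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem   # placeholder path
security:
  # Every client must authenticate before it can read any collection.
  authorization: enabled
```

With `authorization: enabled`, the first administrative user still has to be created; MongoDB's localhost exception allows `db.createUser` from a shell on the server itself before any other user exists, after which remote clients need credentials. A simple verification is to connect from a host outside `bindIp`, which should be refused at the network level, and from an allowed host without credentials, where `db.adminCommand('listDatabases')` should fail with an authentication error rather than return the list the breached server was handing out.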
Commenting on the sheer volume of exposed data, head of communications at Kromtech, Bob Diachenko, told ZDNet: “Theoretically, it is logical that anyone who has downloaded and installed the Ai.Type virtual keyboard on their phone has had all of their phone data exposed publicly online. This presents a real danger for cyber criminals who could commit fraud or scams using such detailed information about the user.”