Ai.Type keyboard's lax security leaks millions of users' data

Virtual keyboards are perhaps one of the strangest and most often underestimated kinds of software on mobile devices today. On the one hand, it's easy to take them for granted because they're just on-screen keyboards. On the other hand, anything that you type, including sensitive information like passwords and credit card details, passes through them. With that much power, keyboard developers need to exercise great responsibility as well. Unfortunately, a "popular" keyboard by the name of Ai.Type didn't think so, leaking more than 31 million users' data simply because it didn't protect its own database with a password.

As its name implies, Ai.Type is a keyboard that promises to leverage the latest buzzwords to improve the user experience. It boasts of having over 40 million users globally, both on Android and iOS, a fact that is ironically confirmed by this massive leak. Unfortunately for the Android users among that 40 million, almost all of their personal information has been uploaded to Ai.Type's database and, consequently, potentially pilfered by a hacker.

It's not unusual for third-party keyboards to request access to different parts of the operating system. Android and iOS both warn users of the risk of using such keyboards. But Ai.Type seems to have gone the extra mile and requires permissions for anything and everything available on your Android device. Given how many installs its Play Store page says it has, that many users agreed to such a thing.

Unfortunately, the developers didn't go the extra mile to secure their own database. It became all too easy for anyone with hacking knowledge to access nearly 580 GB of user data. That large lump includes everything from the user's email address, phone number, and device telemetry to contacts, location, birthday, and everything that was typed through the keyboard, including passwords. Adding insult to injury, the data wasn't at all encrypted, contrary to the company's privacy policy.

So, on the one hand, you have a developer that didn't even take the most basic precautions to ensure the security of its own database. On the other hand, you also have a developer that has collected far more user data than it needs and in a way that violated its own policies. It's a lose-lose situation for users, and the Tel Aviv-based company has unsurprisingly gone silent.