An AI.Type application database has been found on the Internet. Open to all, she nevertheless stored users' personal data as well as their address books.
Watch out for the mobile apps you download. Some store a lot of data about you and do not store it securely. The latest example is AI.Type, a popular alternative smartphone keyboard developed by the Israeli start-up of the same name. Available on iOS and Android, this app has more than 40 million users. Equipped with artificial intelligence functions, she is able to learn the writing style of the user and propose corrections and custom insertions.
What the product description does not say is that this application collects a large amount of personal data about users and stores them in databases open to all. Researchers in Kromtech Security were able to get their hands on a MongoDB database that obviously belongs to AI.Type and was freely accessible from the Internet.
6 million address books
This database contained 577 GB of data from 31 million users, probably on Android platform. It contained a quantity of personal data: name, surname, phone numbers, emails, country of residence, languages enabled, version of Android, IMSI number, IMEI number, data from social profiles, geolocation data. But that's not all. This AI.Type database also stored the address books of 6 million users, with names and phone number. Which accounted for over 373 million admissions. Finally, there was a lot of statistical data like the most frequent Google queries, average number of messages per day, average number of words not message, etc.
Pinned by a user on Play Store, the publisher tries to minimize this security vulnerability: "The data were found by a security expert and were not consulted or used by other people. The data mainly contained anonymous usage patterns, user retention, ad performance, and so on. The leak is completely corrected. Given the data found by the researchers, this answer is not very credible.
Users may be happy that the collection in MongoDB has not gone further. During installation, the app offers a "total access" option that allows it to transmit everything the user types to the publisher's servers. It is likely that this data is stored somewhere. Let's hope they are anonymized and properly secured. But doubt is allowed.