News broke yesterday of a massive breach affecting a keyboard app, Ai.type, which collects personal data of users. It was discovered by the Kromtech Security Centre, who found the data belonging to 31 million users available for anyone to download without a password.
Commenting on this, Mark James, security specialist at ESET, said:
“One of the biggest problems currently with how mobile programs and applications work is the request for information that the program will have access to while it’s on your device. Sadly your only choice is do you or don’t you want to install it; if the answer is yes then you have to accept all the conditions, often without realising exactly what it entails; in this case, the amount of data being sent to an unknown uncontrollable server is staggering. To harvest full name, phone number, email address, device name, screen resolution, model details along with so much more personal info, and to then find out that users’ entire contacts list is also being uploaded is not acceptable.
That in itself is a massive hoard of data to hold on a well-secured server away from harm’s reach, but sadly that was just not so. The database was not configured correctly and thus enabled full access from the internet to all the data being held, making it essentially free-for-all access.
Sadly, these days there is no such thing as free; often our price is data upload. Some, of course, is necessary for the app to do its job, but more often than not it’s simply not the case. In an ideal world we should have full control over what we allow any device to harvest and choose whether we want to hand it over.
Always evaluate the permissions before you install any programs or applications, as with so many choices these days it can sometimes pay dividends to pick and choose your apps wisely.”