How Android Keyboard App Collects Sensitive Data Inappropriately

PC Network Solutions Android, Android Update, Mobile Security

Go Keyboard is one of the most popular Android keyboard apps on the Play Store, with a user base of over 200 million. On the 21st of September, AdGuard published its research findings on Go Keyboard. The research revealed that the app's developers had made conflicting public statements about how the app collects user data.

The app has two versions, and both were found to collect user data in a way that could be described as improper. AdGuard discovered that Go Keyboard collected users' Google email addresses as well as other sensitive information and uploaded them to its servers. It could also download and execute code relating to this information from remote servers. AdGuard described the app as having extensive permissions and remote code execution that were capable of introducing serious security and privacy issues. Sensitive information such as healthcare records stored on these servers could be stolen at any time.

The developers of the app seem to be speaking out of both sides of their mouth, as their Google Play pages and their privacy policy carry conflicting information. On their Google Play pages, the developers claim they will never collect personal information, including credit card information and healthcare-related records. But according to its privacy policy, the app reserves the right to collect and store information relating to users' interactions as well as registration-related information, for example, names, birth dates, and address.

When confronted about this discrepancy, the company stated that it wasn’t its intention to collect any “Personally Identifiable Information” (PII); however, the legitimate data collected by the app may sometimes include PII. The developers revealed that they have rules based on algorithms designed to prevent such unintentional collection of sensitive personal data. Such rules are, however, not foolproof and would require regular updating.

Regardless of how hard they try to hide it, it was obvious that they meant to collect, store and share data with third parties and ad networks, as clearly stated in their privacy policy. In light of this revelation, AdGuard contacted the tech giant Google. Although Google didn’t publicly respond to the issue, the developers of Go Keyboard made some major changes to the two versions of the app on the 22nd of September. One of those changes was the removal of the privacy violation.

One of the key take-home lessons from this experience is that apps can’t really be trusted on the strength of how they are presented on the Play Store. It is therefore very important that users be more cybersecurity conscious and read an app’s reviews and permissions very carefully before they go ahead and install it. If they come across something that doesn’t seem right, it is better to refrain from installing the app. In the case of an unfamiliar developer, users need to be extra wary and should make it a priority to read that developer’s privacy policy.

Users’ sensitive healthcare information can be mined if users are not aware of the need to be more cybersecurity responsible. It is important that healthcare IT professionals be aware of the risk involved in allowing healthcare information to be hacked into and used for devious purposes by unscrupulous people.