Android keyboard app misled 200 million users about how it was collecting data

Fortunately, that’s no longer the case…

David bisson
David Bisson

Android keyboard app misled 200 million users about how it was collecting data

A popular keyboard app for Android offered conflicting statements about its data collection policies to its more than 200 million users.

The discrepancy came to light on 21 September when researchers from AdGuard published their research findings from a review of GO Keyboard.

As of this writing, the app comes in two versions. Those variants boast a combined user base of over 200 million people.

Sign up to our free newsletter.
Security news, advice, and tips.
Screen shot 2017 10 02 at 8.24.47 am
A screenshot of one of the GO Keyboard versions on Google Play.

Both versions of the GO Keyboard engaged in data collection practices that would make privacy-concerned Android users squirm.

First, it collected a user’s Google email account as well as other important device information and uploaded all that data to its servers. Second, it can download and execute code from a remote server in violation of its policy. Those snippets of code include plugins marked as adware or potentially unwanted programs (PUPs) by multiple anti-virus engines.

AdGuard’s researchers were especially concerned when they unearthed that last capability:

“What’s important, given the apps’ extensive permissions, remote code execution introduces severe security and privacy risks. At any time the server owner may decide to change the app behavior and not just steal your email address, but do literally whatever he or she wants. Remember, it’s a keyboard, and every important bit of information you enter goes through it!”

Go downloading adware
GO Keyboard’s ability to download code at work. (Source: AdGuard)

What makes this data collection EVEN MORE egregious? It says on both of its Google Play pages that it “will never collect your personal info including credit card information.” But in its privacy policy, GO Keyboard reserves the right to to collect information about a user’s interactions on social media as well as their “registered related information” like their names, birth dates, and addresses.

Here’s what the company has to say about that dichotomy:

“While it is not our intention to collect any personally identifiable information (‘PII’) (except for registration and user support purposes as set forth in this Privacy Policy), the data collected may include PII. As part of our privacy measures, we implement certain rules designed to avoid the unintentional collection of PII such as email addresses, social security numbers, credit card numbers, login information etc. Such rules are based on known field types, parameters, values and algorithms but they are not foolproof and hence the Software & Services may sometimes, unintentionally, collect unwanted information. We regularly examine and update these rules.”

Ah, so it meant it will never (well… sometimes) unintentionally collect personal information. Its intention to store data and share it with third-parties and ad networks is spelled out clearly in its privacy policy.

Needless to say, AdGuard’s researchers weren’t thrilled about this “unacceptable and dangerous” behavior, so they contacted Google. The tech giant never responded to the firm’s complaint, reports HackRead. But the researchers did confirm that the makers of GO Keyboard updated both apps on 22 September and in so doing removed the violations.

If this story reveals anything, it’s that you can’t always trust what apps present themselves as on Google Play. Users should carefully read the reviews and permissions of an app before they install it. If anything seems excessive or amiss, they should refrain fro completing the installation process. For any unfamiliar developers, users should also consider reading the developer’s privacy policy.

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

One comment on “Android keyboard app misled 200 million users about how it was collecting data”

  1. David L

    Almost every big name app from Chinese companies have been found, at some time, to be violating users privacy, or serving adware, or have malicious code included. I'm not painting with a broad brush, but I have read tons of security research over the last several years, about many of these apps. Lots if Browsers, file managers, keyboards, Security apps, and others, because these require the most permissions, and that makes them that much more of a threat to users. Sadly, most users could care less about doing the work of properly vetting apps.

    It's bad enough, we have to guard against our own governments, and the tech giants, OEMs, and internet providers, but, apps too! Especially apps. And don't get me started on supply chains that corrupt devices before they're delivered into unsuspecting hands. Again, guess which country they came from?

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.