A popular keyboard app for Android offered conflicting statements about its data collection policies to its more than 200 million users.
The discrepancy came to light on 21 September when researchers from AdGuard published their research findings from a review of GO Keyboard.
Both versions of the GO Keyboard engaged in data collection practices that would make privacy-concerned Android users squirm.
First, it collected a user’s Google email account as well as other important device information and uploaded all that data to its servers. Second, it can download and execute code from a remote server in violation of its policy. Those snippets of code include plugins marked as adware or potentially unwanted programs (PUPs) by multiple anti-virus engines.
AdGuard’s researchers were especially concerned when they unearthed that last capability:
“What’s important, given the apps’ extensive permissions, remote code execution introduces severe security and privacy risks. At any time the server owner may decide to change the app behavior and not just steal your email address, but do literally whatever he or she wants. Remember, it’s a keyboard, and every important bit of information you enter goes through it!”
Here’s what the company has to say about that dichotomy:
Needless to say, AdGuard’s researchers weren’t thrilled about this “unacceptable and dangerous” behavior, so they contacted Google. The tech giant never responded to the firm’s complaint, reports HackRead. But the researchers did confirm that the makers of GO Keyboard updated both apps on 22 September and in so doing removed the violations.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.