Is your smartphone leaking data?

December 2018

How secure is the data on your smartphone? And are the so-called ‘private’ apps really as secure as they claim to be? Olivier Plante, CEO of Fleksy Keyboard, explores how your personal data can escape your device.

Smartphone users have become increasingly conscious of the risks to their data privacy in recent years. However, most still misunderstand exactly how their data is leaked.

Revelations about the access and use of personal data - from GCHQ, CNI (Spain’s National Intelligence Centre) and National Security Agency (NSA) mass surveillance, to Cambridge Analytica’s Facebook data harvesting - have proved that digital conversations are by no means always private. We’ve also grown to appreciate that user data can be used for a variety of different, and sometimes unhealthy, ends.

Some people became worried about their governments and other authorities routinely spying on them. Others grew concerned that companies would use their data to bombard them with advertising - or even attempt to influence their political views.

An enemy in your pocket

With this increased awareness, smartphone users flocked to the likes of WhatsApp and Telegram. They were perceived as safe havens for privacy, due to end-to-end encryption. However, even when such end-to-end encrypted apps are used, it is still possible for data snoopers and harvesters to gain access to private data via an unlikely source.

By connecting with the cloud, some mobile keyboards used for streamlining and personalising typing can access and use data from your device. Anything you type, from personal conversations to passwords and credit card details, has the potential to leave your device via many keyboard apps. Such data can be leaked whenever keyboard apps sync with the cloud. The ‘smart suggestions’ of some mobile keyboards, which often upload information as you type in order to offer more intuitive suggestions, pose another security risk.
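As an added illustration (not part of the original article), the sketch below checks which enabled Android keyboards request the INTERNET permission, the precondition for the cloud sync described above. It parses the output of `adb shell ime list -s` and `adb shell dumpsys package <pkg>`; the package names and the captured output are constructed samples.

```python
# Permission an Android app needs before it can open network sockets itself.
NETWORK_PERMS = {"android.permission.INTERNET"}

def ime_packages(ime_list_output):
    """Package names from `adb shell ime list -s` (one package/component id per line)."""
    pkgs = []
    for line in ime_list_output.splitlines():
        pkg = line.strip().split("/", 1)[0]
        if "/" in line and pkg not in pkgs:
            pkgs.append(pkg)
    return pkgs

def requested_permissions(dumpsys_output):
    """Entries under 'requested permissions:' in `adb shell dumpsys package <pkg>`."""
    perms, header_indent = set(), None
    for line in dumpsys_output.splitlines():
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if header_indent is None:
            if line.strip() == "requested permissions:":
                header_indent = indent
        elif indent > header_indent:
            perms.add(line.strip().split(":", 1)[0])  # drop suffixes like ": restricted=true"
        else:
            break  # the next section header ends the list
    return perms

def audit_keyboards(ime_list_output, dumps):
    """Map each keyboard package to True/False (requests INTERNET) or None (no dump)."""
    return {pkg: (NETWORK_PERMS <= requested_permissions(dumps[pkg])) if pkg in dumps else None
            for pkg in ime_packages(ime_list_output)}

# Constructed sample output; the package names are hypothetical.
SAMPLE_IME_LIST = "com.example.cloudkeys/.CloudKeysIME\ncom.example.offlinekeys/.OfflineIME\n"
SAMPLE_DUMPS = {
    "com.example.cloudkeys": """Packages:
  Package [com.example.cloudkeys] (1a2b3c):
    requested permissions:
      android.permission.INTERNET
    install permissions:
      android.permission.INTERNET: granted=true
""",
    "com.example.offlinekeys": """Packages:
  Package [com.example.offlinekeys] (4d5e6f):
    requested permissions:
      android.permission.VIBRATE
""",
}
```

A True result shows only that the keyboard is able to send data off the device, not that it does; a keyboard without the permission cannot open network connections itself.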

Predicting and listening

There have been several notable cases of data leaks in recent years. The personal data of over 31 million users of the AI.type virtual keyboard app leaked online in 2017 after the company failed to secure the database’s server. Names, phone numbers, location data and Google searches were all found to have been leaked.

The users of another keyboard extension, SwiftKey, reported in 2016 that their keyboards were suggesting the email addresses and search phrases of other users. The bug was found to originate from SwiftKey’s cloud sync service, which had to be suspended.

And while being investigated for intrusive ads in 2017, GO Keyboard, a widely-used custom Android keyboard app, was found to be collecting extensive user data, such as Google account information and even the user’s location.

GO Keyboard was also found to be running external code. This was connected to dozens of third-party trackers and ad networks, meaning that the number of affected users ranged anywhere from 200 million to one billion.

Even Google’s own Gboard keyboard extension gives the company another avenue to harvest its users’ search queries, regardless of whether it is used in conjunction with end-to-end encryption apps.

Despite these problems, third-party keyboard apps have grown in popularity, mainly due to the improved usability, new features, innovative design themes and smart text prediction that they offer.

This means that the onus is on keyboard providers to regain the trust of their users, particularly in light of next-service prediction (NSP) - the latest innovation.

This new smart technology suggests restaurants, bars, cafes, shops, or even brands, based on what the user is typing, allowing users to instantly access content and information from the web, and access different apps within a single chat. For example, offering to ‘grab a drink’ with a friend could bring up suggestions of local bars, while suggesting a ‘meeting sometime next week’ with a colleague could trigger your phone’s calendar. But as such smart NSP algorithms are designed to comprehensively learn and predict user behaviour, particular care must be taken to ensure data privacy.

In April 2018, the French government announced its intention to move to using its own encrypted messaging service this summer, over fears that foreign entities could spy on officials using foreign-built encrypted apps which do not have servers in France. This is almost certainly just the start of a new trend of governments and possibly even large corporates turning to their own messaging services to avoid the possibility of ‘data leaks’ - intentional or otherwise.

Customers aren’t impressed

In light of growing data privacy concerns among governments, security agencies and regular smartphone users, brands must now take steps to renew trust. More and more users are both aware of and concerned by privacy issues, and, as a result, are becoming less willing to ignore what happens to their data behind the curtain.

People are also losing patience with companies using their data to sell them products they don’t want, or, in the case of Cambridge Analytica, to seek to influence them in even shadier ways.

The days of ticking the T&Cs without reading them are disappearing, and if brands want to survive and compete, they need to respect the privacy of their customers and ensure their data is kept private.

In the meantime, as a user, take a closer look at the messaging and emailing apps you’re using. The first thing to check is whether they have the right layers of end-to-end encryption.

One good alternative to WhatsApp and Telegram is Signal, which has strong encryption credentials to ensure the privacy of your conversations.

You should also make sure you review the free services offered by any app and understand what data you’re giving away in return for the service. For instance, using Google as your search engine exposes your personal data and behaviours, but alternatives, such as Qwant, respect your privacy.

Data leaking can also occur via your internet browser - a potential gateway to all of your passwords and other forms of personal data and information, such as email and social media accounts.

The primary risk here comes from hackers, but if you’re concerned about your browser leaking your data - either directly or indirectly - it’s worth looking at ExpressVPN’s review of the most popular web browsers for privacy and security: https://www.expressvpn.com/blog/best-browsers-for-privacy/

A separate risk is posed by Google Services, which updates Google apps and apps that originated from Google Play. These updates synchronise your contacts, update your location-based services and perform other actions. For instance, apps with map functionality will make use of your Google Maps data, which can in turn be leaked to cybercriminals or sold to marketers.

Malware (malicious software designed to harm your device), spyware (software designed to snoop on your personal data) and ransomware (software designed to blackmail you) are all able to infiltrate your device via Google Services, but mainly via web browsing.

Have an antivirus app installed to minimise your chances of getting stung in this way. However, hackers have realised that most people are now wise to the various ‘wares’, and tend to look for lesser-known methods of accessing data, such as keyboard data leaks. As such, it’s always worth doing some research into the many private alternative keyboards out there.

Image: Gettyimages/Georgijevic