26 Oct
Last Updated: November 8th, 2011

One of the features that really differentiates Android from other mobile operating systems is the ability to install a custom keyboard that works for you. I constantly keep jumping between a variety of keyboards as new updates come out (right now I've settled on SwiftKey due to its unparalleled prediction technology), but when some of our readers pointed out A.I.type Keyboard's "psychic" word completion, I had to check it out.

However, what I found in A.I. Keyboard's Market description prevented me from even installing it - all smart predictions happen in the cloud, which means everything you type (or almost everything) gets sent over the data connection to their servers. You can turn it off - sure, but then you lose "psychic" abilities, which seems to be this keyboard's main selling point. I'm not even kidding about the "psychic" part - here's an excerpt from their Market page:

Psychic word completions and predictions are generated by A.I.type’s servers on the Cloud. When the device is offline or Internet connection is too slow, or if you disabled Cloud-based prediction, word suggestions will be generated by the device only.

Privacy notice: while installing A.I.type Keyboard, you will receive a warning message about collecting sensitive data. This is the standard general-purpose Android message issued for any downloaded keyboard and it does not pertain to A.I.type. Our keyboard DOES NOT COLLECT YOUR SENSITIVE DATA.

Do I want a random company to know what I'm typing into every single text field (outside of possibly password fields)? Pardon my language, but hell no.

Oh, and about that last privacy part... A.I. Keyboard probably doesn't collect your sensitive data, but what it does do is send all those prediction queries over to the cloud in plain-text, unencrypted, for everyone on your local Wi-Fi network or anywhere in the request's path to see. Like so:

GET /beta081/cell/predict?i=T4420&l=Th&t= HTTP/1.1
Host: 72.26.211.90
Connection: Keep-Alive

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 21 Oct 2011 16:39:43 GMT
Connection: close

1d
Th;;the;they;this;there;that;
0

GET /beta081/cell/predict?i=T4420&l=This+ke&t= HTTP/1.1
Host: 72.26.211.90
Connection: Keep-Alive

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 21 Oct 2011 16:39:47 GMT
Connection: close

24
ke;;knowledge;keeps;key;killer;kept;
0

Here, check it out for yourself: http://72.26.211.90/beta081/cell/predict?i=T4420&l=Android+Pol (you should see "Pol;;police;political;policy;politics;poolplay;" as the result).
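An added example (not from the original article and not A.I.type's code): a short Python audit of the second exchange in the capture above, decoding the query string and the chunked response body to list what travels in the clear. The capture bytes are rebuilt from the page with CRLF line endings, and reading the ";"-separated response as "echo, then suggestions" is an assumption.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed input: the second exchange from the capture above, with the CRLF
# line endings HTTP uses on the wire restored.
CAPTURE = (
    b"GET /beta081/cell/predict?i=T4420&l=This+ke&t= HTTP/1.1\r\n"
    b"Host: 72.26.211.90\r\n"
    b"Connection: Keep-Alive\r\n"
    b"\r\n"
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache-Coyote/1.1\r\n"
    b"Content-Type: text/html;charset=UTF-8\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Date: Fri, 21 Oct 2011 16:39:47 GMT\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"24\r\nke;;knowledge;keeps;key;killer;kept;\r\n0\r\n\r\n"
)


def dechunk(body: bytes) -> bytes:
    """Undo Transfer-Encoding: chunked (hex size line, data, CRLF, ... 0)."""
    out, pos = b"", 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)  # drop chunk extensions
        if size == 0:
            return out
        out += body[eol + 2:eol + 2 + size]
        pos = eol + 2 + size + 2  # step over the CRLF that ends the chunk


def audit(capture: bytes) -> dict:
    """Report what one cleartext request/response pair reveals on the wire."""
    req_head, rest = capture.split(b"\r\n\r\n", 1)
    resp_head, resp_body = rest.split(b"\r\n\r\n", 1)
    _method, target, _version = req_head.split(b"\r\n")[0].decode().split(" ")
    # parse_qs turns '+' and %XX back into the characters the user typed
    params = {k: v[0] for k, v in
              parse_qs(urlsplit(target).query, keep_blank_values=True).items()}
    if b"transfer-encoding: chunked" in resp_head.lower():
        resp_body = dechunk(resp_body)
    # Assumption (inferred from the two responses on this page, not documented
    # by the vendor): field 0 echoes the partial word, the rest are suggestions.
    fields = resp_body.decode("utf-8").split(";")
    return {
        "params": params,
        "exposed": {k: v for k, v in params.items() if v},
        "echo": fields[0],
        "suggestions": [f for f in fields[1:] if f],
    }


if __name__ == "__main__":
    report = audit(CAPTURE)
    for name, value in report["exposed"].items():
        print(f"cleartext query parameter {name!r} = {value!r}")
    print("server suggestions:", report["suggestions"])
```

The same check works on any exchange exported from a proxy or packet capture when reviewing an app: if typed text shows up in "exposed", the request needs to move to HTTPS.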

Needless to say, the app went to the trash right after our tests were over.

When I brought up my initial privacy concerns to A.I.type's CEO Eitan Fitusi before even digging into this, he had the following to say (all spelling left as is, text in italics added by me):

Hi Arten (that's not my name)

We here those  concerning before and understand them, that why we work hard on our new local data model, that already available in the current version, We are going to release very soon a new version, that will have a setting for shutting down cloud support prediction, although the prediction quality is effected, it is still great, and as close as possible to the full scale prediction, what mostly damaged  from lack of cloud is names, locations  or other vocabulary that is domain specific.

This new version also including a new superior learning model that learn the user, and enhanced the predictioncorrectioncompletion quality based on the user writing style, names and unique words that's the users use, user model will be stored locally and won't  sent data to the cloud at all.

Having say that, I know that it's not much, but I can assure you that we are very concern about are user privacy and very strict regarding their data.

Also if you look at it the other way, you can wright an email with whatever keyboard you like then send it via Gmail that officially state that its learn YOUR data (or WhatsApp, Viper, Skype…. They all have access to your data)

Any way as I say before next version will give the user the option to use only local services, and keep is data local only.


Let this serve as a wake-up call to both users placing trust in the cloud and developers who don't utilize even the most basic security and privacy standards (hey, https would have been nice).

Remember, all cloud services are not created equal. I hope for their sake that A.I.type fixes this blatant disregard for privacy in the near future, and as for the rest of you - you've been warned.

Update: A.I.type's response below:

Artem and everybody,

A.I.type is a serious company with over 100,000 users around the globe. We are fully committed to our users' privacy and security.

Please allow me to make a few statements with regard to this issue:

A. Sensitive data such as passwords and credit card numbers are never logged or sent to the servers.

B. Transactions to our servers are anonymous. The servers do not know or need to know who you are.

C. The servers do not log, analyze or share user texts. Once responded to, a prediction query is completely forgotten.

D. MyType, A.I.type’s auto-learning mechanism, doesn’t store your texts. It learns words and patterns and stores them only locally on the device in a unique format that only the keyboard can read. Learned information is never sent to the servers.

E. The user may turn off Cloud-based prediction if still in doubt. If the Cloud is disconnected, there is no degradation of auto-correction, and prediction still compares favorably with other systems on the market.

With regard to the security issue you raise, we agree that there is an issue in data transmission which we will address. Our PC version has been encrypting all traffic since its inception, but the Android versions are yet to do so. This is obviously an omission on our part which we will fix ASAP. As we have clearly stated in our company policy, we take privacy and security seriously. In that spirit, we would like to propose that you allow us to notify you when we have deployed the fix to the market so that you can do a followup security review of our product.

Best regards,

Noam Rotem

Co-Founder, VP R&D

A.I.type

Update 2: A.I.type v1.1 brings support for encryption, which is currently not turned on by default. After a soak period, new versions will ship with it enabled.

Artem Russakovskii

  • Aaron

    I wouldn't use this based on the basic lack of understanding of the English language that was used by the CEO, let alone the issues raised in the article. FFS, get a translator!

    • Edd

      Exactly! A great selling point for a typing app... Did he use his own app to compose the message? :)

      Honestly while it's arrogance to ask the entire world to speak English (and I'm not advocating it), media perception is so important at times and it does not take much effort or cost to get someone to translate it properly.

    • Jon Garrett

      +1

      I've already uninstalled this app. I'm glad I made the switch from iOS to Android but I really don't understand Android apps' obsession with accessing private data such as phone calls and text messaging.

  • http://denh.am DrMacinyasha

    I hate to say I told you so, but, "I told you so."

  • http://www.google.com/profiles/vkelman Vladimir Kelman

    Outrageous! We should forget... well - remember not to use apps of this company forever.
    Besides the fact that this particular company tried to hide an extraordinary bad thing it's doing.

  • camoto

    In addition to 72.26.211.90, they also use 94.31.62.106 and 192.115.76.26.

    If you were slightly more aware of what permissions REALLY mean, you would have installed DroidWall and used the software without the cloud functionality....

  • Christopher

    It's ridiculous that they're not even sending the data over a secure connection.

    Similarly, Dolphin Browser reports back the URL of every website you visit, including those visited via SSL:

    GET /v3/columns?u=http%3A%2F%2Fwww.cyanogenmod.com%2F&t=1319569264354 HTTP/1.1
    Host: en.mywebzines.com

    This is to power the built-in Webzines feature, however there's no indication of this behaviour in their privacy policy that I could see, and there's no way to disable it.

    • http://www.AndroidPolice.com Artem Russakovskii

      Thanks, we'll dig into that too.

      • TOM

        Artem,
        In addition, when running a dolphin data backup, Dolphin stores every cookie, user name, and password onto your sd card, in an UNENCRYPTED database file. I'm not sure what other apps do for backup security, but this seems wrong. I emailed them about this in the past and they decided to ignore me. Scary stuff.

        • http://www.AndroidPolice.com Artem Russakovskii

          Can't find this database file with my Dolphin HD installation.

          Edit: I was able to produce the file after selecting Settings, Backup, Backup to SD, but that's to be expected, as that's what you're asking it to do. The word "backup" should have clued you in.

  • vincentisdoinghisiphone

    The grammar was bad, but how many Americans can read and write a second language to his extent. [The rest of the comment is CENSORED - please stay respectful.]

    • Ryan B

      What does his ethnicity have to do with anything? Can't you evaluate the product on its own merits, without including race? What's next, accusing him of controlling the world's money?

  • jbonics

    This is my main way of identity theft, damn you. Huhhh no it doesn't, you have proof, awwww, shut.

  • Foo

    Thanks for sharing this, users need to fully understand how their data is exposed and in this instance there seems to be some basic security aspects they could be using.

    Wouldn't touch with a 10 foot pole.

  • Carlos

    I just hope he wasn't using ai keyboard to type that. lol

  • Simon Belmont

    Yikes! No encryption at all? That's pretty bad, especially if someone tries a man in the middle attack on the same Wi-Fi network as you, like Artem said. I will avoid this keyboard app!

    I have one question though. Does SwiftKey use a similar practice with the cloud in figuring out the word predictions or is that all done locally in the software? I know you can give SwiftKey access to your GMail or tweets so it learns your typing style, but only if you opt into that, but what I am asking is different. I assume it doesn't because Artem is using SwiftKey as we speak, but I figured I would ask.

    • Joe Osborne

      No, SwiftKey's predictions are all done locally. Giving it access to GMail etc, simply gives its models a larger personal corpus to learn from, but the raw content of that information is never actually stored, only learnt from.

      • Simon Belmont

        Thanks, Joe Osborne. I figured that was the case, but I knew a thoughtful poster like you would alleviate any doubts about that. :)

        A friend of mine was concerned after reading this article, even though I tried to assure her that it was done locally. Thanks for helping to bolster my claims. ;)

  • bry

    i no see wait the problem for is, you does?

  • Mr. Mark

    Has anyone really been far even as decided to use even go want to do look more like?

    • Simon Belmont

      What is this. I don't even.

      I see what you did there. Haha.

  • Franco

    I guess at least you know what it does, be it wrong or right. I imagine there are many apps out there that don't let you know where the information is going.

    Good bit of info there Artem, it's that info that makes this site worth coming to. New and informative. Good stuff

  • Ricky Choo

    Hi, did you know that upon installing swift key, you get a warning that the company Wilkinson be able room see everything you type including your passwords?

  • Indirect

    Brb, getting a packet sniffer. <-- Literally all you would have to do is download a packet sniffer, put your wireless card/adapter into promiscuous mode, and just kinda watch all of the passwords, personal information, and anything else you would want to get your hands on just kinda be "psychically" brought up to your computer.

    Reason I say put it in promiscuous mode, then you can capture EVERY packet in the area instead of just trying to grab one on wifi. :3

    • Seth Grimshaw

      Alfa cards and backtrack are great for this.

  • Vicary

    With this under-educated cloud service design, it is not hard to have people guessing. They might have something "else" to do with the real time requests, don't know if it is about the keystroke data though.

    Instead of real time guessing of the words, an auto-update to the local dictionary with an anonymous-guaranteed word collection upload (better with the data format disclosed) would just do the job.

  • GigiAUT

    I'm sorry but I can't take a company with Comic Sans all over their site seriously.

  • Noam Rotem

    Artem and everybody,

    A.I.type is a serious company with over 100,000 users around the globe. We are fully committed to our users' privacy and security.

    Please allow me to make a few statements with regard to this issue:

    A. Sensitive data such as passwords and credit card numbers are never logged or sent to the servers.

    B. Transactions to our servers are anonymous. The servers do not know or need to know who you are.

    C. The servers do not log, analyze or share user texts. Once responded to, a prediction query is completely forgotten.

    D. MyType, A.I.type’s auto-learning mechanism, doesn’t store your texts. It learns words and patterns and stores them only locally on the device in a unique format that only the keyboard can read. Learned information is never sent to the servers.

    E. The user may turn off Cloud-based prediction if still in doubt. If the Cloud is disconnected, there is no degradation of auto-correction, and prediction still compares favorably with other systems on the market.

    With regard to the security issue you raise, we agree that there is an issue in data transmission which we will address. Our PC version has been encrypting all traffic since its inception, but the Android versions are yet to do so. This is obviously an omission on our part which we will fix ASAP. As we have clearly stated in our company policy, we take privacy and security seriously. In that spirit, we would like to propose that you allow us to notify you when we have deployed the fix to the market so that you can do a followup security review of our product.

    Best regards,

    Noam Rotem
    Co-Founder, VP R&D
    A.I.type

  • jcase

    A. Sensitive data such as passwords and credit card numbers are never logged or sent to the servers.

    Noam, I'm sorry, that is a foolish claim. You are leaving it to 3rd party devs to decide that. If author of X website/app messes up, your keyboard has no clue if it's my password or gibberish.

    Aka you are not encrypting shit, you are potentially showing off user passwords and credit cards.

    • Noam Rotem

      Let me clarify, jcase.

      A.I.type keyboard is completely blind to password and numeric fields. We are trying to predict / correct only in free text fields. If you quote your password in a free text field, then yes - it may be sent to the servers for completion.

      As for the lack of encryption - you are right. As I officially admitted - that was a mistake and we will fix that ASAP.

      • http://www.AndroidPolice.com Artem Russakovskii

        The problem is not that you may input your password into a text field that's supposed to be a text field - it's that you may enter your password into a password field that the dev didn't set up as a password type.

  • Noam Rotem

    That's true, but in this case the password will appear as plain text (and not as stars) and visible to everyone looking behind my back, so I'll stop typing immediately.

    But enough said. Point taken.

  • ChemDude

    English is not the only language out there you naive bastards.

  • whodunit

    I might be off here but swiftkey's description of their keyboard didn't seem so different from A.I.type's. In fact, it seemed worse to me. They read your fb, twitter & SMS. To me, that seems invasive but I don't see anyone complaining about them. Personally, I like this keyboard. It works better for me than all the others I've tried. I love the autotext shortcut feature. None of the others I've tried have that.

    • http://www.AndroidPolice.com Artem Russakovskii

      SK doesn't send what you type to the cloud and you have to specifically authorize it to read your posts, SMS, etc to learn your writing style.

  • Richard

    Oh noes they AR St3aling our lives!!!

    For god sake people, this is not a huge issue! They have clearly stated this in the product description, they don't send passwords or private data. Oh noes!!! people around me can see I'm typing "th"

    Why are people so sensitive about privacy over things which are incredibly stupid? Yes it would be possible to use HTTPS, but that means increased latency, memory footprint and cpu usage and the cost of an SSL certificate, so that the first couple of letters of a word are hidden. Not whole sentences, or anything private just the first few words. If people are close-by looking to see what you're typing, the lack of ssl or encryption are the least of your worries.

    Stop making mountains out of mole-hills

    • http://www.AndroidPolice.com Artem Russakovskii

      You're clearly missing the point - it sends around what you're typing, not just arbitrarily the first few letters, so if you're typing the whole word without choosing a prediction, it'll send that over plaintext. Think credit card numbers, private info, urls, emails, anything. Issues like these are oftentimes overlooked, but it doesn't mean we should remain silent and not point them out and have apps improve over time.

      Your whole argument is very short-sighted and childish. Clearly, computer security and privacy doesn't matter to you. Doesn't mean it doesn't matter to others.

      • ArunaSena

        Artem I have to agree with you here. Just to add on a bit if you don't mind.

        For example of a message :

        hey man, drop me an email here blabla@gGGG.com or call me at 123456789 once you make the payment into my account xxxxxxxx

        Would you want that information to appear in the Cloud? What happens if someone decides to use that information?

  • aitypist

    The thing that bothers me about this site is it's very one sided. You protect the consumer, but what about the producer of software. It is SO easy for EVERYBODY to rip off software developers and just steal their hard work by downloading pirate apk's, and then have the nerve to complain about it on top of that. Why don't you address that issue in a BIG WAY!?!

    • http://www.AndroidPolice.com Artem Russakovskii

      We are very anti-piracy at AP. This post has nothing to do with piracy.