A.I.Type Keyboard Sends All Your Keystrokes To Their Servers In Plain-Text - Sometimes You Can't Trust The Cloud
One of the features that really differentiates Android from other mobile operating systems is the ability to install a custom keyboard that works for you. I constantly keep jumping between a variety of keyboards as new updates come out (right now I've settled on SwiftKey due to its unparalleled prediction technology), but when some of our readers pointed out A.I.type Keyboard's "psychic" word completion, I had to check it out.
However, what I found in A.I. Keyboard's Market description prevented me from even installing it - all smart predictions happen in the cloud, which means everything you type (or almost everything) gets sent over the data connection to their servers. You can turn it off - sure, but then you lose "psychic" abilities, which seems to be this keyboard's main selling point. I'm not even kidding about the "psychic" part - here's an excerpt from their Market page:
"Psychic word completions and predictions are generated by A.I.type’s servers on the Cloud. When the device is offline or Internet connection is too slow, or if you disabled Cloud-based prediction, word suggestions will be generated by the device only.
"Privacy notice: while installing A.I.type Keyboard, you will receive a warning message about collecting sensitive data. This is the standard general-purpose Android message issued for any downloaded keyboard and it does not pertain to A.I.type. Our keyboard DOES NOT COLLECT YOUR SENSITIVE DATA."
Do I want a random company to know what I'm typing into every single text field (outside of possibly password fields)? Pardon my language, but hell no.
Oh, and about that last privacy part... A.I. Keyboard probably doesn't collect your sensitive data, but what it does do is send all those prediction queries over to the cloud in plain-text, unencrypted, for everyone on your local Wi-Fi network or anywhere in the request's path to see. Like so:
Code:
    GET /beta081/cell/predict?i=T4420&l=Th&t= HTTP/1.1
    Host: 72.26.211.90
    Connection: Keep-Alive

    HTTP/1.1 200 OK
    Server: Apache-Coyote/1.1
    Content-Type: text/html;charset=UTF-8
    Transfer-Encoding: chunked
    Date: Fri, 21 Oct 2011 16:39:43 GMT
    Connection: close

    1d
    Th;;the;they;this;there;that;
    0

    GET /beta081/cell/predict?i=T4420&l=This+ke&t= HTTP/1.1
    Host: 72.26.211.90
    Connection: Keep-Alive

    HTTP/1.1 200 OK
    Server: Apache-Coyote/1.1
    Content-Type: text/html;charset=UTF-8
    Transfer-Encoding: chunked
    Date: Fri, 21 Oct 2011 16:39:47 GMT
    Connection: close

    24
    ke;;knowledge;keeps;key;killer;kept;
    0
Here, check it out for yourself: http://72.26.211.90/beta081/cell/pre...&l=Android+Pol (you should see http:// and "Pol;;police;political;policy;politics;poolplay;" as the result).
Needless to say, the app went to the trash right after our tests were over.
When I brought up my initial privacy concerns to A.I.type's CEO Eitan Fitusi before even digging into this, he had the following to say (all spelling left as is, text in italics added by me):
"Hi Arten (that's not my name)
"We here those concerning before and understand them, that why we work hard on our new local data model, that already available in the current version, We are going to release very soon a new version, that will have a setting for shutting down cloud support prediction, although the prediction quality is effected, it is still great, and as close as possible to the full scale prediction, what mostly damaged from lack of cloud is names, locations or other vocabulary that is domain specific.
"This new version also including a new superior learning model that learn the user, and enhanced the predictioncorrectioncompletion quality based on the user writing style, names and unique words that's the users use, user model will be stored locally and won't sent data to the cloud at all.
"Having say that, I know that it's not much, but I can assure you that we are very concern about are user privacy and very strict regarding their data.
"Also if you look at it the other way, you can wright an email with whatever keyboard you like then send it via Gmail that officially state that its learn YOUR data (or WhatsApp, Viper, Skype…. They all have access to your data)
"Any way as I say before next version will give the user the option to use only local services, and keep is data local only."
Let this serve as a wake-up call to both users placing trust in the cloud and developers who don't utilize even the most basic security and privacy standards (hey, https would have been nice).
Remember, all cloud services are not created equal. I hope for their sake that A.I.type fixes this blatant disregard for privacy in the near future, and as for the rest of you - you've been warned.
Source : AndroidPolice
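The plain-text exchange captured in the article, parsed as an added example (not part of the original article and not A.I.type's code), to show exactly which fields anyone on the request's path can read when auditing such a capture. The function names are hypothetical, and the readings of the `l` parameter as "text typed so far" and of the `prefix;;word;word;` response format are assumptions inferred from the two exchanges shown above.

```python
from urllib.parse import parse_qs, urlsplit

# The two exchanges shown in the article, headers trimmed to what the parser needs.
CAPTURE = (
    b"GET /beta081/cell/predict?i=T4420&l=Th&t= HTTP/1.1\r\n"
    b"Host: 72.26.211.90\r\n\r\n"
    b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"
    b"1d\r\nTh;;the;they;this;there;that;\r\n0\r\n\r\n"
    b"GET /beta081/cell/predict?i=T4420&l=This+ke&t= HTTP/1.1\r\n"
    b"Host: 72.26.211.90\r\n\r\n"
    b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"
    b"24\r\nke;;knowledge;keeps;key;killer;kept;\r\n0\r\n\r\n"
)


def dechunk(body: bytes) -> bytes:
    """Decode an HTTP/1.1 chunked body: hex size line, data, CRLF, until size 0."""
    out, pos = b"", 0
    while True:
        eol = body.find(b"\r\n", pos)
        eol = len(body) if eol == -1 else eol
        size = int(body[pos:eol], 16)
        if size == 0:
            return out
        chunk = body[eol + 2 : eol + 2 + size]
        if len(chunk) != size:
            raise ValueError("truncated chunk")
        out += chunk
        pos = eol + 2 + size + 2  # skip the data and its trailing CRLF


def leaked_exchanges(capture: bytes) -> list:
    """Return what a passive observer reads from each request/response pair."""
    # Splitting on blank lines is enough for this sample, where no body contains one.
    parts = capture.split(b"\r\n\r\n")
    found = []
    for req, _head, body in zip(parts[0::3], parts[1::3], parts[2::3]):
        target = req.split(b" ")[1].decode()
        # Assumption from the capture: "l" carries the text typed so far.
        typed = parse_qs(urlsplit(target).query, keep_blank_values=True)["l"][0]
        # Assumption from the capture: the body is "<prefix>;;<word>;<word>;...".
        prefix, _, rest = dechunk(body).decode().partition(";;")
        found.append({"typed": typed, "prefix": prefix,
                      "suggestions": [w for w in rest.split(";") if w]})
    return found


if __name__ == "__main__":
    for item in leaked_exchanges(CAPTURE):
        print(item)
```

The second request decodes to "This ke": each query carries the preceding words of the sentence, not just the word being completed.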



