Privacy risks of virtual keyboards: is Bitmoji safe?

Jan 05, 2018 · 5 min read

Variety is the spice of life. Even on your mobile – why should you bother typing all the time while messaging with someone, when you can use GIFs or stickers to express your reactions with the level of precision no words can deliver?

We are talking about third-party keyboard apps that spice up texting on your smartphone. These keyboards are developed for being fast, intuitive, or entertaining – in other words, for being simply better than your boring in-built one. You can find a keyboard for nearly everything – GIFs, emojis, AI-based text predictions, personalized suggestions, texting via drawing, swiping instead of tapping, any colors your heart desires, etc.

With this in mind, it’s not surprising that the list of the most-downloaded apps for iOS in 2017 was topped by Bitmoji – an app that lets users create personalized avatars and add an emoji keyboard. In the list compiled by Apple, Bitmoji surpasses such mainstream apps as Facebook, YouTube, Spotify, Uber and even Google Maps, as measured by App Store downloads during last year.

All seems fun, all seems fine, but there might also be a dark side in enriching your texts with the hilarious Bitmoji stickers. What exactly happens when an app that may sense every keystroke resides on your phone? Does it threaten your privacy and security or are we just getting too paranoid over here? Let’s take a closer look.

“May we have full access, please?”

Third-party keyboard apps (including Bitmoji) ask to “allow full access” to operate. This permission request is what bugs many users, as it sounds like the app wants a little too much.

Apple’s default warning message doesn’t make it easier. It says that granting full access to a keyboard allows the developer to access, record and transmit everything you type, including your sensitive information – passwords, banking details, addresses and phone numbers. When reading this, it feels like you may end up in a privacy-loss nightmare by innocently tapping ‘Allow.’

You want that keyboard, though. And this leaves you feeling ambivalent.

So why do keyboards require “full access” permissions?

In most cases, an Internet connection is the reason why. Keyboard apps are intended to be “smart,” that is, to offer advanced customization functionalities, such as predictive suggestions or personalized auto-correct. To do so, these apps need to learn things about you – monitor, collect and analyze data about your usage patterns, the words you type, and so on. This process involves uploading usage data to servers of the developer company, which can’t be done without an Internet connection.

Bitmoji privacy concerns

Speaking of Bitmoji, it has a dedicated page where it explains the need for “full access” to its users as follows: “We ask for Full Access permission so that we can download your custom Bitmoji images from our servers.”

Anticipating the potential worries their users might have, Bitmoji also adds an assurance that “Bitmoji Keyboard can’t read or access anything you type using your iPhone keyboard or any other third party keyboard.”

So is Bitmoji safe to use?

Technically, the possibility that the app could get keystroke data remains. That does not necessarily mean that Bitmoji records everything you type – since it’s not a typical keyboard, chances are it only tracks the Bitmoji stickers you use instead of every keystroke you make on your phone.

So while you have Bitmoji’s word that it is not grabbing your messaging data, it is all about trust. There are no solid reasons to be worried, so you probably shouldn’t be. Probably. But keep in mind that Bitmoji does collect data other than what you type.

Things get stranger on Android

While the “Full Access” request in iOS looks rather obscure, the required permissions are listed in more detail when downloading Bitmoji from the Google Play store. What we see here is somewhat eyebrow-raising.

Microphone and camera access, identity, device ID and call information – it’s a bit suspicious that a virtual keyboard based on stickers needs all this. Most likely, it is somehow related to getting more information for advertising purposes.
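The permission review described above can be done mechanically. The following is an added example, not code from the original article or from Bitmoji: it assumes a manifest already decoded to text XML, uses a constructed manifest for a hypothetical keyboard app, and the mapping from the Play Store labels quoted above to Android permission names is an assumption.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Permissions worth questioning in a keyboard app. The mapping from the
# Play Store labels to these permission names is an assumption.
SENSITIVE = {
    "android.permission.INTERNET": "can send data off the device",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
    "android.permission.GET_ACCOUNTS": "identity",
    "android.permission.READ_PHONE_STATE": "device ID and call information",
}
# Constructed sample manifest for a hypothetical keyboard app (not Bitmoji's).
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.stickerkeyboard">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <application>
    <service android:name=".StickerIme"
             android:permission="android.permission.BIND_INPUT_METHOD">
      <intent-filter>
        <action android:name="android.view.InputMethod"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

def is_keyboard(root):
    """True if a service is bound as an input method, i.e. the app is a keyboard."""
    return any(s.get(ANDROID_NS + "permission") == "android.permission.BIND_INPUT_METHOD"
               for s in root.iter("service"))

def audit_manifest(xml_text):
    """Return the package name, whether it is a keyboard, and flagged permissions."""
    root = ET.fromstring(xml_text)
    requested = [p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")]
    flagged = {p: SENSITIVE[p] for p in requested if p in SENSITIVE}
    return {"package": root.get("package"), "is_keyboard": is_keyboard(root),
            "flagged": flagged}

if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST)
    print(report["package"], "keyboard:", report["is_keyboard"])
    for name, why in report["flagged"].items():
        print(f"  {name}: {why}")
```

A flagged permission is a prompt to check the app's stated reason for it, not proof of misuse.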

What data does Bitmoji collect?

To answer this, let’s take a look at its privacy policy. Surprisingly enough, Bitmoji’s privacy policy links to Snapchat’s, as apparently there’s no separate one for the keyboard app. Yes, Bitmoji falls under the umbrella of Snap Inc., the company that owns Snapchat, but these two apps clearly differ in purpose and functionality. Obviously, Bitmoji alone isn’t capable of collecting the amount and types of data that Snapchat can. However, following the general privacy policy, here’s the data Bitmoji collects:

  • Information you choose to provide

This covers the standard set of info required for using the service: unique login credentials, email address, phone number and date of birth. Also, it includes specifics of your Bitmoji.

  • Service usage information

It’s a common practice for apps to collect data on how users use their apps. Bitmoji isn’t an exception as it gathers information about your Bitmoji-sending activity. Content, device and location information, phonebook, camera and photos, cookies and other tracking details are also listed under this section.

  • Information from third parties

Aside from the data Snap Inc. gathers from your app activity, it also collects info from third parties. How exactly? Even though the provided description is vague, we can see that this practice has most to do with user profiling and obtaining info from the company’s affiliates.

Since the privacy policy covers all services that belong to Snap Inc., it is unclear exactly what information Bitmoji collects. Judging from the sections listed, most of the data comes from Snapchat, not Bitmoji.

What happens with the data?

At best, your data is used to improve the Bitmoji service – to offer you stickers of the type you like, make them more convenient to use, etc.

If you’re using Snapchat along with Bitmoji, the collected information can be used to serve you targeted ads, because that’s the way Snapchat is making money.

At worst, your private data may end up being inadvertently exposed. Even though third-party keyboard developers should keep their users’ data protected, history shows that leaks happen and some of them can be pretty big.

Take, for example, the recent Ai.type data leak. Personal information of more than 31 million users was discovered to be left unsecured on the company’s servers: a treasure trove of data could be easily accessed by anyone with no authentication required. The two most terrifying things about this leak were its extent and the fact that the data was extremely sensitive. More than 577 gigabytes of data included biographical data, precise location, device details and even email addresses and phone numbers from users’ contact books. And here’s the cherry on top: the database also stored email addresses with corresponding passwords, even though Ai.type was never supposed to “learn from password fields.”

That’s why it is always a good idea to take a look at a company’s privacy policy to see how a virtual keyboard app is handling your data – whether it’s encrypted and protected from hackers.

Conclusion

Taking everything into account, there’s neither an absolute ‘yes’ nor ‘no’ answer to the question whether you’re safe to use Bitmoji. Their extensive permissions look fishy, the privacy policy is obscure, and there are also general privacy risks arising from using any third-party keyboard app – you should be aware of all these things. But it doesn’t make a strong argument for claiming Bitmoji to be a critical privacy threat.

So if funny and goofy stickers are what you want to make your texting more entertaining, go for it and give Bitmoji a chance, but always remember the risks that may come with a virtual keyboard app residing on your phone.


Elle Friberg

Elle is a content writer at NordVPN. Being ever-curious, she always finds unexpected angles in the Internet privacy and security field to turn into gripping stories.

