Privacy risks of virtual keyboards: is Bitmoji safe?
Variety is the spice of life. Even on your mobile – why should you bother typing all the time while messaging with someone, when you can use GIFs or stickers to express your reactions with the level of precision no words can deliver?
We are talking about third-party keyboard apps that spice up texting on your smartphone. These keyboards are developed for being fast, intuitive, or entertaining – in other words, for being simply better than your boring in-built one. You can find a keyboard for nearly everything – GIFs, emojis, AI-based text predictions, personalized suggestions, texting via drawing, swiping instead of tapping, any colors your heart desires, etc.
Having this in mind, it’s not surprising that the list of the most-downloaded apps for iOS in 2017 was topped by Bitmoji – an app that lets users create personalized avatars and add an emoji keyboard. In the list compiled by Apple, Bitmoji surpasses such mainstreamers as Facebook, Youtube, Spotify, Uber and even Google Maps, as measured by the App Store downloads during last year.
All seems fun, all seems fine, but there might also be a dark side in enriching your texts with the hilarious Bitmoji stickers. What exactly happens when an app that may sense every keystroke resides on your phone? Does it threaten your privacy and security or are we just getting too paranoid over here? Let’s take a closer look.
“May we have full access, please?”
Third-party keyboard apps (including Bitmoji) ask to “allow full access” to operate. This permission request is what bugs many users, as it sounds like the app wants a little too much.
Apple’s default warning message doesn’t make it easier. It says that granting full access to a keyboard allows the developer to access, record and transmit everything you type, including your sensitive information – passwords, banking details, addresses and phone numbers. When reading this, it feels like you may end up in a privacy-loss nightmare by innocently tapping ‘Allow.’
You want that keyboard, though. And this makes you feel ambiguous.
So why do keyboards require “full access” permissions?
In most cases, an Internet connection is the reason. Keyboard apps are intended to be “smart,” that is, to offer advanced customization functionalities, such as predictive suggestions or personalized auto-correct. To do so, these apps need to learn things about you – monitor, collect and analyze data about your usage patterns, the words you type, and so on. This process involves uploading usage data to servers of the developer company, which can’t be done without an Internet connection.
Bitmoji privacy concerns
Speaking of Bitmoji, it has a dedicated page where it explains the need for “full access” to its users as following: “We ask for Full Access permission so that we can download your custom Bitmoji images from our servers.”
Anticipating the potential worries their users might have, Bitmoji also adds an assurance that “Bitmoji Keyboard can’t read or access anything you type using your iPhone keyboard or any other third party keyboard.”
So is Bitmoji safe to use?
Technically, a possibility for the app to get the keystroke data remains. It not necessarily means that Bitmoji records all the stuff you type – since it’s not a typical keyboard, chances are, it only tracks the Bitmoji stickers you use instead of every keystroke you make on your phone.
So while you have Bitmoji’s word for not grabbing your messaging data, it is all about trust. There are no solid reasons to be worried, so probably you shouldn’t. Probably. But keep in mind that Bitmoji does collect other data than the stuff you type.
Things get stranger on Android
While the “Full Access” request in iOS looks rather obscure, the required permissions come in more detail when downloading Bitmoji from Google Play store. What we see here is somewhat eyebrow-raising.
Microphone and camera access, identity, device ID and call information – it’s a bit suspicious that a virtual keyboard based on stickers needs all this. Most likely, it is somehow related to getting more information for advertising purposes.
What data does Bitmoji collect?
- Information you choose to provide
This covers the standard set of info required for using the service: unique login credentials, email address, phone number and date of birth. Also, it includes specifics of your Bitmoji.
- Service usage information
It’s a common practice for apps to collect data on how users use their apps. Bitmoji isn’t an exception as it gathers information about your Bitmoji-sending activity. Content, device and location information, phonebook, camera and photos, cookies and other tracking details are also listed under this section.
- Information from third parties
Aside from the data Snap.Inc gathers from your app activity, it also collects info from third parties. How exactly? Even though the provided description is vague, we can see that this practice has most to do with user profiling and obtaining info from company’s affiliates.
What happens with the data?
At best, your data is used to improve the Bitmoji service – to offer you stickers of the type you like, make them more convenient to use, etc.
If you’re using Snapchat along with Bitmoji, the collected information can be used to serve you targeted ads, because that’s the way Snapchat is making money.
At worst, your private data may end up being inadvertently exposed. Even though third-party keyboard developers should keep their users’ data protected, history shows that leaks happen and some of them can be pretty big.
For example, a recent case of Ai.type data leak. Personal information of more than 31 million users was discovered to be left unsecured on company’s servers: treasure-worth data could be easily accessed by anyone with no authentication required. The two most terrifying things about this leak were its’ extent and the fact that the data was extremely sensitive. More than 577 gigabytes of data included biographical data, precise location, device details and even email addresses and phone numbers from users’ contact books. And here’s the cherry on top: the database also stored email addresses with corresponding passwords, even though Ai.type was never supposed to “learn from password fields.”
So if funny and goofy stickers are what you want to make your texting more entertaining, go for it and give Bitmoji a chance, but always remember the risks that may come with a virtual keyboard app residing on your phone.