Privacy risks of virtual keyboards: is Bitmoji safe?

Third-party keyboard apps spice up texting on your smartphone. They are designed to be fast, intuitive, or entertaining – in other words, to simply be better than your boring built-in keyboard. You can find a keyboard for nearly everything – GIFs, emojis, AI-based text predictions, personalized suggestions, texting via drawing, swiping instead of tapping, or to use any color your heart desires.

Having this in mind, it’s not surprising that one of the most popular keyboard apps is Bitmoji, an app that lets users create personalized avatars and add an emoji keyboard. But enriching your texts with the hilarious Bitmoji stickers may have a dark side. Have you ever wondered how secure an app that senses your every keystroke is? Does it threaten your privacy and security, or are we just getting too paranoid over here? Let’s take a closer look.

The app itself may be relatively safe. While hackers often use fake keyboard apps to steal users’ passwords and spread malware, Bitmoji is not a virus or a malicious app. It’s a legitimate app built by the creators of Snapchat, a popular social media app. If you keep it up to date, the app should be safe. Keep in mind that it is intended for audiences of 13 and above, so Bitmoji is not considered safe for kids under 12.

In any case, Bitmoji’s privacy policies are much more concerning than the app’s security. Third-party keyboard apps (including Bitmoji) ask you to choose “allow full access” to operate. This permission request is what bugs many users because it sounds like the app wants a little too much.

Apple’s default warning message doesn’t make it easier. It says that granting Bitmoji keyboard full access allows the developer to access, record, and transmit everything you type, including your sensitive information – passwords, banking details, addresses, and phone numbers. When reading this, it feels like you may end up in a privacy-loss nightmare by innocently tapping “Allow.”

You want that keyboard, though. And this makes you feel ambiguous.

Speaking of Bitmoji, it has a dedicated page where it explains the need for “full access” to its users: “We ask for Full Access permission so that we can download your custom Bitmoji images from our servers.”

Anticipating the potential worries about Bitmoji privacy issues, the app creators have added an assurance that “Bitmoji Keyboard can’t read or access anything you type using your iPhone keyboard or any other third party keyboard.”

Technically, the possibility for the app to get the keystroke data remains. It does not necessarily mean that the Bitmoji app records all the stuff you type – since it’s not a typical keyboard, chances are it only tracks the Bitmoji stickers you use instead of every keystroke you make on your phone.

So while you have Bitmoji’s word for not grabbing your messaging data, it is all about trust. There are no solid reasons to be worried, so you probably shouldn’t. Probably. But keep in mind that Bitmoji does collect other data than the stuff you type.

If your privacy is important to you, protect it with NordVPN.

While the “full access” request in iOS looks obscure, the required permissions come in more detail when you download Bitmoji from the Google Play store. What we see here is somewhat eyebrow-raising.

Even though the app stopped asking for microphone and camera access, identity, device ID, and call information – it’s suspicious that a virtual keyboard based on stickers needs all this. Most likely, the permission is related to it obtaining more information for advertising purposes.

To answer what data Bitmoji collects, let’s take a look at its privacy policy. Surprisingly enough, Bitmoji’s privacy policy links to Snapchat’s because apparently, the keyboard app does not have its own. While both services are provided by the same company, these two apps sure differ in terms of purpose and functionality. Obviously, Bitmoji alone isn’t capable of collecting the amount and types of data that Snapchat can. However, following the general privacy policy, here’s the data Bitmoji collects:

• Information you choose to provide. This covers the standard set of info required for using the service: unique login credentials, email address, phone number, and date of birth. It also includes the specifics of your Bitmoji.
• Service usage information. It’s a common practice for apps to collect data on how users use their apps. Bitmoji isn’t an exception as it gathers information about your Bitmoji-sending activity. Content, device, and location information, phonebook, camera and photos, cookies, and other tracking details are also listed under this section.
• Information from third parties. Aside from the data Snap.Inc gathers from your app activity, it collects info from third parties. How, exactly? Even though the provided description is vague, we can see that this practice has most to do with user profiling and obtaining info from the company’s affiliates.

Since Bitmoji’s privacy policy covers all services that belong to Snap.Inc, it is unclear what information exactly the app collects.

At best, your data is used to improve the Bitmoji service – to offer you stickers of the type you like and make them more convenient to use.

What’s more likely is that the collected information can be used to serve you targeted ads on Snapchat, since that’s the way the app is making money. So if you have it installed but don’t use it, delete Snapchat to limit the amount of data collected.

At worst, your private data may end up being inadvertently exposed. Even though third-party keyboard developers should keep their users’ data protected, history shows that leaks happen, and some of them can be pretty big, such as the recent case of WhatsApp.

At the end of 2022, an ad was posted in a hacker hacker forum by someone claiming to have a treasure trove of WhatsApp user data — almost 500 million phone numbers from 84 countries. To make matters worse, WhatsApp data leak followed another data leak from its parent company Meta, containing 500 million users’ data. The data included location, device details, and even email addresses and phone numbers.

That’s why it is always a good idea to take a look at a company’s privacy policy to see how it is handling your data – and whether it’s encrypted and protected from hackers.

Taking everything into account, there’s neither an absolute “yes” nor “no” answer to the question of whether you’re safe to use Bitmoji. Its extensive permissions look fishy, its privacy policy is obscure, and also general privacy risks arise from using any third-party keyboard app – you should be aware of all these issues. But it doesn’t make a strong argument for claiming Bitmoji is a critical privacy threat.

So if funny and goofy stickers are what you want to make your texting more entertaining, go for it and give Bitmoji a chance, but always remember the risks that may come with a virtual keyboard app residing on your phone.

Whether you’re browsing the web or playing on your smartphone, you should always keep privacy and security in mind. Here are a few tips on how to stay safe without getting overwhelmed:

• If you want to enhance your data privacy, use a VPN. It masks your IP address and hides your virtual location. And if you have NordVPN with Threat Protection, it can also scan files and websites you visit to prevent malware.
• Treat your phone as your wardrobe — keep everything up to date and sorted, and remove what you don’t use.
• Before installing a new app, search for it online and make sure it isn’t one of those fake, malware-infected apps hackers exploit.
• Use unique passwords. As simple as it sounds, even services that take extra security measures will have a hard time protecting your data if you reuse passwords.
• Avoid niche app stores. If you need an app, make sure to download it from a reputable site.