Popular Android keyboard ‘abuses’ permissions, sends data home

Flash Keyboard is described as a “highly customizable keyboard” with unique features to help Android users type more efficiently. It boasts simple emoji access and language switching, a built-in thesaurus and a customisable user interface as its main features.
The app is available for free on Google Play and has been rated 4 stars by over 700,000 users. It has over 50 million downloads in total. However, as The Register reports, UK-based security firm Pentest concluded in a whitepaper published this week that the keyboard is “little more than malware”.

Flash Keyboard, an app with 50m users that is “little more than malware” according to security experts
DotC / Google Play


Pentest found that Flash Keyboard “abuses” Android permissions, requesting access to a number of features that it shouldn’t require. These include Bluetooth devices, the camera, a user’s contacts list and device administration features. Although the app uses these permissions for various features, Pentest warned they are “in excess” of what’s required for normal operation.
A more serious issue is Flash Keyboard’s secret data transfers to foreign servers. Pentest found the app transmits sensitive user data including the owner’s email address, device manufacturer, model number, IMEI and Android version to what it believes to be analytics servers in the United States, the Netherlands and China. It also sends details of the currently connected Wi-Fi network and others in the proximity, the identity of the mobile network being used and GPS coordinates that are accurate to within three metres of the user.
Pentest said the app is acting “deceptively” and in a way that could endanger users. It was found to replace the default lock screen with its own customized version to display advertisements, update itself without notifying the user, use techniques that make it difficult for users to uninstall the app, and send personal information to unidentified servers without informing the user.
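The permission and data-collection findings above can be checked for any keyboard app by reading its decoded manifest. The following is an added example, not code from Pentest or the app's developer: the manifest is constructed, and the mapping from the capabilities named in the article to Android permission strings is an assumption.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping from capabilities named in the article to Android permission
# strings; the article does not reproduce the app's actual manifest.
SENSITIVE = {
    "android.permission.BLUETOOTH": "Bluetooth devices",
    "android.permission.CAMERA": "camera",
    "android.permission.READ_CONTACTS": "contacts list",
    "android.permission.GET_ACCOUNTS": "account e-mail address",
    "android.permission.READ_PHONE_STATE": "IMEI / mobile network identity",
    "android.permission.ACCESS_FINE_LOCATION": "GPS coordinates",
    "android.permission.ACCESS_WIFI_STATE": "Wi-Fi network details",
}

# Constructed sample manifest (decoded XML form), not taken from any real app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.keyboard">
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application>
    <service android:name=".Ime"
             android:permission="android.permission.BIND_INPUT_METHOD"/>
    <receiver android:name=".Admin"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""


def audit_keyboard_manifest(xml_text):
    """Report whether an app is an input method and what else it asks for."""
    root = ET.fromstring(xml_text)
    requested = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    # Components guarded by a BIND_* permission reveal the app's system roles.
    components = list(root.iter("service")) + list(root.iter("receiver"))
    guards = {c.get(ANDROID + "permission") for c in components}
    return {
        "is_keyboard": "android.permission.BIND_INPUT_METHOD" in guards,
        # A device-admin receiver can block uninstallation until deactivated.
        "device_admin": "android.permission.BIND_DEVICE_ADMIN" in guards,
        "flagged": sorted((p, SENSITIVE[p]) for p in requested if p in SENSITIVE),
    }


if __name__ == "__main__":
    print(audit_keyboard_manifest(SAMPLE_MANIFEST))
```

A keyboard that also registers a device-admin receiver or requests location and contacts access is worth reviewing before it is enabled as an input method.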


Pentest said it does not believe the developer is intentionally acting maliciously. Instead, it has ignored and disregarded the Android development policies laid out by Google and heavily monetised its app, in the process deceiving users and putting them at risk of attack.
“Through disregard for Android’s development policy and a desire to monetize a free application, the developers have created an application that deceives users, gathers personal information and obstructs uninstallation,” the firm said. “In more sinister hands, this application could covertly download updates that weaponizes the application, to exploit the granted privileges for mass or even targeted surveillance.”
The development team did not respond to Pentest’s requests for comment. Its Google Play Store listing for the app suggests it takes a proactive approach to security though, claiming “We DO NOT collect any personal data without your explicit permission.”
The company continues with a paragraph explaining users should ignore Android’s security warnings about installing third-party keyboards. “The warning message that says Flash Keyboard may be able to collect all the text you type, including personal data like passwords and credit card number, is a part of the Android operating system that appears when any third party keyboard is enabled,” the listing reads. “Rest assured you can use Flash keyboard safely.”
In Pentest’s opinion, though, you shouldn’t rest assured at all. Google appears to agree, since the app vanished from the Play Store after Pentest notified the company. It has since been re-uploaded with a new listing published by “Flash Keyboard team”.
The exposure of Flash Keyboard raises the question of whether other seemingly legitimate Android apps could also be putting users at risk. When Pentest began investigating the app in February, it had more downloads than messaging client WhatsApp. It currently has between 50 and 100 million users and could be collecting personal information from them all, demonstrating that even big-name apps disregard security best practices.
