The researchers demanded data left visible entered names, phone numbers, locations and Google queries.
The chief of the Israeli company back the app confirmed the breach but said most of the data was not sensitive.
Bob Diachenko, from the Kromtech Security Centre, part of contract company Mackeeper, said the number of data required by the app at the point of the download was “unexpected”.
“Why would a keyboard and emoji form need to gather the entire data of the user’s phone or tablet?” he addressed in his report.
“Based on the flowed database, they appear to collect everything from communications to keystrokes.”
But Eitan Fitusi, chief executive and founder of Ai.type, told the News the expense of data exposed was not as comprehensive as claimed.
“It was a subordinate database,” he said of the discovery.
Mr. Fitusi said:
- the geo-location data was not right
- no IMEI data (a model number for a specific phone) had been associated
- the user behavior collected by the business involved only which ads they clicked
The database has now been shut down and Mr. Fitusi said he was “certain” about the company’s security.
Mr. Diachenko acknowledged that while there were no credit card or fee details, there was a wide range of individual information including social media profiles.