Why is my Android keyboard sending unencrypted data? And where?

I recently switched phones from a LG G4 to a Sony Xperia X Performance (isn't that a mouthful!), so I had a spare Android phone lying around. What better use for than to sniff some traffic! First up is ai.type Free Emoji Keyboard, a free keyboard that has built in text-swiping features, emoji, a calculator and much more. Android keyboards have the ability to read what you type, mostly just to improve text correction and prediction. This is an understandable permission but has the opportunity for misuse.

I loaded up Burp Suite, added the proxy setting to the phone and off I went. First request right off:

Holy leaking information batman! The app sent my email addresses, latitude, longitude, IP address and device info to their server over HTTP.

Now you may be thinking "well ads display in apps too, they must send juicy tracking information back too", so let's take a look.

Create an ad blocking VPN for mobile use

Ads on your mobile device can use a fair chunk of your monthly data, so I set out to create a way to disable them while browsing. If you happen to have a rooted Android phone, AdAway is the easiest solution that I have found. Another solution is creating your own DNS server, to have all traffic to unwanted domains be unresolved. While that's great, one can only set the DNS servers manually for wifi, not for mobile data (3G/LTE). The fix this issue, what I did was create an OpenVPN server with Bind9 zones to block unwanted domains.


To bootstrap installing VPN, I used this script to quickly set up an OpenVPN server. Its all very straight forward and will prompt for a few options.

If all went well, it will generate a client profile for you to use (.ovpn). Next, I installed bind9 and followed this tutorial. Once that is all set up, you'll have an ad blocking DNS server! Only thing left to do is force clients to use the DNS.