New Emoji App For Veterans Contains A Major Security Flaw

And your favorite keyboard app may have it too

Vetmoji Hashtag Logo

In the 15th year of the War on Terror, we get star-spangled hashtag pictograms.

Vetmoji, the new emoji-keyboard app for Android and iPhone, is supposed to be some light-hearted fun for those in uniform. There’s a selection of silly faces in camouflage hats, a soundboard of phrases like “Bravo Zulu”, and gifs of the Iraq and Afghanistan Veterans of America waving flags. The app, produced for IAVA with Kapps media, also contains a quiet flaw: when someone uses the Vetmoji keyboard, the keyboard can access all the data they type.

The flaw was spotted in a review of the keyboard on the app store. User T-chuk2965 gave the keyboard one star, and wrote, in part:

T-chuk titled his review “OpSec”, which is military shorthand for “Operational Security.” The Pentagon defines Operational Security as “the process by which we protect unclassified information that can be used against us,” and broadcasting everything typed in a message to a third-party app seems to be a clear violation of that basic safety practice.

The Defense Technical Information Center listed keyloggers as malicious code, noting they can corrupt files and destroy or modify information, compromise that information and lose it, or give hackers access to sabotage systems. The Duqu malware was introduced into secure computer systems after the attacker used a keylogger to get credentials for that computer. In 2013, a Romanian hacker was sentenced to 21 months for, in part, using a keylogger to steal credit card information from Subway stores and others at the time of sale.

The risk that a keyboard app is also a keylogger isn’t limited to the Vetmoji keyboard. It is, really, an intrinsic risk in any keyboard app a user chooses to download and install on her phone. As information security professional Lenny Zeltser writes:

That’s a risk that anyone takes when using a third-party keyboard on a mobile device. What makes it stand out with Vetmoji is the target audience includes servicemembers, whose keystrokes could give away personal information like credit card numbers and logins, as well as the location they’re deployed and any plans they might be coordinating.

That’s not great. Or, in the words of Vetmoji,

Kelsey D. Atherton

Kelsey D. Atherton is a defense technology journalist based in Albuquerque, New Mexico. His work on drones, lethal AI, and nuclear weapons has appeared in Slate, The New York Times, Foreign Policy, and elsewhere.