New Emoji App For Veterans Contains A Major Security Flaw

And your favorite keyboard app may have it too

By Kelsey D. Atherton | Published May 11, 2016 1:27 AM EDT

Technology

Vetmoji Zippered Mouth Face — Loose keystrokes defeat security measures, no joke. Vetmoji

Vetmoji Hashtag Logo

In the 15th year of the War on Terror, we get star-spangled hashtag pictograms.

Vetmoji, the new emoji-keyboard app for Android and iPhone, is supposed to be some light-hearted fun for those in uniform. There’s a selection of silly faces in camouflage hats, a soundboard of phrases like “Bravo Zulu”, and gifs of the Iraq and Afghanistan Veterans of America waving flags. The app, produced for IAVA with Kapps media, also contains a quiet flaw: when someone uses the Vetmoji keyboard, the keyboard can access all the data they type.

The flaw was spotted in a review of the keyboard on the app story. User T-chuk2965 gave the keyboard one star, and wrote, in part:

T-chuk titled his review “OpSec”, which is military shorthand for “Operational Security.” The Pentagon defines Operational Security as “the process by which we protect unclassified information that can be used against us,” and broadcasting everything typed in a message to a third-party app seems to be a clear violation of that basic safety practice.

The Defense Technical Information Center listed keyloggers as malicious code, noting they can corrupt files and destroy or modify information, compromise that information and lose it, or give hackers access to sabotage systems. The Duqu malware was introduced into secure computer systems after the attacker used a keylogger to get credentials for that computer. In 2013, a Romanian hacker was sentenced to 21 months for, in part, using a keylogger to steal credit card information from Subway stores and others at the time of sale.

The risk that a keyboard app is also a keylogger isn’t limited to the Vetmoji keyboard. It is, really, an intrinsic risk in any keyboard app a user chooses to download and install on her phone. As information security professional Lenny Zeltser writes:

That’s a risk that anyone takes when using a third-party keyboard on a mobile device. What makes it stand out with Vetmoji is the target audience includes servicemembers, whose keystrokes could give away personal information like credit card numbers and logins, as well as the location they’re deployed and any plans they might be coordinating.

That’s not great. Or, in the words of Vetmoji,

Vetmoji Zippered Mouth Face

Loose keystrokes defeat security measures, no joke.

Kelsey D. Atherton

Kelsey D. Atherton is a military technology journalist who has contributed to Popular Science since 2013. He covers uncrewed robotics and other drones, communications systems, the nuclear enterprise, and the technologies that go into planning, waging, and mitigating war.

Military

apps