Vetmoji, the new emoji-keyboard app for Android and iPhone, is supposed to be some light-hearted fun for those in uniform. There’s a selection of silly faces in camouflage hats, a soundboard of phrases like “Bravo Zulu”, and gifs of the Iraq and Afghanistan Veterans of America waving flags. The app, produced for IAVA with Kapps media, also contains a quiet flaw: when someone uses the Vetmoji keyboard, the keyboard can access all the data they type.

The flaw was spotted in a review of the keyboard on the app story. User T-chuk2965 gave the keyboard one star, and wrote, in part:

I was super excited when I got the email from IAVA about new military emojis. I gladly paid the $1.99 and then was told the app needs full access to my phone with a key logger. This allows the app to track and store sensitive information like credit card numbers and SS numbers. More importantly I can't communicate with my troops on drill activities or fellow employees as a police officer. I denied access and every time I type a message and click the emoji keyboard to add an emoji I get an additional pop up screen asking me allow access to this additional keyboard.

T-chuk titled his review “OpSec”, which is military shorthand for “Operational Security.” The Pentagon defines Operational Security as “the process by which we protect unclassified information that can be used against us,” and broadcasting everything typed in a message to a third-party app seems to be a clear violation of that basic safety practice.

The risk that a keyboard app is also a keylogger is an intrinsic risk in any keyboard app a user chooses to install.

The Defense Technical Information Center listed keyloggers as malicious code, noting they can corrupt files and destroy or modify information, compromise that information and lose it, or give hackers access to sabotage systems. The Duqu malware was introduced into secure computer systems after the attacker used a keylogger to get credentials for that computer. In 2013, a Romanian hacker was sentenced to 21 months for, in part, using a keylogger to steal credit card information from Subway stores and others at the time of sale.

The risk that a keyboard app is also a keylogger isn’t limited to the Vetmoji keyboard. It is, really, an intrinsic risk in any keyboard app a user chooses to download and install on her phone. As information security professional Lenny Zeltser writes:

The users need to trust the keyboard developer not to capture keystrokes and other sensitive data beyond Language Modeling Data. Doing this could be done on purpose by a malicious keyboard app or by accident by an otherwise benign application. In this case, the keyboard could act as a powerful keylogger for the mobile device.

That’s a risk that anyone takes when using a third-party keyboard on a mobile device. What makes it stand out with Vetmoji is the target audience includes servicemembers, whose keystrokes could give away personal information like credit card numbers and logins, as well as the location they’re deployed and any plans they might be coordinating.

That’s not great. Or, in the words of Vetmoji,

by Kelsey D. Atherton