The flaw was spotted in a review of the keyboard on the app story. User T-chuk2965 gave the keyboard one star, and wrote, in part: T-chuk titled his review “OpSec”, which is military shorthand for “Operational Security.” The Pentagon defines Operational Security as “the process by which we protect unclassified information that can be used against us,” and broadcasting everything typed in a message to a third-party app seems to be a clear violation of that basic safety practice. The Defense Technical Information Center listed keyloggers as malicious code, noting they can corrupt files and destroy or modify information, compromise that information and lose it, or give hackers access to sabotage systems. The Duqu malware was introduced into secure computer systems after the attacker used a keylogger to get credentials for that computer. In 2013, a Romanian hacker was sentenced to 21 months for, in part, using a keylogger to steal credit card information from Subway stores and others at the time of sale. The risk that a keyboard app is also a keylogger isn’t limited to the Vetmoji keyboard. It is, really, an intrinsic risk in any keyboard app a user chooses to download and install on her phone. As information security professional Lenny Zeltser writes: That’s a risk that anyone takes when using a third-party keyboard on a mobile device. What makes it stand out with Vetmoji is the target audience includes servicemembers, whose keystrokes could give away personal information like credit card numbers and logins, as well as the location they’re deployed and any plans they might be coordinating. That’s not great. Or, in the words of Vetmoji,
