Updated 12.50pm PDT 6/18/15 to add clarification and details of imminent Samsung keyboard security fix
On Tuesday, we learned that a security vulnerability exists in Samsung’s Android keyboard software. This was publicly revealed yesterday in a statement in The Wall Street Journal by NowSecure.
This vulnerability is unrelated to and does not affect our SwiftKey consumer apps on Google Play and the Apple App Store.
We supply Samsung with the core technology that powers the word predictions in their keyboard via an SDK – which is distinct from a pre-installed app (you can learn more about this here). We are doing everything we can to support our long-time partner Samsung in their efforts to resolve this important security issue.
The vulnerability in question is not easy to exploit: a user must be connected to a compromised network (such as a spoofed public Wi-Fi network) on which a hacker with the right tools is specifically trying to gain access to their device. Even then, access is only possible if the user’s keyboard is conducting a language update at that specific time, while connected to the compromised network.
A Samsung spokesperson issued the following statement on Thursday (which you can read in full here):
“Samsung takes all security threats very seriously. There have been reports that there is vulnerability when keyboard updates are carried out on Galaxy devices. We are aware of this issue and are committed to providing the latest in security on all of our devices … as the reports indicate, the risk does exist and Samsung will roll out a security policy update in the coming days.”
If you own a Galaxy device with Samsung KNOX, you will be able to receive an over-the-air update to invalidate any potential vulnerabilities caused by this issue. For this to work, you need to make sure your device automatically receives security policy updates. To do this, go to Settings > Lock Screen and Security > Other Security Settings > Security policy updates, and check that the ‘Automatic Updates’ option is activated. At the same screen, you can also click ‘Check for updates’ to manually retrieve any new security policy updates.
For devices that don’t come with KNOX by default, Samsung said it is currently working on an expedited firmware update that will be available upon completion of all testing and approvals.
We are absolutely committed to maintaining world-class standards in security and privacy practices for our users. For absolute clarity, this issue does not affect SwiftKey’s consumer keyboard applications on Google Play or the Apple App Store.