Another security story misses the point, and your phone isn't likely in any real danger.
Update June 19: Samsung's detailed what you can do to make sure you get the fix for the exploit.
Update June 18: Samsung tells Android Central that it's preparing a security update that won't have to wait on a full system update from the operators.
Samsung's stock keyboard — as in the one that ships on its phones — is the subject today of a piece from security firm NowSecure that details a flaw that has the possibility of allowing code to be executed remotely on your phone. Samsung's built-in keyboard uses the SwiftKey software development kit for prediction and language packs, and that's where the exploit was found.
NowSecure has headlined the entire thing with "Samsung Keyboard Security Risk Disclosed: Over 600M+ Devices Worldwide Impacted." That's scary-sounding stuff. (Especially when it includes bright red backgrounds and scary-looking images of what generally is known as a dead face.)
So do you need to worry? Probably not. Let's break it down.
First thing's first: It's been confirmed to us that we're talking about Samsung's stock keyboard on the Galaxy S6, Galaxy S5, Galaxy S4 and GS4 Mini — and not the version of SwiftKey that you can download from Google Play or the Apple App Store. Those are two very different things. (And if you're not using a Samsung phone, obviously none of this applies to you anyway.)
We reached out to SwiftKey, which gave us the following statement:
We've seen reports of a security issue related to the Samsung stock keyboard that uses the SwiftKey SDK. We can confirm that the SwiftKey Keyboard app available via Google Play or the Apple App Store is not affected by this vulnerability. We take reports of this manner very seriously and are currently investigating further.
We also reached out to Samsung earlier in the day but have yet to receive any comment. We'll update if and when we get one.
Reading through NowSecure's technical blog on the exploit we can get a glimpse of what's going on. (If you read it yourself, do note that where they say "Swift" they mean "SwiftKey.") If you're connected to an unsecure access point (such as an open Wifi network), it's possible for someone to intercept and alter the SwiftKey language packs as they're updating (which they periodically do for obvious reasons — improved prediction and what not), sending your phone data from the attackers.
Being able to piggyback that is bad. But, again, it's dependent on you being on an unsecure network in the first place (which you really shouldn't be — avoid public hotspots that don't use wireless security, or consider a VPN). And someone being there to do something nefarious in the first place.
And it depends on you having an unpatched device. As NowSecure itself points out, Samsung's already submitted patches to the carriers. It just has no idea how many have pushed the patch, or ultimately how many devices remain vulnerable.
Those are a lot of variables and unknowns that ultimately add up to another academic exploit (as opposed to one that has real-world implications) that indeed needs to (and has been) patched, though it does underscore the importance of the operators that control updates to phones in the U.S. to get updates pushed out more quickly.
Update June 17: SwiftKey, in a blog post, says:
We supply Samsung with the core technology that powers the word predictions in their keyboard. It appears that the way this technology was integrated on Samsung devices introduced the security vulnerability. We are doing everything we can to support our long-time partner Samsung in their efforts to resolve this obscure but important security issue.
The vulnerability in question poses a low risk: a user must be connected to a compromised network (such as a spoofed public Wi-Fi network), where a hacker with the right tools has specifically intended to gain access to their device. This access is then only possible if the user's keyboard is conducting a language update at that specific time, while connected to the compromised network.