Update June 19: Samsung has detailed what you can do to make sure you get the fix for the exploit.
Update June 18: Samsung tells Android Central that it's preparing a security update that won't have to wait on a full system update from the operators.
Samsung's stock keyboard — as in the one that ships on its phones — is the subject today of a piece from security firm NowSecure that details a flaw that has the possibility of allowing code to be executed remotely on your phone. Samsung's built-in keyboard uses the SwiftKey software development kit for prediction and language packs, and that's where the exploit was found.
NowSecure has headlined the entire thing with "Samsung Keyboard Security Risk Disclosed: Over 600M+ Devices Worldwide Impacted." That's scary-sounding stuff. (Especially when it includes bright red backgrounds and scary-looking images of what generally is known as a dead face.)
So do you need to worry? Probably not. Let's break it down.
First things first: It's been confirmed to us that we're talking about Samsung's stock keyboard on the Galaxy S6, Galaxy S5, Galaxy S4 and GS4 Mini — and not the version of SwiftKey that you can download from Google Play or the Apple App Store. Those are two very different things. (And if you're not using a Samsung phone, obviously none of this applies to you anyway.)
We reached out to SwiftKey, which gave us the following statement:
We've seen reports of a security issue related to the Samsung stock keyboard that uses the SwiftKey SDK. We can confirm that the SwiftKey Keyboard app available via Google Play or the Apple App Store is not affected by this vulnerability. We take reports of this manner very seriously and are currently investigating further.
We also reached out to Samsung earlier in the day but have yet to receive any comment. We'll update if and when we get one.
Reading through NowSecure's technical blog on the exploit, we can get a glimpse of what's going on. (If you read it yourself, do note that where they say "Swift" they mean "SwiftKey.") If you're connected to an unsecured access point (such as an open Wi-Fi network), it's possible for someone to intercept and alter the SwiftKey language packs as they're updating (which they periodically do for obvious reasons — improved prediction and whatnot), so that your phone receives data supplied by the attacker.
Being able to piggyback that is bad. But, again, it's dependent on you being on an unsecured network in the first place (which you really shouldn't be — avoid public hotspots that don't use wireless security, or consider a VPN), and on someone being there to do something nefarious in the first place.
And it depends on you having an unpatched device. As NowSecure itself points out, Samsung's already submitted patches to the carriers. It just has no idea how many have pushed the patch, or ultimately how many devices remain vulnerable.
Those are a lot of variables and unknowns that ultimately add up to another academic exploit (as opposed to one that has real-world implications) that indeed needs to be (and has been) patched. It does, though, underscore the importance of the operators that control updates to phones in the U.S. getting updates pushed out more quickly.
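The language-pack tampering described above is the kind of thing an update client catches by authenticating what it downloads before using it. The sketch below is an added example, not Samsung's, SwiftKey's or NowSecure's code; the manifest layout, key and function names are assumptions, and HMAC stands in for a publisher signature so the example runs on the Python standard library alone.

```python
import hashlib
import hmac
import json

# Constructed demo key. HMAC stands in for a publisher signature (assumption);
# a real client would verify an asymmetric signature with a pinned public key.
MANIFEST_KEY = b"constructed-demo-key"

def sign_manifest(manifest_bytes, key=MANIFEST_KEY):
    """Publisher side: tag the manifest so clients can authenticate it."""
    return hmac.new(key, manifest_bytes, hashlib.sha256).hexdigest()

def verify_language_pack(manifest_bytes, manifest_tag, pack_name, pack_bytes,
                         key=MANIFEST_KEY):
    """Return (ok, reason); accept only an authentic manifest and matching pack."""
    expected = sign_manifest(manifest_bytes, key)
    if not hmac.compare_digest(expected.encode(), manifest_tag.encode()):
        return False, "manifest failed authentication"
    try:
        listed = str(json.loads(manifest_bytes)["packs"][pack_name]["sha256"])
    except (ValueError, KeyError, TypeError):
        return False, "pack not listed in manifest"
    actual = hashlib.sha256(pack_bytes).hexdigest()
    if not hmac.compare_digest(listed.encode(), actual.encode()):
        return False, "pack digest mismatch"
    return True, "ok"

def make_manifest(pack_bytes):
    """Build a constructed one-entry manifest for the demo."""
    digest = hashlib.sha256(pack_bytes).hexdigest()
    return json.dumps({"packs": {"en_US": {"sha256": digest}}}).encode()

def demo():
    pack = b"constructed en_US language pack contents"
    manifest = make_manifest(pack)
    tag = sign_manifest(manifest)
    clean = verify_language_pack(manifest, tag, "en_US", pack)
    # Pack altered in transit, manifest untouched.
    altered = pack + b" + altered bytes"
    swapped = verify_language_pack(manifest, tag, "en_US", altered)
    # Manifest digest rewritten to match the altered pack: a bare hash
    # comparison would pass, but the manifest no longer authenticates.
    rewritten = verify_language_pack(make_manifest(altered), tag, "en_US", altered)
    return clean, swapped, rewritten

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The third case is the one that matters on an open network: a digest that travels over the same unauthenticated channel as the file it describes protects nothing unless the manifest itself is authenticated.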
Update June 17: SwiftKey, in a blog post, says:
We supply Samsung with the core technology that powers the word predictions in their keyboard. It appears that the way this technology was integrated on Samsung devices introduced the security vulnerability. We are doing everything we can to support our long-time partner Samsung in their efforts to resolve this obscure but important security issue.
The vulnerability in question poses a low risk: a user must be connected to a compromised network (such as a spoofed public Wi-Fi network), where a hacker with the right tools has specifically intended to gain access to their device. This access is then only possible if the user's keyboard is conducting a language update at that specific time, while connected to the compromised network.