
Bug discovered in Galaxy Phones Swift Keyboard App

Posted on 6/17/15 at 12:26 pm
Posted by boXerrumble
Member since Sep 2011
52279 posts
quote:

Have a Samsung Galaxy device? Chances are it has a security flaw that lets attackers install malware on it or eavesdrop on your calls, and there's nothing you can do about it.

Chicago-based security firm NowSecure has published a report claiming that a bug in the Swift keyboard software, preinstalled on more than 600 million Samsung devices, can allow a remote attacker who is capable of controlling a user's network traffic to execute arbitrary code on the user's phone.


quote:

The list of potentially vulnerable devices is a scary one, including Samsung Galaxy S6, S5, S4 and S4 mini on major U.S. carriers, including Verizon, AT&T, Sprint and T-Mobile. The status of some devices with regard to this vulnerability is unknown, but some — like Galaxy S6 on Verizon and Sprint, and Galaxy S5 and T-Mobile — are vulnerable.


LINK

Hmm... Even if Samsung gets this fixed, the carriers still will take their time with sending updates out.

What is Swift keyboard anyway? I had an S2, and I didn't have this.
Posted by ILikeLSUToo
Central, LA
Member since Jan 2008
18018 posts
Posted on 6/17/15 at 12:51 pm to
SwiftKey is a third-party keyboard app that learns your writing style over time for a more intelligent autocorrect. I use it on my Nexus 6.

For those who use the SwiftKey app by choice on other phones, this is not a concern. LINK

quote:

Swiftkey is not to blame here and vulnerability is unrelated to SwiftKey’s consumer apps on Google Play and the Apple App Store. So your Swiftkey app has nothing to do with this story.

Yes, it supplies Samsung with the core technology that powers the word predictions in their keyboard.

But TechCrunch understands that the way that Swiftkey’s engine was integrated on Samsung devices introduced the security vulnerability in the first place.

It’s also a very low risk problem. For the bug to expose the phone, a user would have to be connected to a compromised network (such as a spoofed public Wi-Fi network) created for those purposes by a hacker with malicious intentions.

In a statement, Swiftkey told us that even then the access is only possible if the user’s keyboard is “conducting a language update at that specific time, while connected to the compromised network.”

It absolutely does not affect SwiftKey’s app on Google Play or the Apple App Store.

Here’s the bottom line: our sources have told us that Samsung “screwed up” how they implemented Swiftkey’s SDK into their keyboard. Why? Because they crazily gave the keyboard system level permissions.

As NowSecure says:

“It’s unfortunate but typical for OEMs and carriers to preinstall third-party applications to a device. In some cases these applications are run from a privileged context. This is the case with the Swift (sic) keyboard on Samsung… This means that the keyboard was signed with Samsung’s private signing key and runs in one of the most privileged contexts on the device, system user, which is a notch short of being root.”

Swiftkey does have one issue though: It used HTTP rather than HTTPS in some aspects of how the keyboard gets updated. This might have protected what appears to be a basic mistake in how Samsung integrated SwiftKey on their devices.

But whether it’s HTTP vs HTTPS is not the main issue here. It’s the system permissions – which is a problem lying firmly in Samsung’s camp.
Posted by WONTONGO
Member since Oct 2007
4297 posts
Posted on 6/17/15 at 1:12 pm to
So first I find out Swiftkey is behind the Textra problems I'm having and now this.

Even if it's Samsung's fault this is too much bad shite for one app in one day. I uninstalled.

I'll check back in a few weeks.
Posted by BuckeyeFan87
Columbus
Member since Dec 2007
25239 posts
Posted on 6/17/15 at 2:09 pm to
I thought I was on tOT and initially read the headline as

"Bug discovered in another Galaxy" and I was all like :it's happening:


... then I read it again. I am disappoint.
Posted by Huck Finn
Baton Rouge
Member since Jul 2009
2456 posts
Posted on 6/17/15 at 3:08 pm to
lol
Posted by TigerMyth36
River Ridge
Member since Nov 2005
39731 posts
Posted on 6/17/15 at 3:20 pm to
quote:

"Bug discovered in another Galaxy" and I was all like :it's happening:


Only good bug is a dead bug!
