Samsung To Upgrade Knox To Mitigate Swiftkey Flaw

Samsung has rushed a fix for a critical vulnerability found in a native app shipped with millions of its latest smartphones.

Earlier this week, NowSecure revealed that more than 600 million Samsung smartphones are at risk from the flaw in messaging app SwiftKey.

Keyboard Flaw

The app, which is designed to help users to type without mistakes using autocorrect, comes pre-loaded on Samsung devices, and cannot be uninstalled from Samsung’s smartphone.

The vulnerability, discovered by Ryan Welton, mobile security specialist at NowSecure, could allow an attacker to remotely execute code as a privileged (system) user, and affects models including the Samsung Galaxy S6, S5, S4 and S4 mini.

It should be noted that only the pre-installed SwiftKey app is vulnerable, not the ones from Google Play Store or Apple iOS Store. But installing the app from the Play store will NOT remove the vulnerability of the pre-installed version apparently. And the security risk will exists on Galaxy smartphones, even if the app isn’t being used as the default keyboard.

Samsung was first notified of the flaw last December, and had already issued a patch to mobile network operators in early 2015. But it is unknown if the mobile operators have provided the patch to the devices on their network, meaning its is hard to determine how many users remain vulnerable.

Samsung therefore has taken the decision this week to upgrade its Knox security software in a few days in order to eliminate the risks, Bloomberg reported.

Samsung said in an email on Thursday that all Galaxy models since the S4 (released in 2013) are embedded with Knox. The upgrade will be available for download to users of all those models, it said. But it didn’t comment on plans for older models.

SwiftKey is taking the issue seriously and working with Samsung to ensure a patch is available as soon as possible, Jennifer Kutz, a spokeswoman for the company, told Bloomberg by email.

“The vulnerability in question is not easy to exploit,’ she said.

SwiftKey Statement

Indeed, SwiftKey told TechweekEurope earlier this week that the vulnerability is down to the way that Samsung integrated the app onto its smartphones.

“We supply Samsung with the core technology that powers the word predictions in their keyboard,” the company told TechweekEurope. “It appears that the way this technology was integrated on Samsung devices introduced the security vulnerability. We are doing everything we can to support our long-time partner Samsung in their efforts to resolve this important security issue.”

“The vulnerability in question is not easy to exploit: a user must be connected to a compromised network (such as a spoofed public Wi-Fi network), where a hacker with the right tools has specifically intended to gain access to their device,” said SwiftKey. “This access is then only possible if the user’s keyboard is conducting a language update at that specific time, while connected to the compromised network.”

“For clarity, this issue does not affect SwiftKey’s consumer keyboard applications on Google Play or the Apple App Store, and we are absolutely committed to maintaining world-class standards in security and privacy practices for our users,” said the company.

How much do you know about hacking? Take our quiz!