The issue, reported to Samsung in December of 2014, is that the SwiftKey keyboard checks for new language packs over an unencrypted, plain text connection. Knowing this, NowSecure's Ryan Welton says he can spoof a proxy server for the keyboard that allows access to device sensors, apps and more:
Access sensors and resources like GPS, camera and microphone
Secretly install malicious app(s) without the user knowing
Tamper with how other apps work or how the phone works
Eavesdrop on incoming/outgoing messages or voice calls
Attempt to access sensitive personal data like pictures and text messages
The company has released at least one patch to carriers to address the issue in late March.
Even so, Galaxy phones are available in more than 100 regions around the world and the exploit can compromise handsets as far back as 2013's Galaxy S4.
Not only is this a shame for Galaxy phone owners but also for SwiftKey.
The company makes what I think are one of the best third-party keyboards; one that learns and customizes how you communicate based on your email and text messages if you allow it. Although the company has been quiet in regards to this particular security claim, I suspect it will close down any hole in the app if it hasn't already.
On the plus side, SwiftKey reached out via email with the following statement:
"We've seen reports of a security issue related to the Samsung stock keyboard that uses the SwiftKey SDK. We can confirm that the SwiftKey Keyboard apps available via Google Play or the Apple App Store are not affected by this vulnerability. We take reports of this manner very seriously and are currently investigating further."
Update on June 17, 11:30am PT: Samsung has provided the following statement in regards to the security issue:
"Samsung takes emerging security threats very seriously. We are aware of the recent issue reported by several media outlets and are committed to providing the latest in mobile security. Samsung Knox has the capability to update the security policy of the phones, over-the-air, to invalidate any potential vulnerabilities caused by this issue. The security policy updates will begin rolling out in a few days. In addition to the security policy update, we are also working with Swiftkey to address potential risks going forward."
That says to me that the company won't have to wait for carrier approvals to push the update and should close the potential exploit sooner rather than later.