Samsung follows Apple with major Galaxy smartphone security flaw
The security flaw was discovered by NowSecure security specialist Ryan Welton. He found that the SwiftKey keyboard preinstalled on Samsung phones downloads language pack updates over an unencrypted connection, with no check that the bytes came from the genuine server. In other words, it's about the least secure way Samsung could have found to deliver an update.
Mr. Welton found that an attacker who can intercept the phone's traffic (on a hostile Wi-Fi network, for instance) could stand up a server that impersonates the legitimate update server, then deliver a payload that opens the door to collecting data from victims' phones, listening in on phone calls, and even using the phone's microphone to eavesdrop on nearby conversations.
NowSecure said attackers can gain access to the device's sensors, GPS, camera, and microphone, can install malicious apps without the victim's knowledge, alter how the phone works and how apps interact, and potentially access private data.
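The root problem described above is that the phone trusts whatever the update channel delivers. The following Go program is an added example, not code from NowSecure, SwiftKey or Samsung: it contrasts that pattern with an installer that only accepts a pack whose detached signature verifies under a public key baked into the app. `LanguagePack`, `Vendor`, `MITM` and the sample dictionary bytes are constructed for illustration, and the on-path attacker is modelled as a function rather than a real network hop.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// LanguagePack is a constructed stand-in for a downloaded language pack:
// the body plus a detached signature. It is not SwiftKey's or Samsung's
// real update format.
type LanguagePack struct {
	Name string
	Body []byte
	Sig  []byte // Ed25519 signature over packDigest(Name, Body); empty on the plaintext channel
}

// Vendor keeps the private signing key offline; only Pub ships inside the app.
type Vendor struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func NewVendor() (*Vendor, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Vendor{priv: priv, Pub: pub}, nil
}

// packDigest binds the pack name to its body so a genuine pack cannot be
// replayed under another pack's name. The zero byte separates the fields.
func packDigest(name string, body []byte) []byte {
	h := sha256.New()
	h.Write([]byte(name))
	h.Write([]byte{0})
	h.Write(body)
	return h.Sum(nil)
}

// Publish signs a pack before it is placed on the update server.
func (v *Vendor) Publish(name string, body []byte) LanguagePack {
	return LanguagePack{Name: name, Body: body, Sig: ed25519.Sign(v.priv, packDigest(name, body))}
}

// MITM models the on-path attacker: over plain HTTP with no server
// authentication, the phone's request can be answered with any body at all.
func MITM(p LanguagePack, payload []byte) LanguagePack {
	p.Body = payload
	return p
}

// InstallVulnerable is the pattern the article describes: whatever arrives
// over the plaintext channel is treated as the update.
func InstallVulnerable(p LanguagePack) ([]byte, error) {
	return p.Body, nil
}

// InstallVerified accepts a pack only if its detached signature verifies
// under the public key embedded in the app, so a spoofed server or an
// on-path rewrite yields an error instead of an install regardless of how
// the bytes were transported.
func InstallVerified(pub ed25519.PublicKey, p LanguagePack) ([]byte, error) {
	if len(p.Sig) != ed25519.SignatureSize {
		return nil, fmt.Errorf("pack %q carries no signature; refusing install", p.Name)
	}
	if !ed25519.Verify(pub, packDigest(p.Name, p.Body), p.Sig) {
		return nil, fmt.Errorf("signature check failed for pack %q; refusing install", p.Name)
	}
	return p.Body, nil
}

// Demo feeds the same tampered download to both installers and reports
// whether each accepted the attacker's bytes.
func Demo() (vulnAccepted, verifiedAccepted bool, err error) {
	v, err := NewVendor()
	if err != nil {
		return false, false, err
	}
	payload := []byte("attacker payload")
	tampered := MITM(v.Publish("en_GB", []byte("constructed dictionary data v1")), payload)

	got, _ := InstallVulnerable(tampered)
	_, verr := InstallVerified(v.Pub, tampered)
	return string(got) == string(payload), verr == nil, nil
}

func main() {
	vuln, verified, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("plaintext installer accepted attacker payload:", vuln)
	fmt.Println("signature-checking installer accepted attacker payload:", verified)
}
```

Encrypting the transport (HTTPS with proper certificate validation) would also shut out the network attacker, but signing the artefact protects the device even if the update server or a mirror is compromised; a client that does both has no single point at which a swapped payload is accepted.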
News of the Samsung keyboard exploit follows news that Apple's sandbox environment for OS X and iOS isn't as secure as previously thought. The Apple weakness, dubbed XARA, lets a maliciously crafted app gather data from other apps, including passwords from Keychain.
Apple was alerted to the security flaw in October 2014, but still hasn't released a fix. Samsung knew about its security issue in November 2014, and delivered its patch to cell service providers at the end of March 2015 for Android 4.2 and higher. That update doesn't, however, appear to have reached phones yet.
Devices NowSecure knows to be susceptible to the keyboard flaw include the Galaxy S6, Galaxy S5, Galaxy S4, and Galaxy S4 Mini.
Samsung commented on the flaw saying,
Samsung takes emerging security threats very seriously. We are aware of the recent issue reported by several media outlets and are committed to providing the latest in mobile security.
The company added that its KNOX platform can push updated on-device security policies over the air to block issues like this, and said that policy update will begin “rolling out in a few days.”
While both flaws make for some great schadenfreude, Apple's customers are ultimately in a better position. Apple controls software updates independently of cell service carriers, so once a patch is ready it can be pushed to everyone. Samsung's update process, on the other hand, is at the mercy of its carrier partners, and they typically aren't overly responsive. Even though an update is available, it most likely isn't being pushed out to affected Android devices.
It looks like new Android devices are shipping with the flaw in place, too. NowSecure tested Galaxy smartphones purchased off the shelf and found they're still susceptible.
TouchType, the company that makes SwiftKey, said the iPhone version isn't open to the attack, nor is the version available through the Google Play store.