It should be noted that the bug was found back in December 2014. Samsung asked the security researchers to keep the discovery secret and notified the Android security team. Now, half a year later, no fix has reached users, though Samsung claims it started that process in early 2015. The problem is that, unlike Apple's direct software update model, Samsung depends on mobile carriers to push updates out to their users.
C/P from hackread.com
dated June 17th 2015
Android phone users have long shared the view that, despite continual announcements of security breaches in an ever more technological world, their devices remained relatively secure.
This confidence is likely to have been shattered by today's news that up to 600 million users may be vulnerable to attack through the keyboard pre-installed on Samsung devices, which is built on technology from the widely successful keyboard app SwiftKey.
As reported by NewsSource, the keyboard can be compromised despite preventive measures already being in place.
The flaw itself is a rather obvious one: the keyboard pre-installed on Samsung devices checks for language pack updates over an unencrypted connection, so anyone able to sit between the phone and the update server (a spoofed proxy, for example) can send it a malicious update in place of a language pack. Because the data used to validate the download travels over the same unprotected channel, the attacker can supply validation data that matches the malicious pack, and the resulting files remain on the device.
How serious is this vulnerability?
Access sensors and resources like GPS, camera and microphone
Secretly install malicious app(s) without the user knowing
Tamper with how other apps work or how the phone works
Eavesdrop on incoming/outgoing messages or voice calls
Attempt to access sensitive personal data like pictures and text messages
In the worst case the attacker ends up with the privileges of the system user, which would give access to contact data, bank credentials and messages. This is a clear violation of privacy, and Android users are understandably upset that their rights are being undermined.
“We’ve seen reports of a security issue related to the Samsung keyboard. We can confirm that the SwiftKey Keyboard apps available via Google Play or the Apple App Store are not affected by this vulnerability. We take reports of this manner very seriously and are currently investigating further.”
All is not lost, however. If you are reading this thinking that your data may be under threat, it is important to note that the independent SwiftKey app is not affected; the vulnerable software is the built-in Samsung IME, which was partly developed by the keyboard app giants. If you have SwiftKey on your Samsung device, feel free to continue updating it. The app was not included in the article released by NewsSource.
Additionally, the stock Samsung keyboard that was highlighted as a security threat was demonstrated on significantly older firmware, and since the keyboard cannot simply be updated or removed by the user, the flaw is not a simple one to exploit reliably.
An attack would also be rather involved: essentially, a malicious party would already have to have compromised the user's network and use DNS hijacking or a similar man-in-the-middle technique to redirect the phone to a fake language pack update, which could then inject malicious code into the device. Note, though, that a rogue access point or a hostile public Wi-Fi network already satisfies that condition.
On top of these complications there is the additional hurdle that the device can only be exploited when the keyboard actually initiates the download of a new language pack. This makes the whole process rather unreliable for an opportunistic attacker, and when one considers the probability of being one of the potential 600 million users actually targeted, it is less cause for alarm.
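To make the point of the two passages above concrete (the unencrypted update channel with its in-band validation data, and the man-in-the-middle on a hijacked network), here is an added example in Go. It is not code from the original article, from Samsung or from SwiftKey; it models a simplified language-pack update exchange, and the manifest format, the function names and the sample pack contents are all assumptions. A weak client checks only a SHA-1 checksum that arrived in the same unencrypted response, so an attacker who rewrites both pack and checksum passes the check; a hardened client verifies a detached Ed25519 signature against a key pinned in the app and rejects the tampered response even over plain HTTP.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
)

// Constructed model of a language-pack update exchange. Not the Samsung IME's
// or SwiftKey's code; the manifest format and names below are assumptions.

// Manifest travels alongside the pack and carries the checksum the weak
// client uses to "validate" the download. Hypothetical format.
type Manifest struct {
	Name string
	SHA1 string // hex-encoded SHA-1 of the pack bytes
}

// UpdateResponse is one HTTP response as the phone sees it.
type UpdateResponse struct {
	Manifest Manifest
	Pack     []byte
	Sig      []byte // detached signature over manifest+pack; empty in the weak design
}

func sha1Hex(b []byte) string { h := sha1.Sum(b); return hex.EncodeToString(h[:]) }

// signedBytes is the byte string the signature covers: manifest fields plus pack.
func signedBytes(m Manifest, pack []byte) []byte {
	return append([]byte(m.Name+"\x00"+m.SHA1+"\x00"), pack...)
}

// genuineServer builds the legitimate response. signKey is nil in the weak design.
func genuineServer(pack []byte, signKey ed25519.PrivateKey) UpdateResponse {
	r := UpdateResponse{Manifest: Manifest{Name: "en_US", SHA1: sha1Hex(pack)}, Pack: pack}
	if signKey != nil {
		r.Sig = ed25519.Sign(signKey, signedBytes(r.Manifest, r.Pack))
	}
	return r
}

// mitm models the attacker on the path (DNS hijack, rogue AP, spoofed proxy).
// The channel is plain HTTP, so they rewrite BOTH the pack and the manifest;
// a checksum that travelled in the same response therefore still matches.
// They cannot forge Sig without the signing key, so the old one is left as is.
func mitm(resp UpdateResponse, malicious []byte) UpdateResponse {
	resp.Pack = malicious
	resp.Manifest.SHA1 = sha1Hex(malicious)
	return resp
}

// weakClient is the design the article describes: it trusts the in-band checksum.
func weakClient(resp UpdateResponse) ([]byte, error) {
	if sha1Hex(resp.Pack) != resp.Manifest.SHA1 {
		return nil, fmt.Errorf("checksum mismatch")
	}
	return resp.Pack, nil
}

// hardenedClient verifies a detached Ed25519 signature with a public key pinned
// in the app, so integrity no longer depends on the transport at all.
func hardenedClient(resp UpdateResponse, pinned ed25519.PublicKey) ([]byte, error) {
	if len(resp.Sig) != ed25519.SignatureSize {
		return nil, fmt.Errorf("missing or malformed signature")
	}
	if !ed25519.Verify(pinned, signedBytes(resp.Manifest, resp.Pack), resp.Sig) {
		return nil, fmt.Errorf("signature verification failed")
	}
	if sha1Hex(resp.Pack) != resp.Manifest.SHA1 {
		return nil, fmt.Errorf("checksum mismatch")
	}
	return resp.Pack, nil
}

// Outcome records what each client would have installed.
type Outcome struct {
	WeakInstalledMalicious     bool
	HardenedAcceptedGenuine    bool
	HardenedInstalledMalicious bool
}

// Scenario runs both clients against genuine and tampered responses.
func Scenario() (Outcome, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	genuine := []byte("en_US language pack v2 (constructed sample)")
	malicious := []byte("attacker payload (constructed sample)")

	var out Outcome
	got, err := weakClient(mitm(genuineServer(genuine, nil), malicious))
	out.WeakInstalledMalicious = err == nil && bytes.Equal(got, malicious)

	_, err = hardenedClient(genuineServer(genuine, priv), pub)
	out.HardenedAcceptedGenuine = err == nil
	got, err = hardenedClient(mitm(genuineServer(genuine, priv), malicious), pub)
	out.HardenedInstalledMalicious = err == nil && bytes.Equal(got, malicious)
	return out, nil
}

func main() {
	out, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("weak client installed attacker pack:     %v\n", out.WeakInstalledMalicious)
	fmt.Printf("hardened client accepted genuine pack:   %v\n", out.HardenedAcceptedGenuine)
	fmt.Printf("hardened client installed attacker pack: %v\n", out.HardenedInstalledMalicious)
}
```

The lesson is that validation data delivered over the same channel the attacker controls provides no integrity at all. The fix is an authenticated update: TLS with proper certificate validation as the transport, and ideally a signature over the pack checked against a key pinned in the app, so that a DNS hijack or rogue access point gains the attacker nothing.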
Take the standard precautions, such as avoiding unsecured wireless networks, and you should still be able to rest easy.
Update:
The Android Police report claims the security flaw is nothing to worry about. However, there has been no word from Samsung at the moment.