This morning, a company called NowSecure published an exploit for SwiftKey on Samsung devices that they claim could affect “600 million+” devices. Except that’s almost certainly not true.
While we cannot verify the true seriousness of the security flaw were an attacker to successfully manage to exploit it, we were able to verify something substantially more important to end user safety: it’s already fixed in SwiftKey. We reached out to SwiftKey this morning and they confirmed that the versions of SwiftKey shipping on the Google Play Store (and the Apple App Store, if you care) are not vulnerable to the alleged flaw.
Given that Android devices are configured by default to update applications on the device, even those that are preloaded, it seems fairly safe to say that the actual number of devices potentially remaining unprotected is substantially lower than “600 million+.” In fairness, some Samsung phones shipping with a preloaded version of SwiftKey could be affected “out of the box,” but their first update to the SwiftKey app will obviously remedy this. Here’s SwiftKey’s statement:
“We’ve seen reports of a security issue related to the Samsung keyboard. We can confirm that the SwiftKey Keyboard apps available via Google Play or the Apple App Store are not affected by this vulnerability. We take reports of this manner very seriously and are currently investigating further.”
If you have a Samsung device with SwiftKey and are concerned with the security of the application, update it.
The exploit itself also seems rather involved. Essentially, an attacker would have to have already deeply compromised the security of the network you’re on and use DNS hijacking or a similar man-in-the-middle exploit to redirect your phone to a fake language pack update that could then potentially inject your device with malicious code. And even under these conditions, only when the app initiates a new language pack download or language pack update can the flaw be taken advantage of – there is no mechanism provided by the author to remotely “trick” the app into believing it suddenly needs a language pack update or forcing it into downloading a new one. This would make it quite difficult to exploit reliably, let alone on any sort of scale.
Tl;dr? There’s probably nothing here to worry about unless you actively avoid updating pre-loaded software and regularly frequent unsecured wireless networks, both of which are terrible security habits anyway.
Source = androidpolice