This morning, a company called NowSecure published an exploit claiming to affect SwiftKey on Samsung devices that they assert could impact "600 million+" devices. Well, maybe.

While we cannot verify the true seriousness of the security flaw were an attacker to successfully manage to exploit it, we were able to verify something substantially more important to end user safety - it does not affect the SwiftKey app, only the built-in Samsung IME which is partly developed by SwiftKey. We reached out to SwiftKey this morning and they confirmed that the versions of SwiftKey shipping on the Google Play Store (and the Apple App Store, if you care) are not vulnerable to the alleged flaw.

The app in question is not SwiftKey itself, but rather the Samsung IME keyboard that SwiftKey develops for Samsung.

We’ve seen reports of a security issue related to the Samsung keyboard. We can confirm that the SwiftKey Keyboard apps available via Google Play or the Apple App Store are not affected by this vulnerability. We take reports of this manner very seriously and are currently investigating further.

If you have a device with SwiftKey and are concerned with the security of the application, update it, not that there's any reason you should be vulnerable at this point to begin with. As for the stock Samsung keyboard app, it's actually not even clear if newer devices can be fully affected by the exploit, as it was demonstrated on substantially older firmware. While there is no simple way to update the Samsung IME keyboard (you can remove the app entirely if you're rooted, though), this isn't an easy flaw to exploit.

An attack would also be rather involved - essentially, a malicious party would have to have already deeply compromised the security of the network you're on and use DNS hijacking or a similar man-in-the-middle exploit to redirect your phone to a fake language pack update that could then potentially inject your device with malicious code. And even under these conditions, only when the app initiates a new language pack download or language pack update can the flaw be taken advantage of. This would make it quite difficult to exploit reliably, let alone on any sort of scale.

Tl;dr? There's probably nothing much here to worry about unless you regularly frequent unsecured wireless networks.

SwiftKey has a blog post up this morning, which includes this statement from Samsung:

Samsung takes emerging security threats very seriously. We are aware of the recent issue reported by several media outlets and are committed to providing the latest in mobile security.

Samsung KNOX has the capability to update the security policy of the phones, over-the-air, to invalidate any potential vulnerabilities caused by this issue. The security policy updates will begin rolling out in a few days.

In addition to the security policy update, we are also working with SwiftKey to address potential risks going forward.