There’s another vulnerability affecting the Android platform that this week once again raises the question: am I vulnerable?
Researchers from NowSecure announced at Black Hat in London this week a vulnerability affecting the SwiftKey keyboard on Android.
The biggest concern is for Samsung Galaxy phones, which ship with the SwiftKey keyboard preinstalled and allow it to run with the same system-level privileges as the operating system itself.
This vulnerability could allow attackers to take total control of a vulnerable Android phone.
Fortunately there is a fix for this vulnerability. But that’s not the end of the story, because this issue has again raised the question for Android users (and Samsung users in particular): am I vulnerable?
Just because a vulnerability has been patched doesn’t mean that YOU now have the patch. And for Android especially, it doesn’t mean that you’ll EVER get the patch.
Unlike iOS, the Android platform is highly fragmented in terms of versions and support. Just because you have an Android phone doesn’t mean you’ll actually get a fix for the vulnerability that affects your phone. In the United States especially, if you use an Android phone, you’re not a customer of Google, who makes Android (unless you bought a Nexus phone from Google directly): you’re a customer of the maker of the phone (for example: Samsung) and the wireless carrier (for example: AT&T, Verizon, Sprint or T-Mobile). Once a vulnerability is patched, it’s still a question of whether you’ll get the patch or not, and that question is answered by your phone maker and your wireless carrier. And the truth is, very often, for older versions of Android especially, that answer is: No, you won’t ever get the patch.
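Since the practical question is what build and patch level your phone actually received, not what Google has released, here is a small triage helper. It is an added example, not code from the original post or from any of the companies named in it. It parses the `[key]: [value]` lines that `adb shell getprop` prints and reports the age of the device's declared security patch level; that property (`ro.build.version.security_patch`) only exists on Android 6.0 and later, so its absence is itself a signal that the device is on an older, likely unsupported build. The property lines embedded below are constructed sample data, not captured from a real phone, and the 90-day staleness threshold is an assumption chosen for illustration.

```python
"""Triage helper for the "am I vulnerable?" question.

Added example, not from the original post. Parses `adb shell getprop`
output (format: [key]: [value]) and assesses the device's patch state.
The sample property lines are constructed, not captured from a real device.
"""
import re
from datetime import date

# Constructed sample of `adb shell getprop` output. The model string is a
# placeholder, not a real Samsung model number.
SAMPLE_GETPROP = """\
[ro.build.version.release]: [6.0.1]
[ro.build.version.sdk]: [23]
[ro.build.version.security_patch]: [2016-03-01]
[ro.product.manufacturer]: [samsung]
[ro.product.model]: [SM-EXAMPLE]
[ro.build.date.utc]: [1457000000]
"""

# One getprop line: "[name]: [value]"; values may be empty.
PROP_RE = re.compile(r"^\[([^\]]+)\]:\s*\[(.*)\]$")


def parse_getprop(text):
    """Return a dict of property name -> value from getprop output.
    Lines that do not match the bracketed format are ignored."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def patch_age_days(props, today):
    """Days since the declared security patch level, or None when the
    property is absent (Android versions before 6.0 do not report one)."""
    raw = props.get("ro.build.version.security_patch")
    if not raw:
        return None
    year, month, day = (int(part) for part in raw.split("-"))
    return (today - date(year, month, day)).days


def assess(props, today, max_age_days=90):
    """Classify the device's patch state. The max_age_days threshold is an
    assumption for illustration; pick one that matches your own risk policy."""
    age = patch_age_days(props, today)
    if age is None:
        return "unknown: no security patch level reported (pre-6.0 build); treat as unpatched"
    if age > max_age_days:
        return f"stale: patch level is {age} days old"
    return f"current: patch level is {age} days old"


if __name__ == "__main__":
    # Real use: feed the output of `adb shell getprop` into parse_getprop.
    device = parse_getprop(SAMPLE_GETPROP)
    print(device.get("ro.product.manufacturer"), device.get("ro.product.model"),
          "Android", device.get("ro.build.version.release"))
    print(assess(device, date.today()))
```

The useful outcome is the "unknown" branch as much as the "stale" one: a phone whose build predates the security patch level property is, by the post's own argument, exactly the kind of device whose maker and carrier may never ship a fix.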
The SwiftKey vulnerability isn’t the first time this question has come up. Over the past two years alone, we’ve documented numerous serious vulnerabilities that affect Android and will never be patched for all users:
Now we can add the SwiftKey vulnerability to this list of vulnerabilities that you may never be protected from.
When you consider that the number of malware samples affecting Android passed the 5 million mark in March 2015, this problem becomes all the more urgent and serious. Collectively, the vulnerability and malware situation on Android is comparable to that on Microsoft Windows. And just as you wouldn’t connect a Windows system to the Internet without security software, you shouldn’t connect an Android system to the Internet without security software either.
This isn’t a new problem. It’s also not an easy problem: I work in security and was left hanging on an unsupported and unsecured version of Android by my handset maker and carrier for a year and a half in 2013 (a problem I wrote about here). When the experts can’t solve it for themselves, it’s a sign that you’ve got a real, intractable problem.
Let’s be clear: even so, it is possible to use the Android platform safely. If you get your Android phone from Google, you’ll get your security patches from Google directly. Even if you get your Android phone from someone else, you can run security software for an extra layer of protection, and that will provide protection against malware on Android as well. But a key to being secure is understanding your risks. And the fact is that unpatchable vulnerabilities on Android are a real risk you have to be aware of, and account for.