Samsung is scrambling to provide a fix for a serious vulnerability affecting as many as 600 million of its high-end devices.
The flaw lies in Samsung's customised version of the SwiftKey keyboard, which is the system default on its devices and cannot be uninstalled.
Researcher Ryan Welton showed that it was possible to inject malicious code on devices by exploiting the lack of protection for the keyboard app update mechanism.
Samsung maintained that the vulnerability was difficult to exploit, and said there had been no reported cases of customers' Galaxy devices being compromised.
Furthermore, Samsung said its Knox security platform, installed on flagship devices since the Galaxy S4, would protect users against the keyboard vulnerability by taking advantage of Security Enhancements for Linux, which has been part of Google's Android operating system since version 4.3.
SELinux enforces mandatory security settings on Android devices.
The Korean electronics giant will issue policy updates to stop the keyboard vulnerability over-the-air in the coming days, Samsung said. To receive them, user devices must have automatic reception of security policy updates enabled.
Samsung said there would be an expedited firmware update for those devices that do not have Knox installed by default.
That update will need testing and approval by telcos retailing Samsung devices before it becomes available. Samsung did not provide a time frame for the firmware update rollout.
Samsung had provided an update to its telco partners earlier in the year but has now opted to send it direct to affected customer phones.