Samsung Flaw Highlights Inherent Mobile Keyboard Weaknesses.
The news that 600m Samsung smartphones have been vulnerable to malicious updates that allow attackers to spy on calls and messages illustrates the need to add extra security to mobile keyboard operations.
While this flaw highlights several issues, such as the dangers of granting elevated privileges to the host app and the insecurity of non-HTTPS updates, it also underscores the central role a system keyboard can take in securing sensitive data on a mobile device.
The fundamental issue concerns the way the keyboard interacts with data flows and mobile applications. Default system keyboards produced by Apple, Samsung and other manufacturers send data entered by mobile keypads to the cloud – in clear text – in order to facilitate their predictive text services. Not good.
Another key issue arises because keyboards operate in a separate process to the applications they serve. Sandboxing of apps is all well and good, but the mobile system keyboard sends characters in clear text to the application it serves, thus inherently compromising data entry by the user.
SentryBay have developed a secure mobile keyboard which ensures no data is sent to the cloud. Keys entered into the secure keyboard can also be encrypted, while keyloggers pick up fake random data generated by the technology. In addition, there is a mechanism to allow the secure keyboard to be built into a host application, removing the possibility of data interception at source.
While much progress has been made in developing mobile architecture with security in mind, this is not the case with the use of keyboards, so it is not surprising that serious gaps are appearing which place sensitive user inputs at risk.