Over the weekend, Microsoft-owned SwiftKey announced that a number of SwiftKey Cloud users were seeing unfamiliar predictions in their keyboard autocorrect. The data had been synchronized from SwiftKey’s Cloud system, and it appears that other users’ personalized dictionaries had been moved across. SwiftKey report that only a few customers noticed unexpected predictions and that only in rare cases did customers see other email addresses appearing in their keyboard. For the time being, given the security implications, SwiftKey have disabled their Cloud service and updated their applications to remove email address predictions. Because of this, it’s not currently possible for customers to back up their autocorrect database to the cloud.
SwiftKey is one of the most popular third-party keyboards in use around the world today thanks to a combination of superb word recognition and predictions, the slide-to-type feature (introduced before Google used it with their own keyboard, for example) and solid theme support. The stock application includes a number of themes and customers can buy and download more. SwiftKey was originally released as a premium application with a free trial, but the company later changed this, deciding to sell themes and keep the core keyboard free of charge. Apple have relatively recently opened up third-party keyboard support for iOS and SwiftKey has found a new home on the iPhone. The company’s blog states that the issue is caused by a bug in the SwiftKey keyboard synchronization software and that the company does not believe it poses a security issue for customers, which ignores how strange email addresses found their way into other users’ keyboard autocorrect databases. SwiftKey is used by both iOS and Android users and it’s not clear whether the fault lies on the server side or in the client application on either or both platforms.
At this juncture we don’t have any additional information about the flaw in SwiftKey, nor a timescale for when the company are going to release a fix. This is not the first time a keyboard application has exposed a security risk: last year Samsung’s keyboard came under scrutiny because of a security flaw, and an estimated 600 million devices were exposed. In the last eighteen months we have also seen a number of relatively high-profile security vulnerabilities and risks exposed, such as the Apple iCloud and LinkedIn password hacks and of course the Stagefright critical vulnerability. Although some sensitive applications (such as banking applications) come with their own keyboard, the majority use the keyboard in use on the system for entering account credentials, lock codes and passwords. SwiftKey may need to figure out what the bug is and come clean about the state of play with their Cloud sync services to keep confidence in the technology.