DNS-based mitigation for Samsung SwiftKey keyboard vulnerability

I was just listening to the discussion of the Samsung SwiftKey keyboard vulnerability from Security Now! episode 513, and I came up with a simple DNS-based mitigation that a user could implement to protect themselves.

The Vulnerability

Without any user interaction, the user’s phone makes a plaintext HTTP GET request to a SwiftKey update server. Any man-in-the-middle attacker can hijack this request and inject malicious code into the phone. According to NowSecure, the discoverer of the vulnerability, the request looks like this:

GET http://skslm.swiftkey.net/samsung/downloads/v1.3-USA/az_AZ.zip

DNS-based Mitigation

With a rooted Android phone, a user could edit their /etc/hosts file to redirect the hostname of the update server (skslm.swiftkey.net) to localhost, preventing the HTTP GET request from ever leaving the phone. In other words, the user is hijacking the request to the update server before a bad guy gets the opportunity to do the same.
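The hosts-file edit described above, as an added shell sketch that is not part of the original post: it pins the update hostname to loopback, removes any older mapping that would shadow the new entry, and checks the result. The function names are made up for this example, and it assumes the resolver uses the first matching hosts entry and that the hosts file is writable (on Android, /etc/hosts normally lives on the read-only /system partition).

```shell
#!/bin/sh
# Added example: pin the update host named on this page to loopback.
# is_blocked and block_host are hypothetical helper names for this sketch.

UPDATE_HOST="skslm.swiftkey.net"

# is_blocked FILE HOST
# Succeeds only if the first entry for HOST maps to a loopback address.
# Assumption: the resolver honours the first matching line in the file.
is_blocked() {
    awk -v h="$2" '
        { sub(/#.*/, "") }    # ignore comments
        { for (i = 2; i <= NF; i++) if ($i == h) { addr = $1; found = 1; exit } }
        END { exit !(found && (addr == "127.0.0.1" || addr == "::1")) }
    ' "$1"
}

# block_host FILE HOST
# Idempotently maps HOST to 127.0.0.1. Any existing line naming HOST is
# dropped whole (other aliases on that line go with it) so that a stale
# entry cannot take precedence over the loopback one.
block_host() {
    file=$1
    host=$2
    is_blocked "$file" "$host" && return 0
    tmp=$(mktemp) || return 1
    awk -v h="$host" '
        { line = $0; sub(/#.*/, "")
          for (i = 2; i <= NF; i++) if ($i == h) next
          print line }
    ' "$file" > "$tmp"
    printf '127.0.0.1 %s\n' "$host" >> "$tmp"
    # Write back in place so the file keeps its owner and permissions.
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# Usage, as root with the hosts file writable:
#   block_host /etc/hosts "$UPDATE_HOST" && is_blocked /etc/hosts "$UPDATE_HOST"
```

This only stops lookups that consult the hosts file; it does nothing if the request reaches the server by another name or address.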

With a non-rooted phone, there are DNS resolver apps that can be installed to do the same kind of redirection to localhost.

Will this kind of mitigation work? Since I don’t have an Android phone to test against, this is just a thought experiment for myself.

King of my own domain

I am pleased to announce that the Mad Philosopher now has his own domain. That is, these posts can now be accessed from the site https://madphilosopher.ca/. I registered the domain name from easyDNS on the advice of a friend. And it was truly easy. So now I’m on my way to building a true web identity and a better website.

Also, look for my latest picture gallery, just posted. I’ve had my camera since the Fall of 2000, so it’s about time that I put some more pictures on the site. The gallery design is based on other picture galleries that I have seen on the web, but I wrote the software that enables me to compile and update the galleries easily. If you are interested in using the software for your own site, please ask.

Enjoy! And thanks for visiting my site.