I was just listening to the discussion of the Samsung SwiftKey keyboard vulnerability from Security Now! episode 513, and I came up with a simple DNS-based mitigation that a user could implement to protect themselves.
Without any user interaction, the user’s phone makes a plaintext HTTP GET request to a SwiftKey update server, and because the request is unencrypted and unauthenticated, any man-in-the-middle bad actor can hijack it and inject malicious code into the phone. According to NowSecure, the discoverer of the vulnerability, the request looks like this:
With a rooted Android phone, a user could edit their /etc/hosts file to redirect the hostname of the update server ( ) to localhost, preventing the HTTP GET request from ever leaving the phone. In other words, the user is hijacking the request to the update server before a bad guy gets the opportunity to do the same.
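One way to apply and verify that hosts-file override, as an added example that is not part of the original post and not code from SwiftKey or NowSecure. The hostname UPDATE_HOST is a placeholder, since the post does not reproduce the real update server's name, and SAMPLE_HOSTS is a constructed hosts file. It pins the name to both 127.0.0.1 and ::1 (so an IPv6 lookup cannot slip past the override), strips the name from any existing non-loopback line, and checks that every remaining mapping is loopback before calling the mitigation "in effect".

```python
"""Hosts-file override check for the loopback redirection described above.

Added example, not code from the original post or from SwiftKey/NowSecure.
Assumptions: UPDATE_HOST is a placeholder hostname (the post does not give the
real update server's name); SAMPLE_HOSTS is a constructed hosts file.
"""
import ipaddress

UPDATE_HOST = "update.example.invalid"   # placeholder, substitute the real server name

SAMPLE_HOSTS = """\
# constructed sample hosts file (not from a real device)
127.0.0.1 localhost
::1 localhost
203.0.113.7 update.example.invalid cdn.example.invalid # stale non-loopback mapping
"""


def _loopback(ip):
    """True for 127.0.0.0/8 and ::1; False for anything else, including malformed fields."""
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False


def parse_hosts(text):
    """Yield (ip, [names]) for each mapping line; comments and blank lines are skipped."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            yield fields[0], [n.lower() for n in fields[1:]]


def resolve_from_hosts(text, hostname):
    """Every address the hosts file maps hostname to, in file order."""
    hostname = hostname.lower()
    return [ip for ip, names in parse_hosts(text) if hostname in names]


def is_pinned_to_loopback(text, hostname):
    """The override is in effect only if hostname is mapped and every mapping is
    loopback; a leftover non-loopback line could still let the request leave."""
    ips = resolve_from_hosts(text, hostname)
    return bool(ips) and all(_loopback(ip) for ip in ips)


def pin_to_loopback(text, hostname):
    """Return hosts-file text with hostname pinned to 127.0.0.1 and ::1.

    Non-loopback mappings lose the hostname (other names on that line survive),
    and a loopback line per address family is added only if missing, so running
    this on already-pinned text is a no-op.
    """
    hostname = hostname.lower()
    out, families = [], set()
    for raw in text.splitlines():
        code, sep, comment = raw.partition("#")
        fields = code.split()
        names = fields[1:]
        if len(fields) < 2 or hostname not in (n.lower() for n in names):
            out.append(raw)
            continue
        ip = fields[0]
        if _loopback(ip):
            families.add(ipaddress.ip_address(ip).version)
            out.append(raw)
            continue
        remaining = [n for n in names if n.lower() != hostname]
        tail = " #" + comment if sep else ""
        if remaining:
            out.append(" ".join([ip] + remaining) + tail)
        else:
            out.append("# disabled by pin_to_loopback: " + raw)
    if 4 not in families:
        out.append(f"127.0.0.1 {hostname}")
    if 6 not in families:
        out.append(f"::1 {hostname}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    import sys
    # Usage: python pin_hosts.py /etc/hosts
    # On a rooted Android phone this needs root, and /system (where /etc lives)
    # is normally mounted read-only and must be remounted writable first.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_HOSTS
    print("pinned before:", is_pinned_to_loopback(text, UPDATE_HOST))
    new = pin_to_loopback(text, UPDATE_HOST)
    print("pinned after: ", is_pinned_to_loopback(new, UPDATE_HOST))
    print(new, end="")
```

The check matters as much as the edit: a second line mapping the same name to a routable address, or an IPv6-only lookup with no ::1 entry, would quietly defeat the override, which is why is_pinned_to_loopback insists that every mapping be loopback rather than just that one exists.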
With a non-rooted phone, there are DNS Resolver apps that can be installed that do the same kind of redirection to
Will this kind of mitigation work? Since I don’t have an Android phone to test against, this is just a thought experiment for myself.