An unidentified security researcher has analyzed the design of Samsung's Knox security software for Android devices and claims that the code implements encryption in an insecure manner.
The researcher, in a blog post published under the name "Ares," cites the US government's decision to certify Knox for government use as a rationale for releasing the findings.
This week, Samsung's Galaxy S4 and S5, Galaxy Note 3, and Galaxy Note 10.1 2014 Edition were added to the Commercial Solutions for Classified (CSfC) Program run by the National Security Agency and Central Security Service. This followed the US Department of Defense's approval of Samsung Knox-enabled devices in May 2013 for use in DoD networks.
It also followed Google's announcement this year that it has partnered with Samsung to make portions of the Knox software available to the recently released Android Lollipop.
The problem with Knox is a simple one: Samsung has relied on security through obscurity, a practice widely frowned on by security experts, particularly in an era of instantaneous worldwide electronic publishing.
"Ares" found that Knox writes the PIN used to initiate password recovery to an XML file in readable form -- cleartext. Entering the PIN correctly returns a password hint: the first and last character of the password, along with the length of the password. From this, "Ares" reports being able to deduce that Knox stores the user's password on the device.
So not only is Knox making the password weaker to anyone with the PIN -- and anyone can get the PIN -- by revealing information about its characters and length, but it's storing the password (in encrypted form) where it can be attacked.
Worse still, the researcher's code analysis indicates that Knox is relying on predictable strings -- a hardcoded string and the device's Android ID -- to generate the encryption key.
"Samsung really tried to hide the functionality to generate the key, following the security-by-obscurity rule," the blog post explains. "In the end it just uses the Android ID together with a hardcoded string and mix[es] them for the encryption key. I would have expected from a product called Knox a different approach."
"Ares" advises Samsung to use a key-generation function that's not predictable and not to store the password on the device. Storing it on the device enhances convenience, by making password recovery possible as a local operation, but it undermines security.
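An added illustration, not code from the researcher's post or from Samsung, of the two points above: the password hint measurably shrinks the search space, and a key derived only from non-secret inputs is reproducible by anyone who knows them, whereas a salted verifier lets a device check a password without storing it. The character set, the hash and KDF choices, the constant and the Android ID value are all assumptions.

```python
import hashlib
import hmac
import math
import os
import string

# Assumed password alphabet (62 symbols); Knox's real rules are not on the page.
ALPHABET = string.ascii_letters + string.digits


def search_space_bits(length, known_positions=0):
    """Bits of brute-force work for a password of `length` characters when
    `known_positions` of them have already been revealed."""
    return (length - known_positions) * math.log2(len(ALPHABET))


def hint_leak_bits(length):
    """Entropy removed by a hint that reveals the first and last character
    of a password whose length is also known (the hint described above)."""
    return search_space_bits(length) - search_space_bits(length, known_positions=2)


def predictable_key(android_id, hardcoded="HYPOTHETICAL_CONSTANT"):
    """Toy model of a key built only from a device identifier and a constant.
    This is NOT Knox's code; it exists to show the output is deterministic,
    so every party that knows the inputs gets the same key."""
    return hashlib.sha256((android_id + hardcoded).encode()).digest()


def make_verifier(password, salt=None, iterations=100_000):
    """Hardened alternative: store a salted PBKDF2 verifier instead of the
    password. The random salt makes the stored value unpredictable and the
    password itself never touches storage."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def check_password(candidate, salt, digest, iterations=100_000):
    """Verify a candidate against the stored (salt, digest) in constant time."""
    _, candidate_digest = make_verifier(candidate, salt, iterations)
    return hmac.compare_digest(candidate_digest, digest)


if __name__ == "__main__":
    print(f"hint leak for an 8-character password: {hint_leak_bits(8):.1f} bits")
    print("same device id -> same key:",
          predictable_key("a1b2c3d4e5f60718") == predictable_key("a1b2c3d4e5f60718"))
    salt, digest = make_verifier("correct-horse")
    print("verifier accepts:", check_password("correct-horse", salt, digest))
```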
Neither Samsung nor Google responded to requests for comment.
"Knox is better than nothing and represents a first cut standard of creating a secure environment for hosting applications on Android," Philip Lieberman, president of the security software company Lieberman Software, said in an email. "A better strategy would be the use of special purpose hardware on the device itself which is the approach used by Apple and Microsoft that creates walled gardens for their ecosystems."
Knox relies on security through obscurity, Lieberman said, because stronger security would have required fundamental changes to Android's security model or special hardware. "Government users have successfully used Android for high-security applications, but the entire operating system and stack were custom built and hosted on special-purpose storage and encryption technology. The use of consumer software and hardware is a dream for commercial and government users, but to date this is still a dream, hope, and desire."
Update: Samsung on Friday challenged the researcher's claims in a blog post. "We analyzed these claims in detail and found the conclusions to be incorrect for KNOX enterprise solutions," the company said, offering specific refutations for two of the three points raised and arguing that the storage of a password on the device is not an issue because KNOX Trusted Boot protects it.
Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful ...