The Samsung Knox login screen on a Galaxy S4 smartphone. Credit: Laptop Magazine.
In October of 2014 a German security researcher says that pre-installed Samsung Knox has security problems and isn’t safe to use due to some obvious security holes.
Samsung touts its Knox software as a safe partition for business professionals that are looking to comply with their company’s security policies. Samsung further claims that Knox is a “Comprehensive device management solution ideal for enterprises looking to secure their mobile data, while respecting employees’ privacy.” Samsung Knox is supposed to be secure as its namesake Fort Knox.
Samsung Knox is supposed to be a competitor for applications like BYOD Divide which setup a separate partition on Android devices that provides a separate work space from personal space. This allows a company’s IT team to remotely manage company data without interfering with an employee’s personal apps and data. This also consolidates the number of devices an employee has to carry and saves company cash in that the company doesn’t have to purchase devices for employees to use for company business.
When users setup Knox on their device, they chose a pin in case they forget their password. The pin that is used during the setup process is stored locally on the device in clear text in the pin.xml file. When a user taps the “Password forgotten?” button and enters their pin, the Knox app will provide the first and last characters, along with the number of characters in their password. The password is also stored locally on the device though what looks like an AES encrypted string which is a symmetric encryption algorithm. The decryption program is also stored locally on the device and can be converted to a jar file to be reverse engineered.
Samsung Knox uses the Android ID together with a hardcoded string and mixes them for the encryption key. Since Knox doesn’t use randomly generated numbers to make the encryption key, attackers can easily find out the Android ID number and use it to generate the encryption key thereby giving them the means to decrypt the locally stored password.
Samsung has since responded to these concerns in an official statement as follows:
“KNOX does save the encryption key required to auto-mount the container’s file system in TrustZone. However, unlike what is implied in the blog, the access to this key is strongly controlled. Only trusted system processes can retrieve it, and KNOX Trusted Boot will lock down the container key store in the event of a system compromise.”
After these concerns were brought forward, Samsung has since deprecated Knox personal and replaced it with My KNOX; however, it is still pre-installed on older Samsung devices.