Smartphone security is a growing concern. And the biggest smartphone maker by global market share, Samsung, has rightfully moved in to address the issue by offering is own security solution – Samsung Knox. It, however, is rather an illustration as to why you should look for real security elsewhere.
As we have already settled, the user is actually the weakest link in smartphone security. And in an age when bring your device (BYOD) is becoming more and more of a common practice, smartphone security is becoming a growing concern for enterprises. Samsung has developed Knox with that in mind, as a box within the Android ecosystem, allowing for the separation of business and personal information.
The problem is that Knox turns out rather easy to – sorry for the terrible pun but this is a really low-hanging fruit – knock-out.
The existence of holes in Knox is well documented
Last month, Israeli firm Viral Security Group showed how even a relatively unsophisticated adversary to take full control of a Samsung Galaxy phone. Their hack exploited a vulnerability in the platform’s TIMA Real-time Kernel Protection (RKP) module, which is responsible for defending the system from exploits.
And earlier this year researchers Uri Kanonov and Avishai Wool, also from Israel, found a number of holes in the Knox platform that allowed for a range of exploits. One allowed for the decryption of stored data by exploiting weaknesses in eCryptFS Key – the key generator which uses the owner’s seven-or-more character password and a 32-bit key to provide encryption.
The second showed Knox to be susceptible to man in the middle (MiTM) attacks in which an adversary could replace apps with malicious versions of them. And the third one abuses the system’s clipboardEx service, which has access to the user’s clipboard both inside Knox and outside of it.
More so, users of earlier versions of the platform complained about strange activity by the Knox app. CPU usage by the app reportedly spiked while the phone was in sleep mode, which made users worry about their data being spied on.
In 2014, a German hacker demonstrated how easy it was to decrypt Knox Personal 2.0. That version of the app used the phone's PIN to restore parts of a lost or forgotten password – so that the user could remember the rest. Only that the PIN was stored in plaintext, and the hidden part of the password was encrypted with a predictable key, making the crack all too easy.
Want Security? Look elsewhere
Now, to be fair, Samsung has addressed and fixed the above bugs in more recent updates. But the fact remains that they were there in the first place, while Knox is advertised as providing “defense-grade mobile security from the hardware to the application layer.” In their paper, Kanonov and Wool point out that even newer versions of Knox make security sacrifices in favor of user satisfaction.
The thing is that the platform is actually meant for the average Joe. And Joe is not the type of client that would normally sacrifice convenience for security, so he’s happier with just a perception for the latter. Knox’s OS within the OS approach gives him just that.
However, if you are looking for a truly effective method to secure your data, you need specialized solutions that have been built from the ground-up with total security in mind.