DOC RABE Media - Fotolia

Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

Samsung KNOX security: Does NSA approved equal enterprise approved?

The Samsung KNOX platform has been approved by the NSA to protect classified data, but it's not without risks. Expert Michael Cobb explains.

The NSA recently approved the KNOX platform to protect classified data on Android-based Samsung devices, but I'm...

hearing that the platform is not as secure as it should be. What are the Samsung KNOX security problems and is there something else enterprises can do to mitigate the risks it presents?

Samsung KNOX was designed to address security shortcomings in the open source Android platform by providing separate partitions, or containers, to keep personal and business data isolated from each other. Containers have their own encrypted file systems, keeping secured apps separate from applications outside the container.

KNOX software is installed on various Samsung Android-based Galaxy devices. The Samsung Galaxy 4, 5 and Galaxy Note 3, as well as Note 10.1 2014 Edition, were recently approved by the NSA under the Commercial Solutions for Classified Program Component List (CSfC) for use with classified government networks and data when using the KNOX management suite. This has proved an important boost for Samsung's SAFE (Samsung For Enterprise) campaign to promote its devices to enterprise and government clients.

The KNOX app requires users to log into it using a password and PIN, but a security researcher recently found that the PIN is stored in cleartext in a file called pin.xml. Anyone with access to the phone can read the cleartext PIN and use it to retrieve a forgotten password hint that turns out to be the exact length of the password with the first and last characters visible. Also, the encryption key used is just the device's Android ID and a hardcoded string.

On first reading this sounds like a major Samsung KNOX security issue, but as I've said before, it's always best to review the original research behind the headlines to see how real the problem is and whether it could actually endanger data and network security. This will avoid wasting money and manpower on threats that aren't relevant to a specific IT environment.

The claims made by the researcher are valid and have been replicated by others, but they apply to the preinstalled KNOX Personal app. KNOX EMM, a cloud-based management product for managing users, apps and cross-platform devices was not part of the analysis. Apparently the practice of saving a user's PIN in cleartext in order to supply the user with a password hint was limited to KNOX 1.0's Personal containers, which are designed to let consumers experience the KNOX container. That may be so, but storing any credential in plaintext is pretty lame, particularly as there is no mention on Samsung's site that the personal container is less robust than the enterprise container. Samsung has stated that "KNOX enterprise containers do not store any alternative PIN for password recovery purposes" and "Samsung KNOX devices have received multiple security certifications such as FIPS 140-2 and MDFPP (Mobile Device Fundamentals Protection Profile)."

While security certifications provide some level of assurance, various products that have received certifications such as FIPS 140-2 have been found to have serious flaws, including Apple's GotoFail SSL flaw and Blackberry OS 10 vulnerabilities related to Flash and Heartbleed. KNOX is not open source, so full analysis of how it implements security is not possible, and it is not clear which version was used when assessing KNOX for the CSfC program. Organizations with high security requirements should certainly ensure users are not relying on the Personal version of KNOX to keep sensitive data secure, and should always perform their own risk analysis on products that store or process sensitive data as certification doesn't guarantee security.

Administrators need to be aware of which versions of Samsung devices their users have and what security each actually supports. Security teams should follow Samsung and Google alerts to keep on top of developments, particularly as Android 5.0 Lollipop makes use of KNOX containerization technology. Meanwhile, it may be better to encrypt personal data using the built-in Android encryption as this uses Password-Based Key Derivation Function (PBKDF2), which does not persist on the device.

Ask the Expert!
SearchSecurity expert Michael Cobb is ready to answer your application security questions -- submit them now! (All questions are anonymous.)

Next Steps

Is Samsung KNOX the answer the Android security woes? Find out here

This was last published in May 2015

Dig Deeper on BYOD and mobile device security best practices