Android has never had a big reputation for security, but Samsung’s Knox, which has been certified by the NSA for government use and which Google is adopting as its standard solution in Android L, was meant to fix that.
Now a security researcher has revealed that the secure container, which was meant to keep corporate data in a separate partition with its own encryption, stores its PIN in plain text, readable by anyone who has rooted the device.
The unnamed researcher suggests that passwords should never be stored on a device in this way, and that in generating the encryption key Samsung simply relied on security by obscurity, saying:
“Samsung really tried to hide the functionality to generate the key, following the security by obscurity rule,” the report says. “In the end it just uses the Android ID together with a hardcoded string and mixes them for the encryption key. I would have expected from a product called Knox a different approach.”
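As an added illustration (not Knox’s code, which the report does not show), the snippet below contrasts the pattern the researcher describes, a key derived from the device’s Android ID and a fixed string, with a design that derives the key from the user’s PIN and persists only a random salt and a verifier. The Android ID value, the hardcoded string and the hash choices are constructed stand-ins, since the page gives none of them.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the hardcoded value the report mentions; the real one is not on the page.
HARDCODED_STRING = b"constructed-example-constant"


def weak_key(android_id: str) -> bytes:
    """Pattern the report describes: key = mix(Android ID, fixed string).
    Both inputs are readable on a rooted device, so the key is recomputable
    without the user's PIN, and the PIN itself adds no protection."""
    return hashlib.sha256(android_id.encode() + HARDCODED_STRING).digest()


def enroll(pin: str, iterations: int = 100_000) -> dict:
    """Hardened pattern: derive the container key from the PIN with a random
    per-device salt and a slow KDF. Only the salt and a verifier are stored;
    the PIN and the key never touch disk."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations, dklen=32)
    verifier = hmac.new(key, b"verify", "sha256").digest()
    return {"salt": salt, "iterations": iterations, "verifier": verifier}


def unlock(pin: str, record: dict):
    """Re-derive the key from the entered PIN and check it against the stored
    verifier in constant time. Returns the key on success, None otherwise."""
    key = hashlib.pbkdf2_hmac(
        "sha256", pin.encode(), record["salt"], record["iterations"], dklen=32
    )
    expected = hmac.new(key, b"verify", "sha256").digest()
    if hmac.compare_digest(expected, record["verifier"]):
        return key
    return None


def record_contains_pin(pin: str, record: dict) -> bool:
    """Check that nothing persisted reveals the PIN, unlike plain-text storage."""
    return any(pin.encode() in v for v in record.values() if isinstance(v, bytes))
```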
Google’s inability to secure Android explains why the OS is still behind iOS in the enterprise, even while owning 85% of the smartphone market. It is also a weakness Microsoft has been able to exploit in growing Windows Phone’s market share in the same enterprise arena. Hopefully it will long continue.
Read more at Threatpost.com