Samsung's KNOX security layer has been much touted as the best security implementation currently available; it was recently approved by the Defense Department and, just last week, by the NSA for use on their devices. It seems to have some problems, though.

The first problem is that it stores the password hint PIN in a plaintext file that can be read with a file browser, ADB, a shell, etc.

Once you've entered that PIN you get the password hint the user defined earlier, plus the first and last letters of the password and its length.

While that in itself isn't a totally horrific breach of security, they also evidently didn't bother with code obfuscation, so researchers were able to determine that the password is encrypted and stored on the device using a key built from the Android ID (which any app can read) together with a hardcoded plaintext string.

So, as long as you look up what that string is (I listed it below) and get the device's Android ID, you should be able to decrypt the password and gain access to all that sensitive information.

In other words, installing an app that does nothing other than read the Android ID may be enough to get you the password.

Grab the plaintext hint PIN, get the length and the first and last letters, decrypt using the Android ID + the predetermined string, and if the result matches the hint you're golden; if not, do something else.
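To make the attack chain concrete, here is an added example (my own illustration, not code from this post, from Samsung, or from Mobile Security Blog) that models the weakness the researchers describe: the password is protected with a key derived purely from the Android ID and a constant baked into the app, and the hint file leaks the length and first/last letters. The key derivation (SHA-256 over the concatenation) and the cipher (HMAC-SHA256 in counter mode as a keystream) are stand-ins, not KNOX's actual algorithm; the hardcoded constant, the Android ID and the hint record are constructed values. The point it demonstrates is that any code running on the device that can read the same two inputs can reproduce the key.

```python
import hashlib
import hmac
import os

# Constructed stand-ins for the example: NOT the real KNOX constant and not a real device.
HARDCODED_STRING = b"hardcoded-constant-baked-into-the-apk"   # assumption: plays the role of the leaked string
ANDROID_ID = b"9774d56d682e549c"                                # constructed; Settings.Secure.ANDROID_ID is 16 hex chars
NONCE_LEN = 12


def derive_key(android_id: bytes, constant: bytes) -> bytes:
    """Key built only from values any app on the device can obtain (assumed construction).
    Nothing here is secret from an attacker who can read the APK and the Android ID."""
    return hashlib.sha256(android_id + constant).digest()


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a stream cipher. Stand-in for the real cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_password(password: str, android_id: bytes) -> bytes:
    """What the app does at setup time: encrypt the password under the device-derived key."""
    key = derive_key(android_id, HARDCODED_STRING)
    nonce = os.urandom(NONCE_LEN)
    pt = password.encode("utf-8")
    ct = bytes(a ^ b for a, b in zip(pt, keystream(key, nonce, len(pt))))
    return nonce + ct


def decrypt_password(blob: bytes, android_id: bytes) -> str:
    """Anyone holding the blob plus the Android ID and the constant can run this."""
    key = derive_key(android_id, HARDCODED_STRING)
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    pt = bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))
    return pt.decode("utf-8", errors="replace")   # wrong key just yields garbage


def hint_record(password: str, hint_pin: str, hint_text: str) -> dict:
    """Models the plaintext hint file: PIN, user hint, first/last letters and length."""
    return {"pin": hint_pin, "hint": hint_text,
            "first": password[0], "last": password[-1], "length": len(password)}


def matches_hint(candidate: str, record: dict) -> bool:
    """The 'if it matches the hint you're golden' check from the post."""
    return (len(candidate) == record["length"]
            and candidate[0] == record["first"]
            and candidate[-1] == record["last"])


def attacker_recover(blob: bytes, record: dict, android_id: bytes):
    """Attacker side: decrypt with the reconstructed key, sanity-check against the leaked hint."""
    candidate = decrypt_password(blob, android_id)
    return candidate if matches_hint(candidate, record) else None


if __name__ == "__main__":
    password = "Tr0ub4dor&3"                                   # constructed sample password
    record = hint_record(password, "1234", "the usual one")   # constructed hint file contents
    blob = encrypt_password(password, ANDROID_ID)
    print("hint file leaks:", record)
    print("recovered with device's Android ID:", attacker_recover(blob, record, ANDROID_ID))
    print("recovered with wrong Android ID:   ", attacker_recover(blob, record, b"0000000000000000"))
```

The recovery works because every input to `derive_key` is readable on the device; the random nonce does not help, since it is stored alongside the ciphertext. A design that survives this attacker keeps the key where an app cannot read it at all (for example a hardware-backed keystore), rather than deriving it from an identifier plus a string that ships in the APK.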

I'm pretty sure that isn't security. Security by obscurity doesn't work when the item is being actively looked at by people attempting to hack the NSA and the DoD.

In case you're wondering, Mobile Security Blog (linked below) says the hardcoded string is “eu>q5b0KPlLwyb@*#j9?!*ehjl(LHukkA([email protected]*#S&wpfv&#”. They also go into a very detailed analysis of why Samsung KNOX fails so hard.

Fortunately for the very few using KNOX, you can encrypt the whole phone with Android's built-in device encryption, at which point reading that plaintext PIN file offline (from recovery, or from a pulled storage image) requires the encryption password. Keep in mind that this only covers offline access: once the phone has booted and been unlocked the filesystem is decrypted, and an app running on the device can still read the file. At least until Samsung gets this fixed and stops encrypting using relatively easy to overcome methods.

As for U.S. government agencies, my best guess is we probably just gave Samsung several billion dollars for equipment with software on it that doesn’t work to secure sensitive information.

[Mobile Security Blog]