Samsung Knox Security Blunder

There’s an anonymous single-post blog at blogger.com that takes a look at Samsung’s Knox. Surprisingly, Knox relies on security by obscurity to hide the encryption key, and the method by which that key is generated is now public information: it is derived from the device’s Android ID combined with a hardcoded string.

As the author states, a stronger key should be derived from the user’s password using Password-Based Key Derivation Function 2 (PBKDF2), with the password itself never being stored on the device.

Related to this, if you are instead relying on Android OS disk encryption, you might like to read how this has changed over time. Prior to Android 4.4 it was based on PBKDF2 with only 2000 iterations, keyed from the lockscreen PIN or password, which tends to be short and therefore more amenable to brute-force attack.
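To make the contrast concrete, here is an added example (not code from the blog post or from Samsung) placing a key derived from a device identifier plus a baked-in constant next to a PBKDF2-based derivation from the user’s password, with a configuration check that rejects the low iteration count mentioned above. The constant `WEAK_CONSTANT`, the Android ID values and the function names are all constructed for illustration; the real hardcoded string is not on this page and is not reproduced here.

```python
"""Contrast of the two key-derivation approaches discussed in the post.

Constructed example: WEAK_CONSTANT stands in for the undisclosed hardcoded
string (it is NOT the real value), and the Android IDs used below are made up.
"""
import hashlib
import hmac
import os

# Hypothetical placeholder for the hardcoded string; not the real value.
WEAK_CONSTANT = b"example-hardcoded-string"

# Minimum iteration count we are willing to accept for PBKDF2-HMAC-SHA256.
# The pre-Android-4.4 value of 2000 falls far below this bound.
MIN_ITERATIONS = 100_000
MIN_SALT_LEN = 16
KEY_LEN = 32


def weak_key(android_id: str) -> bytes:
    """Key built only from values present on the device: the Android ID and a
    constant embedded in the software. No user secret enters the derivation, so
    the key is fully determined by data an attacker with device access can read."""
    return hashlib.sha256(android_id.encode("utf-8") + WEAK_CONSTANT).digest()


def kdf_config_ok(iterations: int, salt_len: int) -> bool:
    """Reject configurations that make offline guessing cheap."""
    return iterations >= MIN_ITERATIONS and salt_len >= MIN_SALT_LEN


def new_salt() -> bytes:
    """Per-device random salt; it may be stored in the clear next to the ciphertext."""
    return os.urandom(MIN_SALT_LEN)


def strong_key(password: str, salt: bytes, iterations: int = MIN_ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256 over the user's password. The password is an input only
    and is never written to storage; the salt and iteration count are not secret."""
    if not kdf_config_ok(iterations, len(salt)):
        raise ValueError("PBKDF2 parameters are too weak")
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_LEN)


def check_password(password: str, salt: bytes, expected_key: bytes,
                   iterations: int = MIN_ITERATIONS) -> bool:
    """Verify a password by re-deriving the key; constant-time compare avoids
    leaking how many leading bytes matched."""
    candidate = strong_key(password, salt, iterations)
    return hmac.compare_digest(candidate, expected_key)


if __name__ == "__main__":
    # Constructed Android ID (16 hex digits, as real ones are), not a real device.
    device_id = "9774d56d682e549c"
    print("weak key (recomputable from device data):", weak_key(device_id).hex())

    salt = new_salt()
    key = strong_key("correct horse battery staple", salt)
    print("PBKDF2 key:", key.hex())
    print("password check:", check_password("correct horse battery staple", salt, key))
    print("2000 iterations acceptable?", kdf_config_ok(2000, len(salt)))
```

Note that `weak_key` is deterministic in the Android ID alone: two runs on the same device, or anyone who knows the constant and the ID, produce the same key, whereas `strong_key` changes with both the password and the per-device salt and costs the verifier (and any guesser) `MIN_ITERATIONS` HMAC evaluations per attempt.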

UPDATE: Samsung have now refuted the problem, but there seems to be confusion, or a discrepancy, between the versions of Knox mentioned by Samsung and the version that comes pre-installed on Samsung phones.