updated 05:49 pm EST, Fri January 10, 2014
Google and Samsung collaborate on report refuting security risk
Responding to allegations of problems with its vaunted Knox security suite, Samsung has said that a problem identified at the end of 2013 is not specific to Galaxy devices. Samsung, in conjunction with Google blame "legitimate Android functions" for the flaw, noting that customers who use "standard security technologies" would have prevented an attack.
Samsung Knox is Samsung's enterprise mobile security solution that addresses the needs of enterprise information technology without invading its employees' privacy. The service, first released on the Samsung Galaxy Note 3 mobile device, provides security features that enable business and personal content to coexist on the same mobile device. Samsung claims that the product "addresses all major security gaps in Android," yet appears to blame Android for this particular flaw.
Samsung says in its statement regarding the issue that "after discussing the research with the original researchers, Samsung has verified that the exploit uses legitimate Android network functions in an unintended way to intercept unencrypted network connections from and to applications on the mobile device. This research did not identify a flaw or bug in Samsung Knox or Android; it demonstrated a classic Man in the Middle (MitM) attack, which is possible at any point on the network to see unencrypted application data."
It added that the research specifically "showed this is also possible via a user-installed program, reaffirming the importance of encrypting application data before sending it to the Internet. Android development practices encourage that this be done by each application using SSL/TLS. Where that's not possible (for example, to support standards-based unencrypted protocols, such as HTTP), Android provides built-in VPN and support for third-party VPN solutions to protect data. Use of either of those standard security technologies would have prevented an attack based on a user-installed local application."
Mobile security professor Patrick Traynor noted in Samsung's statement that "proper configuration of mechanisms available within Knox appears to be able to address the previously-published issue. Samsung should strongly encourage all of their users to take advantage of those mechanisms to avoid this and other common security issues."