Samsung bites back over Knox security concerns

Samsung has come to the defence of its Knox mobile security platform following allegations the system stores some log-in details in cleartext.

Samsung took to its Knox blog over the weekend to deny allegations published by an unidentified German blogger, who had claimed the platform had a "security by obscurity" design.

After analysing the pre-installed Knox Container App (or Knox Personal) on a Samsung S4, the blogger claimed to have discovered that Knox generates weak encryption keys and stores the PINs required to log in to the Knox app in plain text.

Knox requires a password and a PIN to log in. The author of the post claimed that if an attacker got hold of the PIN, they could use it to gain access to the user's password hint via the 'forgotten password' function, which displays the first and last letters of the password and its length.

From there, the hacker could potentially work out the password and gain access to Knox-secured data, the blogger wrote.

The claims were made after nine Samsung devices equipped with the Knox platform became certified for use with classified US government data.

On Saturday, Samsung published an unauthored blog post to respond to the claims.

Knox Enterprise containers do not store PINs for password recovery, the company's statement claims. But it did not directly deny that it stored plaintext PINs in Knox Personal.

"We would like to reassure our customers that Knox enterprise containers do not store any alternative PIN for password recovery purposes, relying instead on IT admins to change and reset passwords through their MDM agent," the Samsung representative wrote.

The statement conceded that Knox Personal version 1.0 either stores an alternative PIN or uses a Samsung account to recover forgotten passwords.

But the company pointed out that the version was discontinued earlier this year and replaced with the My Knox app - which is derived from Knox Enterprise and provides password reset functionality, removing the need for password hints.