Mobile Security Weekly – Have we seen the last of KNOX? (Update – 20th July)

Android takes the lead in mobile security news this week. With major decisions being made regarding how Google views the future of Android security, the company has received another big wake-up call – between 60% and 70% of Android devices are affected by a substantial vulnerability.

iOS users also discovered another blow to their security this week. Several months ago, our researchers at Lacoon Security discovered a vulnerability in the Gmail iOS app which enables a threat actor to perform a Man-in-the-Middle attack – and by doing so, view, and even modify, encrypted communications.


As mentioned, we’ve released a detailed blog post regarding a serious security issue with the Gmail app for iOS. Discovered back in February, the vulnerability was immediately disclosed to Google, who have yet to fix it. In short, the Gmail iOS app doesn’t perform certificate pinning (the Android version does), which is a method of overcoming the shortcomings of SSL and iOS configuration profiles. As a result, a threat actor can perform a MitM attack and open up the Gmail app's encrypted communications. The victim does not receive any indication of suspicious activity.

Our post contains a more detailed breakdown of the vulnerability and threats it poses to enterprise security, as well as methods of mitigation. You can find the post here.

Two vulnerabilities that could affect as many as 60% of Android devices connected to Google Play have just been disclosed. When used for malicious purposes, they can enable applications to carry out a variety of activities, such as making phone calls (premium-rate calls included), terminating other calls, listening to calls in progress and sending SMS messages. Worst of all, these can all be done without the owner of the device noticing.

Phone calls in progress can’t be completely hidden of course, but a threat actor could wait till the device isn’t being used or decide to place calls only in the middle of the night.

Without going into too many details, this is essentially a bypass of the Android security model and permission system. The flaw was found and reported to Google late last year and seems to have first been introduced in Android 4.1.x (Jelly Bean). The vulnerability appears to have been fixed in Android 4.4.4, but there are still millions of devices running vulnerable versions of Android: 4.1.x, 4.2.x and 4.3.x, as well as 4.4.1, 4.4.2 and 4.4.3. (The latest version of Android is only available for a limited number of devices.)

Why is this significant?
These vulnerabilities might be exploited by malware for some time to come, especially since the patching cycle of Android devices is very long and many devices never get updated to newer versions of the OS. By exploiting the security hole, malicious software is able to place calls to premium-rate phone numbers, potentially resulting in hundreds of dollars' worth of charges on the victim’s account.

Samsung is giving up on Knox, after 18 months of major development and marketing efforts.
Samsung KNOX has been the driving force behind Samsung’s effort to bring a more secure environment to the Android OS space, for those that had Samsung devices at least.

At the end of the day, KNOX never really got off the ground. Despite the fact that the U.S. Department of Defense has even recently approved KNOX as a security standard for use by people under government employ, it still underperformed sales-wise.

So what’s going to happen? It looks like Google is developing its own organic container, named Android L. It’s Samsung Knox-like, but different. The initial specs of Android L are still murky, but rumor has it that Google is creating a container that will hold apps and data safe and separate at rest, but not while in transit, where consumer and biz apps will flow across the same secure connection into the enterprise.

Why is this significant?
Only several weeks ago, things looked quite different – Android & Knox looked like a partnership that both sides were keen to uphold. Whatever ends up happening, it will be an important part of future mobile security. It’s widely agreed that the idea of an organic security solution built into the Android OS is a good one. There are obvious questions regarding backwards compatibility and distribution. Either way – watch this space.

Update – July 20th:
We’ve come to the conclusion that the Forbes article on which we based the KNOX item might have been slightly premature and inaccurate. Despite Forbes’s claim that Knox is on its way out, Samsung has since issued a formal statement declaring that Knox is very alive and well. Samsung have confirmed that they have indeed contributed parts of Knox’s technology to Google’s Android for Work solution, but this doesn’t seem to pose a threat to Knox.

“…Samsung is committed to the long term evolution of mobile security and the ongoing development of Samsung KNOX..”