Network vulnerabilities in Android (and KNOX)

Architecture is the translation of strategy or business intent. To be successful with a BYOD strategy, the solution design needs to optimize for a strong separation between the personal and professional on the same device. A recent KNOX story showcases a design that aims for protecting the device as a whole, with insufficient granularity to enforce sufficient isolation within the device. This design may fall short on delivering a successful BYOD strategy for enterprises. Recently, security researchers at Ben Gurion University (BGU) reported a vulnerability in Android and KNOX that allows a malicious application residing in the user area to capture and expose all communications from the phone, including the secure container, putting all non-encrypted traffic at risk.

Samsung's official response was that encrypted traffic was safe and that as a workaround users could use a VPN in the secure container. Samsung added that they believe this would have prevented an attack based on a user-installed local application.

Or maybe not...

In a follow up post, BGU's researchers revealed a related vulnerability that enables malicious applications to bypass an active VPN configuration, with no ROOT permissions required, and redirect secure data communications to a different network address. They posted a video that demonstrates how a malicious application can redirect a VPN connection from the container, and capture the unencrypted communication.

The vulnerability is severe in that it not only allows arbitrary applications to tap and hijack any VPN connection, but in KNOX, it also seriously compromises VPN connections in the secure container. The KNOX secure container becomes untrusted, and gives users and IT administrators a false sense of security.

The vulnerability exposes a major weakness inherent in the KNOX architecture. The user area and the container are not truly isolated from one another, and separation is only imposed at the application layer. Moreover, the user area and the container both share the same underlying execution environment, in this case, the same network realm. This is what allows an application in the user area to intercept and effect traffic from the container. Similar sandboxing approaches suffer from the same inherent weakness. This vulnerability reflects, not only a security gap in Android, but a design that is not optimized for the hardened isolation required.

In stark contrast, Cellrox's multi-persona solution is unaffected by this vulnerability as the architecture of the solution represents a deeper level of isolation. Cellrox leverages operating system virtualization to create separate virtual execution environments for different personas. Each persona gets its own private set of resources, inaccessible to other personas. The isolation, enforced by the kernel, ensures that applications in one persona are unaware of other personas. With Cellrox’s network separation, malicious applications in one persona may only tap into the network interface of that persona, since they are unaware of the network interfaces of other personas.

While Android may soon fix this specific vulnerability, it is plausible that the next exploit of a shared resource is already underway. Absent proper controls for isolation, the KNOX security architecture may allow for such an exploit to reoccur. Cellrox's holistic approach to security protects the user from tomorrow's vulnerability by enforcing a strong separation between personas, from the operating system kernel and upward.