Software:Samsung Knox

From HandWiki
Short description: Proprietary security framework by Samsung
Knox
Samsung Knox logo.svg
Developer(s)Samsung Group
Initial releaseMarch 2013 (2013-03)
Stable release
3.10 / 29 October 2023; 8 months ago (2023-10-29)[1]
Operating systemAndroid and Tizen
Website{{{1}}}

Samsung Knox (stylized as SΛMSUNG Knox) is a proprietary security and management framework pre-installed on most Samsung mobile devices. Its primary purpose is to provide organizations with a toolset for managing work devices, such as employee mobile phones or interactive kiosks.[2] Samsung Galaxy hardware, as well as software such as Secure Folder and Samsung Wallet, make use of the Knox framework.[3][4]

Knox's features fall within three categories: data security, device manageability, and VPN capability.[5] Knox also provides web-based services for organizations to manage their devices. Organizations can customize their managed mobile devices by configuring various functions, including pre-loaded applications, settings, boot-up animations, home screens, and lock screens.[6]

Knox provides more granular control over the standard work profile to manage capabilities found only on Samsung devices.[7] As of December 2020, organizations can use specific Samsung mobile device cameras as barcode scanners, using Knox services to capture and analyze the data.[8]

Overview

Samsung Knox provides hardware and software security features that allow business and personal content to coexist on the same device. Knox integrates web services to assist organizations in managing fleets of mobile devices, which allows IT administrators to register new devices, identify a Unified Endpoint Management (UEM) system, define the organizational rules that govern the use of devices, and upgrade device firmware over-the-air.[9] Developers can integrate these features with their applications using Knox SDKs and REST APIs.[10]

Services

Samsung Knox provides the following web-based services for organizations:

  • To manage mobile devices: Knox Suite, Knox Platform for Enterprise, Knox Mobile Enrollment, Knox Manage, and Knox E-FOTA.[9]
  • To customize and rebrand devices: Knox Configure[11]
  • To capture and analyze data: Knox Capture,[12] Knox Peripheral Management,[13] Knox Asset Intelligence[14]

Most services are registered and accessed through the Samsung Knox web consoles,[15] with some accessed through the Samsung Knox SDK.[16]

Knox Capture

Knox Capture uses a Samsung mobile device’s camera to capture all major barcode symbologies like UPC, Code 39, EAN, and QR. Through a web console, IT admins can manage the input, formatting, and output configuration of scanned barcode data, and associate a device app (for example, an Internet browser for QR data).[17]

Knox Asset Intelligence

Knox Asset Intelligence helps organizations improve the management, productivity, and lifecycle of mobile devices. Through a web console, IT admins can monitor device battery management, app usage insights, comprehensive device tracking, and detailed Wi-Fi analytics.[18]

Software

Container

When Samsung Knox debuted with the Galaxy S3 in 2013, it included a proprietary container feature that stored security-sensitive applications and data inside a protected execution environment.[19] Device users could switch between personal and business applications by tapping a Knox icon in the lower-left corner of the device screen.[20] The proprietary container, later called the Knox Workspace, was managed by organizations through a UEM system.[21]

Samsung then spun off consumer versions of the container feature, which did not require a UEM system to manage. These consumer versions included Personal Knox, later called My Knox starting in 2014. My Knox was replaced by Secure Folder in 2017.[22]

In 2018, Samsung partnered with Google to use its Android work profile to secure applications and data, and in 2019 deprecated the Knox Workspace container.[23] Samsung continues to pre-install the Secure Folder on most flagship mobile devices, but consumers must enable it for use.[24]

Samsung Real-Time Kernel Protection (RKP)

The Samsung RKP feature tracks kernel changes in real-time and prevents the phone from booting, as well as displaying a warning message about using "Unsecured" Samsung devices.[25] This feature is analogous to Android dm-verity/AVB and requires a signed bootloader.[26]

Security Enhancements for Android (SE for Android)

Although Android phones are already protected from malicious code or exploits by SE for Android and other features, Samsung Knox provides periodic updates that check for patches to further protect the system.[27]

Secure Boot

During Secure Boot, Samsung runs a pre-boot environment to check for a signature match on all operating system (OS) elements before booting in the main kernel. If an unauthorized change is detected, the e-fuse is tripped and the system's status changes from "Official" to "Custom".[28]

Other features

Several other features that facilitate enterprise use are incorporated in Samsung Knox, including Samsung KMS (SKMS) for eSE NFC services, Mobile device management (MDM), Knox Certificate Management (CEP), Single Sign-On (SSO), One Time Password (OTP), SIM PIN Management, Firmware-Over-The-Air (FOTA)[29] and Virtual Private Network (VPN).[30][31][32][33]

Samsung has patched the kernel to prevent root access from being granted to apps even after rooting was successful since the release of Android Oreo. This patch prevents unauthorized apps from changing the system and deters rooting.[34]

Hardware

Knox includes built-in hardware security features ARM TrustZone (a technology similar to TPM) and a bootloader ROM.[35] Knox Verified Boot monitors and protects the phone during the booting process, along with Knox security built at a hardware level (introduced in Knox 3.3).[36]

e-Fuse

Rooted Samsung Galaxy S10e with tripped e-fuse

Samsung Knox devices use an e-fuse to indicate whether or not an "untrusted" (non-Samsung) boot path has ever been run. The e-fuse will be set if the device boots with a non-Samsung signed bootloader, kernel, kernel initialization script, or data. When set, the text "Set warranty bit: <reason>" appears. Rooting the device or flashing a non-Samsung Android release also sets the e-fuse. Once the e-fuse is set, a device can no longer create a Knox Workspace container or access the data previously stored in an existing Knox Workspace.[37] In the United States, this information may be used by Samsung to deny warranty service to devices that have been modified in this manner.[38] Voiding consumer warranties in this manner may be prohibited by the Magnuson–Moss Warranty Act of 1975, at least in cases where the phone's problem is not directly caused by rooting.[39] In addition to voiding the warranty, tripping the e-fuse also prevents some Samsung-specific apps from running, such as Secure Folder, Samsung Pay, Samsung Health, and Samsung Browser's secret mode. For some older versions of Knox, it may be possible to clear the e-fuse by flashing a custom firmware.[40]

Samsung DeX

Options to manage Samsung DeX were added in Knox 3.3 to allow or restrict access using the Knox platform for added control and security.[41]

Samsung Knox TIMA

Knox's TrustZone-based Integrity Measurement Architecture (TIMA) allows storage of keys in the container for certificate signing using the TrustZone hardware platform.[42]

Notable security mentions

In June 2014, the Defense Information Systems Agency's (DISA) list of approved products for sensitive but unclassified use included five Samsung devices.[43]

In October 2014, a security researcher discovered that Samsung Knox stores PINs in plain text rather than storing salted and hashed PINs and processing them by obfuscated code.[44]

In October 2014, the U.S National Security Agency (NSA) approved Samsung Galaxy devices for use in a program for quickly deploying commercially available technologies. Approved products include Galaxy S4, Galaxy S5, Galaxy S6, Galaxy S7, Galaxy Note 3, and Galaxy Note 10.1 2014.[43]

In May 2016, Israeli researchers Uri Kanonov and Avishai Wool found three vulnerabilities in specific versions of Knox.[45]

In December 2017, Knox received "strong" ratings in 25 of 28 categories in a Gartner publication comparing device security strength of various platforms.[46]

References

  1. "What's new in Knox 3.9". Samsung Knox Team. 23 November 2022. https://www.samsungknox.com/en/blog/what-s-new-in-knox-3-9. 
  2. "Secure mobile platform and solutions". January 15, 2021. https://www.samsungknox.com/en. 
  3. "Samsung Wallet | Apps" (in en). https://www.samsung.com/global/galaxy/apps/samsung-wallet/. 
  4. "Secure Folder" (in en). https://www.samsungknox.com/en/solutions/personal-apps/secure-folder. 
  5. "Samsung Knox Feature Summary". https://docs.samsungknox.com/admin/whitepaper/kpe/feature-summary.htm. 
  6. "8 Steps to Customizing Mobile Devices With Knox Configure" (in en-US). 2020-01-07. https://insights.samsung.com/2020/01/07/8-steps-to-customizing-mobile-devices-with-knox-configure/. 
  7. "App Container | Knox Platform for Enterprise White Paper". https://docs.samsungknox.com/admin/whitepaper/kpe/app-container.htm. 
  8. Miller, Matthew. "Samsung Galaxy XCover Pro: Microsoft Teams Walkie Talkie experiences and Knox Capture release" (in en). https://www.zdnet.com/article/samsung-galaxy-xcover-pro-microsoft-teams-walkie-talkie-experiences-and-knox-capture-release/. 
  9. 9.0 9.1 "Knox for Enterprise Mobility" (in en). https://www.samsungknox.com/en/solutions/it-solutions. 
  10. "Knox Developer Documentation". https://docs.samsungknox.com/dev/index.htm. 
  11. "Knox for Device Customization" (in en). https://www.samsungknox.com/en/solutions/device-customization. 
  12. "Knox Capture" (in en). https://www.samsungknox.com/en/solutions/it-solutions/knox-capture. 
  13. "Peripherals Overview" (in en). https://docs.samsungknox.com/dev/knox-sdk/peripherals.htm. 
  14. "Knox Asset Intelligence" (in en). https://www.samsungknox.com/en/solutions/it-solutions/knox-asset-intelligence. 
  15. "Samsung Knox Documentation Ecosystem". https://docs.samsungknox.com/admin/fundamentals/welcome.htm. 
  16. "Samsung Knox Developer Documentation". https://docs.samsungknox.com/dev/knox-sdk/index.htm. 
  17. "Samsung Knox Capture". https://docs.samsungknox.com/admin/knox-capture/welcome.htm. 
  18. "Samsung Knox Asset Intelligence". https://docs.samsungknox.com/admin/knox-asset-intelligence/welcome.htm. 
  19. "New Samsung Galaxy Note 3 software features explained" (in en-US). 2013-09-04. https://www.androidauthority.com/samsung-galaxy-note-3-software-features-explained-261976/. 
  20. Ziegler, Chris (2013-02-25). "Samsung Knox: a work phone inside your personal phone (hands-on)" (in en). https://www.theverge.com/2013/2/25/4027040/samsung-knox-a-work-phone-inside-your-personal-phone-hands-on. 
  21. "Evaluating top MDMs for Android and iOS" (in en). https://searchmobilecomputing.techtarget.com/post/Evaluating-top-MDMs-for-Android-and-iOS. 
  22. "Samsung discontinues My Knox, urges users to switch to Secure Folder" (in en-US). 2017-06-02. https://www.androidauthority.com/samsung-discontinues-knox-switch-secure-folder-777140/. 
  23. "What's new in Knox 3.4?" (in en). https://www.samsungknox.com/en/blog/what-s-new-in-knox-3-4. 
  24. "What is the Secure Folder and how do I use it?" (in en-GB). https://www.samsung.com/uk/support/mobile-devices/what-is-the-secure-folder-and-how-do-i-use-it/. 
  25. "How we cracked Samsung's DoD- and NSA-certified Knox" (in en). ZDNet. https://www.zdnet.com/article/google-project-zero-how-we-cracked-samsungs-dod-and-nsa-certified-knox/. 
  26. "Samsung RKP". https://www.samsungknox.com/en/blog/real-time-kernel-protection-rkp. 
  27. "What is SE for Android? | Samsung Support Philippines" (in en-PH). https://www.samsung.com/ph/support/mobile-devices/what-is-se-for-android/. 
  28. Alendal, Gunnar; Dyrkolbotn, Geir Olav; Axelsson, Stefan (2018-03-01). "Forensics acquisition — Analysis and circumvention of samsung secure boot enforced common criteria mode" (in en). Digital Investigation 24: S60–S67. doi:10.1016/j.diin.2018.01.008. ISSN 1742-2876. https://www.sciencedirect.com/science/article/pii/S1742287618300409. 
  29. "Samsung Enterprise Firmware-over-the-air". https://docs.samsungknox.com/admin/efota-common/welcome.htm. 
  30. "Samsung SSO". https://www.samsungknox.com/de/blog/improved-single-sign-on-sso-in-samsung-knox. 
  31. "Samsung CEP". https://docs.samsungknox.com/knox-platform-for-enterprise/admin-guide/certificate-management.htm. 
  32. "Samsung OTP". https://support.samsungknox.com/hc/en-us/articles/115015955587-How-do-I-disable-two-step-authentication-in-Knox-Manage-. 
  33. "Samsung Knox VPN". https://docs.samsungknox.com/whitepapers/knox-platform/virtual-private-networks.htm. 
  34. "Disable DEFEX Security to Root Samsung Galaxy Devices on Oreo". 13 October 2018. https://www.thecustomdroid.com/disable-defex-security-samsung-galaxy-oreo-root/. 
  35. "Root of Trust | Knox Platform for Enterprise Whitepaper". https://docs.samsungknox.com/whitepapers/knox-platform/hardware-backed-root-of-trust.htm. 
  36. "vTZ: Virtualizing ARM TrustZone". https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-hua.pdf. 
  37. Ning, Peng (2013-12-04). "About CF-Auto-Root". https://www.samsungknox.com/en/blog/about-cf-auto-root. "The sole purpose of this fuse-burning action is to memorize that a kernel or critical initialization scripts or data that is not under Samsung's control has been put on the device. Once the e-fuse bit is burned, a Samsung KNOX-enabled device can no longer create a KNOX Container or access the data previously stored in an existing KNOX Container." 
  38. "Just how does Knox warranty void efuse burning work?" (in en-US). 28 June 2016. https://forum.xda-developers.com/t/just-how-does-knox-warranty-void-efuse-burning-work.3407518/. 
  39. Koebler, Jason (2016-08-17). "Companies Can't Legally Void the Warranty for Jailbreaking or Rooting Your Phone". Motherboard. https://motherboard.vice.com/en_us/article/yp3nax/jailbreaking-iphone-rooting-android-does-not-void-warranty. 
  40. "Disable Knox on Samsung Galaxy Devices [4 Ways | Android More"] (in en-US). https://androidmore.com/disable-samsung-knox/. 
  41. "Samsung DeX | Apps & Services | Samsung IN" (in en-IN). https://www.samsung.com/in/apps/samsung-dex/. 
  42. "Samsung TIMA Keystores". https://docs.samsungknox.com/dev/knox-sdk/about-keystores.htm. 
  43. 43.0 43.1 Ribeiro, John (2014-10-21). "NSA approves Samsung Knox devices for government use". PCWorld. http://www.pcworld.com/article/2836612/samsung-knox-devices-approved-for-government-use-by-nsa.html. 
  44. Mimoso, Michael (2014-10-24). "NSA-Approved Samsung Knox Stores PIN in Cleartext". Threatpost. https://threatpost.com/nsa-approved-samsung-knox-stores-pin-in-cleartext/109018/. 
  45. Forrest, Conner (2016-05-31). "Samsung Knox isn't as secure as you think it is". TechRepublic. https://www.techrepublic.com/article/samsung-knox-isnt-as-secure-as-you-think-it-is/. 
  46. "Introduction | Knox Platform for Enterprise Whitepaper". https://docs.samsungknox.com/whitepapers/knox-platform/samsung-knox.htm. 

External links