Samsung Knox
The software's app container, named "Knox Workspace",[1] allows the user to switch between "Personal" and "Work" modes with no reboot required.[2] Samsung has stated that this feature will be fully compatible with Android and Google devices and will address possible security gaps;[3] for example, tripping the e-fuse causes the container to become inaccessible. The feature is similar to the Android for Work software.
Samsung Defex
Starting from Android Oreo, Samsung has patched the kernel to prevent root access being granted to apps even after rooting was successful. This prevents unauthorized apps from changing the system and deters rooting.[4]
Samsung Real-Time Kernel Protection (RKP)
This feature tracks kernel changes in real time and prevents the phone from booting, displaying a warning message about using "Unsecured" Samsung devices. It is analogous to Android dm-verity/AVB and requires a signed bootloader.[5]
Android SE
Although Android phones are already protected by the SE for Android feature, Samsung Knox adds periodic checks for patches to protect the system from malicious code or exploits.[citation needed]
Secure Boot
Before booting the main kernel, Samsung runs a "pre-boot" environment that checks that the signatures of all elements of the OS match. Should an unauthorized change be detected, the e-fuse is tripped and the system's status changes from "Official" to "Custom".[citation needed]
Other features
Connected with Samsung Knox are other features that facilitate enterprise use, such as Samsung KMS (SKMS) for eSE NFC services, Mobile device management (MDM), Knox Certificate Management (CEP), Single Sign-On (SSO), One Time Password (OTP) and Virtual Private Network (VPN).[6][7][8][9]
Hardware
Knox includes built-in hardware security features: ARM TrustZone (a technology similar to a TPM) and a bootloader ROM.[10] Knox Verified Boot monitors and protects the boot process, in addition to the Knox security built in at the hardware level (introduced in Knox 3.3).
e-Fuse
Samsung Knox devices also use an e-fuse to indicate whether or not an "untrusted" (non-Samsung) boot path has ever been run. The e-fuse will be set if the device is booted with a non-Samsung-signed bootloader, kernel, kernel initialization script or data, with a message displaying "Set warranty bit: <reason>". Rooting the device or flashing a non-Samsung Android release will, therefore, set the e-fuse. Once the e-fuse is set, a device can no longer create a Knox Workspace container or access the data previously stored in an existing Knox Workspace.[11] This information may be used by Samsung to deny warranty service, in the United States, to devices that have been modified in this manner.[citation needed] This is the case even though, in the United States, voiding of consumer warranties in this manner may be prohibited by the Magnuson–Moss Warranty Act of 1975, at least in cases where the phone's problem is not directly caused by rooting.[12] In addition to voiding the warranty, tripping the e-fuse will also prevent some Samsung-specific apps from running, such as "Secure Folder", "Samsung Pay", "Samsung Health" and "Samsung Browser"'s Secret mode. For some older versions of Knox, it may be possible to clear the e-fuse by flashing a custom firmware.[citation needed]
Samsung DeX
Since Knox 3.3, options to manage Samsung DeX have been added, allowing access to be permitted or restricted through the Knox platform for added control and security.[citation needed]
Samsung Knox TIMA
Named TrustZone-based Integrity Measurement Architecture (TIMA), the feature allows keys to be stored in the container for certificate signing, using the TrustZone hardware platform.[13]
Notable security mentions
In June 2014, five Samsung devices were included in the list of approved products for sensitive but unclassified use by the Defense Information Systems Agency (DISA) of the Department of Defense, which certifies commercial technology for defence use.[14]
In October 2014, a security researcher discovered that Samsung Knox stores the PIN in plaintext, rather than storing a salted and hashed PIN (or, better, a value derived with PBKDF2), and processes it with obfuscated code.[15]
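The contrast drawn above, as an added illustration that is not Knox's code and is not from the cited report: the weak pattern (storing the PIN itself, so that whatever reads the storage or defeats the obfuscation has the PIN) beside the salted PBKDF2 pattern the finding recommends. The record layout (salt followed by tag) and the iteration count are assumptions chosen for this example.

```python
import hashlib
import hmac
import os

# Assumed parameters for the hardened scheme; tune iterations to the device.
PBKDF2_ITERATIONS = 200_000
SALT_LEN = 16


def store_pin_plaintext(pin: str) -> bytes:
    """Weak pattern: the stored bytes ARE the secret."""
    return pin.encode()


def verify_pin_plaintext(stored: bytes, attempt: str) -> bool:
    return hmac.compare_digest(stored, attempt.encode())


def store_pin_pbkdf2(pin: str, salt: bytes = None) -> bytes:
    """Hardened pattern: a fresh random salt plus a PBKDF2-HMAC-SHA256 tag.
    Record layout (constructed for this example): salt || tag."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    tag = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)
    return salt + tag


def verify_pin_pbkdf2(record: bytes, attempt: str) -> bool:
    """Recompute the tag under the stored salt and compare in constant time."""
    salt, tag = record[:SALT_LEN], record[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode(), salt, PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(candidate, tag)


def pin_recoverable_from_storage(record: bytes, pin: str) -> bool:
    """True when the PIN can be read straight out of the stored bytes."""
    return pin.encode() in record
```

A four-digit PIN has only 10,000 possible values, so the derivation only slows an offline guess; resisting offline attack also needs the check to be bound to a key that never leaves the device, which is what a hardware-backed store is for.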
In October 2014, the U.S. National Security Agency (NSA) approved Samsung Galaxy devices under a program for quickly deploying commercially available technologies. Approved products include the Galaxy S4, Galaxy S5, Galaxy S6, Galaxy S7, Galaxy Note 3 and Galaxy Note 10.1 2014.[14]
In May 2016, Israeli researchers Uri Kanonov and Avishai Wool found three key vulnerabilities in specific versions of Knox.[16]
In December 2017, Knox received strong ratings in 25 of 28 categories in Gartner's December 2017 Mobile OSs and Device Security: A Comparison of Platforms.[17]
In June 2017, Samsung discontinued My Knox and urged users to switch to an alternate product, Secure Folder.[18]
References
- ^ "App Container | Knox Platform for Enterprise Whitepaper". Docs.SamsungKnox.com. Retrieved 2018-11-13.
- ^ Shaw, Ray (2013-03-23). "iTWire - Samsung Knox™ BlackBerry off Balance". iTWire. Retrieved 2018-10-27.
- ^ Goldman, David (2013-03-12). "Samsung Targets BlackBerry with Knox". CNN Business. Retrieved 2018-10-27.
- ^ "Disable DEFEX Security to Root Samsung Galaxy Devices on Oreo".
- ^ "Samsung RKP".
- ^ "Samsung SSO".
- ^ "Samsung CEP".
- ^ "Samsung OTP".
- ^ "Samsung Knox VPN".
- ^ "Root of Trust | Knox Platform for Enterprise Whitepaper". docs.samsungknox.com. Retrieved 2018-11-13.
- ^ Peng Ning (2013-12-04). "About CF-Auto-Root". Samsung.
The sole purpose of this fuse-burning action is to memorize that a kernel or critical initialization scripts or data that is not under Samsung's control has been put on the device. Once the e-fuse bit is burned, a Samsung KNOX-enabled device can no longer create a KNOX Container, or access the data previously stored in an existing KNOX Container.
- ^ Koebler, Jason (2016-08-17). "Companies Can't Legally Void the Warranty for Jailbreaking or Rooting Your Phone". Motherboard. Retrieved 2018-10-27.
- ^ "Samsung TIMA Keystores".
- ^ a b Ribeiro, John (2014-10-21). "NSA approves Samsung Knox devices for government use". PCWorld. Retrieved 2018-10-27.
- ^ Mimoso, Michael (2014-10-24). "NSA-Approved Samsung Knox Stores PIN in Cleartext". Threatpost. Retrieved 2018-10-27.
- ^ Forrest, Conner (2016-05-31). "Samsung Knox isn't as secure as you think it is". TechRepublic. Retrieved 2018-10-27.
- ^ "Introduction | Knox Platform for Enterprise Whitepaper". docs.samsungknox.com. Retrieved 2018-11-13.
- ^ Rutnik, Mitja (2017-06-02). "Samsung discontinues My Knox, urges users to switch to Secure Folder". Android Authority. Retrieved 2018-10-27.