Samsung Knox
Samsung Knox is a platform available for compatible Samsung Android devices that can be used to enhance device security when combined with a Mobile Device Management (MDM) platform, such as Systems Manager Enterprise. This article discusses the Knox features available in Systems Manager Enterprise.
Note: While profiles containing Samsung KNOX settings can be applied to any device, they will only be effective on compatible Samsung devices.
Systems Manager Security Policies can also be used to control deployment of profiles to devices based on their compliance status.
We recommend enrolling Android devices into Systems Manager through Android Enterprise whenever possible. To see a comparison of features available through Android Enterprise vs KNOX, see the Android Enrollment article.
Kiosk Mode
Kiosk mode can be used to force a device to always run a single app full screen, with no access to other apps, device settings, etc. This is ideal for point-of-sale (POS) terminals, interactive displays, or similar applications.
- Navigate to Systems Manager Manage Settings.
- Select the desired Profile, or create a new one.
- Go to the Samsung Knox tab.
- Click the checkbox next to Enable Kiosk Mode.
- Select the desired managed Application from the list. Only managed apps can be used, and must be added on the Systems Manager Manage Apps page.
- Click Save Changes.
To use the profile, ensure that both it and the desired app have been applied to the device. Read the article on Pushing custom apps and profiles to devices or the article on deploying store apps to devices for more information. Once the app and profile are installed, the device will run the app in full-screen mode whenever it is online.
App Allow List and Block List
The block list functionality can be used to control which apps are allowed to be installed on devices. To enable:
- Navigate to Systems Manager Manage Settings.
- Select the desired Profile, or create a new one.
- Go to the Samsung Knox tab.
- Click the checkbox to Enable App Allow List/Block List.
- Configure as desired, based on the options discussed below.
- Click Save Changes.
Note: Managed apps (MDM Apps) are NOT exempt from these restrictions. Managed apps will fail to deploy if on the block list. Ensure these apps are either not on the block list, or covered in the allow list.
App Block List
The App Block List is used to indicate any apps (or patterns) that users are not allowed to install on the device. The app is listed by its package name (ex. “com.meraki.sm” for the Systems Manager app), and can use wildcards to block list groups of apps (ex. “com.meraki.” would block all Meraki apps).
Apps can easily be added by using the Select apps bar to search by display name, and then clicking the icon to add the app to the list.
Apps can also be manually entered by typing the desired package name, or pattern, in the textbox. Once the desired pattern has been entered, click Add option.
Once the packages are added, they’ll appear as individual bubbles in the field. To remove a package, click the X.
After the profile is pushed to the device, any user attempting to install apps that violate the block list will receive a message similar to the one shown below.
App Allow List
The App Allow List is used to indicate any apps that should be explicitly allowed, overriding the block list. Package names are entered in the same way as block list apps above.
Apps that were installed prior to the allow list being created will remain on the device. Only future app installations will be subject to the allow list.
Permissions Block List
The permissions block list will not allow users to install apps that require any of the permissions selected. Information about what is provided by each of these permissions is available in the Android Developer Documentation.
As an example, the ability to send or receive text messages (SMS/MMS) over cellular could be blocked by selecting the following permissions.
Overriding Block Lists with Allow List Profiles
Block List and Allow List settings will be combined across profiles on a device, with Allow List settings taking priority. Thus, a general profile could be deployed to all devices with more restrictive settings, and then more apps allowed through a second profile with Allow List options.
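The list semantics described in this section (prefix wildcards such as "com.meraki.", allow list overriding block list, lists merged across all profiles on a device, and the permissions block list) can be modelled as a small policy evaluator. This is an added illustration, not Systems Manager's own code; the profile names, the "com.example.*" package names and the rule that the permissions block list is evaluated independently of the allow list are assumptions.

```python
"""Model of the Systems Manager Knox app allow/block list behaviour.

Illustrative only (not Meraki's implementation). Rules modelled from the text:
  - block list entries are package names or patterns; "com.meraki." blocks
    every package starting with that prefix
  - allow list entries override block list entries
  - lists are combined across all profiles on the device, allow list first
  - a permissions block list rejects any app requesting a listed permission
  - managed (MDM) apps get no exemption
Assumption: the permissions block list is checked before the allow list.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass
class KnoxProfile:
    name: str
    block_list: list[str] = field(default_factory=list)
    allow_list: list[str] = field(default_factory=list)
    blocked_permissions: set[str] = field(default_factory=set)


def matches(entry: str, package: str) -> bool:
    """Match one list entry against a package name.

    An entry ending in "." is a prefix wildcard ("com.meraki." matches
    "com.meraki.sm"); entries containing "*" or "?" use glob matching;
    anything else must equal the package name exactly.
    """
    if entry.endswith("."):
        return package.startswith(entry)
    if any(ch in entry for ch in "*?"):
        return fnmatchcase(package, entry)
    return package == entry


def install_decision(package: str, permissions: set[str],
                     profiles: list[KnoxProfile]) -> tuple[bool, str]:
    """Return (allowed, reason) for installing `package` on a device that
    carries `profiles`, merging the lists of every profile."""
    block = [(p.name, e) for p in profiles for e in p.block_list]
    allow = [(p.name, e) for p in profiles for e in p.allow_list]
    blocked_perms = set().union(*(p.blocked_permissions for p in profiles))

    # Permissions block list: a single blocked permission rejects the app.
    hit = sorted(permissions & blocked_perms)
    if hit:
        return False, "requests blocked permission(s): " + ", ".join(hit)

    # Allow list wins over block list, regardless of which profile it is in.
    for prof, entry in allow:
        if matches(entry, package):
            return True, f"allowed by '{entry}' in profile '{prof}'"
    for prof, entry in block:
        if matches(entry, package):
            return False, f"blocked by '{entry}' in profile '{prof}'"
    return True, "no matching list entry"


# Constructed sample profiles: a restrictive profile pushed to all devices and
# a second profile that re-allows the Systems Manager app (package name taken
# from the text above). Permission names are standard Android permissions.
GENERAL = KnoxProfile(
    name="general",
    block_list=["com.meraki.", "com.example.game"],
    blocked_permissions={"android.permission.SEND_SMS",
                         "android.permission.RECEIVE_SMS"},
)
EXEC_OVERRIDE = KnoxProfile(name="executives", allow_list=["com.meraki.sm"])


def demo() -> dict[str, tuple[bool, str]]:
    """Evaluate a few installs and return the decisions keyed by scenario."""
    return {
        # Managed app caught by the prefix block (the caveat in the note above)
        "sm_general_only": install_decision("com.meraki.sm", set(), [GENERAL]),
        # Same app once the allow list profile is also on the device
        "sm_with_override": install_decision(
            "com.meraki.sm", set(), [GENERAL, EXEC_OVERRIDE]),
        # App requesting a blocked permission is rejected even if unlisted
        "sms_app": install_decision(
            "com.example.messenger", {"android.permission.SEND_SMS"},
            [GENERAL, EXEC_OVERRIDE]),
        # Unlisted app with harmless permissions installs normally
        "notes_app": install_decision(
            "com.example.notes", {"android.permission.INTERNET"},
            [GENERAL, EXEC_OVERRIDE]),
    }


if __name__ == "__main__":
    for scenario, (ok, why) in demo().items():
        print(f"{scenario:18} {'ALLOW' if ok else 'DENY ':5} {why}")
```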
Android security: Which smartphones can enterprises trust?

Google’s Android operating system dominates smartphone usage throughout the world — in every region except North America and Oceania, in fact. Thus, businesses in many regions are likely to support and issue Android devices to employees as their mainstay mobile devices. Even in areas where Apple’s iPhone dominates or is comparable in market share, businesses are likely to support or issue Android devices at least as a secondary option.
But Android security has long been an IT concern, despite significant security improvements made to the platform a decade ago in response to the security standards put in place for iPhones, which quickly gained the security seal of approval as a result. That makes the buying and support decision around Android phones more complex for CISOs — whether as corporate-liable devices (that is, the devices that enterprises buy for their employees) or as employee-liable devices or bring-your-own devices (BYOD) that IT allows access at least to work email and calendars, and often to web-based services.
This article surveys the key considerations for Android security and then classifies the major Android vendors based on security level to help narrow IT’s purchase and support choices. (Our sister publication Computerworld details other enterprise buying considerations for Android devices.)
Security considerations for Android devices
Apple tightly controls the iPhone and its iOS operating system, which gives the CISO strong assurance about software updates, security patches, and manageability. By contrast, the Android world is highly diverse, with dozens of manufacturers using Google’s Android platform but offering varying levels of quality and support, and in many cases few or inconsistent OS and security updates.
In the early days of Android, security was a major IT concern for the emerging smartphone market. Research in Motion’s BlackBerry had set high standards in the 1990s and early 2000s for mobile security, whereas the early Android (and iOS) devices fell far short of IT expectations.
Apple and then Samsung moved to make mobile security at least as good as BlackBerry’s in the early 2010s, and Google followed suit a few years later by making encryption standard in Android and then making container-based separation of work and personal data and apps a standard part of 2015’s Android 5.0 Lollipop OS. By 2017, the Android platform had strong security capabilities. More sophisticated capabilities became available through both hardware and software extensions, such as Samsung’s Knox platform in 2013 for its enterprise devices and Google’s Android for Work (later renamed Android Enterprise) for the rest of the Android world. Android Enterprise support became a standard feature in 2018’s Android 9.0 Pie.
Today, IT can count on all Android devices having the basic level of security needed. But some users — such as high-level executives who deal in sensitive corporate data, or operations staff managing critical infrastructure or supply chains — need more security.
The availability of Android vendors varies widely across the globe, so the choices of suitably secure devices where your organization operates also vary; our sister site Computerworld has outlined in which markets Android vendors have significant presence to guide you to the likely candidates for your business. Based on StatCounter data, 13 current Android vendors have 1% or more usage share in at least one region:
- Huawei
- Infinix Mobility
- Itel Mobile
- Lenovo-owned Motorola Mobility
- Nokia
- OnePlus
- Oppo
- Realme Chongqing Telecommunications
- Samsung Electronics
- Tecno Mobile
- Vivo Mobile Communication
- Xiaomi
Google has a certification called Android Enterprise Recommended (AER) that focuses on enterprise concerns around performance, device management, bulk device enrollment, and security update commitments. Google publishes an AER tool to help IT see which devices meet that certification in various regions, as well as explore supported Android versions and end dates for security updates. Just keep in mind that the AER tool’s results can be out of date and incomplete, so do not rely solely on it.
There are three Android security levels to consider, and many organizations will need more than one in place to cover different sets of employees.
Basic Android security defined
This level is appropriate on personal devices permitted to access basic corporate systems like email. The basic security level provides device encryption, password enforcement, remote lock and wipe, and sandboxed execution of security functions. All current Android devices support this level, with even just a basic management tool like Google Workspace or Microsoft 365 in place.
Moderate Android security defined
This level is appropriate for when IT requires or allows personal devices to be used for corporate access and apps, as well as for corporate-issued devices allowed to also be used for personal purposes. The moderate security level provides the basic level plus separation of work data and apps from personal data and apps via containers, through a unified endpoint management (UEM) platform that supports Google’s Android Enterprise platform or, only for Samsung devices, the Samsung Knox platform. Tip: Compare the leading UEM platforms’ capabilities in Computerworld’s guide.
All current Android devices with at least 3MB of RAM support work/personal separation, but some UEM platforms may require that the devices run newer versions of Android than are deployed at your organization.
Advanced Android security defined
This level is appropriate for executives, human resources professionals, finance professionals, and anyone dealing with critical data and systems access such as in government, defense/military, finance, healthcare, and critical infrastructure like utilities, energy, and transport. The advanced security level provides the moderate level plus chip-based security enabled to reduce unauthorized access by spies and hackers, as well as compliance with the US’s recent Common Criteria security standard.
Chip-level security detects hacks to the operating system, firmware, memory, and other core systems, and locks down or shuts down the device as a result, via Android’s Keystore service. Such hardware-level security is not an Android Enterprise Recommended requirement, but it is essential for military-grade security.
Only a few devices use chip-level security to protect system integrity: Samsung’s Android Secured by Knox phones use Arm’s TrustZone chip for its Trusted Boot, Google’s Pixel series uses its own Titan-M chip for its Trusted Execution Environment (TEE), and Motorola says all its Android devices use Arm’s TrustZone chip for its Strongbox. (Apple’s iPhones have this capability too via the Secure Enclave.) The other Android vendors did not respond to my inquiries about their security capabilities but appear not to support hardware-based security, based on their websites’ specification data.
Common Criteria imposes specific security approaches that the US government thus knows it can rely on across devices. Although also not an Android Enterprise Recommended requirement, Common Criteria is a good advanced-security standard for IT to use anywhere in the world.
Android models from multiple vendors comply with Common Criteria: a few from Google, Huawei, Motorola, Oppo, Samsung, and Sony, as well as some front-line specialty devices from Honeywell and Zebra Technologies. (Filter by “Mobility” in the Common Criteria web tool to get the current list.) Apple’s iPhone also complies.
Government security certification for Android devices
Organizations may want to look to government certifications to determine their Android device selections for sensitive uses. When Apple and Samsung both gained US Defense Department, UK Government Communications Headquarters (GCHQ), and Australian Signals Directorate approval for use of their enterprise-class devices in the mid-2010s, it was huge news — breaking BlackBerry’s longstanding monopoly on government approval.
Today, such announcements are rare, and governments instead focus on ensuring that approved UEM platforms are in place to manage the widely used iPhones and Android phones. Recently the US Department of Defense has approved several Samsung phones and some front-line Android devices from Honeywell and Zebra Technologies for sensitive uses, as it moves to using the Common Criteria standard. The Australian Signals Directorate has approved several Samsung phones recently as well.
Security and OS update assurances for Android devices
IT typically wants assurances that devices will get security updates and OS updates for several years to reduce the risk of being hacked via old devices that haven’t kept up their defenses. Google’s Android Enterprise Recommended certification requires only one future OS upgrade. For security updates, it has no minimum, requiring only that vendors publish their update commitments on their websites — and that information can be hard to find.
In my survey of Android vendor sites, three to five years is typical for Android security update commitments on business-class devices, and one to three future Android OS versions is typical for OS updates. (By contrast, Apple typically provides seven years of security updates and five years of iOS updates.) The stingiest Android vendors in terms of OS updates are Motorola, Oppo, and Xiaomi, which commit to just one major Android upgrade for their enterprise-class models. Google and Samsung have the best update commitments.
Vendors’ published update commitments for business-class Android devices include:
- Google: five years of security updates, three years of OS upgrades
- Motorola: three years of security updates, one year of OS upgrades
- Nokia: three years of security updates, two years of OS upgrades
- OnePlus: four years of security updates, three major OS upgrades
- Oppo: three years of security updates, one year of OS upgrades
- Realme: three years of security updates, two major OS upgrades
- Samsung: “at least” four years of security updates, three “generations” of OS upgrades
- Vivo: three years of security updates, three years of OS upgrades
- Xiaomi: three years of security updates, one major OS upgrade
I could not find update information at the Huawei, Infinix, Itel, and Tecno sites, and the companies did not respond to my requests for information.
For certified devices, you can also use Google’s Android Enterprise Recommended tool to narrow down by what date various vendors’ specific models’ security updates will end. Just keep in mind that the tool may not list recent models. I also recommend you verify whether vendors do what they promise by getting some older devices and seeing how recent the available security updates are: Have they kept up the promised duration?
Finally, keep in mind that cellular carriers can override, slow, or block updates in many countries, overriding whatever promises the device vendor has made. For example, Google notes on its Pixel page that Pixel phones bought directly from Google often get updates sooner than those bought through a carrier. That carrier control is a longstanding reality, well pre-dating modern mobile devices, with only Apple able to have fully wrested control over updates from the carriers.
Buying guide: How Android phones rank by security level
The Android market breaks down into four classes of security assurance, based on how vendors address key enterprise IT security concerns:
- Advanced security: These vendors provide high security levels appropriate even for government and military use and access to sensitive data.
- Moderate security: These vendors provide adequate security levels and adequate update assurance for basic use such as for productivity apps and web tools.
- Basic security: These vendors provide adequate security levels but inadequate update assurance.
- Untrusted: These vendors have strong opposition to their use by major governments.
Advanced security: The most secure Android vendors
There’s just one Android manufacturer with global device availability and enterprise-class (even military-grade) security, plus multiyear software and security updates after purchase: Samsung. That makes Samsung the best (and often only) choice for corporate-liable Android devices in every region of the world. Its enterprise-grade models (what Samsung calls Android Secured by Knox) include the Galaxy S, Galaxy A5x, Galaxy A3x, Note, XCover, Z Flip3, and Z Fold3 series. For these models, security updates are promised for five years after initial release; Samsung publishes the security lifespans for its enterprise-grade devices, which vary by device.
Google’s Pixel 7 series phones are similarly secure. Google, too, promises five years of security updates after initial release. However, the Pixel 7 series is available in just Australia, Canada, Denmark, France, Germany, India, Ireland, Italy, Japan, the Netherlands, Norway, Singapore, Spain, Sweden, Taiwan, the United Kingdom, and the United States.
Motorola’s enterprise-class Android devices, such as the Edge 30 Fusion and Ultra models, are also similarly secure. They’re available in 65 countries, including most of Europe, much of Latin America, Australia, New Zealand, India, China, Taiwan, Hong Kong, South Korea, Japan, Thailand, the Philippines, Malaysia, Saudi Arabia, the UAE, Canada, the US, and the UK. Where Motorola falls a bit short is in update support: It commits to just three years for security updates and to just one major Android OS version update.
Moderate security: The adequately secure Android vendors
The most secure Android devices are often too pricey for rank-and-file employees and for their businesses to buy for users other than executives or those handling sensitive information. Likewise, the most secure devices are often too expensive for employees to buy on their own for BYOD scenarios.
Fortunately, some Android vendors offer a range of inexpensive and moderately priced phones that provide good quality and adequate security: Nokia, OnePlus, Oppo, Sony, and Xiaomi. Samsung also has several moderately priced phones with adequate security, and Motorola has its Moto G and Edge Neo models for the moderate security level.
Basic security: The marginally secure Android vendors
Although they provide the same standard Android security functions as the devices in the moderate-security group, the Android vendors Infinix, Itel, Realme, Tecno, and Vivo have two cautions that should cause the CISO organization to avoid them when possible and at most restrict their use to the most basic BYOD scenarios:
- The uncertain level of security and operating system upgrade support, which could allow these devices to fall behind on security even if they initially meet standards.
- As IDC analyst Kiranjeet Kaur noted, they often suffer from application compatibility issues, which indicates poor underlying implementation of the Android platform.
Untrusted: The one Android vendor to avoid
Although based on technical specs it should be in the basic security group, Huawei belongs in the class of untrusted Android devices that IT should not provide or permit access from.
IT will not find Huawei devices in Google’s Android Enterprise Recommended database. Google removed them in 2019 after public allegations from the US government that Huawei devices were spying on users via backdoors on behalf of the Chinese government. These concerns are not new: In 2012, I was having drinks with several US intelligence officials and defense contractors at an off-the-record conference of CIOs where they raised the same fears about Huawei, ZTE, and other Chinese computer and telecom manufacturers. Back then (under the Obama administration), US intelligence officials were quietly warning corporate CIOs about Huawei’s alleged spying operations across its whole technology stack.
Those fears about Huawei’s alleged role as a conduit for spying are no longer quiet, with both the Trump and Biden administrations since speaking publicly. Multiple other governments have also made the same accusations, which Huawei denies.
Because Huawei devices are popular in several markets — China, of course, but also in many parts of Africa, Europe, the Middle East, and South America — concerned IT departments may want to use management tools to deny Huawei and other distrusted devices access to their resources. Be sure to check whether your management tool can block access based on device vendor. According to their websites, UEM platforms that can block devices by vendor include BlackBerry UEM, Microsoft Intune, and VMware Workspace One.
Samsung knox security phones list
Today’s borderless workers are always on and ready, no matter where they are. But with that mobility, are they ready for cyberattacks, data leaks, viruses, human error, and all sorts of new and emerging dangers?
At every layer, Knox ensures that confidential and sensitive data stays safe, no matter where your work takes you. Your entire device is safeguarded from the inside out, and in real time. This is protection you can be sure of.
In the past, anti-virus software may have been a “good enough” safeguard.
Not anymore. Now, threats have adapted.
They change form daily and can sneak past security apps undetected before hijacking the system from within.
That’s why Knox defense starts at the hardware level. It locks intrusions out, so control of your phone won’t be handed over to anyone else.
Knox Vault is an EAL5 certified, tamper-resistant environment that holds the data that matters most on your device. It physically isolates PINs, passwords, biometrics and security-critical keys away from the rest and stores them in the secure memory.
Even hackers armed with lasers and power glitch tactics cannot crack Knox Vault. If its sensors detect physical intrusion, the device locks down, leaving no way for your information to be stolen.
Knox Vault is supported by select Samsung Galaxy smartphones and tablets such as Galaxy S21 and following S series and Fold series.
Knox Vault on devices with Samsung Exynos processors is EAL5 certified. Knox Vault on devices with Qualcomm processors is EAL4 certified.
In the case of a device hijacking, the self-destruct sequence is initiated without user consent or additional backup of the security data stored in Knox Vault.
When it comes to risk assessments in the supply chain, there are no blind spots at Samsung.
In fact, we are in the unique position to design and manufacture our devices, including the components that go inside.
Ownership of the entire production lifecycle translates to complete control over the process and no weak links.
Protection that is always on
Do you remember the last time you turned your phone off, and then left it off?
It doesn’t happen often. Normally, a simple restart gives your phone the protection of an automatic secure boot.
But like you, your device is always on. In the digital world, this means it’s open to a wide array of attacks 24/7.
That’s why Knox provides real-time protection even while your device is running.
The kernel is the brain of your device. Full access to the kernel means full access to your phone.
As the core of your operating system, a successful breach of the kernel could lead to catastrophe. We’re talking data leaks and even remote monitoring from the inside.
Samsung’s Real-time Kernel Protection (RKP) is designed to prevent changes that compromise the kernel. With RKP, the kernel code and its data structures are kept authentic, and your device stays safe.
Between secure system boots, your apps need an extra layer of armor against unauthorized changes to app privileges.
Defeat Exploit, or DEFEX, prevents potential critical and illegal operations on your device by detecting and anticipating attacks.
As device use increases, so do the cyberthreats.
Scoped from all angles, your software, hardware, networks, and operating systems are all targets in the battle for your data.
In order to stay ahead of lurking danger, we partner with the biggest names in tech, like Google and Cisco, to explore every scenario and correct potential vulnerabilities before they become a problem.
By partnering with Google, Samsung Galaxy devices build upon Android’s hardened security platform and intelligent security services, like Google Play Protect.
This alliance paves the way for Samsung Knox to deliver additional government-grade hardware protections and critical controls that exceed the hardware and software expectations for business.
Public Wi-Fi delivers much needed access for users but it also carries some inherent risks.
That’s why Samsung has joined forces with Cisco to provide seamless, secure Wi-Fi onboarding through OpenRoaming. When an OpenRoaming network is available, Samsung devices connect automatically without the need for added passwords or credentials.
Unique encryption secures the connection, preventing session hijacking or web snooping. With our open collaboration, public Wi-Fi is safe and reliable.
Tackling the waves of threats that emerge daily is a daunting task. And we don’t expect to do it alone.
Instead, we team up with experienced researchers and partners in the cyberthreat community. Together with SoC providers, we designed our hardware processing unit.
For the latest intel, we engage with the wider Linux security research communities, academia, and mobile operators. And so worldwide, a strong network of observers is active and engaged in protecting Samsung devices from attack.
Mobile threats are not going away.
Are your work data, your employees, and your business fully protected?
Be sure they’re secure with round-the-clock, end-to-end mobile security.
Copyright© 1995-2023 Samsung All rights reserved.
Samsung Knox is a proprietary security and management framework pre-installed on most Samsung mobile devices. Its primary purpose is to provide organizations with a toolset for managing work devices, such as employee mobile phones or interactive kiosks. Knox provides more granular control over the standard work profile to manage capabilities found only on Samsung devices. Knox’s features fall within three categories: data security, device manageability, and VPN capability. Knox also provides web-based services for organizations to manage their devices. Organizations can customize their managed mobile devices by configuring various functions, including pre-loaded applications, settings, boot-up animations, home screens, and lock screens. As of December 2020, organizations can use specific Samsung mobile device cameras as barcode scanners, using Knox services to capture and analyze the data.
Overview
Samsung Knox provides hardware and software security features that allow business and personal content to coexist on the same device. Knox integrates web services to assist organizations in managing fleets of mobile devices, which allows IT administrators to register new devices, identify a Unified Endpoint Management (UEM) system, [1] define the organizational rules that govern the use of devices, and upgrade device firmware over-the-air. [2] Developers can integrate these features with their applications using Knox SDKs and REST APIs. [3]
1.1. Services
Samsung Knox provides the following web-based services for organizations:
- To manage mobile devices: Knox Suite, Knox Platform for Enterprise, Knox Mobile Enrollment, Knox Manage, and Knox E-FOTA. [2]
- To customize and rebrand devices: Knox Configure [4]
- To capture and analyze data: Knox Capture, [5] Knox Peripheral Management, [6] Knox Asset Intelligence [7]
Most services are registered and accessed through the Samsung Knox web consoles, [8] with some accessed through the Samsung Knox SDK. [9]
Knox Capture
Knox Capture uses a Samsung mobile device’s camera to capture all major barcode symbologies like UPC, Code 39, EAN, and QR. Through a web console, IT admins can manage the input, formatting, and output configuration of scanned barcode data, and associate a device app (for example, an Internet browser for QR data). [10]
Knox Asset Intelligence
Knox Asset Intelligence helps organizations improve the management, productivity, and lifecycle of mobile devices. Through a web console, IT admins can monitor device battery management, app usage insights, comprehensive device tracking, and detailed Wi-Fi analytics. [11]
Container
When Samsung Knox debuted with the Galaxy S3 in 2013, it included a proprietary container feature that stored security-sensitive applications and data inside a protected execution environment. [12] Device users could switch between personal and business applications by tapping a Knox icon in the lower-left corner of the device screen. [13] The proprietary container, later called the Knox Workspace, was managed by organizations through a UEM system. [14]
Samsung then spun off consumer versions of the container feature, which did not require a UEM system to manage. These consumer versions included Personal Knox, later called My Knox starting in 2014. My Knox was replaced by Secure Folder in 2017. [15]
In 2018, Samsung partnered with Google to use its Android work profile to secure applications and data, and in 2019 deprecated the Knox Workspace container. [16] Samsung continues to pre-install the Secure Folder on most flagship mobile devices, but consumers must enable it for use. [17]
Samsung Real-Time Kernel Protection (RKP)
The Samsung RKP feature tracks kernel changes in real time; if a change is detected, it prevents the phone from booting and displays a warning about using an “Unsecured” Samsung device. [18] This feature is analogous to Android dm-verity/AVB and requires a signed bootloader. [19]
Security Enhancements for Android (SE for Android)
Although Android phones are already protected from malicious code or exploits by SE for Android and other features, Samsung Knox provides periodic updates that check for patches to further protect the system. [20]
Secure Boot
During Secure Boot, Samsung runs a pre-boot environment that checks for a signature match on all operating system (OS) elements before booting into the main kernel. If an unauthorized change is detected, the e-fuse is tripped and the system’s status changes from “Official” to “Custom”. [21]
Other features
Several other features that facilitate enterprise use are incorporated in Samsung Knox, including Samsung KMS (SKMS) for eSE NFC services, Mobile device management (MDM), Knox Certificate Management (CEP), Single Sign-On (SSO), One Time Password (OTP), SIM PIN Management, Firmware-Over-The-Air (FOTA) [22] and Virtual Private Network (VPN). [23] [24] [25] [26]
Since the release of Android Oreo, Samsung has patched the kernel so that apps are not granted root access even after rooting has succeeded. This patch prevents unauthorized apps from changing the system and deters rooting. [27]
1.3. Hardware
Knox includes built-in hardware security features: ARM TrustZone (a technology similar to a TPM) and a bootloader ROM. [28] Knox Verified Boot monitors and protects the phone during the booting process, along with Knox security built at a hardware level (introduced in Knox 3.3). [29]
e-Fuse
Samsung Knox devices use an e-fuse to indicate whether or not an “untrusted” (non-Samsung) boot path has ever been run. The e-fuse will be set if the device boots with a non-Samsung signed bootloader, kernel, kernel initialization script, or data. When set, the text “Set warranty bit: ” appears. Rooting the device or flashing a non-Samsung Android release also sets the e-fuse. Once the e-fuse is set, a device can no longer create a Knox Workspace container or access the data previously stored in an existing Knox Workspace. [30] In the United States, this information may be used by Samsung to deny warranty service to devices that have been modified in this manner. [31] Voiding consumer warranties in this manner may be prohibited by the Magnuson–Moss Warranty Act of 1975, at least in cases where the phone’s problem is not directly caused by rooting. [32] In addition to voiding the warranty, tripping the e-fuse also prevents some Samsung-specific apps from running, such as Secure Folder, Samsung Pay, Samsung Health, and Samsung Browser’s secret mode. For some older versions of Knox, it may be possible to clear the e-fuse by flashing a custom firmware. [33]
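The Secure Boot and e-Fuse behaviour described above, as an added simulation (not Samsung code): each boot stage is verified in order, the first mismatch trips a one-way warranty bit, and the bit stays set even when official images are flashed again. The vendor signature is modelled with an HMAC-SHA256 tag under a constructed key held by the simulated boot ROM; a real device verifies an RSA/ECDSA signature against a public key burned into hardware, and the stage names and images are constructed samples.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed stand-in for the vendor's signing key (an assumption of this
# simulation; a real device holds only a public key in boot ROM).
VENDOR_KEY = b"constructed-vendor-signing-key"


def sign_stage(image: bytes, key: bytes = VENDOR_KEY) -> bytes:
    """Tag that an authorised (vendor-signed) boot image carries."""
    return hmac.new(key, image, hashlib.sha256).digest()


@dataclass
class Device:
    warranty_bit: bool = False               # the e-fuse: can go 0 -> 1 only
    boot_log: List[str] = field(default_factory=list)

    def status(self) -> str:
        return "Custom" if self.warranty_bit else "Official"

    def can_create_workspace(self) -> bool:
        # Once the fuse is set, Knox Workspace containers are refused.
        return not self.warranty_bit

    def secure_boot(self, chain: List[Tuple[str, bytes, bytes]]) -> bool:
        """Verify each stage in order; the first mismatch trips the fuse and stops."""
        for name, image, tag in chain:
            if not hmac.compare_digest(sign_stage(image), tag):
                self.warranty_bit = True     # nothing in this class ever clears it
                # Appending the failing stage name is this simulation's choice.
                self.boot_log.append(f"Set warranty bit: {name}")
                return False
            self.boot_log.append(f"verified {name}")
        return True


def sample_chain(custom_kernel: bool = False) -> List[Tuple[str, bytes, bytes]]:
    """Constructed images tagged by the vendor key; optionally swap in an
    unsigned third-party kernel while keeping the original tag."""
    images = [("bootloader", b"sboot-image"), ("kernel", b"vendor-kernel"),
              ("init", b"vendor-init-script")]
    chain = [(n, img, sign_stage(img)) for n, img in images]
    if custom_kernel:
        chain[1] = ("kernel", b"third-party-kernel", chain[1][2])
    return chain


if __name__ == "__main__":
    dev = Device()
    print(dev.secure_boot(sample_chain()), dev.status())                   # True Official
    print(dev.secure_boot(sample_chain(custom_kernel=True)), dev.status())  # False Custom
    print(dev.secure_boot(sample_chain()), dev.status())                   # True Custom
    print(dev.can_create_workspace())                                       # False
```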
Samsung DeX
Options to manage Samsung DeX were added in Knox 3.3 to allow or restrict access using the Knox platform for added control and security. [34]
Samsung Knox TIMA
Knox’s TrustZone-based Integrity Measurement Architecture (TIMA) allows storage of keys in the container for certificate signing using the TrustZone hardware platform. [35]
Notable Security Mentions
In June 2014, the Defense Information Systems Agency’s (DISA) list of approved products for sensitive but unclassified use included five Samsung devices. [36]
In October 2014, a security researcher discovered that Samsung Knox stores PINs in plain text rather than storing salted and hashed PINs and processing them by obfuscated code. [37]
In October 2014, the U.S. National Security Agency (NSA) approved Samsung Galaxy devices for use in a program for quickly deploying commercially available technologies. Approved products include Galaxy S4, Galaxy S5, Galaxy S6, Galaxy S7, Galaxy Note 3, and Galaxy Note 10.1 2014. [36]
In May 2016, Israeli researchers Uri Kanonov and Avishai Wool found three vulnerabilities in specific versions of Knox. [38]
In December 2017, Knox received “strong” ratings in 25 of 28 categories in a Gartner publication comparing device security strength of various platforms. [39]
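The 2014 finding above, as an added example (not Knox code): the plaintext record beside a salted, stretched PBKDF2-HMAC-SHA256 record with constant-time verification, plus a simple attempt limiter, since a four-digit PIN has only 10,000 values and a slow hash alone does not stop online guessing. The iteration count and lockout threshold are assumptions.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

ITERATIONS = 200_000   # assumed work factor; raise as hardware gets faster


def store_pin_plaintext(pin: str) -> Dict[str, str]:
    """The pattern reported in 2014: the stored record itself reveals the PIN."""
    return {"pin": pin}


def store_pin_hashed(pin: str, salt: Optional[bytes] = None) -> Dict[str, str]:
    """Per-record random salt plus key stretching; only the digest is kept."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "iters": str(ITERATIONS), "hash": digest.hex()}


def verify_pin(record: Dict[str, str], candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(record["salt"]), int(record["iters"]))
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


class PinGuard:
    """Online-guess limiter: after max_attempts failures every check is
    refused until an out-of-band reset, regardless of the candidate."""

    def __init__(self, record: Dict[str, str], max_attempts: int = 5):
        self.record = record
        self.max_attempts = max_attempts
        self.failures = 0

    def locked(self) -> bool:
        return self.failures >= self.max_attempts

    def check(self, candidate: str) -> bool:
        if self.locked():
            return False
        if verify_pin(self.record, candidate):
            self.failures = 0
            return True
        self.failures += 1
        return False
```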
References
- codeproof.com. “Samsung Knox Mobile Enrollment (KME) enrollment”. https://www.codeproof.com/integrations/knox-mobile-enrollment/.
- “Knox for Enterprise Mobility” (in en). https://www.samsungknox.com/en/solutions/it-solutions.
- “Knox Developer Documentation”. https://docs.samsungknox.com/dev/index.htm.
- “Knox for Device Customization” (in en). https://www.samsungknox.com/en/solutions/device-customization.
- “Knox Capture” (in en). https://www.samsungknox.com/en/solutions/it-solutions/knox-capture.
- “Peripherals Overview” (in en). https://docs.samsungknox.com/dev/knox-sdk/peripherals.htm.
- “Knox Asset Intelligence” (in en). https://www.samsungknox.com/en/solutions/it-solutions/knox-asset-intelligence.
- “Samsung Knox Documentation Ecosystem”. https://docs.samsungknox.com/admin/fundamentals/welcome.htm.
- “Samsung Knox Developer Documentation”. https://docs.samsungknox.com/dev/knox-sdk/index.htm.
- “Samsung Knox Capture”. https://docs.samsungknox.com/admin/knox-capture/welcome.htm.
- “Samsung Knox Asset Intelligence”. https://docs.samsungknox.com/admin/knox-asset-intelligence/welcome.htm.
- “New Samsung Galaxy Note 3 software features explained” (in en-US). 2013-09-04. https://www.androidauthority.com/Samsung-Galaxy-note-3-software-features-explained-261976/.
- Ziegler, Chris (2013-02-25). “Samsung Knox: a work phone inside your personal phone (hands-on)” (in en). https://www.theverge.com/2013/2/25/4027040/Samsung-knox-a-work-phone-inside-your-personal-phone-hands-on.
- “Evaluating top MDMs for Android and iOS” (in en). https://searchmobilecomputing.techtarget.com/post/Evaluating-top-MDMs-for-Android-and-iOS.
- “Samsung discontinues My Knox, urges users to switch to Secure Folder” (in en-US). 2017-06-02. https://www.androidauthority.com/Samsung-discontinues-knox-switch-secure-folder-777140/.
- “What’s new in Knox 3.4?” (in en). https://www.samsungknox.com/en/blog/what-s-new-in-knox-3-4.
- “What is the Secure Folder and how do I use it?” (in en-GB). https://www.Samsung.com/uk/support/mobile-devices/what-is-the-secure-folder-and-how-do-i-use-it/.
- “How we cracked Samsung’s DoD- and NSA-certified Knox” (in en). ZDNet. https://www.zdnet.com/article/google-project-zero-how-we-cracked-samsungs-dod-and-nsa-certified-knox/.
- “Samsung RKP”. https://www.samsungknox.com/en/blog/real-time-kernel-protection-rkp.
- “What is SE for Android? | Samsung Support Philippines” (in en-PH). https://www.Samsung.com/ph/support/mobile-devices/what-is-se-for-Android/.
- “Forensics acquisition — Analysis and circumvention of Samsung secure boot enforced common criteria mode” (in en). Digital Investigation 24: S60–S67. 2018-03-01. doi:10.1016/j.diin.2018.01.008. ISSN 1742-2876. https://www.sciencedirect.com/science/article/pii/S1742287618300409.
- “Samsung Enterprise Firmware-over-the-air”. https://docs.samsungknox.com/admin/efota-common/welcome.htm.
- “Samsung SSO”. https://www.samsungknox.com/de/blog/improved-single-sign-on-sso-in-Samsung-knox.
- “Samsung CEP”. https://docs.samsungknox.com/knox-platform-for-enterprise/admin-guide/certificate-management.htm.
- “Samsung OTP”. https://support.samsungknox.com/hc/en-us/articles/115015955587-How-do-I-disable-two-step-authentication-in-Knox-Manage-.
- “Samsung Knox VPN”. https://docs.samsungknox.com/whitepapers/knox-platform/virtual-private-networks.htm.
- “Disable DEFEX Security to Root Samsung Galaxy Devices on Oreo”. https://www.thecustomdroid.com/disable-defex-security-Samsung-Galaxy-oreo-root/.
- “Root of Trust | Knox Platform for Enterprise Whitepaper”. https://docs.samsungknox.com/whitepapers/knox-platform/hardware-backed-root-of-trust.htm.
- “vTZ: Virtualizing ARM TrustZone”. https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-hua.pdf.
- Ning, Peng (2013-12-04). “About CF-Auto-Root”. https://www.samsungknox.com/en/blog/about-cf-auto-root. “The sole purpose of this fuse-burning action is to memorize that a kernel or critical initialization scripts or data that is not under Samsung’s control has been put on the device. Once the e-fuse bit is burned, a Samsung KNOX-enabled device can no longer create a KNOX Container or access the data previously stored in an existing KNOX Container.”
- “Just how does Knox warranty void efuse burning work?” (in en-US). https://forum.xda-developers.com/t/just-how-does-knox-warranty-void-efuse-burning-work.3407518/.
- Koebler, Jason (2016-08-17). “Companies Can’t Legally Void the Warranty for Jailbreaking or Rooting Your Phone”. Motherboard. https://motherboard.vice.com/en_us/article/yp3nax/jailbreaking-iPhone-rooting-Android-does-not-void-warranty.
- “Disable Knox on Samsung Galaxy Devices [4 Ways | Android]” (in en-US). https://androidmore.com/disable-Samsung-knox/.
- “Samsung DeX | Apps Services | Samsung IN” (in en-IN). https://www.Samsung.com/in/apps/Samsung-dex/.
- “Samsung TIMA Keystores”. https://docs.samsungknox.com/dev/knox-sdk/about-keystores.htm.
- Ribeiro, John (2014-10-21). “NSA approves Samsung Knox devices for government use”. PCWorld. http://www.pcworld.com/article/2836612/Samsung-knox-devices-approved-for-government-use-by-nsa.html.
- Mimoso, Michael (2014-10-24). “NSA-Approved Samsung Knox Stores PIN in Cleartext”. Threatpost. https://threatpost.com/nsa-approved-Samsung-knox-stores-pin-in-cleartext/109018/.
- Forrest, Conner (2016-05-31). “Samsung Knox isn’t as secure as you think it is”. TechRepublic. https://www.techrepublic.com/article/Samsung-knox-isnt-as-secure-as-you-think-it-is/.
- “Introduction | Knox Platform for Enterprise Whitepaper”. https://docs.samsungknox.com/whitepapers/knox-platform/Samsung-knox.htm.
© Text is available under the terms and conditions of the Creative Commons-Attribution ShareAlike (CC BY-SA) license; additional terms may apply.