Samsung KNOX offers a multi-faceted security solution rooted in the tamper-resistant device hardware, through the Linux kernel and Android operating system. The first line of defense against malicious attacks, Samsung KNOX is currently approved to run on US Department of Defense networks.
Jump to details about:
Secure Android Platform
On most Android devices, the Android Boot Loader does not verify the authenticity of the kernel on the device. Those who want more control over their device can install a hacked Android kernel that roots a device. A hacked kernel provides superuser access to all data files, apps and resources. If the hacked kernel is corrupted the result can be a denial of service. If the kernel contains malware it can compromise the security of your enterprise's data.
Secure Boot is a security mechanism that prevents unauthorized boot loaders and kernels from being loaded during the startup process. Firmware images, such as operating systems and system components, cryptographically signed by known, trusted authorities, are considered authorized firmware. Secure Boot is a component that forms the first line of defense against malicious attacks on devices with KNOX.
Samsung KNOX uses systematic security checks to ensure that only valid kernels are used by the device. On the hardware level, the Primary Boot Loader confirms a PKI certificate to verify the integrity of the Secondary Boot Loader 1. Similarly, the Secondary Boot Loader 1 verifies the integrity of the Secondary Boot Loader 2, and the Secondary Boot Loader 2 verifies the integrity of the Android Boot Loader. The Android Boot Loader will only load a Samsung-authorized kernel with a Samsung certificate as its Root-of-Trust.
Secure Boot does not continue to check for authorized firmware after the system boot. For example, authorized firmware can be updated to remove vulnerabilities. However, both the updated and not updated firmware will be allowed to boot on the devices since both have proper signatures.
Also, the process to verify a boot loader's certificate has vulnerabilities that, if exploited, can cause the device to avoid Secure Boot altogether. The capability of custom Android OS on devices means Secure Boot cannot always be extended onto the OS kernel. As a result, devices cannot guarantee that their Android system will enforce OS level security (for example, SE for Android), which creates problems for the security of enterprise apps.
Trusted Boot on KNOX extends Secure Boot to further ensure kernel integrity. Trusted Boot uses the TrustZone, a tamper-resistant sector of an ARM processor. During the boot process, the TrustZone saves cryptographic fingerprints (called measurements) from all boot loader and OS kernels. At system run time, TrustZone apps on KNOX constantly compares all measurements. Critical security decisions are made based on the compared results.
For example, cryptographic keys used by the KNOX container are stored by the TIMA keystore (built on the ARM TrustZone framework). When KNOX-approved firmware runs on a device, it enforces SE for Android and protects the KNOX container keys. However, when custom Android OS runs on a device, there is no guarantee that the keys are protected. To guarantee the keys are protected, TIMA keystore stores the keys and will only release them when the TrustZone indicates that compared boot loader and kernel measurements match. If an unauthorized kernel is put on the device, the TIMA keystore detects that the measurements do not match and will refuse to release the keys.
BYOD has potential for employees to use rooted Android devices with customized firmware. An enterprise must validate the device's integrity before it installs a Samsung KNOX container on the device.
Attestation compares the original kernel measurements to the current kernel on the device to verify that a kernel is authorized before KNOX is installed. Attestation is based in the device's unique public/private key pair. In the factory, each device is given a unique pair of public/private keys along with a certificate for the public key, signed by a Samsung root private key. Attestation servers send random challenges to the device to test its integrity. An app in the TrustZone compares the measurements of the boot loaders and the kernel against the attestation challenge and sends the result back to the attestation server for final verification.
Security Enhancements (SE) for Android
UNIX and Linux allow users to grant themselves access to read, write, and execute files, an example of Discretionary Access Control (DAC). If malicious users obtain DAC, they could potentially obtain unauthorized access to data files, apps and resources. On rooted devices, malicious users can install apps that read passwords, email clients to send spam, upload sensitive documents to the Internet, or secretly turn on resources like the camera or microphone.
Samsung KNOX protects the OS through SE for Android, which is built on the SELinux technology.
SELinux defines which users or apps can access particular files and resources at the Linux level. It enforces Mandatory Access Control (MAC) with policy files. A corporate security administrator centrally controls policy for enterprise devices. Users cannot override this policy. To minimize the effects of device rooting, the system's superuser is also subject to MAC.
SE for Android secures the OS by separating it into distinct security domains. Within each domain, apps are given the minimal permission needed to operate. This process will contain the damage in one area and leave other areas uncompromised.
TrustZone-based Integrity Measurement Architecture (TIMA)
Devices are secured only at boot time, which leaves the device vulnerable to be compromised while it is in use. Secure Boot only verifies the Android kernel at boot time and SE for Android uses MAC, but relies on the kernel itself not being compromised. Platforms that permit external software to be loaded make the device more exposed to new or modified kernel modules.
Samsung KNOX introduces the TrustZone-based Integrity Measurement Architecture (TIMA). TIMA uses theTrustZone a tamper-resistant sector of an ARM processor. TIMA uses two techniques to ensure that the Linux kernel has not been compromised:
- Periodically verifies that the kernel has not changed, through measurements retrieved from the kernel and comparisons against the original factory kernel
- Authenticates kernel modules as they are dynamically loaded
Protected Apps and Information
Containers & App Wrapping
Data leakage can occur when one device is used to store both personal and business data. Employees could copy company-sensitive data onto apps, like notepad or email, or save confidential documents to an unprotected file system. Rogue apps, downloaded for personal use, can secretly collect and re-distribute this confidential data. Some apps can also secretly take screenshots when sensitive data is viewed.
The Samsung KNOX container is an Android environment within the device, complete with its own home screen, launcher, apps and widgets. Apps and data inside the container cannot interact with apps and data outside the container. The container enables enterprise IT to isolate and keep enterprise apps and data in a secure environment. Certain activities that can compromise security, such as screenshots, are restricted within the container.
For apps inside the container to be isolated from apps outside the container, they must be wrapped with an extra layer of security. Samsung KNOX provides an app wrapping service to protect enterprise apps and data from being compromised by third-party apps. This web-based service unpacks the app's APK file, extracts the developer certificate and repacks the binary with additional files to secure operation within the KNOX container. The new package is digitally signed with a certificate based on the original developer certificate. After an app has been wrapped, it is sent to Samsung's Quality Assurance (QA) process to be tested for device compatibility, basic functions, malware and risky behaviors. The QA process is done before an app is allowed to be installed in KNOX containers.
Samsung KNOX Apps
Google Play distributes almost a million apps worldwide to Android customers. Apps in the marketplace undergo only automated scans for malware or malicious activities. Apps can then be published and downloaded by customers instantly. Although apps can easily be published and downloaded, the apps' security is not guaranteed.
Samsung KNOX Apps in the KNOX container offers apps from reputable vendors with established Samsung partnerships. All apps in the container are wrapped to safely operate within the KNOX container. Samsung also provides a QA process to ensure that apps are compatible, functional and secure. Enterprises can wrap custom apps (for example, a company directory, or corporate email app) with Samsung's automated service. These custom apps are then pushed Over-The-Air (OTA) from the enterprise's MDM console to the KNOX container on devices.
On-Device Encryption (ODE)
Data that is stored unencrypted on a device can easily be read. Data recovery tools can also be used to restore deleted files, on both internal memory and external SD Cards.
Samsung KNOX enables ODE by default. ODE uses a 256-bit AES cipher algorithm to encrypt data on the entire device, including both the device’s internal storage and external SD Card. The enterprise IT admin can set a policy to encrypt data outside and inside the KNOX container. The key used for encryption is derived from the user-supplied password. Samsung KNOX meets the requirements for FIPS 140-2 Level 1 certification for both DAR and DIT.
Per-app Virtual Private Networking (VPN)
Unencrypted data sent wirelessly from a device can be monitored by sniffer devices situated throughout a network's infrastructure.
Samsung KNOX supports VPN encryption of data. Additionally, Samsung offers a per-app VPN that isolates corporate data-in-transit.
Enterprise IT admins can enforce secure VPN connectivity only for enterprise apps, web-based software as a service (SaaS) apps. This keeps personal apps from congesting enterprise VPN resources. Employee privacy is also ensured through the use of VPN for enterprise apps because personal data is kept off the enterprise network.
Powerful Control of Devices
Mobile Device Management
Enterprises face new challenges from mobile devices at work and the popularity of Bring Your Own Device (BYOD) programs:
- Manage and support employees who are local, remote or traveling
- Enforce corporate security policies consistently and reliably
- Handle security threats
- Manage lost or stolen devices that contain sensitive enterprise data
- Comply with new regulatory requirements
The Samsung KNOX platform can be managed with a Mobile Device Management (MDM) system. Samsung has partnered with MDM vendors to integrate KNOX capabilities into current MDM consoles used by enterprises.
Prior to KNOX, Samsung for Enterprise (SAFE) enabled enterprise IT admins to manage Samsung mobile devices through MDM consoles with a comprehensive suite of IT policies. Samsung KNOX adds even more security and management policies.
A MDM agent on a device implements an IT admin's policies by calling SAFE and KNOX Application Programming Interfaces (APIs) on the device. For example, your IT admin could invoke a policy to wipe a device if the kernel is compromised; the agent will call the APIs to carry out this order on the device.
Combined, SAFE and KNOX provide over 475 policies that IT admins can configure at their MDM consoles. Of these, over 205 are KNOX policies. All polices are supported by over 1035 APIs that MDM agents can call on the devices.
KNOX empowers enterprises to manage
security in these areas:
- SE for Android
- Integrity Management
- Single Sign-On (SSO)
- Common Access Card (CAC) or SmartCard
SAFE empowers enterprises to manage security in these areas:
- Restrict Access
- Geo Fencing
- Enterprise License Management (ELM)
KNOX technical details
- Install the KNOX container with a launcher icon, home screen and preloaded apps
- Lock the container, which requires the user to enter their KNOX password to unlock
- Uninstall the container
- Install or uninstall an app in the container through Samsung KNOX Apps
- Add or remove an app launcher icon on the KNOX home screen
- Define a whitelist or blacklist of apps that can be installed in the KNOX container
- Start or stop an app in the container
- Write data to an app's home directory
- Create a firewall around the container (for example, block the FTP port on the device from receiving connections, or block the device from connecting to the HTTP port on a web server)
- Define the password policy (same capabilities as the SAFE password)
- Enable or disable camera, non-secure keypad and share via list
SE for Android
- Set the enforce status of SE Linux
- Set the enforce status of the Android Activity Manager Service (AMS)
- Write SE Linux policy file to SE for Android
- Write policies for SE for Android security contexts
- Map apps to SE for Android security contexts
- Add apps to the baseline scan
- Perform a pre-baseline scan
- Establish the kernel measurement baseline
- Scan the kernel or installed apps in real time
- Start or stop the continuous runtime integrity monitoring
- Define a subscriber to receive integrity violations and results
- Update the existing baseline with the new scan result
- Add or remove a VPN profile
- Add or remove an app to or from a VPN profile so that when the app is launched, it uses a specific VPN
- Add all apps in the container to a VPN profile
- Enable a default forwarding route through defined network nodes
- Set the CA certificate or user certificate for a VPN profile
- Enable FIPS mode
Single Sign-On (SSO)
- Define a whitelist or blacklist of apps allowed to use the SSO service
- Set user information
- Force user to re-authenticate
Common Access Card (CAC) or SmartCard
- Enable or disable CAC or SmartCard authentication for the browser or email
SAFE technical details
- Start encryption and decryption on a device's internal memory or external SD card
- Wipe internal memory or the external SD card
- Lock out the device with a specific password
- Install or remove the certificates used to authenticate users for email, Wi- Fi or VPN
- Set the device enrollment status with the MDM server
- Power off a device
- Set the policy for user password patterns
- Set a blacklist of strings that are not allowed in passwords
- Set the number of failed password attempts before a device is disabled
- Set the time a password is valid, before it must be changed
- Set the number of previous passwords that cannot be used for a new password
- Show the user the password as it is entered
- Install, update or uninstall an app on a device
- Disable the uninstallation of an app
- Force all apps to be installed on an external SD card
- Get a list of the apps installed on a device
- Start or stop an app used on a device
- Check if an app is currently in use
- Get info about an app: package name, version, how much RAM/CPU/network traffic it is using, the size of code/data/cache required, last time it was launched and how long it was used
- Back up or restore a device’s app data and preferences
- Wipe data associated with an app
- Define a whitelist or blacklist of apps or widgets that can be installed
- Disable or re-enable the native browser, Play store, voice dialer, or YouTube
- Add an app launcher icon to the home screen and change an app's launcher icon
Enterprise License Management (ELM)
- Activate an enterprise license, which enables enterprise apps to access the MDM APIs
- Add or delete an MS Exchange ActiveSync account
- Set the account host, domain, username, email address, password
- Enable or disable Secure Sockets Layer (SSL) security
- Indicate if all certificates accepted for SSL
- Set the certificate to be used for SSL authentication
- Enable S/MIME certificates
- Synch the account with the device contacts, calendar, tasks and notes
- Enable device vibration for a new email
- Allow only IPsec or SSL/TLS connections
- Create, update or delete a VPN profile
- Configure the profile: ID, pre-shared key, CA certificate, user certificate, secret, encryption, DNS search domains/addresses and network node forwarding route
- Enable or disable Android Beam, apps not from Google Play, audio recording, background process limits, backups to Google cloud, Bluetooth, camera, cellular data, clipboard, factory reset, Home key, microphone, mock GPS locations, NFC, OTA O/S upgrades, power button, S Beam, SD card writing, S Voice, screen captures, settings changes by user, Share Via list, status bar, tethering, USB debugging, USB storage, video recording, VPN, wallpaper and Wi-Fi
- Enable or disable Kiosk mode, which provides a restricted version of the default Samsung home screen
- Enable or disable hardware keys, multi window mode or recently used apps display
- Hide the navigation bar, status bar or system bar
- Create or destroy a geofence area, which can be linear, circular or polygonal
- Determine if a device is within the geofence area
- Set the minimum distance and time interval to monitor a geofence
- Start or stop geofence monitoring
Robust Enterprise Ecosystem
Single Sign On (SSO)Add On
Multiple apps with different password requirements result in users who are overwhelmed with passwords. To simplify the process, some users create weak, easy-to-remember passwords.
Single Sign-On enables enterprise users to log in to multiple business apps with only their corporate login. Through Samsung KNOX's SSO, apps in the KNOX container can leverage an enterprise's Active Directory to authenticate employees. SSO ensures that employee passwords meet policies for enterprise apps.
CAC or SmartCard SupportAdd On
Regulated industries require a more robust employee authentication method than a simple login password. The method must prevent identity fraud, tampering, counterfeiting and exploitation.
Samsung KNOX supports US Department of Defense issued SmartCards, also known as Common Access Cards (CACs). The browser, email and VPN clients can use credentials on the CAC to log in, if the enterprise IT admin has configured this policy. Other third-party apps can also use the CAC through well- defined PKCS 11 APIs. CAC can be used for two-factor authentication on the device lock screen.
Theft RecoveryAdd On
A consequence of rapid smartphone growth is the equally rapid rise mobile device theft. Over 40% of robberies in major metropolitan cities are smartphone related. Reasons for the increase include: high resale value of the device, inability to disable a stolen device when stolen, and the ability to sell the personal information on the device.
Working in partnership with Absolute Software, Samsung KNOX offers a fully managed theft recovery solution for devices, enabling enterprises to:
- Monitor and manage devices within the Absolute Customer Center
- Remotely lock and delete data on lost devices and produce an audit log for proof of compliance with this process
- Report a device as stolen and engage the Absolute Theft Recovery Team, which comprises 42 recovery investigators and six forensic experts, who will work with local law enforcement to recover the device, even after it has had a factory reset
Absolute Software has recovered over 26,000 devices in 101 countries, leveraging relationships with over 6,700 law enforcement agencies worldwide.