| Knox | |
|---|---|
| Developer | Samsung |
| Initial release | March 2013 |
| Stable release | 3.12 / 10 July 2025 [1] |
| Operating system | Android and Tizen |
| Website | www |
Samsung Knox is a mobile device management (MDM) and trusted computing framework pre-installed on most Samsung mobile devices, and implements ARM TrustZone in hardware. It allows the management of work devices, such as employee mobile phones, interactive kiosks, and barcode scanners. [2] Like other MDMs, Knox allows organizations to control a device's pre-loaded applications, settings, boot-up animations, home screens, and lock screens. [3]
Knox provides trusted computing and mobile device management (MDM) features. Knox's hardware is based on an implementation of ARM TrustZone, a bootloader ROM, and secure boot (similar to dm-verity and AVB). [4] [5] These trusted computing environments are used to store sensitive data, like cryptographic materials and certificates. [6]
MDM allows businesses to customize their devices for their needs. IT administrators can register new devices, identify a unified endpoint management (UEM) system, define the organizational rules that govern the use of devices, and upgrade device firmware over the air. [7] Knox's MDM services are registered and accessed through the web, [8] APIs, or proprietary SDKs. [9]
A few Samsung devices with Knox were approved for US governmental use in 2014, provided they are not used to store classified data. [10]
Since Android 8, Knox is used to prevent root access to apps even after a successful rooting. [11]
In October 2014, a security researcher discovered that Samsung Knox stores PINs in plain text rather than storing salted and hashed PINs and processing them by obfuscated code. [12]
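To make the distinction in the preceding paragraph concrete, the following is an added example (not code from Samsung or from the cited research) that puts a plaintext PIN record beside a salted, iterated PBKDF2 record and includes a small audit helper that reports whether a record exposes the PIN verbatim. The work factor `ITERATIONS`, the record layout and all function names are the example's own choices.

```python
import hashlib
import hmac
import os
from typing import Optional

# PBKDF2 work factor (assumption; tune to the CPU budget of the device).
ITERATIONS = 200_000


def store_pin_plaintext(pin: str) -> dict:
    """Weak scheme: the record contains the PIN itself, so anyone who can
    read it (backup, debug dump, file system access) has the PIN."""
    return {"pin": pin}


def verify_pin_plaintext(record: dict, candidate: str) -> bool:
    return hmac.compare_digest(record["pin"], candidate)


def store_pin_hashed(pin: str, salt: Optional[bytes] = None) -> dict:
    """Stronger scheme: a random per-record salt plus an iterated hash.
    The record no longer reveals the PIN, and the same PIN on two devices
    yields different records, so one leaked record does not index another."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify_pin_hashed(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in
    constant time so the comparison itself does not leak anything."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def record_leaks_pin(record: dict, pin: str) -> bool:
    """Audit helper: True if the PIN appears verbatim in any stored field."""
    return any(pin == str(value) for value in record.values())


if __name__ == "__main__":
    weak = store_pin_plaintext("1234")
    strong = store_pin_hashed("1234")
    print("plaintext record leaks PIN:", record_leaks_pin(weak, "1234"))
    print("hashed record leaks PIN:   ", record_leaks_pin(strong, "1234"))
    print("hashed verify correct PIN: ", verify_pin_hashed(strong, "1234"))
    print("hashed verify wrong PIN:   ", verify_pin_hashed(strong, "0000"))
```

Salting and hashing stop the record from disclosing the PIN directly, but a 4-to-6-digit PIN has at most a million candidates, so an attacker holding the record can still try them all offline at the cost of `ITERATIONS` hash calls each. In practice the verification must therefore also be rate-limited and bound to a key that never leaves the device, which is the role the trusted execution environment described earlier in the article plays.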
In May 2016, Israeli researchers Uri Kanonov and Avishai Wool found three vulnerabilities in specific versions of Knox. [13]
Several security flaws were discovered in Knox in 2017 by Project Zero. [14] [15]
Samsung Knox devices use an e-fuse to indicate whether an "untrusted" (non-Samsung) boot path has ever been run. The e-fuse is set in any of the following cases:
When set, the text "Set warranty bit: <reason>" appears. Once the e-fuse is set, a device can no longer create a Knox Workspace container or access the data previously stored in an existing Knox Workspace. [17] In the United States, this information may be used by Samsung to deny warranty service to devices that have been modified in this manner. [18] Voiding consumer warranties in this manner may be prohibited by the Magnuson–Moss Warranty Act of 1975, at least in cases where the phone's problem is not directly caused by rooting. [19] In addition to voiding the warranty, tripping the e-fuse also prevents some preinstalled apps from running, such as Secure Folder and Samsung Pay. [20] For some older versions of Knox, it may be possible to clear the e-fuse by flashing a custom firmware. [21]
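As an added example (not Samsung's own code or tooling), the script below shows how an administrator might detect the state described above across a managed fleet from `adb shell getprop` output: it parses the property lines, reads the warranty bit, cross-checks the standard Android Verified Boot state, and flags devices where the bit is set, the boot state is not green, or the bit cannot be read at all. The property names `ro.boot.warranty_bit` and `ro.warranty_bit` are assumptions about what Samsung firmware exports, the sample outputs are constructed rather than captured from real devices, and the helper names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# `adb shell getprop` prints one "[key]: [value]" pair per line.
PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>[^\]]*)\]$")

# Assumed property names: the warranty-bit properties are what Samsung
# bootloaders are generally observed to export; the verified-boot state is
# the standard Android Verified Boot property (green/yellow/orange/red).
WARRANTY_PROPS = ("ro.boot.warranty_bit", "ro.warranty_bit")
VB_STATE_PROP = "ro.boot.verifiedbootstate"


def parse_getprop(text: str) -> Dict[str, str]:
    """Turn getprop output into a dict, ignoring lines that do not fit."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        match = PROP_RE.match(line.strip())
        if match:
            props[match.group("key")] = match.group("value")
    return props


@dataclass
class KnoxStatus:
    serial: str
    warranty_bit_set: Optional[bool]  # None: the property was not reported
    verified_boot_state: str
    knox_workspace_usable: bool  # per the article: False once the bit is set


def assess(serial: str, getprop_text: str) -> KnoxStatus:
    props = parse_getprop(getprop_text)
    bit: Optional[bool] = None
    for name in WARRANTY_PROPS:
        if name in props:
            # Any value other than an empty string or "0" counts as set.
            bit = props[name].strip() not in ("", "0")
            break
    vb_state = props.get(VB_STATE_PROP, "unknown")
    return KnoxStatus(serial, bit, vb_state, knox_workspace_usable=(bit is False))


def noncompliant(fleet: Dict[str, str]) -> List[str]:
    """Serials to follow up on: bit set, boot state not green, or unverifiable.
    A device whose bit cannot be read is treated conservatively as suspect."""
    flagged = []
    for serial, text in fleet.items():
        status = assess(serial, text)
        if status.warranty_bit_set is not False or status.verified_boot_state != "green":
            flagged.append(serial)
    return sorted(flagged)


# Constructed sample output (not captured from real devices).
SAMPLE_CLEAN = """\
[ro.boot.verifiedbootstate]: [green]
[ro.boot.warranty_bit]: [0]
[ro.product.model]: [SM-EXAMPLE]
"""
SAMPLE_TRIPPED = """\
[ro.boot.verifiedbootstate]: [orange]
[ro.boot.warranty_bit]: [1]
"""
SAMPLE_NO_PROP = """\
[ro.boot.verifiedbootstate]: [green]
"""

if __name__ == "__main__":
    fleet = {"dev-a": SAMPLE_CLEAN, "dev-b": SAMPLE_TRIPPED, "dev-c": SAMPLE_NO_PROP}
    for serial, text in fleet.items():
        print(assess(serial, text))
    print("follow up:", noncompliant(fleet))
```

In a real deployment the `getprop` text would come from `adb -s <serial> shell getprop` or from the device attributes an MDM already collects; the value of the check is that it reads the bit the bootloader itself recorded rather than trusting an app-level self-report, and that it does not silently pass devices whose state cannot be confirmed.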
Galaxy AI was first introduced on the Galaxy S24 series and later expanded to the Galaxy S25 series and foldable models such as the Samsung Galaxy Z Fold 7 and Samsung Galaxy Z Flip 7. On these devices, Samsung uses Knox as the security platform for selected Galaxy AI features. [22] [23] These features use on-device processing components, including the Personal Data Engine, which creates personalized outputs from data stored locally on the device. Information used or generated by these functions is saved in Knox Vault, [24] a hardware-backed secure environment designed to keep sensitive data separate from the main operating system. Some Galaxy AI features that operate across multiple Samsung devices use encrypted communication channels provided by Knox. [25] Users can also choose settings that limit cloud AI processing or require features to run only on the device. In enterprise environments, administrators using Knox Manage or other Knox tools can turn specific Galaxy AI features on or off, or restrict them based on organizational policies. [26]
Installing Magisk WILL trip your Knox Warranty Bit; this action is not reversible in any way.
The sole purpose of this fuse-burning action is to memorize that a kernel or critical initialization scripts or data that is not under Samsung's control has been put on the device. Once the e-fuse bit is burned, a Samsung KNOX-enabled device can no longer create a KNOX Container or access the data previously stored in an existing KNOX Container.
Some apps like Samsung Pay, Samsung Pass, Samsung Health, and Secure Folder will also stop working when Knox is tripped, although you can use unofficial workarounds to get some of them to work again.