Samsung Knox

Last updated
Knox
Developer(s) Samsung Group
Initial releaseMarch 2013 (2013-03)
Stable release
3.10 / 29 October 2023;8 months ago (2023-10-29) [1]
Operating system Android and Tizen
Website www.samsungknox.com/en OOjs UI icon edit-ltr-progressive.svg

Samsung Knox is a proprietary security and management framework pre-installed on most Samsung mobile devices. Its primary purpose is to provide organizations with a toolset for managing work devices, such as employee mobile phones or interactive kiosks. [2] Samsung Galaxy hardware, as well as software such as Secure Folder and Samsung Wallet, make use of the Knox framework. [3] [4]

Contents

Knox's features fall within three categories: data security, device manageability, and VPN capability. [5] Knox also provides web-based services for organizations to manage their devices. Organizations can customize their managed mobile devices by configuring various functions, including pre-loaded applications, settings, boot-up animations, home screens, and lock screens. [6]

Knox provides more granular control over the standard work profile to manage capabilities found only on Samsung devices. [7] As of December 2020, organizations can use specific Samsung mobile device cameras as barcode scanners, using Knox services to capture and analyze the data. [8]

Overview

Samsung Knox provides hardware and software security features that allow business and personal content to coexist on the same device. Knox integrates web services to assist organizations in managing fleets of mobile devices, which allows IT administrators to register new devices, identify a Unified Endpoint Management (UEM) system, define the organizational rules that govern the use of devices, and upgrade device firmware over-the-air. [9] Developers can integrate these features with their applications using Knox SDKs and REST APIs. [10]

Services

Samsung Knox provides the following web-based services for organizations:

Most services are registered and accessed through the Samsung Knox web consoles, [15] with some accessed through the Samsung Knox SDK. [16]

Knox Capture

Knox Capture uses a Samsung mobile device’s camera to capture all major barcode symbologies like UPC, Code 39, EAN, and QR. Through a web console, IT admins can manage the input, formatting, and output configuration of scanned barcode data, and associate a device app (for example, an Internet browser for QR data). [17]

Knox Asset Intelligence

Knox Asset Intelligence helps organizations improve the management, productivity, and lifecycle of mobile devices. Through a web console, IT admins can monitor device battery management, app usage insights, comprehensive device tracking, and detailed Wi-Fi analytics. [18]

Software

Container

When Samsung Knox debuted with the Galaxy Note 3 in 2013, it included a proprietary container feature that stored security-sensitive applications and data inside a protected execution environment. [19] Device users could switch between personal and business applications by tapping a Knox icon in the lower-left corner of the device screen. [20] The proprietary container, later called the Knox Workspace, was managed by organizations through a UEM system. [21]

Samsung then spun off consumer versions of the container feature, which did not require a UEM system to manage. These consumer versions included Personal Knox, later called My Knox starting in 2014. My Knox was replaced by Secure Folder in 2017. [22]

In 2018, Samsung partnered with Google to use its Android work profile to secure applications and data, and in 2019 deprecated the Knox Workspace container. [23] Samsung continues to pre-install the Secure Folder on most flagship mobile devices, but consumers must enable it for use. [24]

Samsung Real-Time Kernel Protection (RKP)

The Samsung RKP feature tracks kernel changes in real-time and prevents the phone from booting, as well as displaying a warning message about using "Unsecured" Samsung devices. [25] This feature is analogous to Android dm-verity/AVB and requires a signed bootloader. [26]

Security Enhancements for Android (SE for Android)

Although Android phones are already protected from malicious code or exploits by SE for Android and other features, Samsung Knox provides periodic updates that check for patches to further protect the system. [27]

Secure Boot

During Secure Boot, Samsung runs a pre-boot environment to check for a signature match on all operating system (OS) elements before booting in the main kernel. If an unauthorized change is detected, the e-fuse is tripped and the system's status changes from "Official" to "Custom". [28]

Other features

Several other features that facilitate enterprise use are incorporated in Samsung Knox, including Samsung KMS (SKMS) for eSE NFC services, Mobile device management (MDM), Knox Certificate Management (CEP), Single Sign-On (SSO), One Time Password (OTP), SIM PIN Management, Firmware-Over-The-Air (FOTA) [29] and Virtual Private Network (VPN). [30] [31] [32] [33]

Samsung has patched the kernel to prevent root access from being granted to apps even after rooting was successful since the release of Android Oreo. This patch prevents unauthorized apps from changing the system and deters rooting. [34]

Hardware

Knox includes built-in hardware security features ARM TrustZone (a technology similar to TPM) and a bootloader ROM. [35] Knox Verified Boot monitors and protects the phone during the booting process, along with Knox security built at a hardware level (introduced in Knox 3.3). [36]

e-Fuse

Rooted Samsung Galaxy S10e with tripped e-fuse Root Verifier (open source) screenshot on a rooted Samsung S10e.jpg
Rooted Samsung Galaxy S10e with tripped e-fuse

Samsung Knox devices use an e-fuse to indicate whether or not an "untrusted" (non-Samsung) boot path has ever been run. The e-Fuse will be set in any of the following cases:

  • The device boots with a non-Samsung signed bootloader, kernel, kernel initialization script, or data.
  • The device is rooted.
  • Custom firmware is detected on the device (such as non-Samsung Android releases).

On Galaxy Book devices starting with the Galaxy Book 4, upgrading from one Windows version to another (from 22H2 to 23H2) will not set the e-Fuse, but upgrading to a higher edition (from Home to Pro) will.

When set, the text "Set warranty bit: <reason>" appears. Once the e-fuse is set, a device can no longer create a Knox Workspace container or access the data previously stored in an existing Knox Workspace. [37] In the United States, this information may be used by Samsung to deny warranty service to devices that have been modified in this manner. [38] Voiding consumer warranties in this manner may be prohibited by the Magnuson–Moss Warranty Act of 1975, at least in cases where the phone's problem is not directly caused by rooting. [39] In addition to voiding the warranty, tripping the e-fuse also prevents some Samsung-specific apps from running, such as Secure Folder, Samsung Pay, Samsung Health, and Samsung Browser's secret mode (as well as certain Samsung apps preloaded on Galaxy Books). For some older versions of Knox, it may be possible to clear the e-fuse by flashing a custom firmware. [40]

Samsung DeX

Options to manage Samsung DeX were added in Knox 3.3 to allow or restrict access using the Knox platform for added control and security. [41]

Samsung Knox TIMA

Knox's TrustZone-based Integrity Measurement Architecture (TIMA) allows storage of keys in the container for certificate signing using the TrustZone hardware platform. [42]

Notable security mentions

In June 2014, the Defense Information Systems Agency's (DISA) list of approved products for sensitive but unclassified use included five Samsung devices. [43]

In October 2014, a security researcher discovered that Samsung Knox stores PINs in plain text rather than storing salted and hashed PINs and processing them by obfuscated code. [44]

In October 2014, the U.S National Security Agency (NSA) approved Samsung Galaxy devices for use in a program for quickly deploying commercially available technologies. Approved products include Galaxy S4, Galaxy S5, Galaxy S6, Galaxy S7, Galaxy Note 3, and Galaxy Note 10.1 2014. [43]

In May 2016, Israeli researchers Uri Kanonov and Avishai Wool found three vulnerabilities in specific versions of Knox. [45]

In December 2017, Knox received "strong" ratings in 25 of 28 categories in a Gartner publication comparing device security strength of various platforms. [46]

See also

Related Research Articles

<span class="mw-page-title-main">Privilege escalation</span> Gaining control of computer privileges beyond what is normally granted

Privilege escalation is the act of exploiting a bug, a design flaw, or a configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. The result is that an application or user with more privileges than intended by the application developer or system administrator can perform unauthorized actions.

Android is a mobile operating system based on a modified version of the Linux kernel and other open-source software, designed primarily for touchscreen mobile devices such as smartphones and tablets. Android is developed by a consortium of developers known as the Open Handset Alliance, though its most widely used version is primarily developed by Google. It was unveiled in November 2007, with the first commercial Android device, the HTC Dream, being launched in September 2008.

<span class="mw-page-title-main">Samsung Galaxy (original)</span> Smartphone manufactured by Samsung that uses the open source Android operating system

The Samsung GT-I7500 Galaxy is a smartphone manufactured by Samsung that uses the open source Android operating system. It was announced on 27 April 2009 and was released on 29 June 2009 as the first Samsung Mobile device to use the Android operating system introduced in the HTC Dream, and the first in what would become the long-running Galaxy series. It was succeeded by the Samsung Galaxy S in 2010.

Rooting is the process by which users of Android devices can attain privileged control over various subsystems of the device, usually smartphones and tablets. Because Android is based on a modified version of the Linux kernel, rooting an Android device gives similar access to administrative (superuser) permissions as on Linux or any other Unix-like operating system such as FreeBSD or macOS.

<span class="mw-page-title-main">TouchWiz</span> User interface by Samsung Electronics

TouchWiz is a discontinued user interface developed by Samsung Electronics with partners, featuring a full touch user interface. It is sometimes incorrectly referred to as an operating system. TouchWiz was used internally by Samsung for smartphones, feature phones and tablet computers, and was not available for licensing by external parties. The Android version of TouchWiz also comes with the Samsung-made app store Galaxy Apps. It was replaced by Samsung Experience in 2017 with the release of Android 7.0 “Nougat”*

<span class="mw-page-title-main">Hacking of consumer electronics</span>

The hacking of consumer electronics is a common practice that users perform to customize and modify their devices beyond what is typically possible. This activity has a long history, dating from the days of early computer, programming, and electronics hobbyists.

<span class="mw-page-title-main">Samsung Galaxy 3</span> Android smartphone manufactured by Samsung

The Samsung Galaxy 3, also known as the Samsung Galaxy Apollo, Samsung Galaxy Mini in Italy, or Samsung Galaxy 580 in Hong Kong, is a smartphone manufactured by Samsung that runs the open source Android operating system. Announced and released by Samsung in July 2010, the Galaxy 3 succeeds the Samsung Galaxy Spica.

<span class="mw-page-title-main">Replicant (operating system)</span> Free software version of Android

Replicant is a free operating system (OS) based on the Android mobile platform that intends to replace all proprietary Android components with free-software counterparts. It is available for several smartphones and tablet computers. It is written in the same programming languages as Android. The modifications are mostly in the C language; the changes are mostly to the lower-level parts of the OS, such as the Linux kernel and drivers that use it.

<span class="mw-page-title-main">Samsung Captivate Glide</span> Smartphone with Slide keyboard

The Samsung Captivate Glide (SGH-i927) as it is called in the United States, and sold as the Samsung Galaxy S Glide (SGH-i927R) in Canada, is the first physical QWERTY Galaxy S class smartphone running under the Android operating system to be released by Samsung for AT&T (US) and Rogers Wireless (Canada).

<span class="mw-page-title-main">Samsung Galaxy Ace 2</span> Android smartphone by Samsung Electronics

Samsung Galaxy Ace 2 (GT-I8160) is a smartphone manufactured by Samsung that runs the Android operating system. Announced and released by Samsung in February 2012, the Galaxy Ace 2 is the successor to the Galaxy Ace Plus.

<span class="mw-page-title-main">Odin (firmware flashing software)</span> Utility software developed by Samsung

Odin is a utility software program developed and used by Samsung internally which is used to communicate with Samsung devices in Odin mode. It can be used to flash a custom recovery firmware image to a Samsung Android device. Odin is also used for unbricking certain Android devices. Odin is the Samsung proprietary alternative to Fastboot.

<span class="mw-page-title-main">Samsung Galaxy J5</span> Android smartphone produced by Samsung

The Samsung Galaxy J5 is an Android smartphone produced by Samsung Electronics. It was unveiled and released in June 2015. It has Qualcomm Snapdragon 410 SoC that is backed by 1.5 GB RAM and that has a 64 bit processor, 32bit mode OS.

<span class="mw-page-title-main">Kali NetHunter</span> Free & open-source mobile penetration testing platform for non-rooted and rooted Android devices

Kali NetHunter is a free and open-source mobile penetration testing platform for Android devices, based on Kali Linux. Kali NetHunter is available for non-rooted devices, for rooted devices that have a standard recovery, and for rooted devices with custom recovery for which a NetHunter specific kernel is available (NetHunter). Official images are published by Offensive Security on their download page and are updated every quarter. NetHunter images with custom kernels are published for the most popular supported devices, such as Google Nexus, Samsung Galaxy and OnePlus. Many more models are supported, and images not published by Offensive Security can be generated using NetHunter build scripts. Kali NetHunter is maintained by a community of volunteers, and is funded by Offensive Security.

<span class="mw-page-title-main">Samsung Internet</span> Android web browser developed by Samsung

Samsung Internet Browser is a desktop and mobile web browser developed by Samsung Electronics, based on the open-source Chromium project. It comes pre-installed on Samsung Galaxy devices and, since 2015, has been available for download from Google Play for all Android devices.

<span class="mw-page-title-main">Samsung Experience</span> Software overlay by Samsung Electronics

Samsung Experience was the name of the software overlay by Samsung for its Galaxy devices running Android 7.x “Nougat” and Android 8.x “Oreo”. It was introduced in late 2016 on a beta build based on Android 7.0 “Nougat” for the Galaxy S7, succeeding TouchWiz. It has been succeeded in 2018 by One UI based on Android 9 “Pie” and later versions.

<span class="mw-page-title-main">Samsung DeX</span> Feature that enables users to extend their phone to a desktop-like experience

Samsung DeX is a feature included on some high-end Samsung handheld devices that enables users to extend their device into a desktop-like experience by connecting a keyboard, mouse, and monitor. The name "DeX" is a contraction of "Desktop eXperience".

postmarketOS Free and open-source operating system for smartphones, based on Alpine Linux

postmarketOS is an operating system primarily for smartphones, based on the Alpine Linux distribution.

<span class="mw-page-title-main">One UI</span> Software overlay by Samsung Electronics Limited

One UI is a user interface (UI) "Android skin" developed by Samsung Electronics for its Android devices running Android 9 "Pie" and later. Succeeding Samsung Experience and TouchWiz, it is designed to make using larger smartphones easier and be more visually appealing. To provide more clarity, some elements of the UI are tweaked to match colors that are based on the color of the user's phone. It was announced at Samsung Developer Conference in 2018, and was unveiled in Galaxy Unpacked in February 2019 alongside the Galaxy S10 series, Galaxy Buds and the Galaxy Fold.

<span class="mw-page-title-main">Bootloader unlocking</span> Process of disabling secure device booting

Bootloader unlocking is the process of disabling the bootloader security that makes secure boot possible. It can make advanced customizations possible, such as installing a custom firmware. On smartphones this can be a custom Android distribution or another mobile operating system. Some bootloaders are not locked at all, others can be unlocked using a standard command, others need assistance from the manufacturer. Some do not include an unlocking method and can only be unlocked through a software exploit.

The booting process of Android devices starts at the power-on of the SoC and ends at the visibility of the home screen, or special modes like recovery and fastboot. The boot process of devices that run Android is influenced by the firmware design of the SoC manufacturers.

References

  1. "Samsung Knox 3.10 released". Samsung Knox Team. 6 November 2023. Retrieved 23 July 2024.
  2. "Secure mobile platform and solutions". Samsung Knox. January 15, 2021. Archived from the original on December 23, 2020. Retrieved January 15, 2021.
  3. "Samsung Wallet | Apps". The Official Samsung Galaxy Site. Retrieved 2023-10-04.
  4. "Secure Folder". Samsung Knox. Retrieved 2023-10-04.
  5. "Samsung Knox Feature Summary". docs.samsungknox.com. Retrieved 2021-01-06.
  6. "8 Steps to Customizing Mobile Devices With Knox Configure". Samsung Business Insights. 2020-01-07. Retrieved 2021-01-06.
  7. "App Container | Knox Platform for Enterprise White Paper". docs.samsungknox.com. Retrieved 2021-01-07.
  8. Miller, Matthew. "Samsung Galaxy XCover Pro: Microsoft Teams Walkie Talkie experiences and Knox Capture release". ZDNet. Retrieved 2021-01-06.
  9. 1 2 "Knox for Enterprise Mobility". Samsung Knox. Retrieved 2021-01-06.
  10. "Knox Developer Documentation". docs.samsungknox.com. Retrieved 2021-01-06.
  11. "Knox for Device Customization". Samsung Knox. Retrieved 2021-01-06.
  12. "Knox Capture". Samsung Knox. Retrieved 2021-01-06.
  13. "Peripherals Overview". Samsung Knox. Retrieved 2021-06-28.
  14. "Knox Asset Intelligence". Samsung Knox. Retrieved 2021-06-28.
  15. "Samsung Knox Documentation Ecosystem". docs.samsungknox.com. Retrieved 2021-01-06.
  16. "Samsung Knox Developer Documentation". docs.samsungknox.com. Retrieved 2021-06-28.
  17. "Samsung Knox Capture". docs.samsungknox.com. Retrieved 2021-06-28.
  18. "Samsung Knox Asset Intelligence". docs.samsungknox.com. Retrieved 2021-06-28.
  19. "New Samsung Galaxy Note 3 software features explained". Android Authority. 2013-09-04. Archived from the original on 2021-01-09. Retrieved 2021-01-07.
  20. Ziegler, Chris (2013-02-25). "Samsung Knox: a work phone inside your personal phone (hands-on)". The Verge. Retrieved 2021-01-07.
  21. "Evaluating top MDMs for Android and iOS". SearchMobileComputing. Retrieved 2021-01-07.
  22. "Samsung discontinues My Knox, urges users to switch to Secure Folder". Android Authority. 2017-06-02. Retrieved 2021-01-07.
  23. "What's new in Knox 3.4?". Samsung Knox. Retrieved 2021-01-07.
  24. "What is the Secure Folder and how do I use it?". Samsung uk. Retrieved 2021-01-07.
  25. "How we cracked Samsung's DoD- and NSA-certified Knox". ZDNet.
  26. "Samsung RKP".
  27. "What is SE for Android? | Samsung Support Philippines". Samsung ph. Retrieved 2021-01-04.
  28. Alendal, Gunnar; Dyrkolbotn, Geir Olav; Axelsson, Stefan (2018-03-01). "Forensics acquisition — Analysis and circumvention of samsung secure boot enforced common criteria mode". Digital Investigation. 24: S60–S67. doi:10.1016/j.diin.2018.01.008. hdl: 11250/2723051 . ISSN   1742-2876.
  29. "Samsung Enterprise Firmware-over-the-air".
  30. "Samsung SSO".
  31. "Samsung CEP".
  32. "Samsung OTP".
  33. "Samsung Knox VPN".
  34. "Disable DEFEX Security to Root Samsung Galaxy Devices on Oreo". 13 October 2018.
  35. "Root of Trust | Knox Platform for Enterprise Whitepaper". docs.samsungknox.com. Retrieved 2018-11-13.
  36. "vTZ: Virtualizing ARM TrustZone" (PDF).
  37. Ning, Peng (2013-12-04). "About CF-Auto-Root". Samsung . Archived from the original on 2015-09-05. The sole purpose of this fuse-burning action is to memorize that a kernel or critical initialization scripts or data that is not under Samsung's control has been put on the device. Once the e-fuse bit is burned, a Samsung KNOX-enabled device can no longer create a KNOX Container or access the data previously stored in an existing KNOX Container.
  38. "Just how does Knox warranty void efuse burning work?". XDA Developers Forums. 28 June 2016. Retrieved 2021-01-05.
  39. Koebler, Jason (2016-08-17). "Companies Can't Legally Void the Warranty for Jailbreaking or Rooting Your Phone". Motherboard. Retrieved 2018-10-27.
  40. "Disable Knox on Samsung Galaxy Devices [4 Ways] | Android More". AndroidMore. Archived from the original on 2021-01-05. Retrieved 2020-12-14.
  41. "Samsung DeX | Apps & Services | Samsung IN". Samsung India. Retrieved 2021-01-04.
  42. "Samsung TIMA Keystores".
  43. 1 2 Ribeiro, John (2014-10-21). "NSA approves Samsung Knox devices for government use". PCWorld. Retrieved 2018-10-27.
  44. Mimoso, Michael (2014-10-24). "NSA-Approved Samsung Knox Stores PIN in Cleartext". Threatpost. Retrieved 2018-10-27.
  45. Forrest, Conner (2016-05-31). "Samsung Knox isn't as secure as you think it is". TechRepublic. Retrieved 2018-10-27.
  46. "Introduction | Knox Platform for Enterprise Whitepaper". docs.samsungknox.com. Retrieved 2018-11-13.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.