Samsung Knox


Samsung Knox is a comprehensive set of security features for personal and enterprise use pre-installed in most of Samsung's smartphones, tablets, and wearables.
On March 5, 2018, Samsung announced devices running Knox 3.0 and above integrate seamlessly with similar Android Enterprise features.

Overview

Samsung Knox provides a list of security features—both hardware and software—that allow business and personal content to securely coexist on the same handset, and allows other developers to communicate with these features throughout its SDKs. Some of these features coexist with already existing security enhancements provided by Android.

Software

Samsung Knox Container

Named the "Knox Workspace" app container—allows a user to press an icon that switches immediately between Personal and Work mode with no reboot required. Samsung has claimed that this feature will be fully compatible with Android and Google, and will provide full separation of work and personal data on mobile devices and "addresses all major security gaps in Android". Tripping the e-fuse will cause the container to remain inaccessible. The feature is similar, but not connected with, "Android for Work".

Samsung Defex

Starting from Android Oreo, Samsung has patched the kernel to prevent root access being granted to apps even after rooting was successful. This is to prevent unauthorised apps from changing the system and deter rooting.

Samsung Real-time Kernel Protection (RKP)

Samsung has implemented a feature that tracks kernel changes in real time and prevents the phone from booting as well as displaying a warning message about using "Unsecured" Samsung devices. This feature is analogous to Android dm-verity/AVB and requires a signed bootloader.

Android SE

Although Android phones are already protected by "SE for Android" feature, Samsung Knox provides periodic checks for patches that protects the system from malicious code or exploits.

Secure Boot

Before booting in the main Kernel, Samsung runs a "pre-boot" environment where it checks for the signature match of all elements of the OS. Should an unauthorised change be detected, the e-fuse will be tripped and the system's status will change from "Official" to "Custom".

Other Features

Connected with Samsung Knox are other features that facilitate enterprise use such as Samsung KMS for eSE NFC services, Mobile device management, Knox Certificate Management, Single Sign-On, One Time Password and Virtual Private Network.

Hardware

Knox includes built-in hardware security features: ARM TrustZone and a bootloader ROM. Knox Verified Boot monitors and protects during the booting process in addition to Knox security built at a hardware level.

e-fuse

Samsung Knox devices also use an e-fuse to indicate whether or not an "untrusted" boot path has ever been run. The e-fuse will be set if the device is booted with a non-Samsung signed bootloader, kernel, kernel initialization script or data, with a message displaying "Set warranty bit: <reason>". Rooting the device or flashing a non-Samsung Android release will, therefore, set the e-fuse. Once the e-fuse is set, a device can no longer create a Knox Workspace container, or access the data previously stored in an existing Knox Workspace. This information may be used by Samsung to deny warranty service, in the United States, to devices that have been modified in this manner. This is the case even though, in the United States, voiding of consumer warranties in this manner may be prohibited by the Magnuson–Moss Warranty Act of 1975, at least in cases where the phone's problem is not directly caused by rooting. In addition to voiding the warranty, tripping the e-fuse will also prevent some Samsung specific apps from running such as "Samsung Pay", "Samsung Health" and "Samsung Browser"'s Secret mode. For some older versions of Knox, it may be possible to clear the e-fuse by flashing a custom firmware.

Samsung DeX

Since Knox 3.3 the options to manage Samsung DeX were added to allow or restrict access using the Knox platform for added control and security.

Samsung Knox TIMA

Named Trust-zone-based Integrity Measurement Architecture, the feature allows storage of keys in the container for certificate signing using the TrustZone hardware platform.

Notable security mentions

In June 2014, five Samsung devices were included in the list of approved products for sensitive but unclassified use by the Defense Information Systems Agency of the Department of Defense, which certifies commercial technology for defense use.
In October 2014, a security researcher discovered that Samsung Knox stores PIN in plain-text instead of storing salted and hashed PIN and processed it by obfuscated code.
In October 2014, U.S National Security Agency approved Samsung Galaxy devices under a program for quickly deploying commercially available technologies. Approved products include Galaxy S4, Galaxy S5, Galaxy S6, Galaxy S7, Galaxy Note 3, Galaxy Note 10.1 2014.
In May 2016, Israeli researchers, Uri Kanonov and Avishai Wool, found three key vulnerabilities existing in specific versions of Knox.
In December 2017, Knox received strong ratings in 25 of 28 categories in Gartner's December 2017 Mobile OSs and Device Security: A Comparison of Platforms.
In June 2017, Samsung discontinued My Knox and urged users to switch to an alternate product, Secure Folder.