Samsung Knox, introduced in 2013, is Samsung's defense-grade mobile security platform built into its newest devices. Knox is an integrated suite of security features that protects sensitive data on a Knox-enabled mobile device. Some protections are built into the hardware and software of the device, while other Knox protections can be activated later.
Knox protects enterprise data by building a hardware-rooted trusted environment. A trusted environment ensures that enterprise-critical operations, such as decryption of enterprise data, can only occur when core system components are proven not to be compromised.
Key Features of Samsung Knox:
- Provides a Secure Boot facility that prevents unauthorized bootloaders and operating systems from loading during startup. Secure Boot is implemented by each bootloader cryptographically verifying the signature of the next bootloader in the sequence, using a certificate chain whose root of trust resides in hardware. The boot process is terminated if verification fails at any step.
- With the Trusted Boot option, measurements of the bootloaders are recorded in secure memory during the boot process. At runtime, TrustZone applications use these measurements to make security-critical decisions, such as whether to release cryptographic keys from the TIMA KeyStore, whether to activate the container, and so on.
- ARM® TrustZone®-based Integrity Measurement Architecture (TIMA): the TIMA KeyStore refuses access to cryptographic keys if the device is compromised, and TIMA Client Certificate Management (CCM) ensures keys are never exposed to the Android operating system. TIMA leverages hardware features, specifically TrustZone, to ensure that it cannot be preempted or disabled by malicious software.
- The Knox platform now includes the SE for Android Management Service, which provides API-level control of the security policy engine. It is used primarily by the Knox Workspace container, but is also available to third-party vendors to secure their own container solutions. The APIs allow software permissions to be tailored for each organization.
- TrustZone-based Security Services – As explained above, if the Trusted Boot measurements do not match the authorized values, or if the Knox warranty bit is voided, all TIMA CCM functions shut down, protecting enterprise data in case of device compromise.
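As an added illustration of how the Secure Boot chain and the Trusted Boot measurements fit together (this is example code written for this post, not Samsung's Knox implementation): each stage's signature is verified against the key embedded in the previous stage, starting from a root key that would be fused into hardware; every stage that verifies is measured into a log; and a stand-in for the TIMA KeyStore releases its key only when that log matches the authorized values and the warranty bit is intact. Ed25519 and SHA-256 are assumed as the signature and digest algorithms, and the `Stage`, `KeyStore` and `BuildChain` names are inventions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Stage models one bootloader image in the chain (hypothetical structure for this example).
// Each image embeds the public key used to verify the *next* stage, so trust extends
// forward from the hardware root key without any stage having to trust the OS.
type Stage struct {
	Name      string
	Image     []byte            // constructed sample code bytes for this stage
	NextKey   ed25519.PublicKey // verification key for the following stage, embedded in the image
	Signature []byte            // signature over signedPayload(), made by the previous stage's signer
}

// signedPayload is what the previous stage signs and what Trusted Boot measures:
// the image bytes plus the embedded next-stage key, so replacing either is detected.
func signedPayload(s Stage) []byte {
	return append(append([]byte{}, s.Image...), s.NextKey...)
}

// Measurement is the SHA-256 digest of a stage's signed payload, recorded during boot.
type Measurement [32]byte

// VerifyChain performs Secure Boot: starting from the hardware root-of-trust key, each
// stage's signature is checked before control would pass to it. It also performs the
// Trusted Boot step, appending a measurement of every stage that verified. The boot
// halts (returns an error) at the first stage whose signature fails.
func VerifyChain(root ed25519.PublicKey, stages []Stage) ([]Measurement, error) {
	current := root
	var measured []Measurement
	for _, s := range stages {
		payload := signedPayload(s)
		if !ed25519.Verify(current, payload, s.Signature) {
			return nil, fmt.Errorf("secure boot halted: signature of %q failed verification", s.Name)
		}
		measured = append(measured, sha256.Sum256(payload))
		current = s.NextKey
	}
	return measured, nil
}

// KeyStore stands in for a TrustZone-resident keystore. It releases its key only when
// the recorded boot measurements equal the authorized values and the warranty bit is intact.
type KeyStore struct {
	Authorized   []Measurement
	WarrantyVoid bool
	Secret       []byte
}

var ErrDeviceCompromised = errors.New("keystore: device integrity not proven, key release refused")

func (k *KeyStore) Release(measured []Measurement) ([]byte, error) {
	if k.WarrantyVoid || len(measured) != len(k.Authorized) {
		return nil, ErrDeviceCompromised
	}
	for i := range measured {
		if measured[i] != k.Authorized[i] {
			return nil, ErrDeviceCompromised
		}
	}
	return k.Secret, nil
}

// BuildChain constructs a signed chain for the given stage names. It returns the root
// public key (the value that would be fused into hardware) and the signed stages.
// Private keys are dropped after signing: nothing on the device needs them.
func BuildChain(names []string) (ed25519.PublicKey, []Stage, error) {
	rootPub, signer, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	var stages []Stage
	for _, name := range names {
		nextPub, nextPriv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			return nil, nil, err
		}
		s := Stage{Name: name, Image: []byte("image:" + name), NextKey: nextPub}
		s.Signature = ed25519.Sign(signer, signedPayload(s))
		stages = append(stages, s)
		signer = nextPriv // the following stage must be signed by the key this stage embeds
	}
	return rootPub, stages, nil
}

func main() {
	root, stages, err := BuildChain([]string{"primary bootloader", "secondary bootloader", "kernel"})
	if err != nil {
		panic(err)
	}
	good, err := VerifyChain(root, stages)
	if err != nil {
		panic(err)
	}
	ks := &KeyStore{Authorized: good, Secret: []byte("enterprise-container-key")}
	_, err = ks.Release(good)
	fmt.Println("clean boot, key released:", err == nil)
	// Tamper with the second stage's image: Secure Boot must halt there.
	tampered := append([]Stage{}, stages...)
	tampered[1].Image = append([]byte("patched:"), tampered[1].Image...)
	_, err = VerifyChain(root, tampered)
	fmt.Println("tampered boot:", err)
}
```

The point the example makes is that the two mechanisms catch different things: a tampered image fails signature verification and halts the boot, while a chain that is validly signed but not the one the enterprise authorized still boots yet produces measurements the keystore does not recognise, so the container key stays locked.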
With the latest release of the Knox platform, Samsung added three features that are enabled by default for Android for Work:
- Sensitive Data Protection is enabled by default for apps inside Managed Profiles. There is no license requirement, but the APIs must be integrated to use this feature.
- The TIMA KeyStore is used by default.
- The integrity of the device must be in an approved state or Android for Work cannot be used.
Android for Work, introduced in 2014, is an enterprise program that separates work apps and data from personal apps and data for enterprises using Bring Your Own Device (BYOD) or Corporate-Owned, Personally Enabled (COPE) devices. Keeping business data in Managed Profiles allows IT admins to apply policies that prevent data leakage, block installation of apps from unknown sources, and enforce app policies. For more information on Android for Work, see https://www.android.com/work/
Knox 2.9 introduces the following features:
- Real-time permission monitoring: receive a notification when an app running in background mode accesses defined permissions. Users can enable or disable this monitoring feature and view detailed information about the app's permission access attempt. Monitored permissions include camera, microphone, SMS, video recording, and background screen capture.
- USB class control for enterprise use: enables granular control of USB functions on mobile devices. The enterprise can configure which USB classes are allowed on an employee's device.
- Network Platform Analytics: a new framework gives authorized apps the ability to monitor network activity patterns without inspecting the contents of data packets. This feature is being released jointly with a compatible Cisco product that, in combination, provides a complete end-to-end network analytics solution.
- Memory layout isolation and randomization: the Knox platform now isolates and randomizes the memory address layout of system apps separately from non-system apps. This minimizes the chance of bypassing address space layout randomization for critical system apps. Memory for apps is no longer allocated in contiguous blocks; the memory associated with a given app is spread over the available address space in random blocks.
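The real-time permission monitoring item above is essentially a detection rule: background use of a monitored permission raises a notification, foreground use does not, and the user can switch the feature off. The following is an added example of that rule run over a constructed audit feed; it is not Knox code, the line format (`pkg=... perm=... state=fg|bg`), the permission names, and the `Monitor` type are all assumptions made for this illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Monitored lists the permission classes the Knox 2.9 description names for
// real-time monitoring. The string names themselves are this example's own.
var Monitored = map[string]bool{
	"CAMERA": true, "MICROPHONE": true, "SMS": true, "VIDEO_RECORD": true, "SCREEN_CAPTURE": true,
}

// Event is one permission-use record from a hypothetical audit feed.
type Event struct {
	Package    string
	Permission string
	Background bool // true when the app was not in the foreground at access time
}

// Alert is raised when a monitored permission is used by an app in the background.
type Alert struct {
	Package, Permission string
}

// ParseEvent reads a constructed line of the form
// "pkg=<package> perm=<PERMISSION> state=<fg|bg>" and rejects anything else.
func ParseEvent(line string) (Event, error) {
	fields := map[string]string{}
	for _, kv := range strings.Fields(line) {
		parts := strings.SplitN(kv, "=", 2)
		if len(parts) != 2 {
			return Event{}, fmt.Errorf("malformed field %q", kv)
		}
		fields[parts[0]] = parts[1]
	}
	pkg, perm, state := fields["pkg"], fields["perm"], fields["state"]
	if pkg == "" || perm == "" || (state != "fg" && state != "bg") {
		return Event{}, fmt.Errorf("malformed event line %q", line)
	}
	return Event{Package: pkg, Permission: perm, Background: state == "bg"}, nil
}

// Monitor models the user-controlled switch and per-app suppression described above.
type Monitor struct {
	Enabled bool
	Muted   map[string]bool // packages the user chose to stop being notified about
}

// Scan returns one Alert per background use of a monitored permission. Foreground use,
// unmonitored permissions, muted apps, and a disabled monitor produce none.
func (m Monitor) Scan(lines []string) ([]Alert, error) {
	var alerts []Alert
	for _, line := range lines {
		ev, err := ParseEvent(line)
		if err != nil {
			return nil, err
		}
		if !m.Enabled || !ev.Background || !Monitored[ev.Permission] || m.Muted[ev.Package] {
			continue
		}
		alerts = append(alerts, Alert{Package: ev.Package, Permission: ev.Permission})
	}
	return alerts, nil
}

// SampleLines is a constructed audit feed, not real device output.
var SampleLines = []string{
	"pkg=com.example.flashlight perm=CAMERA state=bg",
	"pkg=com.example.chat perm=MICROPHONE state=fg",
	"pkg=com.example.weather perm=LOCATION state=bg",
	"pkg=com.example.notes perm=SCREEN_CAPTURE state=bg",
}

func main() {
	alerts, err := Monitor{Enabled: true}.Scan(SampleLines)
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("background use of %s by %s\n", a.Permission, a.Package)
	}
}
```

Run against the sample feed, only the flashlight app's camera use and the notes app's screen capture are reported: the microphone access happened in the foreground and location is not in the monitored set. A malformed line is treated as an error rather than silently skipped, so a broken feed cannot hide an access.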
Some of the prominent use cases where enterprises can benefit from combining Knox Workspace and Android for Work are:
- Financial institutions and banks: Knox to employees, Android for Work to contractors. Enterprises may adopt both Bring Your Own Device (BYOD) and Corporate-Owned, Personally Enabled (COPE) device management models. For example, employees may have COPE devices while contractors use BYOD devices. For COPE deployments, enterprises supply the devices, so they can ensure that these devices are Knox-enabled. Contractors may bring in a wide range of devices, some of which may not support Knox. In these cases, Android for Work can be deployed.
- Hospitals: Knox to doctors, Android for Work to patients. Doctors who work in a hospital may be issued devices to access patient records and other information. Patients may also need to access their health records on their personal mobile devices. Hospitals can issue Knox devices and deploy Knox Workspace on them to ensure that patient records are secured. Since patients use their own devices to access their medical records, some of these devices likely do not support Knox. In this case, the hospital can allow patients to access their own information using an Android for Work Managed Profile.
I hope I have covered the key features and use cases of Knox. If I have missed anything, please add it in the comments section.