Samsung Knox platform: Can it improve Android device security?

Application security expert Michael Cobb discusses the Samsung Knox platform and its ability to improve Android device security in the enterprise.

The U.S. Department of Defense approved the use of Android devices that utilize Samsung's Knox platform. My organization has been wary of allowing Androids on the corporate network, pushing users toward iPhones and BlackBerrys instead. Could you explain what Knox does to improve Android device security, and whether it may be a viable enterprise device platform, as well?

Although the security of the open source Android OS is considered by many to be as robust as Apple's iOS and the BlackBerry OS, devices running Android have generally been shunned by enterprises. The concerns are the number of malicious Android apps and the ease with which hackers have been able to distribute them, owing to lax submission policies on Google Play.

Samsung aimed to change that mindset with its Android-based Knox platform, a locked-down version of Android that enables work and personal data to safely coexist on the same device, while also retaining full compatibility with the Android ecosystem.

In 2013, the Samsung Knox platform was approved for use within the U.S. Department of Defense by the Defense Information Systems Agency. It was later approved for use within the National Security Agency and certified by government agencies in China, France and other nations. Knox has proven to be a popular solution for network administrators trying to control employee-owned devices in both enterprises and government agencies.

One of today's top BYOD concerns is data leakage caused by the mixing of professional and personal data and apps. Administrators have been reluctant to use remote wipe tools on lost devices because these tools typically erase the user's personal data, photos, music and other files, as well as corporate information.

Enterprise data stored on Android devices is also under threat from malicious apps downloaded by users via third-party app marketplaces. The Samsung Knox platform tackles these problems by using partitions -- called containers -- to isolate enterprise apps and to encrypt enterprise data both at rest and in motion. As a result, administrators have no access to personal apps and data, which remain outside the isolated business environment, and a remote wipe only erases the business partition.

Knox platform security features

Aside from the device's container model, the Samsung Knox platform includes a number of features designed to ensure a higher level of security.

  • Customizable Secure Boot, which ensures that only verified and authorized software can run on the device.
  • ARM's TrustZone-based Integrity Measurement Architecture, which provides continuous integrity monitoring of the Linux kernel, and which can disable and power down the device if it detects kernel or boot loader violations.
  • Security Enhancements for Android, which enforce the separation of information based on confidentiality and integrity requirements by isolating applications and data into different domains. This reduces the threat of tampering and bypassing application security mechanisms, while minimizing the damage that a malicious application can cause.

Also, an on-demand Federal Information Processing Standards (FIPS)-certified VPN client can be configured and provisioned on a per-application basis.

In addition, recent updates to the Samsung Knox platform have added new features, such as enhanced kernel security with control flow protection, which encrypts return addresses in the stack; the Secure Folder feature, which creates a separate encrypted folder for users' sensitive data and apps; and VPN support for IPv6 networks.

The Android OS itself has also received a number of enhancements recently; Android Nougat security features include the addition of file-level encryption, seamless updates and enhanced protection for the Linux kernel.

Over the years, the Samsung Knox platform has also received fixes for some notable bugs and vulnerabilities. For example, in 2016, security researchers at Tel Aviv University discovered several vulnerabilities in older versions of the platform, including weak encryption key generation for eCryptfs and a shared certificate store bug that enabled man-in-the-middle attacks on Knox's VPN traffic. The vulnerabilities were addressed in newer versions of the platform.

As a platform, Android already owns the largest share of the smart device market, and the introduction of Samsung Knox helped boost Android device security for enterprises.

The Samsung Knox platform is compatible with multiple enterprise mobile device management products, and any Android apps that will run in the secure work partition must come from an app store curated by Samsung. While such enterprise apps will need to be checked and signed off on by Samsung, developers will not need to write their own enterprise features, such as FIPS-compliant VPN, on-device encryption or enterprise single sign-on, as Knox provides these.

The dual-persona platform became popular with both security teams and employees, as personal applications and data are kept private from network administrators; approximately two years after its launch, Knox had more than 4 million users. The Samsung Knox platform was also designed to be easy for users to handle; it does not leverage virtualization, and users can switch between personal and work use, with no reboot or wait time, simply by pressing an icon.


This was last published in July 2017
