If you’re someone who owns or has owned a Samsung smartphone, you may have come across the “protected by Knox” slogan during your use of the phone. If you haven’t seen it, then know that Samsung has baked in a platform into most of their smartphones that have been designed to offer a robust set of security features. But Knox is more than just a “virus scanner” or “malware detector” or even just a “security feature.” It is a robust set of provisions that starts at the hardware level of a Samsung device and goes all the way through to the software in multiple layers. The Knox platform is Samsung's solution for allowing people to maintain both personal and confidential work data on the same device, without compromising on security. Interestingly, Samsung Knox is built into most of Samsung's modern smartphones, even those dating back to 2015 such as the Galaxy J5. We sat down with Mr. Sukesh Jain, Senior Vice President, IT & Mobile Enterprise Business, Samsung India to understand just how Knox works to secure the phone.
What is Knox
Samsung Knox is an enterprise-grade security solution that comes pre-loaded on most Samsung devices. Samsung has built Knox from the ground up and encompasses both hardware and software encryption and security policies. Mr. Jain elaborate that “We (Samsung) actually create a trusted zone at the hardware level which keeps on performing encryption tests and tests for any unwanted activity on a regular basis. So, it’s a combination of encryption done at the hardware layer level and the OS level.” Designed to be an enterprise-grade solution, Knox allows for a total segregation of personal and business data on the same device. For an average consumer, this means that you can protect any app of your choosing from more than just prying eyes.
The Secure Folder
The most obvious place where you see Samsung Knox in action is on the Secure Folder app on your Samsung device. This is where the secure enclave kicks in. Unlike other apps which allow you to password protect apps, the Secure Folder is a separate conclave created on the storage, secured by hardware encryption. The secure folder is its own environment, inaccessible from the outside. Let’s say you move a copy of the camera app and the gallery app into the Secure Folder. If you take any photos with the “secured camera app,” you will not be able to see the photos using the gallery app outside of the Secure Folder. However, the gallery app you just moved to the secure folder will have access to that content. Of course, without biometric or pin-based authentication, you cannot enter the Secure Folder. The biometric/PIN is used to encrypt the secure enclave. For an average consumer, moving basic apps like WhatsApp or Google Photo may be a little inconvenient because some features would break. For example, my WhatsApp was set to automatically backup my chats to Google Drive at a pre-set time, but being in the Secure Folder, this didn’t work unless I had expressly left the folder unlocked. Same behaviour was noticed for Google Photos’ backup feature. In fact, copy-paste is also disabled for apps within Secure Folder. Consumers will find adding their financial management apps here to be the aptest use of the Secure Folder.
Securing against Intrusion
Samsung’s Knox employs multiple techniques in order to safeguard not just the content stored in the secure zone, but also itself from intrusions. It all begins at the factory, shares Mr. Jain. “there is something on the hardware layer that is linked to the boot-sequence. So, the boot keys need to be secure. then the boot sequence is fragmented in such a way that even if someone is able to get access to the bootloader, there is a two-factor authentication of the bootloader. There are two bootloaders, the job of the second one being to authenticate whether the first bootloader has been compromised or not and then accordingly boot. Then there is the third layer which is a hardware root of trust which has registered switches on the devices which are configured in such a way to detect if anyone has tried to access the bootloader or the bootkeys.” Essentially, Samsung has built multiple checks to ensure that the Knox platform isn’t compromised before boot and all of it relies on the keys that are written to the hardware at the manufacturing stage and are not re-writable. Samsung also implements a roll-back prevention system which prevents any OS build with an older version of Knox from being installed.
Samsung has built an “e-fuse” into the platform which is triggered in the even there is any unwarranted modification of the Knox Platform. Once the fuse is flipped, Knox becomes invalidated and the data and applications stored in the secure folder is lost forever. In fact, once the e-fuse is triggered, Samsung has a policy of not offering any kind of after-sales service for the device. This, Mr. Jain says, is because the e-fuse was designed to detect tampering of the device and once its triggered, there is no way for them guarantee the security of the device. The E-Fuse is also why you shouldn’t be downloading firmware which may be for your particular smartphone but belongs to a different region. Mr. Jain explained that for each region and carrier, Samsung builds specific firmware files, often denoted by the Country Specific Code (CSC). Some CSCs may be cross-compatible, but some definitely won’t be and flashing the wrong firmware file will again trigger the e-fuse, killing Knox. For an average consumer, this means no more secure folder, and no more Samsung Pay.
Knox on other Hardware
We asked Mr. Jain what keeps Samsung from licencing the technology to other hardware OEMs. He responded by saying that Knox as a platform relies on both hardware and software and that since Samsung cannot control the hardware of OEMs, it becomes difficult to provide the level of security you would get from a Samsung-made device on the devices of other device manufacturers. The hardware component of the Knox platform is deeply integrated into Samsung’s own version of Android and since with other OEMs, both the hardware and software would differ, Samsung does not currently have any such licensing deals being discussed.
For everyone, but not really
The Knox Platform is built into most Samsung devices, however, its full capabilities won’t be utilised by most of us. Since it was designed as an enterprise solution, Knox can be used to completely customise what you can and cannot do with a smartphone. If deployed in an enterprise environment, the admin can set the phone up in more ways than we can list out here. The admin can control app installations, deletions, copy-paste feature, what apps are available and even mandate certain security measures. A parent, for example, would love to have the ability to lock down their child’s phone to prevent unwanted kind of access. Or maybe you would want to make sure that when you’re gifting your child a phone, all their activity is secured by Knox, and by default, everything lies within the Secure Folder. This would help make sure that if the phone was stolen, the data within would be secure. Unfortunately, this kind of customisation which can be availed by enterprises only and when we asked Mr. Jain how much it would cost to get one or two devices configured this way, he simply smiled and said: “the costs vary based on many factors.” Needless to say, consumers are going to have to settle for the Secure Folder, Samsung Cloud’s remote wipe capabilities and Samsung Pay for now.
Samsung Knox is for sure a far more robust platform for the security conscious, moving past just a “password barrier” to your content. During our conversation, it also became evident that Knox could play a role in why Samsung’s OS updates take so much time to roll out. We asked Mr. Jain what portion of ROM development time was taken up by ensuring Knox functionality, to which he casually chuckled and said that he could not give me a definitive answer. He said this is because a lot of the development on ROMs happen in parallel, so it would be hard to ascertain specific hours taken up by the Knox team to ensure full compliance with the ROM. He did share that at one point, Samsung engineers spent up to 4 weeks to ensure that the update that was supposed to roll out wasn’t going to break anything within the Knox ecosystem. The Knox Platform offers incredible flexibility and functionality for an enterprise, but we can’t help but wish that Samsung would offer the same kind of functionality to customers as well.