Introduction to Samsung KNOX

Date post: 18-Dec-2014
Upload: wayne-pau
Description:
Basic overview of new Samsung KNOX and how it compares to Generic Android and iOS offerings.
Transcript
Page 1: Introduction to Samsung KNOX

Samsung KNOX

Wayne Pau, Emerging Technologies SAP

Mar 26, 2013

Page 2: Introduction to Samsung KNOX

© 2012 SAP AG. All rights reserved. Internal

Samsung KNOX

• Generally more “Secure” than existing Container/Quarantines

• Much “Deeper” solution than other Android SW options:

1. Customized Secure Boot

2. ARM TrustZone-based Integrity Measurement Architecture (TIMA)

3. Security Enhanced Kernel

• Allows KNOX to constantly verify/monitor for intrusions/attacks

• Creates Samsung-only App Signing process (i.e. KNOX-only App Store)

Page 3: Introduction to Samsung KNOX

Samsung KNOX - Developers

• KNOX Offers Developers “out-of-the-box”:

1. Secure KNOX Container

2. Separate Encrypted File Systems (KNOX zone)

3. FIPS certified VPN client per app

4. Container Level SSO

• Only a “repackage”. No need to re-write or embed API

• Integration with MDM vendors for 65 Policies:

• Certificate management

• Audit Log

• SEAndroid Policy Enforcement

• Enterprise Container Management Policy Group

• Container Password Policy Group

• Enterprise Single-Sign-On

• Enterprise ISL Group

• Enterprise Premium VPN Policy Group

• SmartCard Policy Group

• Container VPN Policy Group

• Container Application Policy Group

• Container Firewall Policy Group

Page 4: Introduction to Samsung KNOX

Inter-App Communication Spectrum

[Figure: spectrum running from more secure (left) to less secure (right): Apple iOS, Samsung KNOX, Google Android]

Page 5: Introduction to Samsung KNOX

Inter-App Communication Spectrum

[Figure: spectrum axis running from more secure (left) to less secure (right)]

Page 6: Introduction to Samsung KNOX

iOS – Apple Sandbox

• No Inter-app Communication

• Each App installed in own Container

• Apps have to be signed by Apple

• Keychain from Apple for password/sensitive data

• Does not support External Storage (i.e. SD Cards)

• Only 1x app in foreground

• Most apps close <10 min after UI context switch (change app)

• Industry “deemed” secure

Page 7: Introduction to Samsung KNOX

Generic Android – Google Sandbox

• “Privilege-Separated” Operating System

• Apps apply for and are granted permissions for outside access

• Apps are “developer” signed (not by Google)

• Support External Storage (SD)

• Traditional volume-level encryption

• Vulnerable to USB/MTP mounting (see above)

• Easy to Root. Hard to 100% detect “Rooting”

• Industry “deemed” not very secure

Page 8: Introduction to Samsung KNOX

Generic Android – Google Sandbox

• Apps are “repackaged” & signed by Samsung

• Apps run in Secure KNOX quarantine

• Secure Boot Loader & SE Kernel

• Security focus is only on the boundary between inside the KNOX container and outside the KNOX container

Page 9: Introduction to Samsung KNOX

What does KNOX protect against?

• Spoofed, Fake or Dangerous Apps (quarantine + app signing)

• Automatic Data at Rest encryption (no need for custom encryption or encryption detection)

• Automatic Remote Kill (no need for data fading/Time-bomb)

• Baked-in SSO authentication

• Secure Corporate Email-Only integration

• 3rd Party Secure Viewer integration

Page 10: Introduction to Samsung KNOX

Exchange ActiveSync & BYOD

• KNOX is ‘Optimized’ for BYOD

• KNOX Email Client – Only Wipes Out KNOX Container [corp. data]

• Ignores data outside KNOX Container [user personal data]

• No additional changes at the Exchange Server

(Note: If the user connects to Exchange with a non-secure/non-KNOX email client, this will still wipe the entire device, as per the current generic Android and iOS behaviour. For more info on EAS Remote Wipe see http://office.microsoft.com/en-us/support/delete-all-information-from-your-lost-phone-or-tablet-HA102834573.aspx?CTT=1)

Page 11: Introduction to Samsung KNOX

Competition

Single Android Containers:

Enterproid “The Divide”

Android Containers & Wrappers:

Good Dynamics

Mocana

O/S & ROM level Solutions:

3LM

Cyanogen

Hardware & Kernel:

Blackberry Balance (BB10)

Samsung KNOX

Page 12: Introduction to Samsung KNOX

More Links

http://www.bloomberg.com/news/2013-01-10/rim-leads-phones-letting-employees-use-own-devices-on-job-tech.html

http://forums.crackberry.com/news-rumors-f40/blackberry-balance-competition-ottawa-citizen-rim-aims-offer-dual-use-phones-762189/

https://www.redbend.com/images/stories/redbend_datasheets/red_bend_data_sheet_true_solution.pdf

http://www.slideshare.net/agent0x0/the-android-vs-apple-ios-security-showdown

https://threatpost.com/en_us/blogs/apple-details-ios-security-features-new-guide-053112

http://0xlab.org/~jserv/android-binder-ipc.pdf

Page 13: Introduction to Samsung KNOX

Thank you

Contact information:

Wayne Pau ([email protected])

Emerging Technologies

