What is Samsung Knox and how does it work?

Samsung’s smartphones are some of the best you can buy on the market, so it’s no wonder they are a beloved choice in the consumer and corporate worlds alike. But if you’ve ever used a Samsung Galaxy smartphone, you may have seen the “Secured by Knox” branding on the packaging and boot screen. That may leave you wondering: what is Samsung Knox and what does it do? So in this article, let’s take a closer look at the often-overlooked security feature and how it helps Samsung position itself as a secure smartphone brand.

What is Samsung Knox?

Samsung defines Samsung Knox as:

Samsung Knox is a business platform for configuring and managing mobile devices – offering efficient and customized use in various industries.

At the heart of it, Knox revolves around managing work devices efficiently. But to do so, the solution had to extend itself to serve several other security and enterprise needs beyond just basic MDM (mobile device management).

To understand what Samsung Knox is, we first have to rewind a bit and look at its history.

Why did Samsung create Knox?

If you’ve followed smartphones for longer than a decade, you obviously have heard of BlackBerry. At its prime, one of BlackBerry’s key selling points was how it promised security to its corporate customers. Your company would issue a BlackBerry phone on which your corporate email account and other work data would reside securely. This worked well when BlackBerry phones were ahead of the curve, but after a point, they were behind rival brands in terms of features. As a result, employees would continue to be issued work-specific BlackBerry devices, while they would prefer an Android or iPhone for their personal use.

Competitors took advantage of this situation by offering “BYOD” (Bring Your Own Device) solutions. Employees would bring their own smartphones to use on the corporate network, skipping the work-issued BlackBerry altogether. Samsung hopped onto the BYOD trend in the corporate sphere with the Samsung Galaxy S3, which also debuted Samsung Knox.

At its inception, Knox was a security platform built into the phone serving one fundamental purpose: keeping corporate data protected and separate. It did so by adopting proprietary means to run and store security-sensitive apps and data inside a protected execution environment on the phone. What this meant was that you could have your personal apps and data reside on the same phone as your work apps and data, and all of your work data would continue to remain secure and uncompromised. Enterprise users appreciated this approach, and Samsung reacted to their needs and demands with the release of the wider “Knox Platform for Enterprise.”

From there on, the platform evolved to incorporate more robust device management solutions, including those that relied on the cloud. By 2015, the platform gained features like EMM (Enterprise Mobility Management), OS version control, device configuration, theft protection, and more. IT admins gained access to centralized consoles that provided a better UX and a more cohesive and unified solution to manage the growing number of these features across even larger fleets of devices. Closer to the current day, the platform gained features that allow for automated device enrollment, and even customer service to enterprises.

The Samsung Knox portfolio

The Knox branding has grown to cover the following:

• Secured by Knox: The primary security platform
• Knox Suite: Samsung’s Unified Endpoint Management solution that further comprises the following:
  • Knox Platform for Enterprise
  • Knox Mobile Enrollment: For bulk device setup and deployment
  • Knox Manage: For mobile management
  • Knox E-FOTA: For controlling OS updates
  • Knox Asset Intelligence: For providing usage analytics
• Knox Configure: For remotely configuring devices
• Knox Guard: For restricting the use of fraudulent devices
• Knox Capture: For enterprise-grade barcode scanning
• Knox Deployment Program: For rebranding devices

What is “Secured by Knox”?

To most people, the “Secured by Knox” branding is going to be the most recognizable form of Knox that they encounter. When you see this branding, you can rest assured that Samsung’s security solution is active and working on your device. Unlike antivirus apps that provide security against viruses through software, Knox provides security to your device against many more threat models, and it does so with a combination of software and hardware safeguards.

Knox’s primary security platform includes the following features:

• Root of Trust
• Knox Vault
• Trusted Boot
• Real-time Kernel Protection
• Device Health Attestation
• Sensitive Data Protection
• App Security

What is Knox Vault?

One of the features that Knox boasts as part of its primary security platform is the Knox Vault. Think of it as a safe within a safe, designed to protect your most valuable data such as PINs, passwords, biometrics, and more from attackers that try to cause your device to malfunction and expose this information.

More technically speaking, Knox Vault is an isolated and tamper-proof secure subsystem with its own processor, memory, and interface to dedicated, non-volatile secure storage. It is an extension of Samsung TrustZone, the Trusted Execution Environment (TEE) that Samsung pioneered. While TrustZone runs a different OS alongside Android on the primary application processor, Knox Vault operates completely independently from the primary processor running the Android OS. This separation means Knox Vault protects sensitive data even if the primary processor itself is completely compromised.

Knox Vault stores sensitive data such as hardware-backed Android Keystore keys, the Samsung Attestation Key, biometric data, and blockchain credentials. Knox Vault is integrated into Samsung devices starting from the Galaxy S21 series.

What is Trusted Boot?

Trusted Boot is a Knox Platform feature that identifies and distinguishes unauthorized or out-of-date bootloaders before they can compromise the device. Enterprises can check for device integrity on demand through Knox Attestation, which reads the measurement data collected by Trusted Boot, along with an SE for Android enforcement setting, to give a verdict on the device’s security health.

Samsung sets a hardware tamper fuse on the device. If an unauthorized or out-of-date bootloader component is detected by Trusted Boot, this tamper fuse is tripped, causing sensitive work apps and data to be permanently encrypted and inaccessible since the integrity of the device is no longer guaranteed. The device user can still boot the device and launch personal apps, but the e-fuse remains permanently and irreversibly tripped, and several Knox features are no longer available. Some apps like Samsung Pay, Samsung Pass, Samsung Health, and Secure Folder will also stop working when Knox is tripped, albeit you can use unofficial workarounds to get some of them to work again.

What is Real-time Kernel Protection?

Another acclaimed feature of Knox is Real-time Kernel Protection (RKP). It is one of the strongest protection against kernel threats and exploits in the industry, and it works seamlessly out-of-the-box, with no setup required.

As the name implies, Real-time Kernel Protection protects the kernel through a variety of means. The primary means involves employing a security monitor within an isolated execution environment. This security monitor intercepts and inspects critical kernel actions before allowing them to execute. This way, real-time kernel protection prevents a compromised kernel from bypassing other security protections.

It further prevents modification of kernel code and logic, critical kernel data structures, and the kernel control flow. Real-time Kernel Protection also includes a feature called Periodic Kernel Measurement (PKM). This feature periodically monitors the kernel to detect if legitimate kernel code and data were modified maliciously. During a device firmware build, the SHA1 hash of every kernel code and read-only data page is calculated and gathered into a measurement file. These measurements are signed by Samsung to ensure data integrity and authenticity. PKM periodically recalculate the measurements of the running kernel and compares them to the signed measurement files. If any discrepancy is detected, a violation is reported to both system logs and the user.

What is Secure Folder?

Secure Folder is a feature on recent Samsung Galaxy smartphones that allows you to further secure your personal apps and data. Samsung says that Secure Folder “leverages the defense-grade Samsung Knox security platform to create a private, encrypted space on your Samsung Galaxy phone.” Apps and data moved to Secure Folder are sandboxed separately on the device and gain an “additional layer of security and privacy.”

However, the company stops short of providing further technical details on how it does so, but it does mention that users need to re-authenticate themselves through PIN, password, pattern unlock, or registered biometric authentication such as fingerprints in order to access content within the Secure Folder.

Essentially, Secure Folder lets you hide apps and data from the home screen, and requires you to pass authentication to access it again. It is similar to third-party app-locking apps found on the Google Play Store but just distributed as a first-party solution baked into Galaxy smartphones.

Secure Folder also provides the ability to manage two separate app accounts on the same device, without needing to log in and out of them. If an app does not support quick-switching between two different accounts, then you can create a copy of the app within Secure Folder to access the second account, without needing to cycle through login flows repeatedly. You can also uninstall the app outside the Secure Folder without affecting the app inside of it, in case you want to hide the app from your home screen.

Secure Folder vs Separated Apps

Secure Folder is different from Knox’s Separated Apps feature that is available to IT admins. Separated Apps isolates third-party apps (such as airline apps, hotel apps…) in a sandboxed folder on the work profile. The third-party apps cannot intercommunicate with work apps or access confidential work data.

Whereas, Secure Folder restricts itself to handling users’ personal files and data. Apps within Secure Folder still retain access to other apps and data found on the phone.

Do all Samsung devices have Knox?

Most Samsung smartphones and tablets come with Knox built-in. However, there are some exceptions, namely some budget smartphones and tablets running on a stripped-down version of One UI called One UI Core that do not come with Knox protection. This is because enabling all of the critical Knox features requires extra hardware and resources.

You can check whether your phone comes with Knox by identifying any Knox branding on the box or other marketing or promotional material. If you already own the device, you can go to Settings > About phone > Software Information and locate the “Knox version” entry. If your phone supports Knox, this entry will display a version number. If your phone does not support Knox, this entry will not exist.

Samsung also maintains a list of devices with their Knox version information on its website. Look for “Android – Secured by Knox” to identify Knox-supported devices.

Samsung Knox-related FAQs