KNOX Sensitive Data Protection

Overview

Protecting sensitive data-at-rest (DAR) is a growing concern because mobile devices are at increasing risk of being lost or stolen. Doing it properly takes substantial effort, so it is often overlooked. Samsung KNOX therefore added Sensitive Data Protection (SDP) to provide adequate protection for such sensitive data.

KNOX Sensitive Data Protection provides a framework and APIs that enable developers to mark individual data files as sensitive, or to create a directory that automatically marks every file stored within it. While the device is in the locked state, data marked as sensitive is kept encrypted under an SDP cryptographic key, so if those files are somehow acquired by others, no readable information can be recovered from them.

Setting up the Environment

The following software and tools are needed to develop a sample app that implements KNOX Sensitive Data Protection (SDP).

  • Windows Workstation

    • Android Studio 2.0

    • Android 6.0 Marshmallow

    • Java SE Development Kit 8

  • Samsung Galaxy Device

    • Android 6.0 Marshmallow

    • KNOX 2.6 or later

    • USB cable

  • Samsung Account

  • Sample App

Generating an SDP License

The SDP license from Samsung allows your app to access the premium security and encryption features built into the SDP framework. The SDP key is passed to every device that you manage with your solution. When the SDP key has been compromised, Samsung can invalidate it, and any app that uses the compromised key will no longer be able to control the device.

a. Navigate to the SEAP Enrollment Form (https://seap.samsung.com/enrollment) and log in with your Samsung Account.

Figure 1 Getting Started with Samsung Account

b. Fill in the SEAP form to complete your enrollment, then click Submit.

Figure 2 SEAP Enrollment Form

c. Navigate to the License Keys page (https://seap.samsung.com/license-keys).

d. Click Generate License Keys and select the KNOX ISV SDK.

e. Add a Key Alias (for example, ISVKEY).

f. Click Generate License Key.

Figure 3 Generating KNOX ISV License Key

g. Click Agree to accept the KNOX Independent Software Vendor SDK License agreement and continue the key creation process.

h. When the ISV License Key has been created successfully, the License Key is displayed in your SDP License Keys list.

Figure 4 License Key

Download the ISV SDK

a. Navigate to the ISV SDK page (https://seap.samsung.com/sdk/knox-isv-android).

b. Click Download SDK.

Step 1. Create a New Android Project

Note

For your convenience, Samsung has already prepared the basic code. You can open the "Before_SDP code" project located on the desktop and skip steps 3-a to 3-c.

a. Launch the Android Studio IDE and create a new project. In this tutorial, SDPSample will be used as the project name.

Figure 5 Creating a New Project in Android Studio IDE

b. In the Create New Project dialog, add an Empty Activity named MainActivity. This generates the layout file activity_main.xml.

c. Click Finish to create the new Android project.

d. Open the activity_main.xml and add the following views.

<Button
	android:layout_width="wrap_content"
	android:layout_height="wrap_content"
	android:text="Activate SDP License"
	android:id="@+id/btnActivateELM"
	android:layout_alignParentTop="true"
	android:layout_centerHorizontal="true" />
<EditText
	android:layout_width="fill_parent"
	android:layout_height="50dp"
	android:id="@+id/fileNameText"
	android:hint="File Name"
	android:singleLine="true"
	android:layout_alignRight="@+id/btnActivateELM"
	android:layout_alignEnd="@+id/btnActivateELM"
	android:layout_alignLeft="@+id/btnActivateELM"
	android:layout_alignStart="@+id/btnActivateELM"
	android:layout_below="@+id/btnActivateELM" />
<Button
	android:layout_width="wrap_content"
	android:layout_height="wrap_content"
	android:text="Make text file"
	android:id="@+id/btnMakeData"
	android:layout_below="@+id/fileNameText"
	android:layout_alignRight="@+id/fileNameText"
	android:layout_alignEnd="@+id/fileNameText"
	android:layout_alignLeft="@+id/fileNameText"
	android:layout_alignStart="@+id/fileNameText"  />
<Button
	android:layout_width="wrap_content"
	android:layout_height="wrap_content"
	android:text="Set Sensitive Data"
	android:id="@+id/btnSetSensitive"
	android:layout_below="@+id/btnMakeData"
	android:layout_alignRight="@+id/btnMakeData"
	android:layout_alignEnd="@+id/btnMakeData"
	android:layout_alignLeft="@+id/btnMakeData"
	android:layout_alignStart="@+id/btnMakeData" />
<TextView
	android:layout_width="wrap_content"
	android:layout_height="wrap_content"
	android:id="@+id/edmScreenOutput"
	android:text="License Result"
	android:layout_below="@+id/btnSetSensitive"
	android:layout_alignRight="@+id/btnSetSensitive"
	android:layout_alignEnd="@+id/btnSetSensitive"
	android:layout_alignLeft="@+id/btnSetSensitive"
	android:layout_alignStart="@+id/btnSetSensitive" />

e. Open MainActivity.java and make the MainActivity class implement View.OnClickListener as shown below. Android Studio will then generate the onClick() method for you.

public class MainActivity extends Activity implements View.OnClickListener { … }

f. Declare each view as a field of MainActivity and set the click listener for the buttons (in onCreate(), after setContentView()).

// Fields of MainActivity: Button mbtnActivateSDP, mbtnSetSensitive, mbtnMakeData; EditText fileName
mbtnActivateSDP = (Button) this.findViewById(R.id.btnActivateELM);
mbtnActivateSDP.setOnClickListener(this);
mbtnSetSensitive = (Button) this.findViewById(R.id.btnSetSensitive);
mbtnSetSensitive.setOnClickListener(this);
mbtnMakeData = (Button) this.findViewById(R.id.btnMakeData);
mbtnMakeData.setOnClickListener(this);
fileName = (EditText) findViewById(R.id.fileNameText);

g. Modify the onClick() method as shown below; the individual cases are filled in during the following steps.

switch (v.getId()) {
	case R.id.btnActivateELM:
		break;
	case R.id.btnMakeData:
		break;
	case R.id.btnSetSensitive:
		break;
}

Step 2. Add SDP Support to Your App

a. Navigate to the location of Samsung KNOX ISV SDK and open the libs folder.

b. Copy the sdp.jar and license.jar files from the SDK and add them to the libs folder of your Android project.

c. Open your AndroidManifest.xml file and locate the <application> element. Add the following <meta-data> child element; this enables SDP for your app.

<application
	android:allowBackup="true"
	android:icon="@mipmap/ic_launcher"
	android:label="@string/app_name"
	android:theme="@style/AppTheme" >
	<meta-data android:name="sdp" android:value="enabled"/>
	<activity
		android:name=".MainActivity" 

d. Add the following permissions.

<uses-permission android:name="android.permission.sec.MDM_LICENSE" />
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
<uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" />

Step 3. Register a License Activation Broadcast Receiver

a. Create the BroadcastReceiver class as an inner class of MainActivity, so that it can reach the activity's views. The following code displays custom text indicating whether license activation succeeded.

// Inner class of MainActivity: findViewById() and edmBroadcastOutput (a TextView field) resolve against the activity
public class TestBroadcaster extends BroadcastReceiver {

	private static final String TAG = "Test";

	@Override
	public void onReceive(Context context, Intent intent) {
		String action = intent.getAction();
		// Constant-first comparison avoids a NullPointerException on intents without an action
		if (EnterpriseLicenseManager.ACTION_LICENSE_STATUS.equals(action)) {
			String status = intent.getStringExtra(EnterpriseLicenseManager.EXTRA_LICENSE_STATUS);
			int errorCode = intent.getIntExtra(EnterpriseLicenseManager.EXTRA_LICENSE_ERROR_CODE, 1);
			int extraResult = intent.getIntExtra(EnterpriseLicenseManager.EXTRA_LICENSE_RESULT_TYPE, 1);
			edmBroadcastOutput = (TextView) findViewById(R.id.edmScreenOutput);
			edmBroadcastOutput.setText("EDM Status = " + status + ",  " + "Error Code= " + errorCode + ",  " + "Extra Result Type= " + extraResult);
		}
	}
}

b. Register the broadcast receiver (for example in onCreate()).

IntentFilter edmLicenseIntent = new IntentFilter(EnterpriseLicenseManager.ACTION_LICENSE_STATUS);
TestBroadcaster edmLicenseBroadcast = new TestBroadcaster();
registerReceiver(edmLicenseBroadcast, edmLicenseIntent);

Step 4. Activate the SDP License

a. To activate the SDP license, obtain the EnterpriseLicenseManager instance and call its activateLicense() method as shown below. The outcome is delivered asynchronously to the broadcast receiver registered in Step 3.

case R.id.btnActivateELM:
	try {
		EnterpriseLicenseManager edm = EnterpriseLicenseManager.getInstance(getApplicationContext());
		edm.activateLicense("DemoISVKey", "com.samsung.developer.sdpsample");
	} catch (Exception e) {
		// Do not swallow the failure silently; the activation result itself arrives via the broadcast receiver
		e.printStackTrace();
	}
	break;

b. Replace “DemoISVKey” with the License Key.
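The receiver in Step 3 only displays the activation result; a practical app also needs to remember it, because the SDP calls in the next step are only meaningful once the license is active. The class below is an added example, not code from the Samsung tutorial or the ISV SDK: it registers the receiver, records whether activation succeeded, unregisters the receiver when the activity is destroyed, and passes the app's own package name to activateLicense() instead of a hard-coded string. Assumptions: EnterpriseLicenseManager is imported from the license.jar package of the SDK version you downloaded (the package name differs between KNOX SDK releases, so the import is left out); the license status extra carries the string "success" on a successful activation, as documented for the KNOX license API (verify against your SDK version); the class, field and method names, and the ISV_LICENSE_KEY placeholder, are this example's own.

```java
import android.app.Activity;
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.os.Bundle;
import android.util.Log;
import android.widget.TextView;
// Assumed import (package depends on the KNOX SDK version): EnterpriseLicenseManager from license.jar

public class LicenseGatedActivity extends Activity {
    private static final String TAG = "SdpLicense";
    // Placeholder: replace with the ISV License Key generated on SEAP
    private static final String ISV_LICENSE_KEY = "<YOUR_ISV_LICENSE_KEY>";

    private TextView licenseOutput;
    // Written by the receiver on the main thread, read by click handlers; volatile keeps it simple
    private volatile boolean licenseActivated = false;

    // Anonymous inner receiver: it can update the activity's views directly
    private final BroadcastReceiver licenseReceiver = new BroadcastReceiver() {
        @Override
        public void onReceive(Context context, Intent intent) {
            if (!EnterpriseLicenseManager.ACTION_LICENSE_STATUS.equals(intent.getAction())) {
                return; // not the broadcast we registered for
            }
            String status = intent.getStringExtra(EnterpriseLicenseManager.EXTRA_LICENSE_STATUS);
            int errorCode = intent.getIntExtra(EnterpriseLicenseManager.EXTRA_LICENSE_ERROR_CODE, -1);
            int resultType = intent.getIntExtra(EnterpriseLicenseManager.EXTRA_LICENSE_RESULT_TYPE, -1);
            licenseActivated = isSuccessStatus(status);
            String line = "License status=" + status + " error=" + errorCode + " resultType=" + resultType;
            Log.i(TAG, line);
            if (licenseOutput != null) {
                licenseOutput.setText(line);
            }
        }
    };

    // Assumption: a successful activation reports the status string "success"
    static boolean isSuccessStatus(String status) {
        return "success".equalsIgnoreCase(status);
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
        licenseOutput = (TextView) findViewById(R.id.edmScreenOutput);
        registerReceiver(licenseReceiver, new IntentFilter(EnterpriseLicenseManager.ACTION_LICENSE_STATUS));
    }

    @Override
    protected void onDestroy() {
        // Always pair registerReceiver() with unregisterReceiver() to avoid leaking the activity
        unregisterReceiver(licenseReceiver);
        super.onDestroy();
    }

    /** Starts license activation; the result arrives asynchronously in licenseReceiver. */
    void activateSdpLicense() {
        try {
            EnterpriseLicenseManager elm = EnterpriseLicenseManager.getInstance(getApplicationContext());
            // getPackageName() avoids a hard-coded package string that silently breaks on rename
            elm.activateLicense(ISV_LICENSE_KEY, getPackageName());
        } catch (SecurityException e) {
            // Raised when the MDM_LICENSE permission from Step 2 is missing
            Log.e(TAG, "activateLicense failed", e);
        }
    }

    /** Click handlers for the SDP buttons should check this before touching SdpFileSystem. */
    boolean isLicenseActivated() {
        return licenseActivated;
    }
}
```

Gating the "Make text file" and "Set Sensitive Data" handlers on isLicenseActivated() turns a silent failure (setSensitive() returning false on an unlicensed app) into a clear message to the user, and the log line gives a support engineer the error code and result type to work from.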

Step 5. Mark Generated Data as Sensitive

a. Construct a new SdpFileSystem object, which is used to treat files as sensitive. In the sample app, a text file is created to serve as sample data; the setSensitive API then marks that text file as sensitive.

case R.id.btnMakeData:
	textFile = fileName.getText().toString();
	try {
		sdpFileSystem = new SdpFileSystem(this, null);
		File makeData = new File(sdpFileSystem.getFilesDir(), textFile);
		// Create the (empty) file, then release the descriptor so it is not leaked
		FileOutputStream fileOutputStream = new FileOutputStream(makeData);
		fileOutputStream.close();
		edmBroadcastOutput.append("\n" + "File created in: " + sdpFileSystem.getFilesDir());
	} catch (SdpEngineNotExistsException e) {
		// The device has no SDP engine (for example, a non-KNOX device or an unsupported KNOX version)
		e.printStackTrace();
	} catch (Exception e) {
		e.printStackTrace();
	}
	break;
case R.id.btnSetSensitive:
	if (sdpFileSystem == null) {
		break; // no file has been created yet, so there is nothing to mark
	}
	try {
		File file = new File(sdpFileSystem.getFilesDir(), textFile);
		if (!sdpFileSystem.isSensitive(file)) {
			boolean result = sdpFileSystem.setSensitive(file);
			Toast.makeText(this, "setSensitive returned: " + result, Toast.LENGTH_SHORT).show();
		}
	} catch (Exception e) {
		e.printStackTrace();
	}
	break;
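The tutorial's handlers create an empty file and mark it in two separate button presses, which leaves a window in which real content would sit on disk unmarked. The helper below is an added example, not code from the Samsung tutorial or the ISV SDK, showing how a practitioner would wrap the same SdpFileSystem calls (the constructor, getFilesDir(), isSensitive() and setSensitive() used above): it validates the user-supplied file name so it cannot escape the SDP files directory, writes and syncs the content, marks the file sensitive in the same operation, verifies the mark, and deletes the file if marking failed rather than leaving plaintext behind. Assumptions: SdpFileSystem and SdpEngineNotExistsException are imported from the sdp.jar package of your SDK version (left out because it varies between releases); the class and method names are this example's own.

```java
import android.content.Context;
import android.util.Log;

import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
// Assumed imports (package depends on the KNOX SDK version): SdpFileSystem, SdpEngineNotExistsException from sdp.jar

/** Writes app data into the SDP files directory and only reports success once the file is marked sensitive. */
public final class SensitiveFileStore {
    private static final String TAG = "SensitiveFileStore";
    private final SdpFileSystem sdpFs;

    /** Throws SdpEngineNotExistsException when the device has no SDP engine; callers should fall back or refuse. */
    public SensitiveFileStore(Context context) throws SdpEngineNotExistsException {
        // null selects the default SDP engine, exactly as the tutorial does
        sdpFs = new SdpFileSystem(context, null);
    }

    /**
     * Writes content to name inside the SDP files dir and marks it sensitive.
     * Returns the file on success; throws IOException (after removing the file) otherwise.
     */
    public File storeSensitive(String name, String content) throws IOException {
        File dir = sdpFs.getFilesDir();
        File target = new File(dir, name);
        // A user-typed name such as "../../shared/notes.txt" must not escape the protected directory
        if (!target.getCanonicalPath().startsWith(dir.getCanonicalPath() + File.separator)) {
            throw new IOException("refusing file name outside the SDP files directory: " + name);
        }

        // try-with-resources closes the stream even if write() throws
        try (FileOutputStream out = new FileOutputStream(target)) {
            out.write(content.getBytes(StandardCharsets.UTF_8));
            out.getFD().sync(); // content reaches storage before the file is marked
        }

        boolean marked = sdpFs.isSensitive(target) || sdpFs.setSensitive(target);
        if (!marked || !sdpFs.isSensitive(target)) {
            // Fail closed: an unmarked copy of sensitive content must not remain on disk
            if (!target.delete()) {
                Log.w(TAG, "could not delete unprotected file " + target.getName());
            }
            throw new IOException("setSensitive failed for " + name);
        }
        Log.i(TAG, "stored sensitive file " + target.getName() + " in " + dir);
        return target;
    }

    /** Lets the UI confirm the state of an existing file, as the "Set Sensitive Data" button does. */
    public boolean isSensitive(File file) {
        return sdpFs.isSensitive(file);
    }
}
```

A click handler would call new SensitiveFileStore(this).storeSensitive(fileName.getText().toString(), body) inside a try block, catching SdpEngineNotExistsException separately from IOException so the two failure modes (no SDP on this device versus marking failed here) are reported differently. Note that SDP encrypts the marked file while the device is locked; while it is unlocked the app reads it as a normal file, so the app's own access controls still matter.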

Step 6. Build and Run the Sample App

a. Click the Run 'app' button in Android Studio. This builds your app with Gradle, asks you to select a deployment target (choose your connected Samsung Galaxy device), and then deploys the app to your device.

b. In the sample app, click the Activate SDP License button to activate the KNOX SDP License. The first activation displays the Samsung KNOX Privacy Notice popup; check the box to agree, then click Confirm.

Figure 5 Samsung KNOX Privacy Notice Popup

c. After a few seconds, the cloud-based Samsung license server sends a response, which the app displays as shown in the screenshot below.

Figure 6 License Result

d. Enter a file name of your choice in the text field, then click the Make Text File button to generate a text file. The path is displayed in the app as shown below.

Figure 7 Sample Data

e. Click the Set Sensitive Data button to mark the text file as sensitive. A toast is displayed once the data has been set as sensitive.

Figure 8 Sensitive Data