Application Security

In addition to securing the platform, Samsung KNOX provides solutions to address the security needs of individual applications including KNOX Workspace, Virtual Private Network support, and Single Sign-on.

KNOX Workspace

Samsung KNOX Workspace is a defense-grade dual persona container product designed to separate, isolate, encrypt, and protect enterprise data from attackers. This work/play environment ensures work data and personal data are separated and that only the work container is managed by the enterprise. Personal information such as photos and messages are not managed or controlled by the IT department. Once activated, the KNOX Workspace product is tightly integrated into the KNOX platform.

Applications and data inside Workspace are isolated from applications outside Workspace: applications outside Workspace cannot use Android inter-process communication or data-sharing methods with applications inside Workspace. For example, photos taken with the camera inside Workspace are not viewable in the Gallery outside Workspace. IT Admins can allow or prevent copy and paste between Workspace and the personal side of the device. When allowed by IT policy, some application data, such as contacts and calendar data, can also be shared across the Workspace boundary. The end user can choose whether to share contacts and calendar events between Workspace and personal space; however, IT policy ultimately controls this option.

The enterprise can manage Workspace like any other IT asset using an MDM solution. This container management process is called Mobile Container Management (MCM). Samsung KNOX supports many of the leading MDM solutions on the market. MCM policies are set in the same fashion as traditional MDM policies. Samsung KNOX Workspace includes a rich set of policies for authentication, data security, VPN, e-mail, application blacklisting, whitelisting, and so on.

Figure 3 Samsung KNOX Personal Environment and KNOX Workspace Environment

Google Play for Work

IT Admins can install Google Play for Work inside KNOX Workspace for app management to silently install and uninstall apps and blacklist or whitelist apps. Enterprise employees can download apps in KNOX Workspace that are approved by IT Admins.

Sensitive Data Protection

KNOX defines two classes of data – protected and sensitive. All data written by apps in the secure Workspace is protected. Protected data is encrypted on disk when the device is powered off. In addition, the decryption key for protected data is tied to the device hardware. This makes protected data recoverable only on the same device. Furthermore, access controls are used to prevent applications outside the KNOX Workspace from attempting to access protected data.

Even stronger protection is applied to sensitive data. Sensitive data remains encrypted as long as the Workspace is locked, even if the device is powered on. When a user unlocks KNOX Workspace using their password, Sensitive Data Protection (SDP) allows sensitive data to be decrypted. When the user re-locks the Workspace, SDP keys are cleared. The SDP data decryption key is tied to both device hardware and to the user input. Therefore, the data is recoverable only on the same device and with user input.

SDP can be used in one of two ways. First, all emails received are considered sensitive and are immediately protected by SDP encryption. Emails received while the Workspace is locked are encrypted immediately and can only be decrypted the next time Workspace is unlocked.
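The key-binding and key-lifecycle properties described above (decryption key derived from both the device hardware and the user's password, key cleared when the Workspace locks, data unreadable on another device or with a different password) are illustrated by the following added example. It is not Samsung's code and not the KNOX SDP implementation: the hardware-bound secret is a constructed random value, the key derivation (PBKDF2 over the password, then HMAC under the device secret) and the HMAC-SHA256 counter-mode cipher are a stdlib-only stand-in for real hardware-backed AES, and the locked-time encryption of incoming mail (which needs public-key wrapping) is outside this model, so writes here require an unlocked store.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for a hardware-bound secret. On a real device this value
# never leaves the hardware key store; here it is just random bytes.
DEVICE_SECRET = secrets.token_bytes(32)


class WorkspaceLocked(Exception):
    """Raised when sensitive data is touched while the Workspace is locked."""


def derive_sdp_key(device_secret: bytes, password: str, salt: bytes) -> bytes:
    """Hypothetical two-factor KDF: stretch the password, then bind the result
    to the device secret. Neither factor alone reproduces the key."""
    pw_key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return hmac.new(device_secret, pw_key, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: an illustrative stdlib-only stream cipher."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key: bytes) -> tuple:
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Layout: nonce(16) || ciphertext || tag(32)."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; a wrong key fails here."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class SensitiveStore:
    """Sensitive-data store: the decryption key exists in memory only while unlocked."""

    def __init__(self, device_secret: bytes):
        self._device_secret = device_secret
        self._salt = secrets.token_bytes(16)
        self._key = None   # None means locked; keys are cleared on lock
        self.blobs = {}    # name -> sealed ciphertext (always encrypted at rest)

    def unlock(self, password: str) -> None:
        self._key = derive_sdp_key(self._device_secret, password, self._salt)

    def lock(self) -> None:
        self._key = None

    def write(self, name: str, data: bytes) -> None:
        if self._key is None:
            raise WorkspaceLocked("locked-time ingestion is outside this model")
        self.blobs[name] = seal(self._key, data)

    def read(self, name: str) -> bytes:
        if self._key is None:
            raise WorkspaceLocked(f"{name!r} stays encrypted while the Workspace is locked")
        return open_sealed(self._key, self.blobs[name])

    def clone_to_device(self, device_secret: bytes) -> "SensitiveStore":
        """Copy the encrypted blobs (and salt) to a store bound to another device."""
        other = SensitiveStore(device_secret)
        other._salt, other.blobs = self._salt, dict(self.blobs)
        return other


def lifecycle_demo(password: str = "correct horse") -> dict:
    """Walk the lock/unlock lifecycle and report each outcome by name."""
    def attempt(store):
        try:
            return store.read("mail/1.eml")
        except (WorkspaceLocked, ValueError) as e:
            return type(e).__name__

    store = SensitiveStore(DEVICE_SECRET)
    store.unlock(password)
    store.write("mail/1.eml", b"Subject: quarterly numbers")
    store.lock()
    while_locked = attempt(store)                 # key cleared: blocked
    store.unlock(password)
    after_unlock = attempt(store)                 # both factors present: readable
    store.unlock("wrong password")
    wrong_password = attempt(store)               # same device, wrong factor
    other_device = attempt(store.clone_to_device(secrets.token_bytes(32)))
    other_device_store = store.clone_to_device(secrets.token_bytes(32))
    other_device_store.unlock(password)           # right password, wrong device
    return {"while_locked": while_locked, "after_unlock": after_unlock,
            "wrong_password": wrong_password, "other_device": other_device,
            "other_device_unlocked": attempt(other_device_store)}


if __name__ == "__main__":
    for step, outcome in lifecycle_demo().items():
        print(f"{step:22} -> {outcome}")
```

The two failure paths are deliberately distinct: a locked store refuses before touching ciphertext (the key simply does not exist), while a wrong password or a foreign device produces a key that fails tag verification, so the ciphertext is never decrypted with an unverified key.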

KNOX Enabled App (KEA)

KNOX Enabled App is a per-app invisible container designed for application developers and vendors to provide security services with minimum effort to Samsung device users. KEA allows service providers to deploy their applications while making full use of the Samsung KNOX platform security without the need for Mobile Device Management (MDM). Since KEA is an invisible, unmanaged container, the user experience is the same as the regular version of the application.

The KEA workspace is implemented based on KNOX Workspace and customized according to use case requirements. KNOX Workspace is created and managed by an MDM, and suitable for the enterprise environment. For individual app vendors and developers, creating, managing and configuring the KEA workspace presents challenges without an MDM. However, with KEA, the device automatically creates and manages the KEA workspace when the KEA app is installed.

To operate as a KEA app, additional information (metadata) is required. When a KEA app is installed on a KEA-capable device, the device detects the metadata and authenticates the app through a KNOX License Manager (KLM) Server. After authentication is completed, the KEA workspace is created, and the app is installed inside the workspace, including configuration of the SE for Android Management Service (SEAMS) container.

If the KEA app is installed on a device that is not KEA-capable, including non-Samsung devices, the KEA metadata is ignored and the app works as a regular Android app, which eliminates the need for a separate version of the app.

Figure 4 Service flow of KNOX Enabled Apps

Virtual Private Network Support

The KNOX platform offers additional comprehensive support for enterprise Virtual Private Networks (VPN). This support enables businesses to offer their employees an optimized, secure path to corporate resources from their BYOD or Corporate-Owned Personally Enabled (COPE) devices.

KNOX offers the following VPN features for IPsec and SSL:

  • Per-app connections

  • On-demand connections

  • Always-on connections

  • Device-wide connections

  • VPN chaining (nested connections)

  • Blocking routes to prevent data leakage if a mandatory VPN connection drops

  • Pushing VPN profiles to multiple managed devices

  • Traffic usage tracking

  • HTTP Proxy over VPN

Single Sign-On

Single Sign-On (SSO) is a feature that provides common access control to several related, but independent software systems. The user logs in once and has access to all systems without being prompted to log in again. For example, SSO allows access to the Workspace container (and participating apps that require credentials within the container) with one password.