Samsung and Google provide more details on Knox contribution to Android L

Summary: As businesses look beyond BlackBerry for smartphone security, Samsung and Google step up to the plate. Knox integration is coming in Android L.

While the material design features of Android L captured most of the attention at Google I/O, the Samsung contribution of Knox is important to the enterprise audience considering future Android devices. Yesterday, Google and Samsung posted more details on Knox integration coming in Android L.

Google and Samsung designed enterprise APIs focused on device and data security, support for IT management, and mobile application management. Similar to what we see in BlackBerry 10, data separation is one of the core functions where personal and corporate applications will remain separated.

Through this managed profile, IT administrators will be able to remotely deploy apps focused on the corporation's business. Having a smartphone with this type of data and application management, along with some IT control, should help alleviate some of the concerns with BYOD security.

Even though Samsung is sharing many of the Knox functions with Google on Android L, they will still offer a superior security solution on Samsung devices. This is due to several features requiring deep hardware integration that can only be managed directly by Samsung. As listed on the Samsung Knox blog, the following will remain specific to Samsung:

  • TrustZone-based Integrity Measurement Architecture (TIMA)
    • Real-time Kernel Protection
    • Client Certificate Management (CCM)
    • Trusted Boot-based Key store
    • Remote attestation
  • Trusted Boot
  • Biometric authentication
  • KNOX Smart Card Support
  • Government-certified KNOX components
    • Common Criteria
    • STIG standards (FIPS certified crypto library, FIPS VPN, audit, etc.)

With the continued work on Knox, Samsung is showing that they are serious about security and want to be the provider for businesses looking for secure solutions.

  • I don't want to be first

    There actually are people on this website that comment and take themselves and their opinion seriously.

  • I will

    Obviously a response to Apple and IBM partnership. Must be getting a little worried.
    Neither company can do anything without Apple doing it first. Sad.
    • What has Apple done first regarding this article?!

      A partnership with IBM!?!
      Samsung Knox is not new, and long before Samsung there was BlackBerry.

      It's always possible to make anyone look like they were the first - for example, stuff like this existed long before the iPad:

      Rectangles with rounded corners... oh please my grand-grand mothers used that :)
  • Trusted Boot?

    Does that mean UEFI-style locked bootloaders? Will this be a problem for rooting and/or flashing ROMs?
    • Flashing

      I doubt most enterprises that are concerned about security allow rooted devices and alternate ROMs on employees' phones.
      • I'm not talking about for employees or enterprise

        I'm talking about for us regular folk. This is all going into Android L source code - it's not just there on enterprise devices.
        • As I understand

          Android L has already been rooted, and most root apps are being modified to work some official release time.
      • Not a problem

        The CyanogenMod team cracked it months ago.
    • It already does

      Look at the rooting guides for the Galaxy S5 or Note 3. They all have a disclaimer saying that once the bootloader attempts to boot from an unsigned kernel, it'll trip an eFuse that can't be reset even if you flash all the way back to stock ROM/kernel/bootloader. Samsung hasn't prevented booting of an unsigned kernel, but the tripped eFuse will void any and all warranty claims, even those that don't involve software issues.

      Google is also starting to frown upon rooters, since Play-bought video content will throw an error message. Similarly, most of Google's OS enhancements, for better or worse, are less frequently at the kernel level, and are either enhancements to Play Services, or to first party apps (Search/Now, Gmail, Maps, etc.). I don't see Google having a whole lot of incentive to keep to their hacker/modder friendly roots. That's not to say that they're going to start sending C&D letters to Chainfire or attempting to litigate the XDA community, but it *is* to say that I don't think that Google sees much value in continuing to focus their efforts on code that makes its way into the AOSP. If literally nothing else, doing so helps their now-direct-competitor Amazon.

      With Knox headed into the kernel, it'll be interesting to see if TPMs and similar "anti-freedom" circuitry starts becoming standard equipment, and exactly how much weight Android will start putting on it. If Google and the Android OEMs start requiring signed bootloaders and actual security exploits become necessary to achieve root access, I foresee the cycle starting all over again. Personally, I would find it hysterically poetic if Microsoft saw catering to the modding community as their entry into mobile, and started selling devices that modders would want and removing the roadblocks for doing so, in order to get a foothold in the market that both Microsoft and Google used to have, but both actively decided to abandon.

      • It already does also

        Both of those devices have been rooted without tripping the counters. Yes, the kernels are locked, but ROMs are still being flashed with impunity. They can even be restored to "stock" and utilize the warranties. What can be secured needs to be able to be unsecured. Otherwise the manufacturers and carriers would not be able to do updates at all. Even the "Super Secure" Microsoft Windows update system on desktops has been cracked when someone (or some country) really wanted to.
  • "Defense grade security" As long as you don't use Google Play Services

    At that point all your data belongs to Google.