Introduction to Samsung KNOX
Basic overview of new Samsung KNOX and how it compares to Generic Android and iOS offerings.

Speaker notes:
  • References for the iOS vs. Android comparison:
    http://www.slideshare.net/agent0x0/the-android-vs-apple-ios-security-showdown
    http://forums.crackberry.com/news-rumors-f40/do-enterprises-still-believe-samsungs-safe-knox-779008/
    http://www.theverge.com/2013/3/6/4071766/galaxy-s-iii-bug-bypasses-lockscreen
    http://www.theverge.com/2013/2/14/3987830/ios-6-1-security-flaw-lets-anyone-make-calls-from-your-iphone
    http://theiphonewiki.com/wiki/ASLR
    https://blog.duosecurity.com/2012/07/exploit-mitigations-in-android-jelly-bean-4-1/
    https://blog.duosecurity.com/2012/02/a-look-at-aslr-in-android-ice-cream-sandwich-4-0/
    https://threatpost.com/en_us/blogs/apple-details-ios-security-features-new-guide-053112
  • http://theiphonewiki.com/wiki/ASLR
  • Android uses AIDL/Binder-style Intents to support IPC. It offers explicit and implicit Intents plus Intent Filters, and leverages the Android permission model.
    http://developer.android.com/guide/components/aidl.html
    http://developer.android.com/reference/android/content/Intent.html
    http://0xlab.org/~jserv/android-binder-ipc.pdf
    http://www.cs.berkeley.edu/~emc/papers/mobi168-chin.pdf
    https://lkml.org/lkml/2009/6/25/3
    https://www.owasp.org/images/c/ca/ASDC12-An_InDepth_Introduction_to_the_Android_Permissions_Modeland_How_to_Secure_MultiComponent_Applications.pdf
  • Note: BB10 runs on QNX, which has a different invocation framework. It is not the same as Android's.

Slide 1. Samsung KNOX
Wayne Pau, Emerging Technologies, SAP
Mar 26, 2013

Slide 2. Samsung KNOX
• Generally more "secure" than existing container/quarantine solutions
• A much "deeper" solution than other Android software options:
  1. Customized Secure Boot
  2. ARM TrustZone-based Integrity Measurement Architecture (TIMA)
  3. Security Enhanced (SE) Kernel
• Allows KNOX to constantly verify/monitor for intrusions/attacks
• Creates a Samsung-only app signing process (i.e. a KNOX-only App Store)
© 2012 SAP AG. All rights reserved. Internal

Slide 3. Samsung KNOX - Developers
• KNOX offers developers "out-of-the-box":
  1. Secure KNOX Container
  2. Separate encrypted file systems (KNOX zone)
  3. FIPS certified VPN client per app
  4. Container level SSO
• Only a "repackage": no need to re-write the app or embed an API
• Integration with MDM vendors for 65 policies:
  • Certificate management
  • Enterprise Single-Sign-On
  • Container Application Policy Group
  • Audit Log
  • Enterprise ISL Group
  • Container Firewall Policy Group
  • SEAndroid Policy Enforcement
  • Enterprise Premium VPN Policy Group
  • Enterprise Container Management Policy Group
  • SmartCard Policy Group
  • Container Password Policy Group
  • Container VPN Policy Group

Slide 4. Inter-App Communication Spectrum
← More Secure | Apple iOS | Samsung KNOX | Google Android | Less Secure →

Slide 5. Inter-App Communication Spectrum
(Diagram: ← More Secure ... Less Secure →)

Slide 6. iOS – Apple Sandbox
• No inter-app communication
• Each app is installed in its own container
• Apps have to be signed by Apple
• Keychain from Apple for passwords/sensitive data
• Does not support external storage (i.e. SD cards)
• Only one app in the foreground
• Most apps close <10 min after a UI context switch (changing app)
• Industry "deemed" secure

Slide 7. Generic Android – Google Sandbox
• "Privilege-separated" operating system
• Apps apply for, and are granted, permissions for outside access
• Apps are "developer" signed (not by Google)
• Supports external storage (SD)
• Traditional volume-level encryption
• Vulnerable to USB/MTP mounting (see above)
• Easy to root; hard to detect "rooting" 100% of the time
• Industry "deemed" not very secure

Slide 8. Generic Android – Google Sandbox
• Apps are "repackaged" & signed by Samsung
• Apps run in the secure KNOX quarantine
• Secure boot loader & SE kernel
• Security focus is only on the boundary between inside the KNOX container and outside the KNOX container

Slide 9. What does KNOX protect against?
• Spoofed, fake or dangerous apps (quarantine + app signing)
• Automatic data-at-rest encryption (no need for custom encryption or encryption detection)
• Automatic remote kill (no need for data fading/time-bomb)
• Baked-in SSO authentication
• Secure corporate email-only integration
• 3rd party secure viewer integration

Slide 10. Exchange ActiveSync & BYOD
• KNOX is "optimized" for BYOD
• KNOX email client – only wipes out the KNOX container [corp. data]
• Ignores data outside the KNOX container [user personal data]
• No additional changes at the Exchange Server
  (Note: If the user connects to Exchange with a non-secure/non-KNOX email client, a remote wipe will still wipe the entire device, as per current generic Android and iOS behaviour. For more info on EAS Remote Wipe see http://office.microsoft.com/en-us/support/delete-all-information-from-your-lost-phone-or-tablet-HA102834573.aspx?CTT=1)

Slide 11. Competition
Single Android O/S & ROM-level containers:
  • Enterproid "The 3LM Divide"
  • Cyanogen
Android containers & wrappers:
  • Good Dynamics
  • Mocana
Hardware & kernel solutions:
  • Blackberry Balance (BB10)
  • Samsung KNOX

Slide 12. More Links
http://www.bloomberg.com/news/2013-01-10/rim-leads-phones-letting-employees-use-own-devices-on-job-tech.html
http://forums.crackberry.com/news-rumors-f40/blackberry-balance-competition-ottawa-citizen-rim-aims-offer-dual-use-phones-762189/
https://www.redbend.com/images/stories/redbend_datasheets/red_bend_data_sheet_true_solution.pdf
http://www.slideshare.net/agent0x0/the-android-vs-apple-ios-security-showdown
https://threatpost.com/en_us/blogs/apple-details-ios-security-features-new-guide-053112
http://0xlab.org/~jserv/android-binder-ipc.pdf

Slide 13. Thank you
Contact information: Wayne Pau (wayne.pau@sap.com), Emerging Technologies