Samsung adds security layer to Android to gain enterprise credibility

Posted:
in iPhone edited January 2014
In response to lackluster interest in Google's Android platform by corporate enterprise and government users, Samsung has announced plans to shore up its smartphones and tablets with third party security software in an initiative branded as "SAFE," or "Samsung For Enterprise."

Announced at last week's Mobile World Congress, Samsung has partnered with Centrify to add "fundamental security and management enhancements" in order "to address the shortcomings of the current open source Android platform."

Samsung Knox SAFE for work

Knox is intended "to address the shortcomings of the current open source Android platform"Branded as "Knox" by Samsung, the new software adds support for a series of enterprise features Android has lagged iOS in supporting. The first of these, support for "Advanced Microsoft Exchange ActiveSync features," was first addressed by Apple five years ago in 2008's iOS 2.0.

The second feature, "on-device AES 256-bit encryption," is a prerequisite of Microsoft's Exchange default policy settings. Apple began supporting hardware device encryption with the iPhone 3GS in 2009.

A third feature touted by Samsung is VPN support, a notable problem for Android users that want to connect to various remote networking systems. It's also a feature Apple began addressing along with Exchange support back in 2008's iOS 2.0. Apple has regularly enhanced its VPN support on iOS devices in subsequent releases over the last half decade.

Welcome to the sandbox, at least for the Galaxy-only version of Android

Another primary focus of Samsung's new Knox layer is app "containerization," a security access control feature that Apple refers to as "app sandboxing" on iOS.

iOS App Sandboxing


Sandboxing prevents one app from being able to read data or modify the code of other apps installed on the system (as portrayed by Apple in its developer documentation, pictured above). This feature helps to contain malware and other security threats, so that even if a vulnerable app is cracked via an exploit (or a malicious app manages to get itself installed on a device), it can't be used to gain further access to other software or data stored on the device.

This feature is critical to enterprise customers who don't want their users to store corporate data on an insecure device loaded with sideloaded home-brew software or malicious software that automatically has full, open access to everything else on the device. In itself, it's a principle reason why Android has such a small showing among enterprise users, despite Android's large presence in low end consumer offerings.

While Google's Android platform offers rudimentary sandboxing security that requires apps to specify what specific permissions they require, it is customary for app developers to request "long lists of permissions that their apps don?t really need."

As a result, users are tasked with approving complex, opaque security requests that essentially give many apps virtually unrestricted access to the user's private information, location and other sensitive data, resulting in issues with developers harvesting inappropriate data from their users, as well as malicious efforts to steal data using phony games and other titles that actually serve as spyware.

Samsung sees little enterprise opportunity; Knox would?

Knox also addresses Android's lack of coherent "single sign on" enterprise mobile authentication and fleet device management features, both of which enable enterprise users to secure their employees' devices with centralized policies (such as disabling Bluetooth or camera features, or preventing app installations) and remotely manage the devices from a central location.

Apple similarly had little previous exposure in the enterprise when it introduced the iPhone in 2007. However, the company immediately made implementing support for enterprise features a central priority, in conjunction with the opening of the App Store back in 2008. Since then, Apple has rapidly introduced new support for related features of interest to business users.

Apple's Macintosh platform had fought for years to be taken seriously in the enterprise; its mobile iOS platform also faced initial barriers of adoption from companies that were heavily invested in enterprise mobile solutions from Blackberry and Microsoft.

However, the usability and desirability of Apple's iPhone, along with an early and focused initiative by Apple to add serious security and management features to iOS, kicked off a global "Bring Your Own Device" trend, rapidly eroding the position of its entrenched competitors and vaulting Apple to the top of corporations' and government agencies' mobile deployment plans. BlackBerry and Microsoft now support more new iOS devices on their own proprietary enterprise servers than their own platforms' devices.

Somewhat ironically, Apple's historical minority share of the enterprise market on the Mac has been reversed with iOS; Apple now accounts for the majority of mobile devices being used in the enterprise, while Microsoft, BlackBerry, Samsung and everyone else share the scraps.

This reversal has also enabled Apple's Macintosh line to gain new access in government and corporate circles, aided by the commonality in software development of the two platforms and the BYOD breakdown of barriers that once protected Windows and BlackBerry from significant new competition.

Good for Samsung, bad for Android

As Android's primary successful and profitable licensee, Samsung is now running into severe barriers of enterprise adoption due to the haphazard and security policies of Google's Android platform, which not only lacks comprehensive, native support for app sandboxing and remote management, but also receives only secondary, limited support from many of the third parties focusing on securing mobile devices.

Apart from the antivirus and malware containment software tools that exist (by necessity) almost exclusively for Android, third party mobile security efforts aren't focused on Android. Instead, they target the iOS devices their enterprise clients are actually using, according to the mobile device management vendors AppleInsider has consulted.



In the regular reports issued by mobile management vendor Good Technology over the past several years, enterprise users have demonstrated "a clear preference" for Apple's iOS. The firm's most recent report noted that Apple held eight of the the top ten spots in mobile phones and tablets (depicted above), a particularly notable metric because Apple has only sold eight different iOS devices since 2010.

Samsung's efforts to make its devices more attractive to the enterprise aren't being shared back with the greater Android community. Instead, Samsung is branding its own "Knox enhanced" version of Android as "safe for business," a phrase that implicitly admits that the stock Android is not safe for business.

The more successful Samsung is in gaining support for its Knox initiative, the harder it will be for Google to have its own Motorola and Nexus branded devices to be taken seriously by enterprise users, not to mention the "white box" market and other smaller brands of Android, Android forks such as Amazon Kindle Fire, and other variants of Android that are collectively pooled to describe an "Android platform," despite various incompatibilities among the fractured third party features and OS API levels of different generations of Android now being sold worldwide.

Two Samsung models are "SAFE," the rest are not

The company has partnered with AT&T to promote Samsung's latest Galaxy SIII and Note II as "safe for business" in new billboards installed in San Francisco (shown below) albeit using advertising that depicts the devices running phony mockups of business presentation and project management software that doesn't really exist.

Samsung SAFESamsung SAFE


Samsung hasn't yet taken on the task of developing its own productivity software to rival Apple's touch-centric Pages, Numbers and Keynote. Instead, its "Galaxy at Work" promotional pages depict additional placeholder apps and the stylus doodle pad apps Samsung bundles on its Note II, performing tasks such as drawing a circle over a photo and scribbling "plans approved," or productively typing a "secure email" while watching a video of children playing in the corner of the screen.

Samsung SAFESamsung SAFE


Samsung's Knox layer is also being extended to Android developers in a way that will result in apps that only work securely on Samsung phones that include the Knox software layer. This excludes not just the vast majority of devices sold worldwide that make use of some version of Android, but also excludes the rest of Samsung's own phones (apart from the SIII and Note II) many of which ship with outdated versions of Google's platform, and which are unlikely to ever be upgraded to support Knox.

Combined with the fact that Samsung has historically refused to issue timely Android updates for its own users, this means that even among companies with liberal "BYOD" policies, very few Android devices can even qualify as having the minimal security required by enterprise users.

SAFE to replace all your hardware?

Some aspects of Knox, including hardware encryption and the Microsoft Exchange support it enables, can't simply be delivered in a software update. Existing Samsung users will simply have to replace their phones.

To address this expense in hardware upgrades, Samsung is offering to purchase company's existing devices in a "safe to switch" program that suggests business can defer as much as $30,000 in upgrade expenses on 100 phones valued at $300 each (about half the cost of buying all new "SAFE" hardware from Samsung).

Samsung SAFE


However, this only applies to the repurchase of brand new devices like a $750 16GB iPhone 5 in perfect condition. For other devices (such as an iPhone 3GS in top condition), Samsung is only offering $30. The company values its own 7 inch AT&T Galaxy Tab at a $65 trade in.
«13

Comments

  • Reply 1 of 51


    Safe will be applied by brush as a greasy layer painted over your Samsung phone for added security. However, if you want the most current version of Safe, you will need to buy a new phone to ensure you have all the latest security features.

  • Reply 2 of 51
    So much Samsung love from the AppleInsider Staff.
  • Reply 3 of 51
    philboogiephilboogie Posts: 7,675member
    Is it true that Android doesn't support WPA-Enterprise?
  • Reply 4 of 51
    chandra69chandra69 Posts: 638member
    Whatever it gives. If it is Google/Android... I am not going to buy! They are tracking everything. I feel like... some ghost is with me.
  • Reply 5 of 51


    It will be interesting to see how well Samsung supports this initiative. Will each device/version be thrown out there and then never updated or will they actually support it like Enterprises will very likely expect?


     


    If Knox implements app sandboxing, will you still be able to use a file manager to gain access to the file system? Will you still be able to use that SD slot? Etc

  • Reply 6 of 51
    slurpyslurpy Posts: 5,382member


    What a clusterfuck Android is. This is something Google needs to be providing, not Samsung. 

  • Reply 7 of 51
    lkrupplkrupp Posts: 10,557member

    Quote:

    Originally Posted by Slurpy View Post


    What a clusterfuck Android is. This is something Google needs to be providing, not Samsung. 



     


    But the clusterfuck is WINNING and Apple is DOOMED¡

  • Reply 8 of 51
    hill60hill60 Posts: 6,992member


    <-------------- Google Android


     


    Samsung Android ------------>

  • Reply 9 of 51
    jragostajragosta Posts: 10,473member
    I wonder how much this slows down the UI - which is already very laggy.
  • Reply 10 of 51
    solipsismxsolipsismx Posts: 19,566member
    Kudos to Samsung for providing what Google can't.
  • Reply 11 of 51
    lkrupplkrupp Posts: 10,557member

    Quote:

    Originally Posted by Suddenly Newton View Post



    So much Samsung love from the AppleInsider Staff.


     


    They're getting ready to make the switch when doomed Apple is shut down, the assets sold off, and the money returned to the shareholders. Oh wait! That's exactly what Einhorn and the analysts want¡

  • Reply 12 of 51
    drblankdrblank Posts: 3,385member

    Quote:

    Originally Posted by lkrupp View Post


     


    But the clusterfuck is WINNING and Apple is DOOMED¡



    Sounds like you listen to the delusional media.  Sounds about right. So, what version OS is Samsung shipping?  4.1.1 and older.  God, they can't even ship their Android crap with the latest OS.  

  • Reply 13 of 51


    The really funny thing is that a Samsung device that's "SAFE" is no longer as "open" as the Android lovers like to claim. You can't have your cake (being open and free to mods) and eat it too (being secure).

  • Reply 14 of 51
    gatorguygatorguy Posts: 24,176member

    Quote:

    Originally Posted by PhilBoogie View Post



    Is it true that Android doesn't support WPA-Enterprise?


    There's a thread on just that, found here:


    http://forums.androidcentral.com/google-nexus-7-tablet/203136-google-still-hasnt-fixed-wpa-enterprise.html


     


    If I read it right it did, then it didn't, then it does again.image

  • Reply 15 of 51
    9secondko9secondko Posts: 929member
    So... Android has to get "fixed" before it's even safe?!?!

    why bother?

    Just get iOS and have better hardware, better software, and its been safe for a while.

    The bottom line with Android is that no one needs it, its slower, its not as safe, and it even looks like junk.

    It's been a fun experiment for tinkerers, but the iOS devices are actual, polished, proper products.

    And it has been that way from the start.
  • Reply 16 of 51

    Quote:

    Originally Posted by drblank View Post


    Sounds like you listen to the delusional media.  Sounds about right. So, what version OS is Samsung shipping?  4.1.1 and older.  God, they can't even ship their Android crap with the latest OS.  



     


    FYI, an upside down exclamation mark ¡ = /s = sarcasm

  • Reply 17 of 51
    derekmorrderekmorr Posts: 237member
    Even for DED, this article has low standards. It's so full of distortions and cherry picked half-truths that it's disturbing to think anyone will take it seriously.
     
    A few points:
     
    * Android has had full-disk encryption for two years, since 3.0. It uses AES-128 in CBC mode with SHA256. You can read the full implementation details online. Conveniently, DED neglected to mention this. iOS's AES-256 is just an incremental improvement over AES-128.
     
    * Android has had app sandboxing since day one. Each application runs in a separate process space with randomized user and group ids. Apps can't access one another's internal files (filesystem permissions prevent this). Applications can choose to expose some of their functionality to other apps via services or content providers, but these can be protected by permissions. Further, critical system partitions are mounted read-only.
     
    The NSA has ported the SE Linux MAC framework to Android, and much of this code has been merged into AOSP (see here and here for specific commits). This code isn't yet enabled by default, pending further review. (Update: The Knox implementation uses SE Android.)
     
    But when DED says, "Sandboxing prevents one app from being able to read data or modify the code of other apps installed on the system" he neglects to say that this is already the case on Android and has been since version 1.0. 

    * DED neglects to mention that Android has supported VPNs since 1.6 (released in 2009).
    This was made more flexible in 4.0 (running on about 43% of devices), and again in 4.2. Cisco supports their proprietary VPN solution on Android.
     
    * Does DED have a source for his claims that Android apps request extra permissions that "give many apps virtually unrestricted access to the user's private information, location and other sensitive data, resulting in issues with developers harvesting inappropriate data from their users..." ? Further, is he aware of the study by Appthority that claims that iOS apps leak more personal information than Android apps?
     
    * DED claims that Android lacks centralized device policy support. This is false. It was added in 2.2, which was released in 2010. See this article for specifics. Google has an app which implements these policies.
     
    * DED also hypes up the "malware" FUD. Hasn't this horse been beaten enough? If you stick to legitimate, reputable app stores, you're fine. Rather than repeat myself, I'll just link to a comment I made six months ago with more detail.
     
     
    I know this is an Apple fan site, but could you at least try to get some of the details right?
  • Reply 18 of 51
    tallest skiltallest skil Posts: 43,388member


    Originally Posted by lkrupp View Post

    But the clusterfuck is WINNING…


     


    I'd love to quote this, but…





    Originally Posted by drblank View Post

    Sounds like you listen to the delusional media.


     


    ¡ is sarcasm.

  • Reply 19 of 51
    kdarlingkdarling Posts: 1,640member

    Quote:

    Originally Posted by derekmorr View Post




    Even for DED, this article has low standards. It's so full of distortions and cherry picked half-truths that it's disturbing to think anyone will take it seriously.



     


    Besides the fact that the article (and Samsung) made it sound like Android didn't already have this stuff, the author got the "app containerization" totally wrong.


     


    What Samsung has done, is used the Open Source NSA SE (Security Enhanced) version of Android to implement what they call KNOX (as in Fort Knox).


     


    What KNOX does, is divide the device into a personal container and an enterprise container.  This is very powerful, especially for BYOD.


     


    The user can do and install whatever they want on the personal side, even malware, and it cannot access nor harm the secure enterprise side.   Likewise, it means that enterprise management tools cannot look at or wipe out your personal life, even if they need to scan or wipe the enterprise side.


     


    The enterprise side of KNOX provides a secure environment where existing Android applications such as email, browsers, file sharing, and other apps can work without any rewriting.  

  • Reply 20 of 51

    Quote:

    Originally Posted by derekmorr View Post




    I know this is an Apple fan site, but could you at least try to get some of the details right?



     


    Yes. Let's get all the details right including the ones you also conveniently forgot to mention. Pot meet Kettle.

Sign In or Register to comment.