Everything KNOX...

lawalty · Oct 10, 2013

FYI: Please don't get offended by me posting this thread. I searched and couldn't find anything dedicated to KNOX and discussions about it. So I created a thread where we can hammer out our ideas, and logic.

Firstly, here is a little video explaining what Samsung KNOX is:

My "cliff note" explanation of what KNOX is:

A virtual environment, on your phone, where running "un-approved" applications, will not affect the KNOX environment. In other words, it's like running a program like Virtual Box for your Note 3, and only pre-approved "limited" apps can run in this environment. In the video, it says how taking a picture, can be emailed and shared, yet outside of KNOX, you can't access this picture.

https://www.samsungknox.com/

KNOX has been in development for quite some time. What I have found out, it's like Fort Knox (get the pun?). Fort Knox is known to be impenetrable (http://ainulfarina.blogspot.com/2013/01/fort-knox-most-secure-vault-in-world.html). Samsung has partnered with various software and hardware companies to develop a platform for the infrastructure of business, with security in mind. We're talking about security on the hardware level. To market this, to tap into the business/enterprise world, using the Note 3 as the preferred paperless, go to device. To achieve this, they need sell the idea that security is king. However, they don't want to exclude the rest of the market of the common everyday individual. That's why Samsung tag line is "Work and play on one device".

This KNOX environment needs to be installed and set up. The desired list of apps would need to be pre-approved for your devise as part of the set-up process. I'm sure this is on an organizational level.

noc007 · Oct 10, 2013

I have a couple of questions on KNOX which I hope the answer is Yes to both:
Will it work if the phone is un-rooted, but had been previously rooted?
Will it prevent MDM applications from reading personal stuff like installed text messages and other stuff outside of KNOX on the phone?

There are a few things that I'd like to do which requires root to do. A couple of examples, among many, are removing bloatware that can't be disabled and BT pairing a PS3 controller.

My employer has selected MobileIron for their MDM due to the head of Security having some relative there (nepotism) when there were plans to use and sell as a SaaS solution the less intrusive AirWatch. Interest in MobileIron by our customers is much lower than AirWatch since it doesn't fit into the SaaS model like our other services.

The big problem with MobileIron from an end user perspective is how intrusive it is. It logs everything and sends that info to the management server; this includes text messages. On company issued equipment, no privacy is to be expected however, that privacy is expected on my personal stuff. I'm told MobileIron has the capability to go through the phones storage and download anything.

I'll consider leveraging KNOX if those two questions have "Yes" as an answer. Frankly, my employer is being unreasonable with their mobile requirements (long story) and the head of Security maintains his ass as his hat with more power than he should because of his relationship with a VP or the CEO. I have been using an alternate method to the silliness of walking around with two phones that facilitates their electronic checks; I just don't advocate the solution.

lawalty · Oct 10, 2013

noc007 said:
I have a couple of questions on KNOX which I hope the answer is Yes to both:
Will it work if the phone is un-rooted, but had been previously rooted?
Will it prevent MDM applications from reading personal stuff like installed text messages and other stuff outside of KNOX on the phone?

I have many friends who have rooted their phones, but none that I know use the KNOX environment. Even using the Note 2 for a full year, this is the first time i've heard of KNOX when exploring my Note 3.

I also want to know if triggering the KNOX flag, can that environment still be accessed, or even installed?

I can only assume the answer would be "yes" to your second questions, since it's a separate environment altogether. I understand that anything done outside KNOX mode is excluded from effecting it, however wouldn't it be the same from within?

To answer your first question, we would need someone who rooted their phone, and simply select KNOX from the app drawer, go through the install process and find out.

nygmam · Oct 11, 2013

While I haven't chosen to activate or use Knox, I believe you are limited to installing apps from the Knox store. You can see the apps available on the store at the Knox Website.

Not only will Knox basically run all apps in a sandbox, it will only run Knox approved apps, further locking down the possibility of something bad being installed. You can't even take a screen shot in the Knox environment. Think of it as a locked down virtual box on your phone, that separates your work life from your private, and protects the work related data.

wing_addict_usa · Oct 11, 2013

selinux

siraltus · Oct 11, 2013

lawalty said:
I also want to know if triggering the KNOX flag, can that environment still be accessed, or even installed?

Once the KNOX WARRANTY VOID bootloader flag is set to 0x1, the phone is considered compromised and the KNOX secure container cannot be created. In other words, once you root, the KNOX sandbox will never function again.

The flag is there for exactly this purpose - to disallow compromised devices from accessing secure apps and systems that require sandboxing; the fact Samsung also started using it to deny warranty claims is a side effect caused by their greed.

Steve Lazarus · Oct 12, 2013

siraltus said:
Once the KNOX WARRANTY VOID bootloader flag is set to 0x1, the phone is considered compromised and the KNOX secure container cannot be created. In other words, once you root, the KNOX sandbox will never function again.

The flag is there for exactly this purpose - to disallow compromised devices from accessing secure apps and systems that require sandboxing; the fact Samsung also started using it to deny warranty claims is a side effect caused by their greed.

I really think Samsung should of had a business line of Note 3 devices, as compared to every phone having the Knox "container", I think it's a contributing Factor to the bootloop issues that are widespread and creating more headaches than it's worth.

There's going to be a very small population of users that will actually consider even using Knox, yet as stated, is creating major issues in the Note 3 community.

Sent from my SM-N900T using XDA Premium 4 mobile app

lawalty · Oct 12, 2013

What was Samsung thinking of putting KNOX on the Note 3s with unlocked bootloaders? If simply rooting the phone triggers the KNOX flag, permanently flagging the phone for any future dealings with this secure mode for businesses, wouldn't it be simpler to only have the flag if rooted?

So if your phone is not rooted, then you can install KNOX. If you phone currently is rooted, then no KNOX.

My fear is that other companies, that don't like people rooting the phones where their apps are installed on, might hop on this, and consider this as a solution.

Sent from my SM-N900T using XDA Premium 4 mobile app

wing_addict_usa · Oct 12, 2013

knox flag is the same thing as the note ii warranty flag. wtf do they call it knox

anyway its bs i cant use knox if im rooted

muqali · Oct 12, 2013

siraltus said:
Once the KNOX WARRANTY VOID bootloader flag is set to 0x1, the phone is considered compromised and the KNOX secure container cannot be create.... the fact Samsung also started using it to deny warranty claims is a side effect caused by their greed.

Just open the phone, use some fine wires to pump enough voltage and current into it to fry some stuff. Make it look like a charger or battery issue. Warranty still "valid". They want to screw us, we can screw back.

Limeybastard · Oct 12, 2013

muqali said:
Just open the phone, use some fine wires to pump enough voltage and current into it to fry some stuff. Make it look like a charger or battery issue. Warranty still "valid". They want to screw us, we can screw back.

So I wasn't the only one. Did this once back in the Nokia 2110 days. They got smart and put tamper proof stickers on them these days. Some I heard even hide them.

Sent from my SM-N900T using Tapatalk 4

bobbyphoenix · Oct 13, 2013

You can root, install ROMs, trigger all the trip wires they have, and if something does go wrong, or there is a real issue that has nothing to do with rooting like dust under the screen, but now Samsung refuses to honor the warranty because the Knox is void, try to install a ROM that is not for the phone and hard brick it. 100% no chance of it ever booting again. No tamper evidence of opening the phone. "Gee Samsung I don't know what happened. I went to turn it on, and nothing happens. I'm under warranty, so I'll send it in for repair." "Hello customer, We confirm the phone will not turn on. We are replacing it for you under warranty. Here is your new phone." Hmm.. I can see people doing this because Samsung is trying to avoid warranty claims for legit issues.

zmore · Oct 13, 2013

bobbyphoenix said:
You can root, install ROMs, trigger all the trip wires they have, and if something does go wrong, or there is a real issue that has nothing to do with rooting like dust under the screen, but now Samsung refuses to honor the warranty because the Knox is void, try to install a ROM that is not for the phone and hard brick it. 100% no chance of it ever booting again. No tamper evidence of opening the phone. "Gee Samsung I don't know what happened. I went to turn it on, and nothing happens. I'm under warranty, so I'll send it in for repair." "Hello customer, We confirm the phone will not turn on. We are replacing it for you under warranty. Here is your new phone." Hmm.. I can see people doing this because Samsung is trying to avoid warranty claims for legit issues.

Actually, Samsung will still fix a KNOX-tripped device, as long as it's under 12-months old, just not for FREE. You pay shipping + materials + labor, which is still way better than having to a re-buy a new $700 device. We can argue all day that Samsung shouldn't be "lame" in refusing to fix certain hardware problems that could not possibly be blamed on rooting & ROMming, but that's their right.

(Read Samsung's warranty fine-print yourself if you'd like)

01010001 · Oct 13, 2013

zmore said:
Actually, Samsung will still fix a KNOX-tripped device, as long as it's under 12-months old, just not for FREE. You pay shipping + materials + labor, which is still way better than having to a re-buy a new $700 device. We can argue all day that Samsung shouldn't be "lame" in refusing to fix certain hardware problems that could not possibly be blamed on rooting & ROMming, but that's their right.

(Read Samsung's warranty fine-print yourself if you'd like)

That's like saying buying a laptop that comes with Windows and then installing Linux on it voids the warranty. They are getting absurd amounts of money from us, it's just pure greed on their part.

zmore · Oct 13, 2013

01010001 said:
That's like saying buying a laptop that comes with Windows and then installing Linux on it voids the warranty. They are getting absurd amounts of money from us, it's just pure greed on their part.

PC makers would do the same if they could. They started down that road with Trusted Computing and secureboot, but PCs have historically been more open.

lawalty · Oct 13, 2013

Steve Lazarus said:
I really think Samsung should of had a business line of Note 3 devices, as compared to every phone having the Knox "container".

I TOTALLY agree! Again, why would the brain-heads over at Sammys have this KNOX crap on all their flag ship phones, with unlocked bootloaders? Wouldn't it make more sense to sell a business/enterprise Note 3 directly to businesses with this KNOX crap pre-installed with locked bootloaders, and leave us flag ship unlocked bootloaders alone.

GEEZUS! [face-palm] It just doesn't make sense.

Sent from my SM-N900T using XDA Premium 4 mobile app

lawalty · Oct 13, 2013

I'm telling you all. If this doesn't get bypassed somehow, and it remains completely permanent, other companies will eventually get on board with this nonsense. Especially DRM with music and video. This KNOX flag just might stand the test, and remain.

Sent from my SM-N900T using XDA Premium 4 mobile app

d474corruption · Oct 13, 2013

Knox seems to me, to be a bit of a redundant idea.

If you cannot protect your own device, because let's be serious security starts at the USER not some software you have installed, then watch the websites you visit and the apps you load from third parties.

Knox is a false sense of security if you ask me. It makes the inexperienced user feel like their device is impenetrable, which it isn't.

Its like a desktop, your desktop will only be as secure as you make it, based on how you use it. There will always be security threats, always. You need to learn how to protect YOURSELF rather than depend on some bogus app.

moto211 · Oct 13, 2013

d474corruption said:
Knox seems to me, to be a bit of a redundant idea.

If you cannot protect your own device, because let's be serious security starts at the USER not some software you have installed, then watch the websites you visit and the apps you load from third parties.

Knox is a false sense of security if you ask me. It makes the inexperienced user feel like their device is impenetrable, which it isn't.

Its like a desktop, your desktop will only be as secure as you make it, based on how you use it. There will always be security threats, always. You need to learn how to protect YOURSELF rather than depend on some bogus app.

I think you misunderstand the purpose of knox. Knox does not exist to provide security to the end user. Knox is for BYOD business environments. Because the devices are user not employer provided, it would be an administrative nightmare to inspect every device that users want to bring into the corporate environment. By leveraging knox, a company can institute a policy that user provided devices cannot have the knox flag tripped if they want access to the corporate network resources and applications. Trip the flag, no access for you.

Sent from my SM-N900T using XDA Premium 4 mobile app

lawalty · Oct 13, 2013

moto211 said:
I think you misunderstand the purpose of knox. Knox does not exist to provide security to the end user. Knox is for BYOD business environments. Because the devices are user not employer provided, it would be an administrative nightmare to inspect every device that users want to bring into the corporate environment. By leveraging knox, a company can institute a policy that user provided devices cannot have the knox flag tripped if they want access to the corporate network resources and applications. Trip the flag, no access for you.

Sent from my SM-N900T using XDA Premium 4 mobile app

I agree, however it should be more a toggle than a permanent switch. Example, if your device is presently rooted with a custom recovery, then no knox. If your device was rooted but not anymore with oem recovery, then yes to knox.

This permanent flag is disheartening.

However, I can envision using this as a good selling point. Taking a pic of your phone's screen for ebay, showing to the world it has NEVER been rooted. I guess you would have proof.

Sent from my SM-N900T using XDA Premium 4 mobile app

Everything KNOX...

Senior Member

Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Member

Senior Member

Senior Member

Similar threads

Top Liked Posts