Understand the use of the Trusted Execution Environment (TEE), and how it provides hardware-backed security in the Samsung Knox architecture.
- [Instructor] While the TEE isn't available to consumer developers, there is a halfway capability available. It's common now for enterprises to have bring your own device policy, which enables business activities to be conducted on personal mobile devices. Samsung has provided support for this, with their Samsung Enterprise Alliance program. This program provides business-to-business support to developers of secure applications for enterprise use, backed by hardware-based security in the trusted execution environment.
It provides all the SDKs necessary for enterprise developers to create secure applications, and in turn, uses the TEE to leverage hardware security support. The Knox framework allows the development of secure enterprise apps which run within what is known as a Knox container, protecting them from the personal apps and processes outside the container. Essentially, a Knox container is a highly trusted part of the REE, which provides a rich set of APIs for supporting mobile device management and enterprise app use.
Inside the Knox container, a number of frameworks including single sign on, virtual private networks, and smart card capability can be used to provide added security. It enhances security through services running in the TEE such as the trusted boot monitor, the TrustZone integrity management architecture, or TIMA, and also through use of adoption of the security-enhanced Android features. The TrustZone integrity management architecture continuously monitors the integrity of the Linux kernel, and forms the first line of defense against malicious attacks on the kernel and core bootstrap processes.
If it detects integrity violations, it can disable the kernel and restart the device to a known good state. This provides a high level of confidence, that when running, the device is secure. Know also has specific security features to support online payments, such as applying mandatory access controls to ensure that only the Samsung pay app is allowed to access payment-specific functionality, and using TrustZone-enabled user authentication. Knox architecture is delivered as standard on the Samsung Galaxy mobiles.
Developing and using Knox secure apps requires and enterprise license from Samsung. Google has worked with Samsung to adapt some of the Knox features to it's Android at work set of applications, also designed for enterprise use.
- Understanding Android OS, app, and hardware security components
- Using the Trusted Execution Environment
- Developing Android apps with security in mind
- Analyzing existing applications
- Understanding Android vulnerabilities
- Securing Android apps
- Developing secure enterprise apps