Samsung Knox Raises Android Security Game

Larry Seltzer, BYTE | March 11, 2013 08:15 AM

Category: Tablets, Smartphones

The handset makers are making a play to standardize management and security of their devices in enterprises and especially in BYOD scenarios. Well, some of them are making more of a play than others.

The first big example we got of this was BlackBerry and BES 10. As I explained last week, BES 10 includes some of the new techniques of EMM (Enterprise Mobility Management) such as MAM (Mobile Application Management) and a separation of user and business personalities. These are emerging as the two key technologies in the next generation of mobile device management.


Now Samsung has announced similar capabilities for its phones, called Samsung Knox. It's not an acronym; I guess it's an allusion to Fort Knox (where, since 1937, the Treasury Department has stored the highly secure United States Bullion Depository). There's more to Knox than MAM and personal/user "partitioning," as they call it, but I think these are the most appealing.

With MAM, the company either compiles management hooks into the program or, in the case of third-party programs, installs a "wrapper" program around it that provides management. This allows administrators to set policy for the use of the program: for instance, they may say that it can only read from or write to certain locations, that it may only communicate over SSL, or that it may not put unencrypted data on the clipboard. One common MAM feature is the ability to create a custom VPN session just for that instance of the program.

The business/personal separation addresses the core problem created by BYOD: neither users nor administrators want administrators to have control over personal user data. BlackBerry refers to the separate personal and business uses of its phones as personalities, and Samsung calls them partitions. The division is baked into the operating system, so administrators not only can ignore personal data and programs, they actually have no access to them. The remote wipe becomes a wipe not of the whole phone but of the business personality/partition.
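To make the two mechanisms of the last two paragraphs concrete, here is an added toy model (my own example, not Samsung Knox, BlackBerry or AirWatch code): a wrapper that mediates an app's file, network and clipboard actions against a MAM policy (allowed locations, TLS only, no plaintext clipboard, per-app VPN), and a device with a personal and a business partition where an enterprise wipe clears only the business side and administrators cannot read the personal side at all. All class names, policy fields and sample paths are assumptions made for the example.

```python
"""Toy model of MAM policy enforcement and business/personal partitioning.

Added example; the names, policy fields and sample data are constructed
for illustration and do not correspond to any vendor's real API.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urlparse


class PolicyViolation(Exception):
    """Raised by the wrapper when an app action breaks its MAM policy."""


@dataclass
class AppPolicy:
    allowed_paths: Tuple[str, ...]        # path prefixes the app may read or write
    require_tls: bool = True              # only https:// connections are allowed
    allow_plain_clipboard: bool = False   # may unencrypted data go to the clipboard?
    app_vpn: Optional[str] = None         # name of a per-app VPN tunnel, if any


@dataclass
class Container:
    name: str
    managed: bool                         # True for the business partition
    files: Dict[str, bytes] = field(default_factory=dict)
    clipboard: Optional[Tuple[bytes, bool]] = None  # (payload, encrypted?)


class ManagedApp:
    """Wrapper around an app: each file, network and clipboard action is checked against policy."""

    def __init__(self, name: str, container: Container, policy: AppPolicy):
        self.name, self.container, self.policy = name, container, policy

    def write_file(self, path: str, data: bytes) -> None:
        if not any(path.startswith(p) for p in self.policy.allowed_paths):
            raise PolicyViolation(f"{self.name}: write to {path} outside allowed locations")
        self.container.files[path] = data

    def connect(self, url: str) -> str:
        """Return the route the connection takes: the per-app VPN name or 'direct'."""
        scheme = urlparse(url).scheme
        if self.policy.require_tls and scheme != "https":
            raise PolicyViolation(f"{self.name}: {scheme}:// rejected, TLS required")
        return self.policy.app_vpn or "direct"

    def copy_to_clipboard(self, data: bytes, encrypted: bool) -> None:
        if not encrypted and not self.policy.allow_plain_clipboard:
            raise PolicyViolation(f"{self.name}: unencrypted clipboard data not allowed")
        self.container.clipboard = (data, encrypted)


class Device:
    """A phone with a personal and a business partition; admin actions reach only the latter."""

    def __init__(self):
        self.personal = Container("personal", managed=False)
        self.business = Container("business", managed=True)

    def admin_read_files(self, container: Container) -> Dict[str, bytes]:
        if not container.managed:
            raise PermissionError("administrators have no access to the personal partition")
        return dict(container.files)

    def remote_wipe(self) -> int:
        """Enterprise wipe: clear the business partition only; return files left in personal."""
        self.business.files.clear()
        self.business.clipboard = None
        return len(self.personal.files)


def demo() -> dict:
    """Run the scenario and return the outcomes as data rather than printed text."""
    device = Device()
    device.personal.files["/sdcard/Photos/family.jpg"] = b"jpeg-bytes"  # constructed sample

    policy = AppPolicy(allowed_paths=("/business/docs/",), app_vpn="corp-vpn")
    mail = ManagedApp("mail", device.business, policy)
    mail.write_file("/business/docs/q1.pdf", b"pdf-bytes")          # allowed location
    outcomes = {"vpn": mail.connect("https://mail.example.corp/"), "blocked": []}

    # Three actions the policy should refuse: write outside allowed paths,
    # plain-http connection, and plaintext data on the clipboard.
    for action in (lambda: mail.write_file("/sdcard/Download/q1.pdf", b"x"),
                   lambda: mail.connect("http://mail.example.corp/"),
                   lambda: mail.copy_to_clipboard(b"secret", encrypted=False)):
        try:
            action()
            outcomes["blocked"].append(False)
        except PolicyViolation:
            outcomes["blocked"].append(True)

    try:
        device.admin_read_files(device.personal)
        outcomes["admin_sees_personal"] = True
    except PermissionError:
        outcomes["admin_sees_personal"] = False

    outcomes["business_files_before_wipe"] = len(device.admin_read_files(device.business))
    outcomes["personal_files_after_wipe"] = device.remote_wipe()
    outcomes["business_files_after_wipe"] = len(device.business.files)
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The point of the model is the asymmetry: the wrapper sees every action of the managed app, but the device object gives an administrator no method that reaches the personal container, and the wipe is scoped to the business container by construction rather than by a flag an admin could flip.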

One big difference between the BlackBerry and Samsung approaches is that BlackBerry is pushing BES 10 as a cross-platform management tool: you can use it to manage iOS and Android devices as well as its own BlackBerry phones. Superficially, SAFE is an open standard that other Android handset makers, perhaps even Google itself, could incorporate into their products, but fat chance of that. The truth is that Samsung is ascendant and BlackBerry needs to accommodate users of its competitors' products.

Samsung Knox creates partitions between personal and business use and protects one from the other.

It's more complicated than that. Like the MDM APIs of old, the Knox APIs and Samsung's earlier SAFE (Samsung For Enterprise) APIs are open for third-party management platforms to access. Indeed, my briefing on Knox came not from Samsung but from AirWatch, which announced its support for Knox as Samsung announced it at the recent Mobile World Congress. Other independent mobile security vendors have support for SAFE and will likely support Knox, whereas companies need a BES to support BlackBerry devices. Of course, it's more complicated than that too, as BES also provides a secure communications channel for BlackBerry and, eventually, third-party devices. Knox is in beta. AirWatch, incidentally, says that it implements the most SAFE APIs of any mobile security vendor.

There may be some limitations in the partitioning that are a bit disappointing. For instance, ideally I would want the two personalities to have different phone numbers and accounts. This requires that the phone have two NAMs (Number Assignment Modules) and probably two SIM cards. There are phones like this, and I have seen a business/personal virtualization scheme using the two numbers demonstrated by Cellrox. Click here to read about that and see a video of it. So it can be done, but it's not clear whether either BlackBerry or Samsung is supporting it. Neither demoed it. I asked an AirWatch spokesperson to try, on their Knox phone, to make a phone call in one personality and then switch to the other personality. The phone call persisted. Whether this is correct behavior is unclear to me. There are probably arguments on both sides.

It's pretty obvious that Knox will be supported in the Galaxy S IV, which will be announced this week in New York. Will Samsung add support to older phones, such as the very popular Galaxy S III? No word on that yet.

So both BlackBerry and Samsung are advancing security for their customers. What about Microsoft and Apple, the other big mobile OS companies? Microsoft's APIs and products (basically Intune and System Center) are quite conventional, but Apple doesn't even try. Many years ago it released an MDM API that it cloned from BlackBerry. Apple's locked-down app-deployment process means that many security products are not possible — for instance, the business/personal division is basically impossible on iOS — although it has also prevented the development of any malware of note. I suggest that in the long term, companies like BlackBerry and Samsung that help customers better manage their devices will be more appealing to enterprises.
