Apple's iPhone has received considerable attention for security that defied FBI investigators, but Samsung's Knox, an enterprise security layer for Android devices, scores better in a security evaluation conducted by research firm Gartner.
In a report published earlier this month, Gartner research director Patrick Hevesi compared 12 mobile device platforms -- Android 4, 5, and 6; BlackBerry 10; BlackBerry Android; iOS 8 and 9; Samsung Knox; Windows Phone 8.1 and 10 (Lumia); and Windows 8.1 and 10 (Surface). He awarded Knox more "strong" ratings than any other system.
Of all the platforms evaluated, Knox was the only one with "strong" ratings for every control in the corporate managed security section. The runner-up in terms of corporate managed security was BlackBerry 10, which received ratings of "strong" in every category except Device Firewall Management, where it was rated "average."
Knox 2.6 is the latest version of Samsung's security platform. It's available on the Galaxy S7 and S7 edge devices and can coexist with Google's managed container technology, Android for Work. A Samsung paper describes how Knox differs from Android for Work.
In a statement, Injong Rhee, EVP and head of R&D for Samsung Electronics' software and services for mobile communications business group, expressed pride that Gartner had recognized Knox's advantages.
Gartner's report examined a variety of core OS functions like biometrics, kernel security, and OS updates, as well as functions relevant to IT administration, such as encryption management, workspace isolation, and jailbreak/root protection.
The report avoids recommending a specific brand of device. Rather, it presents strengths and weaknesses, which should be considered in conjunction with the way devices will be used and business requirements. Gartner does advise organizations to avoid older mobile devices known to be exploitable or found lacking in the security or management controls available in more recent hardware.
In a phone interview Hevesi stressed that every client has different needs and that businesses should identify the risks that are relevant to them before choosing a particular platform. "There are obviously drawbacks to everything," he said. "Knox has done some really good things, but not all organizations need Knox."
Hevesi cited the Knox Warranty Fuse, a one-time programmable fuse that gets triggered if a Knox device is ever booted into an unapproved state. Once the fuse has fired, the device can no longer run Knox, and there's no IT reset switch. The feature may be more trouble than it's worth for administrators.
Hevesi also praised the BlackBerry Android's out-of-the-box experience for guiding users toward secure settings. He also gave a thumbs up to Microsoft's enterprise data protection in Windows Phone 10.
One of the gaps in mobile operating systems, Hevesi said, is that the network stack does not force secure communication, meaning a line-of-business app might still send sensitive information without encryption.
"The developers writing these applications need to start think about encrypting everything and [about] how they store keys on these devices," said Hevesi, noting that encryption also has to be supported by default settings that promote security. For example, default data encryption isn't worth much if the device allows the user to choose a weak four-number PIN rather than strong passcode.