Samsung Knox
Proprietary security framework by Samsung
Knox
DeveloperSamsung
Initial releaseMarch 2013 (2013-03)
Stable release
3.12 / 10 July 2025; 5 months ago (2025-07-10)[1]
Operating systemAndroid and Tizen
Websitewww.samsungknox.com/en

Samsung Knox is a mobile device management (MDM) and trusted computing framework pre-installed on most Samsung mobile devices, and implements ARM TrustZone in hardware. It allows the management of work devices, such as employee mobile phones, interactive kiosks, and barcode scanners.[2] Like other MDMs, Knox allows organizations to control a device's pre-loaded applications, settings, boot-up animations, home screens, and lock screens.[3]

Overview

Knox provides trusted computing and mobile device management (MDM) features. Knox's hardware is based on an implementation of ARM TrustZone, a bootloader ROM, and secure boot (similar to dm-verity and AVB).[4][5] These trusted computing environments are used to store sensitive data, like cryptographic materials and certificates.[6]

MDM allow businesses to customize their devices for their needs. IT administrators can register new devices, identify a unified endpoint management (UEM) system, define the organizational rules that govern the use of devices, and upgrade device firmware over-the-air.[7] Knox's MDM services are registered and accessed through the web,[8] APIs, or proprietary SDKs.[9]

A few Samsung devices with Knox were approved for US governmental use in 2014, as long as they're not used to store classified data.[10]

Since Android 8, Knox is used to prevent root access to apps even after a successful rooting.[11]

In October 2014, a security researcher discovered that Samsung Knox stores PINs in plain text rather than storing salted and hashed PINs and processing them by obfuscated code.[12]

In May 2016, Israeli researchers Uri Kanonov and Avishai Wool found three vulnerabilities in specific versions of Knox.[13]

Several security flaws were discovered in Knox in 2017 by Project Zero.[14][15]

e-Fuse

Rooted Samsung Galaxy S10e with tripped e-fuse

Samsung Knox devices use an e-fuse to indicate whether or not an "untrusted" (non-Samsung) boot path has ever been run. The e-Fuse will be set in any of the following cases:

  • The device boots with a non-Samsung signed bootloader, kernel, kernel initialization script, or data.
  • The device is rooted.
  • Custom firmware is detected on the device (such as non-Samsung Android releases).

On Galaxy Book devices starting with the Galaxy Book 4, upgrading from one Windows version to another (from 22H2 to 23H2) will not set the e-Fuse, but upgrading to a higher edition (from Home to Pro) will[citation needed].

When set, the text "Set warranty bit: <reason>" appears. Once the e-fuse is set, a device can no longer create a Knox Workspace container or access the data previously stored in an existing Knox Workspace.[16] In the United States, this information may be used by Samsung to deny warranty service to devices that have been modified in this manner.[17] Voiding consumer warranties in this manner may be prohibited by the Magnuson–Moss Warranty Act of 1975, at least in cases where the phone's problem is not directly caused by rooting.[18] In addition to voiding the warranty, tripping the e-fuse also prevents some preinstalled apps from running, such as Secure Folder and Samsung Pay.[citation needed] For some older versions of Knox, it may be possible to clear the e-fuse by flashing a custom firmware.[19]

AI and Privacy

Galaxy AI was first introduced on the Galaxy S24 series and later expanded to the Galaxy S25 series and foldable models such as the Samsung Galaxy Z Fold 7 and Samsung Galaxy Z Flip 7. On these devices, Samsung uses Knox as the security platform for selected Galaxy AI features.[20][21] These features use on-device processing components, including the Personal Data Engine, which creates personalized outputs from data stored locally on the device. Information used or generated by these functions is saved in Knox Vault,[22] a hardware-backed secure environment designed to keep sensitive data separate from the main operating system. Some Galaxy AI features that operate across multiple Samsung devices use encrypted communication channels provided by Knox.[23] Users can also choose settings that limit cloud AI processing or require features to run only on the device. In enterprise environments, administrators using Knox Manage or other Knox tools can turn specific Galaxy AI features on or off, or restrict them based on organizational policies.[24]

See also

References

  1. ^ "Samsung Knox 3.12 released". Samsung Knox. Retrieved 2025-09-18.
  2. ^ "Secure mobile platform and solutions". Samsung Knox. January 15, 2021. Archived from the original on December 23, 2020. Retrieved January 15, 2021.
  3. ^ "8 Steps to Customizing Mobile Devices With Knox Configure". Samsung Business Insights. 2020-01-07. Retrieved 2021-01-06.
  4. ^ "Root of Trust | Knox Platform for Enterprise Whitepaper". docs.samsungknox.com. Archived from the original on 2018-11-14. Retrieved 2018-11-13.
  5. ^ "New Samsung Galaxy Note 3 software features explained". Android Authority. 2013-09-04. Archived from the original on 2021-01-09. Retrieved 2021-01-07.
  6. ^ "Samsung TIMA Keystores".
  7. ^ "Knox for Enterprise Mobility". Samsung Knox. Retrieved 2021-01-06.
  8. ^ "Samsung Knox Documentation Ecosystem". docs.samsungknox.com. Retrieved 2021-01-06.
  9. ^ "Samsung Knox Developer Documentation". docs.samsungknox.com. Retrieved 2021-06-28.
  10. ^ Ribeiro, John (2014-10-21). "NSA approves Samsung Knox devices for government use". PCWorld. Retrieved 2018-10-27.
  11. ^ "Disable DEFEX Security to Root Samsung Galaxy Devices on Oreo". 13 October 2018.
  12. ^ Mimoso, Michael (2014-10-24). "NSA-Approved Samsung Knox Stores PIN in Cleartext". Threatpost. Retrieved 2018-10-27.
  13. ^ Forrest, Conner (2016-05-31). "Samsung Knox isn't as secure as you think it is". TechRepublic. Retrieved 2018-10-27.
  14. ^ "How we cracked Samsung's DoD- and NSA-certified Knox". ZDNet.
  15. ^ Ben (2017-02-08). "Project Zero: Lifting the (Hyper) Visor: Bypassing Samsung's Real-Time Kernel Protection". Project Zero. Retrieved 2025-08-02.
  16. ^ Ning, Peng (2013-12-04). "About CF-Auto-Root". Samsung. Archived from the original on 2015-09-05. The sole purpose of this fuse-burning action is to memorize that a kernel or critical initialization scripts or data that is not under Samsung's control has been put on the device. Once the e-fuse bit is burned, a Samsung KNOX-enabled device can no longer create a KNOX Container or access the data previously stored in an existing KNOX Container.
  17. ^ "Just how does Knox warranty void efuse burning work?". XDA Developers Forums. 28 June 2016. Retrieved 2021-01-05.
  18. ^ Koebler, Jason (2016-08-17). "Companies Can't Legally Void the Warranty for Jailbreaking or Rooting Your Phone". Motherboard. Retrieved 2018-10-27.
  19. ^ "Disable Knox on Samsung Galaxy Devices [4 Ways] | Android More". AndroidMore. Archived from the original on 2021-01-05. Retrieved 2020-12-14.
  20. ^ “Samsung expands Knox Vault security to more devices”, *Android Police*, 13 September 2024.
  21. ^ “Galaxy S25 Edge sets new benchmarks for design, AI, and performance in Gulf region.” TahawulTech, 25 November 2025.
  22. ^ “How Samsung Knox Vault works”, XDA Developers, January 10, 2023.
  23. ^ "Samsung unleashes new security features with AI & quantum", *TelcoNews Australia*, 8 July 2025.
  24. ^ "Samsung's Galaxy AI for Business helps companies become more competitive", *Entreprenerd*, 9 August 2025.
  • Official website
Retrieved from "https://en.wikipedia.org/w/index.php?title=Samsung_Knox&oldid=1324389905"