Tutorial: Attestation (v2)
Samsung Knox Attestation lets you verify that a Samsung Android device has not been rooted and is not running unofficial firmware that could compromise data integrity.
This v2 version of Attestation is used on devices running Knox v3.3 or earlier. The v2 version uses the earlier AttestationPolicy class and the v2 REST API. For information about the latest version of Attestation, see Attestation (v3). We recommend that you migrate any v2 deployments to v3 to take advantage of the latest security features.
About Attestation
TIMA
Attestation uses TIMA (TrustZone-based Integrity Measurement Architecture), a patented technology that is exclusively licensed by Samsung. TIMA checks the following:
- Linux kernel
- Loadable kernel modules
- Selected kernel data structures
- Key SE for Android data structures, in kernel memory
TIMA derives measurements from these components and stores them in a tamper-resistant part of TrustZone hardware. Measurements are initially made from a device's original factory kernel. While a device is being used, TIMA does:
- Periodic monitoring of kernel text and RO data sections
- Controlled loading of unauthorized kernel modules
TIMA can thus detect whether legitimate kernel code or unverified code is running at the kernel level, to prevent malicious attacks from corrupting the device.
Attestation
Knox Attestation has the ability to check device integrity on-demand, from a remote web server. When requested, a Knox Attestation agent on the device:
- Reads the previously stored measurement information
- Checks the Knox Warranty Bit value, which indicates if a device has been rooted
- Combines the data in a proprietary way to produce an attestation verdict, which indicates if tampering is suspected
This verdict is sent to the requesting web server. It includes a cryptographic signature based on the device's unique attestation certificate, which is embedded in the device during the manufacturing process. This ensures that the attestation verdict cannot be altered in transit without detection.
Any further action is determined by the enterprise. If device tampering is suspected, an enterprise can choose to uninstall apps from the device, erase sensitive data, check the location of the device, or simply log the event for later action.
How Attestation works
To perform attestation for a device, you must create both:
- An Android app to initiate the attestation check on a device
- A web script to communicate with Samsung's Attestation server
Here is the end-to-end process:
- Get a nonce. A nonce is a random value that uniquely identifies each attestation request. Each nonce is valid for a short time period, after which the Attestation Server fails any request made using that nonce. This is to avoid a replay attack that could allow an attacker to reuse a past attestation result.
- Start attestation. You set up a service connection with the Knox Attestation Agent, to begin the attestation and handle the resulting blob (Binary Large OBject) through an intent.
- Get the attestation verdict. Finally, you send the blob to the Attestation Server, which indicates if a device passed or failed its integrity checks.
Attestation examples
Set up server
In the following examples, we use an Apache server on a Linux operating system with PHP as the scripting language. You can set up such a web server from scratch quite simply. If you don’t have a web server, you can enroll in a free or trial cloud service to get quick access to one.
If you are new to web server setup, here are some basic Linux commands to set up the server:
```shell
# Start from an Ubuntu 14.0 installation, then:
sudo apt-get update
sudo apt-get install apache2
sudo apt-get install php5 libapache2-mod-php5 php5-mcrypt php5-curl
sudo /etc/init.d/apache2 restart
```
Alternatively, you can use a pre-built environment, such as that provided by Apache Friends.
Once you have a web server with PHP support, copy your scripts into the folder /var/www/html. In the sample Attestation app, there are two PHP scripts, called nonces.php and measurements.php, which you can copy into this folder.
Secure communication
For secure communication with the Attestation server, use an HTTPS connection and an SSL certificate to encrypt data sent over the connection. Make sure to purchase an SSL certificate from a trusted provider; self-signed certificates are not trusted by the Attestation server. Also, make sure your certificate contains the complete certificate chain. For help, please consult your web provider.
Vendor-Unique Attestation Key
In the header of every REST API call to the Attestation server, identify yourself by encoding your own unique Vendor-Unique Attestation Key, which you can get from the Knox Partner Portal.
Start attestation
Define an attestation intent in the manifest
When the AttestationPolicy has a blob containing the attestation measurements, it broadcasts the intent com.samsung.android.knox.intent.action.KNOX_ATTESTATION_RESULT. To handle this intent, your app must hold the permission com.samsung.android.knox.permission.KNOX_REMOTE_ATTESTATION.
Identify the class that handles this intent. In our sample app com.samsung.business.sdk.attestation, we use the class AttestationReceiver. Declare the class in the Android manifest file as follows:
```xml
<receiver android:name="com.samsung.business.sdk.attestation.AttestationReceiver"
          android:enabled="true">
    <intent-filter>
        <action android:name="com.samsung.android.knox.intent.action.KNOX_ATTESTATION_RESULT"/>
    </intent-filter>
</receiver>
```
Start attestation using AttestationPolicy
Your app communicates with the Knox Attestation agent using the AIDL, as declared through the file IAttestation.aidl.
```java
// import AttestationPolicy
import com.samsung.android.knox.integrity.AttestationPolicy;

// Apache HttpClient classes used for the nonce request
import org.apache.http.HttpResponse;
import org.apache.http.client.HttpClient;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.impl.client.DefaultHttpClient;
import java.io.BufferedReader;
import java.io.InputStream;
import java.io.InputStreamReader;

// declare AttestationPolicy to call the API (context is the calling Activity or Service)
private AttestationPolicy mPolicy;
mPolicy = new AttestationPolicy(context);

// request a nonce from your own web server, identifying yourself with your
// Vendor-Unique Attestation Key (apiKey) in the x-knox-attest-api-key header
String svrAddr = "http://attestation.example.com/nonces";
HttpClient httpClient = new DefaultHttpClient();
HttpPost httppost = new HttpPost(svrAddr);
httppost.addHeader("x-knox-attest-api-key", apiKey);
HttpResponse response = httpClient.execute(httppost);

// read the whole response body into a string
InputStream inputStream = response.getEntity().getContent();
BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(inputStream));
String readLine = bufferedReader.readLine();
StringBuffer stringBuffer = new StringBuffer("");
while (readLine != null) {
    stringBuffer.append(readLine);
    stringBuffer.append("\n");
    readLine = bufferedReader.readLine();
}
String output = stringBuffer.toString();

// extract the nonce from the response body, which has the form {"nonce":"<value>"}
// (10 characters precede the value; the closing "} and the trailing newline follow it)
String mNonce = output.substring(10, output.length() - 3);

// call startAttestation with the nonce
mPolicy.startAttestation(mNonce);
```
Handle the attestation intent
Your app handles the intent com.samsung.android.knox.intent.action.KNOX_ATTESTATION_RESULT by passing it to AttestationReceiver.onReceive(). This method is where you handle the blob sent by the AttestationPolicy.
```java
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.util.Log;
// import the package that defines constants for values returned by AttestationPolicy
import com.samsung.android.knox.integrity.AttestationPolicy;

public class AttestationReceiver extends BroadcastReceiver {
    private static final String TAG = "Attestation";
    static AttestationFragment attestationFragment;

    // Get the current fragment instance (AttestationFragment is the sample app's UI fragment)
    public AttestationReceiver(AttestationFragment attestationFragment) {
        AttestationReceiver.attestationFragment = attestationFragment;
    }

    @Override
    public void onReceive(Context context, Intent intent) {
        // Get the result of the intent
        final int result = intent.getIntExtra(AttestationPolicy.EXTRA_RESULT, Integer.MIN_VALUE);
        switch (result) {
            // check if communication with the Knox Attestation Agent was successful
            case AttestationPolicy.RESULT_ATTESTATION_SUCCESSFUL:
                // Get the blob from the intent
                byte[] blob = intent.getByteArrayExtra(AttestationPolicy.EXTRA_ATTESTATION_DATA);
                // Get the status from within the blob
                attestationFragment.getAttestationStatus(blob);
                break;
            default:
                // any other value is an error code reported by the Attestation agent
                Log.e(TAG, "Attestation did not complete, result code " + result);
                break;
        }
    }
}
```
Get Nonce
Get a nonce from your web script
In your Android app, request a nonce from your web server. On the web server, you need a script to take the request and forward it to Samsung’s Attestation server. In the sample Attestation app, there is a script called nonces.php that does this.
```java
// identify the URL of your web server
private static final String URL_MDM_SERVER_NONCE = "http://attestation.example.com/nonces";

// through HTTP, send a nonce request to your web server, passing your
// Vendor-Unique Attestation Key (HttpClient is the sample app's helper class)
String response = HttpClient.getInstance().getNonce(URL_MDM_SERVER_NONCE,
        mEditApiKey.getText().toString());
```
In this example, we use a string variable called response to store the resulting nonce. Later, you will parse the response into a JSON object and pass it to the Attestation agent on the device.
Get a nonce from the Attestation server
In your web script, build the request to get a nonce from the Attestation Server. Our sample app does this using PHP, which you can find in the file nonces.php:
```php
<?php
// nonces.php: forward the app's nonce request to the Attestation server.
// The app sends the Vendor-Unique Attestation Key in the x-knox-attest-api-key header.
$api_key = isset($_SERVER['HTTP_X_KNOX_ATTEST_API_KEY']) ? $_SERVER['HTTP_X_KNOX_ATTEST_API_KEY'] : '';
$accept = 'application/json'; // assumed: the nonce is returned as JSON

$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, "https://attest-api.secb2b.com/v2/nonces");
curl_setopt($curl, CURLOPT_POST, 1);
// verify the Attestation server's TLS certificate (the original sample set this to false)
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, true);
// with RETURNTRANSFER off, curl_exec() writes the response straight back to the app
curl_setopt($curl, CURLOPT_RETURNTRANSFER, false);
$headers = array(
    'x-Knox-attest-api-key: '.$api_key,
    'Accept: '.$accept
);
curl_setopt($curl, CURLOPT_HTTPHEADER, $headers);
curl_exec($curl);
curl_close($curl);
```
For details about the syntax of the REST API calls to the Attestation Server, see the Attestation REST API Reference.
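The Attestation server rejects a stale nonce, but it does not know which device your web server handed a nonce to. The relay below, an added Python example rather than the sample app's PHP, records that binding and forwards a blob only once, for the request that obtained the nonce. The NonceRegistry class, relay_nonce, relay_blob, the device_id value and the 60-second local lifetime are this example's own assumptions; forward stands in for the POST to /v2/blobs?nonce=….

```python
import json
import threading
import time

# Assumed local lifetime for a nonce; the Attestation server enforces its own limit.
NONCE_TTL_SECONDS = 60

# Constructed sample of the {"nonce":"..."} body returned by /v2/nonces.
SAMPLE_UPSTREAM_NONCE_RESPONSE = '{"nonce":"d3adb33f-example"}'


class NonceRegistry:
    """Remember which nonce the relay handed to which device, so a blob is
    forwarded to the Attestation server only once and only for the request
    that obtained that nonce."""

    def __init__(self, ttl=NONCE_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock          # injectable so tests can advance time
        self._lock = threading.Lock()
        self._issued = {}            # nonce -> (device_id, issued_at)
        self._used = set()

    def issue(self, device_id, nonce):
        with self._lock:
            self._issued[nonce] = (device_id, self._clock())

    def consume(self, device_id, nonce):
        """True only for an unexpired, unused nonce that was issued to device_id."""
        with self._lock:
            entry = self._issued.get(nonce)
            if entry is None or nonce in self._used:
                return False
            owner, issued_at = entry
            if owner != device_id or self._clock() - issued_at > self._ttl:
                return False
            self._used.add(nonce)    # one blob per nonce
            return True


def relay_nonce(registry, device_id, upstream_response):
    """Handle the app's nonce request: parse the Attestation server's reply as
    JSON (rather than by fixed offsets), record it, and return the nonce."""
    nonce = json.loads(upstream_response)["nonce"]
    registry.issue(device_id, nonce)
    return nonce


def relay_blob(registry, device_id, nonce, blob, forward):
    """Handle the app's blob upload. forward(nonce, blob) stands in for the POST
    to /v2/blobs?nonce=...; it is only called for an acceptable nonce."""
    if not registry.consume(device_id, nonce):
        return {"error": "unknown, expired or already used nonce"}
    return forward(nonce, blob)
```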
Get verdict
Send a blob to your web server
Send the blob to your web server using the HTTP protocol. On the web server, you need a script to take the blob and forward it to Samsung’s Attestation server; in the sample Attestation app, that script is called measurements.php. The Android app sends the blob as follows:
```java
// send the blob to your web server, passing the nonce used for this attestation as a query parameter
String response = HttpClient.getInstance().getAttestationStatus(
        "http://my.attestation.server.com/measurements" + "?nonce=" + mNonce,
        blob, mEditApiKey.getText().toString());
```
In this example, we use a string variable called response to store the resulting verdict. Later, you will parse the response into a JSON object and display the verdict details.
Get a verdict from the Attestation server
In the web script, build a request to get the attestation verdict from the Attestation server. Our sample code does this using PHP, which you can find in the source code file measurements.php:
```php
<?php
// measurements.php: forward the blob to the Attestation server and relay the verdict.
$api_key = isset($_SERVER['HTTP_X_KNOX_ATTEST_API_KEY']) ? $_SERVER['HTTP_X_KNOX_ATTEST_API_KEY'] : '';
$accept = 'application/json';                          // assumed: the verdict is returned as JSON
$nonce = isset($_GET['nonce']) ? $_GET['nonce'] : '';  // the app appends ?nonce=<value> to the URL
// pass the app's content type through; default assumed if the app sent none
$content_type = isset($_SERVER['CONTENT_TYPE']) ? $_SERVER['CONTENT_TYPE'] : 'application/octet-stream';
$entityBody = file_get_contents('php://input');        // the raw blob posted by the app

$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, "https://attest-api.secb2b.com/v2/blobs?nonce=".rawurlencode($nonce));
curl_setopt($curl, CURLOPT_POST, 1);
curl_setopt($curl, CURLOPT_POSTFIELDS, $entityBody); // Post Fields
// verify the Attestation server's TLS certificate (the original sample set this to false)
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, true);
// with RETURNTRANSFER off, curl_exec() writes the verdict straight back to the app
curl_setopt($curl, CURLOPT_RETURNTRANSFER, false);
$headers = array(
    'x-Knox-attest-api-key: '.$api_key,
    'Accept: '.$accept,
    'Content-type: '.$content_type
);
curl_setopt($curl, CURLOPT_HTTPHEADER, $headers);
curl_exec($curl);
curl_close($curl);
```
You can process the verdict in either the web script or Android app.
Display the verdict
Here, we use the Android app to convert the attestation response into a JSONObject to extract the results of the attestation, including the attestation verdict:
```java
import org.json.JSONArray;
import org.json.JSONException;
import org.json.JSONObject;

// mAttestationStatus holds the JSON verdict relayed by your web server
private String formatAttestationResult(String mAttestationStatus) throws JSONException {
    JSONObject jsonObject = new JSONObject(mAttestationStatus);
    StringBuilder buff = new StringBuilder();
    // get the overall verdict
    String verdict = jsonObject.getString("verdict");
    buff.append("verdict = " + verdict);
    // get the detailed measurements
    String measurements = jsonObject.getString("measurements");
    buff.append("measurements = " + measurements);
    String mac = jsonObject.getString("MAC");
    buff.append("mac = " + mac);
    JSONObject rkp_dashboard = jsonObject.getJSONObject("RKP_Dashboard");
    buff.append("RKP_Dashboard " + "\n");
    // get the UCM ODE info that explains a verdict of No
    JSONObject reasonVerdictNo = jsonObject.getJSONObject("reasonVerdictNo");
    buff.append("\todeEnabled = " + reasonVerdictNo.getString("odeEnabled"));
    buff.append("\tmeasurementMismatch = " + reasonVerdictNo.getString("measurementMismatch"));
    buff.append("\tTamperFuseSet = " + reasonVerdictNo.getString("TamperFuseSet"));
    String ucmOdePluginSignature = jsonObject.getString("ucmOdePluginSignature");
    buff.append("ucmOdePluginSignature = " + ucmOdePluginSignature);
    String ucmOdeVenderId = jsonObject.getString("ucmOdeVenderId");
    buff.append("ucmOdeVenderId = " + ucmOdeVenderId);
    // display each individual violation
    JSONArray violations = rkp_dashboard.getJSONArray("violations");
    for (int i = 0; i < violations.length(); i++) {
        JSONObject obj = violations.getJSONObject(i);
        buff.append("violations " + i + "\n");
        buff.append("\ttimestamp = " + obj.getString("timestamp"));
        buff.append("\tcounter = " + obj.getString("counter"));
        buff.append("\tserialNumber = " + obj.getString("serialNumber"));
    }
    return buff.toString();
}
```
For details about the fields returned in the verdict, see the Attestation REST API Reference.
Here is how the app displays the attestation results:
A verdict of:
- Yes — indicates that the device passed the integrity checks
- No — indicates that the device might have failed the integrity checks
- If UCM ODE is enabled, the attestation blob might return a verdict of "no". You can check which vendor activated UCM ODE with the JSON values ucmOdeVenderId and ucmOdePluginSignature, and handle those attestation results separately.
The tamperBit indicates whether or not the Knox Warranty Bit has been set.
- 0 — indicates that unauthorized firmware has never been installed on the device.
- 1 — indicates that unauthorized firmware has been installed on the device.
The status indicates whether or not the blob is authentic, based on its digital signature and public key certificate.
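Since the page leaves the response to a verdict to the enterprise, here is an added Python example (not part of the original page or the sample app) of server-side verdict handling that combines the fields described above: status, verdict, tamperBit, reasonVerdictNo and the RKP_Dashboard violations. The decision policy is illustrative, and the literal "authentic" for an authentic status is an assumption; the field names are those used in the Java snippet.

```python
import json

# Assumed literal for the "status" field of an authentic blob; the page only says
# that status reports whether the blob's signature and certificate verified.
AUTHENTIC_STATUS = "authentic"

# Constructed sample verdict in the shape the Java snippet parses.
SAMPLE_RESPONSE = json.dumps({
    "verdict": "No", "tamperBit": 0, "status": AUTHENTIC_STATUS,
    "reasonVerdictNo": {"odeEnabled": "true", "measurementMismatch": "false",
                        "TamperFuseSet": "false"},
    "ucmOdeVenderId": "vendor-placeholder",
    "RKP_Dashboard": {"violations": []},
})


def _is_true(value):
    # reasonVerdictNo fields are read as strings by the sample app; accept bools too
    return str(value).lower() == "true"


def evaluate_verdict(raw_json):
    """Map a v2 attestation response to an example enterprise decision.

    Returns (action, reasons). action is REJECT_RESPONSE (signature did not
    verify), TRUSTED, ODE_REVIEW (a "No" explained only by UCM ODE), or
    UNTRUSTED. The policy is this example's, not Samsung's.
    """
    d = json.loads(raw_json)

    # 1. A blob whose signature did not verify carries no usable information.
    if d.get("status") != AUTHENTIC_STATUS:
        return "REJECT_RESPONSE", ["blob signature or certificate check failed"]

    reasons = []
    verdict = str(d.get("verdict", "")).lower()
    tamper_bit = str(d.get("tamperBit", "1"))   # a missing field is treated as set
    if tamper_bit == "1":
        reasons.append("Knox Warranty Bit set: unauthorized firmware was installed")

    # 2. Kernel-protection violations recorded in the RKP dashboard.
    for v in d.get("RKP_Dashboard", {}).get("violations", []):
        reasons.append("RKP violation counter=%s at %s" % (v.get("counter"), v.get("timestamp")))

    if verdict == "yes" and not reasons:
        return "TRUSTED", []

    if verdict == "no":
        why = d.get("reasonVerdictNo", {})
        mismatch = _is_true(why.get("measurementMismatch"))
        fuse = _is_true(why.get("TamperFuseSet"))
        if _is_true(why.get("odeEnabled")) and not mismatch and not fuse and not reasons:
            # UCM ODE alone can yield "No": route to vendor-specific handling.
            return "ODE_REVIEW", ["UCM ODE enabled by vendor %s" % d.get("ucmOdeVenderId")]
        if mismatch:
            reasons.append("kernel measurement mismatch")
        if fuse:
            reasons.append("tamper fuse set")
        reasons.append("attestation verdict No")
    elif verdict != "yes":
        reasons.append("unexpected verdict value %r" % d.get("verdict"))
    return "UNTRUSTED", reasons
```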