
VPN Platform Enhancement

Introduction

This article describes the Knox 3.8 SDK APIs that improve the VPN platform.

These improvements also reduce the risk of data leakage in situations where VPN partners have not implemented their clients as expected.

Automatic VPN Profile Recreation

VPN profile recreation is required to avoid data leakage from an application. The VPN profile connection is responsible for carrying all the data that the applications bound to it send over the network. If the Android Framework database and the VPN client database are not aligned, the VPN connection is not established and the application's network traffic leaves the device outside the tunnel, that is, it leaks.

This problem can be caused by:

  1. A user clearing the VPN client's data via the Android Settings UI. The data leak happens if the EMM client has not restricted the user's clear-data action using the Knox SDK.

  2. Unexpected behaviour of the VPN client while the profile is being inserted into its database, for example:

    • the VPN application suddenly crashes
    • the device reboots

Recreation Attempt

In this solution, when the framework receives one of the intents PACKAGE_DATA_CLEARED, LOCKED_BOOT_COMPLETED or CONNECTIVITY_ACTION, it triggers the profile and VPN client validation process. If the VPN client and the Android Framework are successfully bound but the framework detects that the VPN profile data is not present on the VPN client side, it attempts to recreate the VPN profile and starts the VPN connection automatically.

Recreation Attempt Failures

If the VPN recreation process fails, the Android Framework needs to notify the EMM client so that it can apply the required countermeasures (for example, lock the container or device, apply firewall rules, or recreate the VPN policies). This prevents the application's data from leaking while no tunnel is available.

This message is sent only if the profile was activated via the Knox API (activateVpnProfile).

API Enhancements

Create VPN Profile

The APIs used to create or activate a VPN profile now behave as follows:

The Android Framework checks whether the profile data in the VPN client database is synchronized with its own database. If it is not, the framework first tries to recreate the profile and restore the connection automatically. Only if the recreation fails does it notify the EMM of the failure and remove the profile data from its database.

Get Error String

The getErrorString API is used by the EMM client to read the error state of a profile. It returns the error string currently associated with the given profile, or null if the profile does not exist.
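To make the reconciliation flow described in the Recreation Attempt, Recreation Attempt Failures and API Enhancements sections concrete, here is a small Python model of it. This is an added example, not Samsung's or the Knox framework's code. The class and method names (Framework, VpnClient, on_intent, scenario_clear_data), the outcome and error strings and the sample profile are assumptions made for the model; only the three intent names, the activateVpnProfile and getErrorString semantics and the decision flow itself come from the article.

```python
"""Toy model of Knox 3.8 VPN profile reconciliation (added example, not Samsung code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Intents that start the validation pass (names taken from the article).
TRIGGER_INTENTS = {"PACKAGE_DATA_CLEARED", "LOCKED_BOOT_COMPLETED", "CONNECTIVITY_ACTION"}

# Error strings used by this model (assumed wording, not Knox SDK constants).
ERR_RECREATE_FAILED = "PROFILE_RECREATION_FAILED"
ERR_CLIENT_MISSING = "PROFILE_MISSING_ON_CLIENT"


@dataclass
class VpnClient:
    """Stand-in for the vendor VPN client's profile database."""
    bound: bool = True                                   # framework <-> client binding state
    profiles: Dict[str, dict] = field(default_factory=dict)
    fail_inserts: bool = False                           # simulate a crash/reboot mid-insertion

    def insert(self, name: str, params: dict) -> bool:
        if self.fail_inserts:
            return False
        self.profiles[name] = dict(params)
        return True

    def clear_data(self) -> None:
        """What the user's 'Clear data' action in Settings does to the client."""
        self.profiles.clear()


@dataclass
class Framework:
    """Stand-in for the Android framework side: profile DB, connections, EMM notifications."""
    client: VpnClient
    profiles: Dict[str, dict] = field(default_factory=dict)        # framework's profile DB
    activated_via_knox: Dict[str, bool] = field(default_factory=dict)
    connected: set = field(default_factory=set)
    errors: Dict[str, str] = field(default_factory=dict)
    emm_notifications: List[str] = field(default_factory=list)

    def create_vpn_profile(self, name: str, params: dict) -> bool:
        """Store the profile on both sides; True if the client accepted the insertion."""
        self.profiles[name] = dict(params)
        self.activated_via_knox.setdefault(name, False)
        return self.client.insert(name, params)

    def activate_vpn_profile(self, name: str, via_knox: bool = True) -> bool:
        """Model of activateVpnProfile: connect only if both databases hold the profile."""
        if name not in self.profiles:
            return False
        self.activated_via_knox[name] = via_knox
        if name in self.client.profiles:
            self.connected.add(name)
            return True
        self.errors[name] = ERR_CLIENT_MISSING
        return False

    def get_error_string(self, name: str) -> Optional[str]:
        """Model of getErrorString: None when the profile does not exist."""
        if name not in self.profiles:
            return None
        return self.errors.get(name, "")

    def on_intent(self, intent: str) -> Dict[str, str]:
        """Validation pass run when one of the trigger intents arrives; outcome per profile."""
        if intent not in TRIGGER_INTENTS:
            return {}
        if not self.client.bound:
            return {name: "not_bound" for name in self.profiles}
        outcome: Dict[str, str] = {}
        for name in list(self.profiles):
            if name in self.client.profiles:
                outcome[name] = "in_sync"
                continue
            # Profile missing on the client side: recreate it and reconnect automatically.
            if self.client.insert(name, self.profiles[name]):
                self.connected.add(name)
                self.errors.pop(name, None)
                outcome[name] = "recreated"
                continue
            # Recreation failed: drop the connection, notify the EMM (only if the profile
            # was activated via the Knox API) and remove the profile data.
            self.connected.discard(name)
            if self.activated_via_knox.get(name):
                self.emm_notifications.append(f"{name}:{ERR_RECREATE_FAILED}")
            del self.profiles[name]
            self.errors.pop(name, None)
            outcome[name] = "removed"
        return outcome


def scenario_clear_data(recreation_fails: bool, via_knox: bool = True) -> dict:
    """User clears the VPN client's data; the framework reacts to PACKAGE_DATA_CLEARED."""
    client = VpnClient()
    fw = Framework(client)
    fw.create_vpn_profile("corp", {"server": "vpn.example.test"})   # constructed sample profile
    fw.activate_vpn_profile("corp", via_knox=via_knox)
    client.clear_data()
    client.fail_inserts = recreation_fails
    result = fw.on_intent("PACKAGE_DATA_CLEARED")
    return {"outcome": result["corp"], "connected": "corp" in fw.connected,
            "emm": list(fw.emm_notifications), "error": fw.get_error_string("corp")}
```

The model shows the two properties an EMM developer should rely on: a successful recreation restores the connection silently, while a failed recreation both removes the profile (so getErrorString then returns null) and only notifies the EMM when the profile was activated through activateVpnProfile. An EMM that activates profiles another way must detect the missing tunnel itself.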
