Copyright© 1995-2016 SAMSUNG. All rights reserved.

Samsung KNOX SDKs:

More than Security!

Victor Okunev SEAP Developer Evangelist

Samsung Electronics


Introduction

Hello! My name is Victor Okunev.

• Developer Evangelist

• Vancouver Enterprise Lab

• Samsung Electronics Canada

• Email: [email protected]


Agenda

Webinar Duration: 1 hour

1. Presenter Introduction

2. Samsung KNOX Platform

3. KNOX Standard SDK

  • Key Features

4. KNOX ISV SDK

  • Key Features

5. Introduction to SEAP


Mobile software requirements

Consumer vs Business

Consumer:

• Performance

• UX

• Security

• Scalability

• Generic platform

Business:

• all that… but

• Hardened Security

• Manageability

• Customization

• Best-suited platform

• No can do:


Samsung KNOX Platform

Tamper-resistant HW/SW Security Stack

• Built into Samsung Galaxy devices

  • Hardware Root of Trust

  • Boot-time system integrity

  • OS-level data and app protection

  • Run-time kernel integrity

  • Integrity-based security services

  • Secure application and data container

• Includes Samsung APIs

  • SDKs are provided free of charge

  • In-code license activation required


Samsung KNOX Security Certifications

https://www.samsungknox.com/en/security-certifications

CANADA

USA

UK

FRANCE

CHINA

AUSTRALIA


Samsung KNOX SDKs


KNOX Standard SDK


Mobile Device Management 101

What is a device policy?


Advanced MDM APIs for Android

KNOX Standard SDK

• Integrated with Samsung KNOX Platform

• 430+ device policies

  • App Management, HW/SW Component Management, Expense Management, Security Management, Inventory monitoring, Services Provisioning, etc.

• Used in 120+ MDM products


KNOX Standard SDK: Core Features

• Feature areas: Voice/Data Management, Location-based Services, Customized Device Mode, Device Inventory, Help Desk, Application Management, Remote Configuration, HW/SW Component Management, Security Management

• Policies shown: Lock Screen, Remote Control, Kiosk Mode, App Control, Geo fencing, Roaming, Phone, App Permissions, Location, Inventory, Bluetooth, APN, Email, Android VPN, Exchange, Firewall, LDAP, Password, Security, Wi-Fi, Backup, Restrictions, Date and Time Settings, SSO, Browser, Multi User

• Legend: Per user policies, Per device policies


Application Management

KNOX Standard SDK

• API examples

  • Silent install/uninstall of applications

  • Restrict installation and un-installation of applications

  • Disable and enable applications

• Use case example: POS system

  • Silently push an app update

  • No user interaction required

  • Even with extra new permissions

  • Download an APK from your server


Customized Device Mode

KNOX Standard SDK

• API examples

  • Customize Home screen

  • Disable Settings changes

  • Customize device lock screen with client's company logo

• Use case example: In-room hospitality devices

  • Minimize the device environment

  • To prevent guest from misconfiguring it

  • Provide access to relevant apps only

  • Simplify the OS experience for non-Android users

[Figure: KIOSK MODE. Labels: Custom Applications (Calculator, Contacts, Calendar, Camera); Hidden Notification Bar; No default Applications; Disable Menu key; Custom Wallpaper; Disable Soft keys; Disable Hardware keys]


Location-Based Services

KNOX Standard SDK

• API examples

  • Define Polygonal, Circular, and Linear geofences

  • Apply specific behavior based on the device location

  • Configure frequency of GPS location querying

  • Based on time and distance

• Use case example: Preventing data leakage from restricted area

  • Detect when device enters the geofence

  • Disable camera and Bluetooth on the device

  • Detect when device leaves the geofence

  • Restore device and Bluetooth functionality

[Figure label: Main gate]


Help Desk: Remote Control

KNOX Standard SDK

• API examples

  • Inject touch events

  • Inject hardware key events

  • Access the frame-buffer to capture the screen content

• Use case example: Customer support

  • Need to take control of the device

  • Via standard VNC client

  • Build a mobile VNC server

  • No device rooting required!

  • User assistance is not needed

[Figure labels: Device Screen Sharing; Keyboard/Mouse Event Sharing]


Security Management

KNOX Standard SDK

• API examples

  • Configure firewall rules to allow, block, and reroute traffic, based on app or server identity

  • Configure HTTP proxy

  • Encrypt SD Card

  • Install user & CA certificates

  • Force user to change device password

• Use case example: Restricted data usage

  • Allow business app only to use mobile network

  • The rest of the apps can access data over Wi-Fi

  • The user can't bypass this restriction


HW/SW Component Management

KNOX Standard SDK

• API examples

  • Disable Wi-Fi, Bluetooth, NFC, SD Card

  • Disallow factory reset

  • Detect SIM change

  • Disable tethering

  • Perform full backup of application data

• Use case example: Fleet management solution

  • Force the GPS On

  • No user confirmation is required

  • Prevents user from turning the GPS Off


Remote Configuration

KNOX Standard SDK

• API examples

  • Control & configure Wi-Fi access point settings

  • Configure Android VPN settings

  • Create, update, and delete VPN profiles

  • Provision accounts for MS Exchange ActiveSync, IMAP, and POP

• Use case example: Secure app traffic over untrusted data connections

  • Detect if Wi-Fi is a trusted profile

  • If so, disconnect corporate VPN to save VPN server load

  • Otherwise, the data connection is not trusted; enable VPN


Learn from Samsung Partner Solutions

https://seap.samsung.com/solution-briefs


KNOX ISV SDK


KNOX ISV SDK: Core Features

• Device Integrity: Attestation

• Data Security: Sensitive Data Protection (SDP)

• Secure Credential Storage: Universal Credential Management (UCM)


Device Attestation

KNOX ISV SDK

• API examples

  • Request trusted device measurements

• Use case example: Ensure device is not compromised before installing banking app

  • Initiate attestation sequence

  • Receive attestation verdict

    • Whether device has been rooted or is running unofficial firmware

  • If device is uncompromised, install the app


Device Attestation

How it Works:

[Sequence diagram. Participants: TrustZone Attestation Agent, Your App, Your Server, Attestation Server. Messages in the order shown:]

1. Get nonce → Get nonce → Nonce generated and stored with timestamp → Nonce

2. Start attestation (nonce) → Start attestation (nonce) → Attest (nonce) → Blob with nonce, measurements, device ID, signature and certificate → Attest (blob) → Attest (blob)

3. Get verdict (nonce, blob) → Verify blob signature, certificates; parse blob data → Verdict (success/fail)
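The verifier-side checks in the sequence above, as an added example that is not from the presentation or the KNOX SDK: nonces are generated and stored with a timestamp, accepted once, and the blob is rejected unless its signature covers the same nonce. The JSON blob layout, the measurement keys `rooted` and `official_firmware`, the 300-second window and the HMAC used as a stand-in for the device signature and certificate check are all assumptions.

```python
import hashlib
import hmac
import json
import secrets
import time

NONCE_TTL_SECONDS = 300  # assumed freshness window; the slide gives no value
# Constructed demo key. Stand-in for the device signing key and certificate:
# a real verifier checks an asymmetric signature against a certificate chain.
DEMO_DEVICE_KEY = b"constructed-demo-key"


class NonceStore:
    """Nonces are generated, stored with a timestamp, and usable only once."""

    def __init__(self, ttl=NONCE_TTL_SECONDS, clock=time.time):
        self._issued = {}
        self._ttl = ttl
        self._clock = clock

    def issue(self):
        nonce = secrets.token_hex(16)
        self._issued[nonce] = self._clock()
        return nonce

    def consume(self, nonce):
        """True exactly once for a known nonce that is still within the TTL."""
        issued_at = self._issued.pop(nonce, None)
        return issued_at is not None and self._clock() - issued_at <= self._ttl


def _signed_bytes(blob):
    # Canonical encoding of the fields the signature covers.
    fields = {k: blob[k] for k in ("nonce", "measurements", "device_id")}
    return json.dumps(fields, sort_keys=True).encode()


def make_blob(nonce, measurements, device_id, key=DEMO_DEVICE_KEY):
    """Device side (constructed): sign the measurements together with the nonce."""
    blob = {"nonce": nonce, "measurements": measurements, "device_id": device_id}
    blob["signature"] = hmac.new(key, _signed_bytes(blob), hashlib.sha256).hexdigest()
    return blob


def get_verdict(store, nonce, blob, key=DEMO_DEVICE_KEY):
    """Verifier side: signature first, then nonce binding, freshness, measurements."""
    try:
        expected = hmac.new(key, _signed_bytes(blob), hashlib.sha256).hexdigest()
        signature = str(blob["signature"]).encode()
    except (KeyError, TypeError):
        return "fail: malformed blob"
    if not hmac.compare_digest(expected.encode(), signature):
        return "fail: bad signature"
    if blob["nonce"] != nonce:
        return "fail: nonce mismatch"
    if not store.consume(nonce):
        return "fail: unknown, expired or replayed nonce"
    m = blob["measurements"]
    if m.get("rooted") or not m.get("official_firmware"):
        return "fail: device compromised"
    return "success"


if __name__ == "__main__":
    store = NonceStore()
    n = store.issue()
    blob = make_blob(n, {"rooted": False, "official_firmware": True}, "device-001")
    print(get_verdict(store, n, blob))  # first use of the nonce
    print(get_verdict(store, n, blob))  # same blob replayed
```

The signature is checked before the nonce is consumed, so a forged blob cannot burn a nonce that a legitimate device is still waiting to use.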


Sensitive Data Protection (SDP)

KNOX ISV SDK

• API examples

  • Protect selected databases and database columns

  • Protect selected application files

  • Create custom SDP engine

• Use case example: Ensure protection of patient's confidential data even in the event of a security breach on the device

  • Mark application file as sensitive

  • Choose SDP engine

    • Default or custom

  • Let the SDP infrastructure do the rest


Sensitive Data Protection (SDP)

How it Works:

[Figure labels: Decrypted / Encrypted; Power on / Power off; Unlock state / Lock state; Write; Read]


Universal Credential Management (UCM)

KNOX ISV SDK

• API examples

  • Query available credential storages on the device

  • Check if the storage is locked

  • Install certificates to credential storage (Used by Email, Browser, Wi-Fi, VPN)

• Use case example: Provide financial application with credential storage access:

  • Ability to support Embedded Secure Elements, Micro SD cards, SIM cards, and Common Access Card (CAC) smartcards from third-party vendors

  • Do not create dependency on the vendor API

  • Use generic API

  • Take advantage of plugin architecture


Universal Credential Management (UCM)

How It Works:

Credential-consuming apps (Email, browser, WiFi, VPN, etc.)

Storage management apps


Where do I get Samsung B2B SDKs?

https://seap.samsung.com/

• SEAP – Samsung Enterprise Alliance Program

• Instant registration, start developing in minutes:


Samsung Enterprise Alliance Program

Sales Support

• Dedicated sales support from Samsung sales network based on Business Opportunities

Co-Marketing Activities

• Partner Promotion via Samsung online channels

• Co-branded marketing materials

• Samsung event participation

• SEAP Newsletter & Logo

Access Samsung’s technology

• KNOX SDKs and licenses

• Technical Q&A ticket

• Priority technical support

• Technical consultants

Marketing

Sales

Tech

Support


Q&A and THANK YOU for your time.

Victor Okunev [email protected]