Samsung Knox
Proprietary security framework by Samsung. From Wikipedia, the free encyclopedia.
Samsung Knox is a mobile device management (MDM) and trusted computing framework pre-installed on most Samsung mobile devices; it implements ARM TrustZone in hardware. It allows the management of work devices, such as employee mobile phones, interactive kiosks, and barcode scanners.[2] Like other MDMs, Knox allows organizations to control a device's pre-loaded applications, settings, boot-up animations, home screens, and lock screens.[3]
Overview
Knox provides trusted computing and mobile device management (MDM) features. Knox's hardware is based on an implementation of ARM TrustZone, a bootloader ROM, and secure boot (similar to dm-verity and AVB).[4][5] These trusted computing environments are used to store sensitive data, like cryptographic materials and certificates.[6]
MDM allows businesses to customize their devices for their needs. IT administrators can register new devices, identify a unified endpoint management (UEM) system, define the organizational rules that govern the use of devices, and upgrade device firmware over-the-air.[7] Knox's MDM services are registered and accessed through the web,[8] APIs, or proprietary SDKs.[9]
A few Samsung devices with Knox were approved for US governmental use in 2014, as long as they're not used to store classified data.[10]
Since Android 8, Knox has been used to prevent root access to apps even after a successful rooting.[11]
In October 2014, a security researcher discovered that Samsung Knox stores PINs in plain text rather than storing salted and hashed PINs and processing them by obfuscated code.[12]
In May 2016, Israeli researchers Uri Kanonov and Avishai Wool found three vulnerabilities in specific versions of Knox.[13]
Several security flaws were discovered in Knox in 2017 by Project Zero.[14][15]
e-Fuse

Samsung Knox devices use an e-fuse to indicate whether or not an "untrusted" (non-Samsung) boot path has ever been run. The e-fuse is set in any of the following cases:
- The device boots with a non-Samsung signed bootloader, kernel, kernel initialization script, or data.
- The device is rooted.
- Custom firmware is detected on the device (such as non-Samsung Android releases).
On Galaxy Book devices starting with the Galaxy Book 4, upgrading from one Windows version to another (from 22H2 to 23H2) will not set the e-fuse, but upgrading to a higher edition (from Home to Pro) will.[citation needed]
When set, the text "Set warranty bit: <reason>" appears. Once the e-fuse is set, a device can no longer create a Knox Workspace container or access the data previously stored in an existing Knox Workspace.[16] In the United States, this information may be used by Samsung to deny warranty service to devices that have been modified in this manner.[17] Voiding consumer warranties in this manner may be prohibited by the Magnuson–Moss Warranty Act of 1975, at least in cases where the phone's problem is not directly caused by rooting.[18] In addition to voiding the warranty, tripping the e-fuse also prevents some preinstalled apps from running, such as Secure Folder and Samsung Pay.[citation needed] For some older versions of Knox, it may be possible to clear the e-fuse by flashing a custom firmware.[19]