Understanding Samsung Knox Vault: Protecting the data that matters most

Eight years ago, Samsung set out on a mission to build the most trusted and secure mobile devices in the world. With the introduction of our Samsung Knox platform at MWC in 2013, we put in place the key elements of hardware-based security that would help defend Samsung mobile devices and our customers’ data against increasingly sophisticated cyber threats.

Samsung Knox has since evolved into more than a built-in security platform, now encompassing a full suite of mobile management tools for enterprise IT administrators. But our mobile product planners, developers and security engineers have remained laser-focused on answering the primary question: how do we remain a step ahead of hackers and keep our users safe at all times?

Samsung Knox Vault represents the latest step in that journey. It’s the logical evolution of something we’ve been working on for years: an isolated, hardware-based and highly secure environment for the most critical information on the device.

To understand what Samsung Knox Vault is, let’s first run through a quick history of how the principle of isolation has been fortifying Samsung’s Knox mobile security platform.

The evolution of the Samsung Knox platform

In the first days of Android, the main focus was building a more open and flexible mobile operating system. Security was state-of-the-art for the time, inherited from the world of Unix and mainframe computers. But from the start, it became clear that smartphones were different; they were the most personal computers anyone had ever built.

Samsung quickly realized that we needed to think harder about the threat model on such a personal device — particularly how to give extra protection to critical information such as private keys and digital certificates. That’s where the idea of using Trusted Execution Environments (TEEs) on our mobile devices came in. Within the ARM processors in our Galaxy smartphones, we pioneered the use of TEE-based protections using a feature called TrustZone.

The goal of TrustZone is to isolate the software that manages the most sensitive device data: passwords, biometrics, and cryptographic keys.  It does this by running a different OS alongside Android. In…