Samsung KNOX 2.0 vs. iOS 7 security: An overview

Credit: Ari Bakker via Flickr

At Mobile World Congress last month, Samsung announced the second iteration of its KNOX security platform for Android, which it plans to ship in the coming months. The release will include a range of new security features and updated enterprise mobility management capabilities. Despite the delays of Samsung's initial rollout last year, there remains an intense interest in the platform on the part of IT and security professionals and there is much in KNOX 2.0 to like from a security and management point of view.

The announcement coincided with Apple's release of a range of IT-oriented resources about iOS, tweaks to the company's app licensing system, and a much more streamlined process for deploying highly managed iOS devices to enterprise users. The moves make it clear that Apple is adapting to the needs of enterprise IT and that it will not give up ground in enterprise mobility without a fight.

The big difference: Containerization

The biggest difference between KNOX and iOS is the approach taken to separate corporate and personal data. From the outset, Samsung designed the KNOX container to be a separate and highly managed environment. This approach not only secures work-related apps and content, it creates a user experience in which work and personal use is clearly defined as separate.

Apple's managed app approach, which includes the ability to set basic rules about how or if managed (work) and unmanaged (personal) apps can share content with each other, is far less defined. As a result, the user experience remains the same regardless of the app type. Apple's system is functional, but it stops short of creating a truly containerized environment unless a third-party containerization solution, such as those from Good, MobileIron, or other vendors, is used. It's worth noting, however, that KNOX relies on an EMM solution for activation and management of its secure container and that as part of the KNOX 2.0 announcement, Samsung launched its own cloud-based EMM offering.

It's also worth mentioning that while containerization is often seen as a best-in-class EMM model, it may not be appropriate in some circumstances. One of the themes of last year's CITE Conference was the discussion of when or how to implement containerization or dual-persona devices.

Head-to-head feature comparison

The following are 14 enterprise, IT, or security-focused features and capabilities touted by Samsung or Apple along with how each platform delivers them (or doesn't). This is meant to provide a broad overview of what each platform offers, and is not the result of exhaustive testing. Where both platforms offer a similar but not identical feature, this article does not attempt to judge which approach is better.

  • EMM costs -- Activation and management of KNOX requires a KNOX-specific license fee on top of the license fee charged by an EMM vendor. iOS and non-KNOX Android device management doesn't incur this fee, potentially making KNOX management more expensive. Advantage iOS.
  • Upgrade processes -- OS upgrades or updates for KNOX devices rely on the standard Android release process, meaning that mobile carriers are part of the upgrade process. As a result, there can be inconsistent release timelines, as is the case for Android as a whole. Apple delivers updates directly to users, either over-the-air or through iTunes, and all supported devices can be updated as soon as Apple releases an update. Within three months of its release, 74% of iOS devices had been upgraded to iOS 7. Advantage iOS.
  • Range of devices supported -- KNOX-capable devices represent a subset of Samsung's mobile product line, which itself is a subset of all Android devices on the market. Even though research shows that about half of Android devices used in enterprise environments are Samsung devices, that means that half of them aren't, and their security and EMM capabilities can vary. In contrast, all iOS devices are made by Apple and offer the same set of EMM functionality. Advantage iOS.
  • Support for older devices -- The Galaxy S III, introduced less than two years ago, is the oldest Samsung device to support KNOX. By contrast, iOS 7 is supported on devices as old as the iPhone 4, which was released in 2010, making its security and management capabilities available to a wider range of older devices. Advantage iOS.
  • Biometric or two-factor authentication -- Both the iPhone 5s, which shipped last fall, and the Galaxy S5, which Samsung announced last month but has yet to ship, include fingerprint scanners. Apple has kept the focus of the scanner and its Touch ID feature very narrow by allowing it only to serve as a proxy or shortcut to a user's passcode when unlocking a device or making iTunes/App Store purchases. Samsung plans a much broader implementation, including two-factor authentication that uses both a fingerprint scan and a passcode. Advantage KNOX.
  • Multiple APN support -- KNOX 2.0 will include support for multiple APN settings for a single device. This means that a device can be associated with more than one wireless carrier account, allowing a single device to have separate billing for business and personal usage. iOS offers no such feature. Advantage KNOX.
  • Granular EMM policies -- Although Apple has expanded the range of device management policies since it launched MDM support in iOS 4, those policy options are typically broad device feature or app restrictions. Incorporating Samsung's SAFE program, KNOX delivers 300+ granular policy options. Advantage KNOX.
  • Secure Boot -- Both KNOX and iOS include a secure or trusted boot process that verifies the integrity of the OS at startup and that will prevent a device from starting up if the OS has been compromised. Even.
  • Ease of enrollment/management -- Both KNOX and iOS can be enrolled in mobile device management solutions from a wide range of vendors. The enrollment process can be accomplished by IT or by end users (including BYOD users). Apple recently began to offer a program that can pre-enroll devices purchased by an organization, while Samsung has announced its own EMM platform for managing KNOX devices. Even.
  • Per-app VPN -- Both platforms offer the ability to create per-app VPN connections, which increases privacy during personal use, decreases the load on an organization's VPN service, and typically delivers increased connection speed to non-VPN apps. Use of this feature requires a supported VPN solution. Even.
  • Secure key storage and certificate management -- Both platforms implement protected storage and secure management of cryptographic keys and both offer enterprise certificate management capabilities. Even.
  • Enterprise single sign-on -- Both KNOX 2.0 and iOS 7 support integration with enterprise identity systems like Active Directory for single sign-on, allowing users to access enterprise resources, websites, and apps without the need to enter a username and password at each access. Even.
  • Secure app data automatically -- Both platforms incorporate technology designed to ensure that app data is stored in a secure or encrypted form even if an app hasn't been designed to do so. Even.
  • Runtime security -- Both KNOX 2.0 and iOS 7 include runtime security components that maintain the integrity of their operating environment. KNOX uses real-time monitoring to achieve this functionality while iOS 7 employs a series of technologies including code signing and app sandboxing. Even.

Additional details about the underpinnings and security/management features of KNOX and iOS 7 can be found on Samsung's KNOX website and Apple's iOS 7 for business site as well as in Samsung's recent KNOX white paper and Apple's iOS Security guide, both of which were released late last month.
