X

Android L builds on Samsung's Knox fortifications

Google spills the beans on how it plans to take some of the Knox enterprise technology and lock it into the next version of Android.

Seth Rosenblatt Former Senior Writer / News
Senior writer Seth Rosenblatt covered Google and security for CNET News, with occasional forays into tech and pop culture. Formerly a CNET Reviews senior editor for software, he has written about nearly every category of software and app available.
Seth Rosenblatt
2 min read

googleblog.png
A Samsung graphic showing which parts of Knox will be in the next Android. Samsung

With an eye to earning Android a bigger role in the workplace, Google has pulled back the curtain to show how Samsung's Knox technology will fit into the upcoming Android L.

Knox is Samsung's set of mobile security tools for businesses and governments. Not all of it is getting ported to the Android operating system, but enough, Google hopes, to reassure IT managers that Android-powered devices -- whether employees' own, or company-issued -- will meet their tougher standards for what's allowed on corporate networks.

Among other things, Android L will keep personal and corporate data and apps separate by building on the existing multiuser profile support in Android in a setup similar to the Knox Workspace.

"Personal and corporate applications will run as two separate Android users," Android product manager director Srikanth Rajagopalan wrote Monday. "Data is kept safe by using block-level disk encryption as well as verified boot technology."

A preview release of Android L, the eventual follow-on to the current KitKat version, debuted at the Google I/O conference last month. Key features of Android L will include faster app performance, improved power efficiency, better camera controls, and a new look for notifications.

What's new in Android L

See all photos

With workplace use of Android L in mind, Google and Samsung -- which haven't always seen eye to eye on Android matters -- have designed new application programming interfaces (APIs) to enable enterprise-grade security services, Rajagopalan said. They will be available only as part of Google services, and not built into the Android Open-Source Project, the version of Android that lacks Google Play and other Google services.

The new APIs are available now as part of the Android L Developer Preview. Rajagopalan said they will focus on three areas: device and data security, support for IT policies and restrictions, and mobile application management.

Also derived from Knox, new Android development kit APIs will let administrators create policies that include system setting configuration and authentication certificate management to restrict app usage. New back-end APIs will help with corporate app management and deployment.

Part of the Knox integration will include backward compatibility, so that developers who have already built apps for Samsung Knox won't have to rebuild them from scratch to the get them to work on Android L.

"Samsung will be providing a Knox Compatibility Library that will let such applications run on all Android L devices," Rajagopalan said.

However, Samsung detailed in a blog post of its own that it's not giving Google access to all of its Knox gold. Many hardware-based Knox features will remain exclusive to Samsung.

These include TrustZone-based Integrity Measurement Architecture, trusted boot, biometric authentication, and Knox Smart Card Support. Knox components approved for governmental use such as Common Criteria, and the FIPS-certified cryptographic library and virtual private network that are part of Security Technical Implementation Guide standards, will remain under Samsung's purview.