Google’s Android Evolution – Knox and Divide? The End of Fragmentation?

by Eric Klein | 06/27/2014

With “Android for Work” Initiative, Google’s Next OS Will Feature Samsung Knox Integration

Google made several important enterprise mobility-oriented announcements at its annual developer conference (Google I/O) earlier this week. The company provided details of its “Android for Work” initiative, which aims to help business users separate personal and corporate data. The effort is being supported by prominent handset OEMs (Samsung, Sony, Lenovo, Huawei and HTC), as well as PC OEMs, including Dell and HP. While these OEMs are eager to work with Google, it is likely that the company had to offer assurances (such as guaranteed timely access to software updates and key security enhancements) to ensure a solid roster of vendors for the fall release of its next OS, “Android L”.

Google’s SVP of Android, Chrome and Apps, Sundar Pichai, shared key details of the next OS (and announced its beta release to developers), and demonstrated several new enterprise features for enhanced security and privacy. The OS will offer a “kill-switch” function (remote factory reset protection), new lockscreen enhancements, and alternative security features such as context and proximity that open up new opportunities for two-factor authentication scenarios (via a companion device such as a smartwatch).

The company also announced a new version of its popular consumer file storage, sync and share solution (Google Drive). Dubbed Drive for Work, the service combines the familiar experience of Google Drive with new admin controls, advanced file audit reporting, and eDiscovery services: key features that will allow the service to compete with established vendors such as Box and Dropbox. Google also announced several notable updates to its productivity software: the company’s popular presentation software, Slides, is now available on mobile platforms. Google has also integrated QuickOffice with its app suite, and has brought the ability to work with Microsoft Office applications natively (no conversion required).

However, the big announcement at I/O was the planned integration of Samsung’s Knox security service into the Android OS. While it is not definitive that Knox will serve as the foundational security element for the Android for Work initiative, VDC sees it as likely (Google has provided scant details relating to the integration in Android L’s documentation). Just last month, Google acquired Divide, a firm that developed a rich platform utilizing a similar containerization approach to separate personal and corporate data. While Divide created a superb UX and delivered core productivity apps (a PIM suite of email, contacts and calendar apps), the company’s security features pale in comparison to Samsung’s Knox. Here’s why:

Knox, which debuted on the Galaxy S4 in 2013, builds on the Security-Enhanced Linux (SELinux) changes to the Linux kernel developed by the US National Security Agency (NSA). Knox 2.0 was released earlier this year at Mobile World Congress and builds on the original Knox security feature set through upgraded certificate management, IPSec VPN capabilities and enhanced container security. Samsung’s latest smartphone (the Galaxy S5) ships with Knox 2.0. Key Knox features include:

  • TrustZone-protected certificate management and On Device Encryption (ODE) (via a Trusted Execution Environment (TEE) through a partnership with Trustonic)
  • A key store for managing encryption keys
  • Real-time protection for system integrity
  • Two-factor biometric authentication
  • Per-app VPN functions for SSL VPN solutions (with tighter integration with Juniper planned)

The integration of these features has enabled the Knox solution to achieve “Common Criteria Certification”. Knox was evaluated under the internationally recognized Common Criteria Evaluation and Certification Scheme (CCEVS) with an Evaluation Assurance Level (EAL) and Protection Profile (PP) that qualify it as a "trusted" operating system. While this validates the cryptographic foundation of the solution’s security features and deems it viable for accessing enterprise networks and high-value information assets, Samsung has only achieved EAL level 1 (there are seven levels in EAL classifications, and competitors such as Good Technology have been certified at level 4). While uptake of Android in enterprise settings has been slow, VDC sees the enterprise features that Google continues to implement, along with the upcoming integration of Knox, as giving CIOs and IT leaders fewer reasons not to support the OS.

Where Does Divide Fit?

Divide’s solution offers FIPS 140-2 validated 256-bit encryption, the ability to encrypt email messages (using S/MIME), as well as basic MDM features. Google announced that it planned to release an application (no carrier involvement required) for Android releases 4.0 (Ice Cream Sandwich) through 4.3 (Jelly Bean), claiming that it will bring backwards compatibility to the aforementioned security enhancements that will be embedded in Android “L”. While this will help significantly with fragmentation, it still leaves the ~20% of Android devices that run OS versions earlier than 4.0 in the cold. This is very likely where and how Divide will fit into the company’s plans to quash fragmentation. We will be watching closely for updates relating to this initiative.

So What Really Happened?!

"We want to thank Samsung for its amazing work with Knox. It's so good we're going to integrate it directly into our platform,"

Google’s SVP of Android, Chrome and Apps Sundar Pichai, 6/25/14

The announcement that Knox would be “contributed” to Android (see above) was not only unexpected, but had many industry watchers (and Google competitors) guessing and prognosticating. The reality is that we won’t know for certain how the two companies arrived at this arrangement. There has been speculation of a rift between Google and Samsung. Samsung continues to experiment with a competing OS (Tizen) and has clearly been moving forward with its own interpretation/implementation of Android. One thing is certain, though: Samsung is definitely not abandoning its Knox development (the company has more than 2,000 engineers working on Knox) and will continue to evolve the platform and target the enterprise with its solutions. VDC views Google’s partnership with Samsung as significant due to its potential impact on the broader Android ecosystem. With businesses embracing BYOD policies and turning to enterprise-grade solutions that cater to these deployment environments, the rapid upgrade cycles for modern mobile platforms have OEMs eager to crack the business market. That is what is most fascinating about the partnership: it will give handset OEMs who have been unsuccessful in targeting the enterprise thus far (such as HTC and Lenovo) a means to compete with Samsung using its own technology. Apple, BlackBerry, and Microsoft have all sharpened their security messaging and are vying for enterprise mindshare.

VDC will be releasing an in-depth mobile security report in early July.