Is samsung knox better?

someone1223

While researching on privacy and especially security, I've come across Samsung's Knox based security model. It has some cool features like real time kernel protection, and I wonder how does it compare to GOS based pixel (and maybe stock pixel?)

raccoondad

someone1223 On a privacy level, Samsung devices don't have the ability to use a custom OS.

There is also a stronger enterprise focus on Knox

de0u

someone1223 I don't know who might have done an analysis of the Lapsus$ dump, or how much Knox information is in it, but my sense is that before then Samsung kept details about Knox to themselves.

[deleted]

https://twitter.com/GrapheneOS/status/1731629519348617522

Nowadays, Knox is essentially just branding for standard security features. Pixels have better hardware security than Galaxy phones, but Galaxy phones have nearly all of what we need. They just don't allow use to use it like Pixels do, but they could start allowing it.

https://twitter.com/GrapheneOS/status/1731629745509445658

Pixel 8 added hardware memory tagging which is now one of our requirements. That's a massive security features not available on iPhones or non-Pixel Android phones. MediaTek added it to their new SoC and hopefully Qualcomm does so most Android phones at least have SoC support.

https://twitter.com/GrapheneOS/status/1731632350881103949

Knox DID pioneer a lot of Android security features but they ended up being standard and done better in Pixels. Samsung has gradually shifted to the standard approaches but had to keep around some cruft for backwards compatibility. There's not really much of Knox left now.

https://twitter.com/GrapheneOS/status/1731632523187294362

They still have some useful user-facing security features branded as Knox and a bit of hardening that's still useful, but most has been obsoleted and Knox has turned into branding for standard features. Many other vendors are still missing many / most of these features though...

https://twitter.com/GrapheneOS/status/1731632870672740529

Samsung phones with the stock OS were more secure than Nexus phones with the stock OS, but Pixels ended up overtaking them quite significantly. Samsung didn't provide proper alternate OS support back then either but other devices were missing most of the security features anyway.

https://twitter.com/GrapheneOS/status/1728580067381436729

Samsung devices would meet everything other than the memory tagging requirement if they allowed an alternate OS to use the hardware-based security features. They'd need to launch a new device to support this since it's highly unlikely they'd add it to an existing one.

someone1223

[deleted] Pixel 8 added hardware memory tagging which is now one of our requirements.
what about older pixels?

[deleted]

someone1223

5 Nov, 2022
~ 1 year before the launch of Pixel 8 and 8 Pro

https://twitter.com/GrapheneOS/status/1588667810334457857

If Samsung allowed an alternate OS to use all the hardware security features and had more universal models, we [GrapheneOS] would happily support the flagship Galaxy phones and tablets meeting our requirements.
They aren't as secure as Pixels [but] would be good enough if they let us support them.

26 June, 2023
https://twitter.com/GrapheneOS/status/1673049204065746946

Pixels and Galaxy phones meet our security requirements. Pixels are more secure, but we'd be able to support Galaxy phones if they allowed alternate operating systems to use the all the hardware security features like Pixels. Samsung has very poor alternate OS support right now.

https://twitter.com/GrapheneOS/status/1677057874336391169

Samsung has devices with secure elements rather than only a TEE, and on those devices they've implemented the Weaver feature. It's not as good as the implementation on Pixels because their secure element is much less good than the Titan M2 on the Pixel 6 and later though.