When IT professionals describe solid security design, they use the phrase “defense in depth.” The idea is simple: You can’t depend on just one defense to thwart attackers. Multilayered security is critical. Software can have bugs, configurations can be insecure, users can be misled, and even hardware can have vulnerabilities — despite engineers’ best efforts to build trustworthy products.
Malware is a broad term; it includes everything from adware to ransomware to more sophisticated attack tools that try to take over your entire device. It can infiltrate your device through an app, a web browser or through a hardware vector — even an innocuous-looking USB charging port in a coffee shop.
To ensure your personal and confidential information is always secure, Samsung applies extensive defense in depth to best-in-class hardware and software engineering.
Keeping malware from reaching phones
Your first line of defense against malware is right at the top: the Google Play Store and Google Play Protect. If you’re familiar with Windows antimalware solutions, Google Play Protect is roughly the same, but extended to include the Google Play Store itself, both before and after an app is installed. Aside from app analytics and controls in the store itself, Play Protect also has a scanning component that runs on every Android phone. Automatically updated from Google’s cloud, the scanner uses machine learning to identify malware — what Google calls Potentially Harmful Applications (PHAs). The daily Play Protect scan finds harmful apps anywhere on your device, including in apps from other app stores. Once these apps are found, Play Protect will notify you and so you can immediately delete the threat, and maintain device security.
Android app installation also comes with another useful protection, app signing, which gives a cryptographic “stamp” to each app from its developer. This prevents malware from masquerading as coming from this trusted developer, and also detects if an authentic app is modified along the path from the developer to the app store to your device. The app’s signature is also used to enable trusted communication between apps from the same vendor. If you’ve ever noticed how apps from the same vendor don’t require separate sign-ins, this is sometimes why. Android app developers know that sensitive account information and data is safe to share between their own apps (and not with third-party apps), through these trusted channels built right into Android. The cryptographic signatures that tag their apps provide this invisible sandboxing that simplifies the user experience — while better protecting the sensitive data their apps manage.
Enterprise IT managers can bolster Play Protect by both using Samsung Knox to create their own app controls, such as limiting which app stores are accessible to users, and setting up app allowlists and blocklists. These features are part of Knox App Management, one of the Knox application programming interfaces (APIs) used by mobile device management (MDM) solutions to give IT managers control over their enterprise’s Samsung devices. By using these MDM tools to configure tight app controls, IT managers gain an additional layer of antimalware.
Defending against malware on phones
If you can keep malware off your smartphones in the first place, you’ve won the battle already. But if something gets through the cracks, “defense in depth” means you’re still protected. Even when malware has made it onto your device, it’s only dangerous if it can perform a malicious action or leak sensitive data. So let’s take a look at Samsung’s defensive security layers that contain these threats:
Malware may first try to exceed its normal limits, such as what files it can read and write. Security-Enhanced Linux (SELinux) creates mandatory access controls (MACs) in Unix-based operating systems. In Android, it’s called SE for Android, a core technology that protects against apps reaching out beyond their intended limits. SE for Android provides app isolation far beyond what’s possible with normal Unix discretionary access controls and Android app permissions. SE for Android builds in mandatory rules that ensure certain actions are simply never allowed, regardless of how creative the attacker is. It can also ensure that some permissions may never be granted, except to apps and services created and signed by Samsung and Google, for example. These mandatory rules add an extra security layer on top of the typical app permission model and act as a critical safeguard in our mobile defense-in-depth design. And like many Android security features, it’s there because Samsung worked to create it.
SE for Android’s protections are OS-focused, but sometimes malware is aiming in another direction: trying to bypass device hardware policies to gain unauthorized access to peripherals like the camera or microphone to spy on users. While users and IT managers can use app permissions to inspect and control which apps have access to which peripherals, Samsung devices have an exclusive security layer — called Hypervisor Device Manager (HDM) — which adds critical hardware protection against this threat. HDM specifically targets physical sensors and communication chips like your camera, microphone, Bluetooth and Wi-Fi chip. If a malware author finds a software flaw that would otherwise grant them direct access to your microphone or camera, our HDM system can still block access at the hardware level. It can even trigger automatic physical lockout of such peripherals upon detection of device compromise or device rooting. Even in cases where the entire OS is replaced or compromised, HDM can still enforce your device’s peripheral polices. HDM is one of our strongest layers of defense in depth to prevent hacking of all types.
Evaluate your mobile security plan
White Paper
How mature is your business' mobile security? Take this short assessment to find out. Download Now
IT managers can add another layer of antimalware by using app containers, which isolate apps into different categories — essentially separate smartphones — typically one for work and one for home. When apps are isolated, they’re prevented from interacting with each other (and their stored data), which is enforced by the OS itself as a function of the app separation itself. If a user manages to install malware in their smartphone’s “home” container, the app can’t reach over into the “work” side to steal corporate data. Samsung’s new Separated Apps feature fine-tunes this idea by letting IT admins create a partition for a single app — a way of safely installing a smartphone app you don’t completely trust. Separated Apps could be used to allow installation of a third-party app, such as for ride sharing, while ensuring the app has no visibility into the phone’s data or contacts.
Alternatively, malware might take focus on stealing something highly valuable: your passwords or biometrics. This is where pairing Android with TrustZone Trusted Execution Environments (TEE) and Samsung Knox Vault are most effective. TrustZone has been integrated with Android for years as a way to isolate the management and storage of secure data, such as encryption keys. Normally, TrustZone TEEs are built right next to the Android OS and run in parallel on the main CPU chip. Knox Vault takes the concept a step further, providing a separate secure processor and isolated secure memory to provide greater shielding from side-channel attacks.
Safeguarding the mobile OS
If malware can’t easily grab your data, the next step for hackers is to try to crack into the OS in order to break through the fences surrounding it. Samsung’s Knox Active Protection and Defeat Exploits (DEFEX) technologies provide a layer of defense against this type of attack. Real-time Kernel Protection (RKP), for example, detects and prevents modifications to Android’s kernel. DM-Verity also ensures that the file system that stores the OS hasn’t been touched. DEFEX puts fences around privileged processes to ensure that only authorized apps can run with these permissions.
Sometimes malware takes yet another approach: Instead of cracking through the heavily armored OS, malware tries to break in by making changes that will compromise the system on next reboot, before any protections are loaded. Samsung phones secure the boot process and the integrity of the OS during boot via multiple built-in hardware protections: trusted boot, rollback prevention, tamper detection and TEE software that peeks over the wall into the OS to ensure malware hasn’t snuck in.
Defense in depth is something Samsung takes seriously. We’re always working to defeat malware, from the app level, all the way down to the hardware. If you want to learn even more about the extended security management capabilities built into our enterprise-grade smartphones and tablets, just reach out.
Get started with MDM so your organization can spend less and do more — securely and efficiently — with the help of our free beginner’s guide. Or learn more about how Samsung’s defense-grade Knox security helps protect your most important mobile data from the chip up.
