22 Feb 2019

Knox Code Bytes: Secure device hardware features

By Josh (Programmer Writer)

Welcome to the first in a series of blog posts, entitled “Knox Code Bytes”, about commonly used API calls from the Knox SDK. Over the course of the next few posts, we will walk you through some of our most popular API calls. This series is meant for those who are new to the SDK, have not used all the APIs yet, or want to improve their understanding of the Knox security platform.

This blog is about features that are commonly disabled on a device for security reasons.


Prerequisites

This tutorial assumes you have a basic understanding of Android Studio and have already set up the Knox SDK to call Knox APIs: installed the Knox SDK, set up device admin, and licensed the Knox SDK.


What will we discuss in this blog post?


Code setup

Open the Android Studio project where you intend to implement these security features in your mobile app. Create a method that performs your intended tasks and give it a descriptive name, such as secureDeviceHardware. Your main UI elements can then call this method, for example from a button's onClick() handler when the user taps it, or directly from your main activity.

When writing this method, start with the following two API calls:

// Imports from the Knox SDK 3.x namespace (the same namespace the permission below belongs to)
import com.samsung.android.knox.EnterpriseDeviceManager;
import com.samsung.android.knox.restriction.RestrictionPolicy;

// Create an instance of a device manager that contains API methods for granular device control
// ("this" is the calling Activity, which serves as the Context)
EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(this);

// Create the object to control individual settings and functionality on a Samsung device such as Wi-Fi, Bluetooth, and USB debugging
RestrictionPolicy restrictionPolicy = edm.getRestrictionPolicy();

Next, in the AndroidManifest.xml file, request the following permission with a signature-level protection to use the APIs:

<uses-permission android:name="com.samsung.android.knox.permission.KNOX_RESTRICTION_MGMT" />


Common hardware security tasks

After writing the first two API calls and requesting the Knox Restriction permission in your manifest file, you can use any of the following five code snippets. These five features do not require a paid license to manage, meaning you can use them to secure your device for free.


Disable USB, Wi-Fi, and Bluetooth tethering

public boolean setWifiTethering(boolean enable)

Mobile hotspots can be problematic because they share the device's data connection with other devices, leaving them vulnerable to bandwidth theft, breaches, and even hacks. This API method lets you control access to the mobile hotspot (Wi-Fi tethering) feature.

To implement this call in your secureDeviceHardware method, type: restrictionPolicy.setWifiTethering(false);

public boolean setTethering(boolean enable)

In addition to controlling the mobile hotspot, this API method lets you restrict USB, Wi-Fi, and Bluetooth tethering in a single call. Tethering is also battery-intensive, so using this method helps prolong the device's battery life.

To implement this call in your method, type: restrictionPolicy.setTethering(false);


Disable USB file transfers

public boolean setUsbMediaPlayerAvailability(boolean enable)

If you are not careful, connecting a mobile device to a desktop or laptop can be a security and privacy threat. This API method lets you control Media Transfer Protocol (MTP) access, blocking any kind of file transfer over USB.

To implement this call in your method, type: restrictionPolicy.setUsbMediaPlayerAvailability(false);


Disable USB debugging

public boolean setUsbDebuggingEnabled(boolean enable)

USB debugging is invaluable for developers who are troubleshooting their app issues on a mobile device. However, this feature should be disabled on end-user devices, as it leaves these devices vulnerable to hackers.

You can use this API method to disable the Dalvik Debug Monitor Server (DDMS) and adb debuggers for security and performance reasons.

To implement this call in your method, type: restrictionPolicy.setUsbDebuggingEnabled(false);


Disable Google Cloud backups

public boolean setBackup(boolean enable)

Transferring your files and folders to Google Cloud servers can also pose a security and privacy threat. Some companies forbid the use of cloud resources outside of their corporate firewall. This API method lets you prevent Google Cloud backups.

To implement this call in your method, type: restrictionPolicy.setBackup(false);


Putting it all together

The following is an example of how you would write the secureDeviceHardware method for all five hardware features. Although this snippet will work as-is, consider customizing it to ensure a better fit with your particular requirements and specifications for securing the different hardware features.

The best practice is to wrap API calls in a try-catch block to log any errors that might occur. If you want some examples of these code blocks, refer to the API reference sections that are linked in the sample code.

// TAG is the class-level log tag, e.g. private static final String TAG = "KnoxCodeBytes";
private void secureDeviceHardware() {

    EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(this);
    RestrictionPolicy restrictionPolicy = edm.getRestrictionPolicy();

    // Each setter returns true on success, so keep the result instead of discarding it
    boolean applied;

    try {
        applied = restrictionPolicy.setWifiTethering(false);
        Log.i(TAG, "setWifiTethering(false) applied: " + applied);
    } catch (SecurityException e) {
        // Thrown if the caller lacks the KNOX_RESTRICTION_MGMT permission
        Log.w(TAG, "SecurityException: " + e);
    }

    try {
        applied = restrictionPolicy.setTethering(false);
        Log.i(TAG, "setTethering(false) applied: " + applied);
    } catch (SecurityException e) {
        Log.w(TAG, "SecurityException: " + e);
    }

    try {
        applied = restrictionPolicy.setUsbMediaPlayerAvailability(false);
        Log.i(TAG, "setUsbMediaPlayerAvailability(false) applied: " + applied);
    } catch (SecurityException e) {
        Log.w(TAG, "SecurityException: " + e);
    }

    try {
        applied = restrictionPolicy.setUsbDebuggingEnabled(false);
        Log.i(TAG, "setUsbDebuggingEnabled(false) applied: " + applied);
    } catch (SecurityException e) {
        Log.w(TAG, "SecurityException: " + e);
    }

    try {
        applied = restrictionPolicy.setBackup(false);
        Log.i(TAG, "setBackup(false) applied: " + applied);
    } catch (SecurityException e) {
        Log.w(TAG, "SecurityException: " + e);
    }

}
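As an added example that is not part of the original post or of the Knox SDK samples, the class below applies the same five restrictions but also reads each setting back and returns a structured report, so an admin app can verify that the device really ended up in the locked-down state rather than only logging that a call was made. It assumes the RestrictionPolicy read-back getters isWifiTetheringEnabled(), isTetheringEnabled(), isUsbMediaPlayerAvailable(), isUsbDebuggingEnabled() and isBackupAllowed(); these names are assumptions, so check them against the Knox SDK API reference for your SDK version. The class name HardwareLockdown, the Result type and the Call interface are hypothetical names chosen for this example.

```java
import android.content.Context;
import android.util.Log;

import com.samsung.android.knox.EnterpriseDeviceManager;
import com.samsung.android.knox.restriction.RestrictionPolicy;

import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Applies the five license-free hardware restrictions from the post, then reads
 * each one back so the caller can confirm the device state instead of assuming it.
 * Example code for this post; not part of the Knox SDK.
 */
public final class HardwareLockdown {

    private static final String TAG = "HardwareLockdown";

    /** One row of the report: what the setter returned and whether the read-back matched. */
    public static final class Result {
        public final String name;
        public final boolean callReturned;  // boolean returned by the set*() call
        public final boolean verified;      // getter read-back equals the requested state

        Result(String name, boolean callReturned, boolean verified) {
            this.name = name;
            this.callReturned = callReturned;
            this.verified = verified;
        }
    }

    /** Small functional interface so each restriction is a setter/check pair. */
    private interface Call {
        boolean run();
    }

    private final RestrictionPolicy restrictionPolicy;

    public HardwareLockdown(Context context) {
        EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
        this.restrictionPolicy = edm.getRestrictionPolicy();
    }

    /** Applies every restriction and returns a report keyed by restriction name. */
    public Map<String, Result> applyAll() {
        Map<String, Result> report = new LinkedHashMap<>();
        // For each pair: the setter requests the locked-down state, the check
        // reads it back and returns true only if the device now reports that state.
        // The getter names are assumed (see lead-in); verify them in the API reference.
        apply(report, "wifiTethering",
                () -> restrictionPolicy.setWifiTethering(false),
                () -> !restrictionPolicy.isWifiTetheringEnabled());
        apply(report, "tethering",
                () -> restrictionPolicy.setTethering(false),
                () -> !restrictionPolicy.isTetheringEnabled());
        apply(report, "usbMediaPlayer",
                () -> restrictionPolicy.setUsbMediaPlayerAvailability(false),
                () -> !restrictionPolicy.isUsbMediaPlayerAvailable());
        apply(report, "usbDebugging",
                () -> restrictionPolicy.setUsbDebuggingEnabled(false),
                () -> !restrictionPolicy.isUsbDebuggingEnabled());
        apply(report, "backup",
                () -> restrictionPolicy.setBackup(false),
                () -> !restrictionPolicy.isBackupAllowed());
        return report;
    }

    /** True only if every restriction was applied and read back as expected. */
    public static boolean allVerified(Map<String, Result> report) {
        for (Result r : report.values()) {
            if (!r.callReturned || !r.verified) {
                return false;
            }
        }
        return true;
    }

    private static void apply(Map<String, Result> report, String name, Call setter, Call check) {
        boolean returned = false;
        boolean verified = false;
        try {
            returned = setter.run();
            verified = check.run();
        } catch (SecurityException e) {
            // Thrown when the caller lacks the KNOX_RESTRICTION_MGMT permission;
            // the row is recorded as not applied so the mismatch is visible in the report.
            Log.w(TAG, name + ": SecurityException: " + e);
        }
        if (!returned || !verified) {
            Log.w(TAG, name + ": callReturned=" + returned + " verified=" + verified);
        }
        report.put(name, new Result(name, returned, verified));
    }
}
```

Call new HardwareLockdown(this).applyAll() from your activity and check allVerified() on the result; a row with callReturned true but verified false is the case worth investigating, because it means the API accepted the request but the device does not report the restricted state.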


Next steps


Knox Code Bytes 2019 blog series

Check our SEAP blog site every month for new posts on commonly used API calls in the Knox SDK. This blog series runs from February to August 2019.
