About Samsung Knox Enabled App

Knox Enabled App (KEA) automatically encrypts Data-at-Rest and places an Android app inside an invisible container. KEAs are isolated from other apps by two security layers:

  • A Knox container that separates all KEA apps from non-KEA apps.
  • Knox SEAMS containers, which isolate KEA apps from each other.

When developers and Service Providers get KEA licenses, they are assigned Service Provider IDs (SPIDs) for identification and security purposes. A KEA app can only communicate with other KEA apps that have the same SPID.

KEA apps that share the same SPID are placed in the same Knox SEAMS container and can communicate with each other. KEA apps with different SPIDs can’t communicate with each other. These security layers are made possible through changes to Android that enforce security policies. These Android changes are called Security Enhancement for Android, or just SE for Android.

From the Android OS perspective, the normal personal space and the Knox container are completely separate. By default, Android OS services, such as intent communication, don’t transfer information between the two spaces. If allowed by the Google-Managed Profile’s policy, intents from the Knox container are forwarded to the personal space if they can’t be handled by the Knox Enabled App environment.

A Knox Enabled App container is encrypted, and its client certificates are protected by TIMA and stored in TrustZone.

If a device is rooted, users won’t be able to open the KEA; this protects the KEA’s data from being compromised.

The Knox container around the KEA is invisible to the end user and is automatically created when the app is launched for the first time. A KEA is differentiated from other apps by having a Knox badge displayed on its icon.

Each Samsung Knox device can support up to two Knox containers. While KEAs are placed in a Knox container, this container doesn't count against the limit. For example, a device could have 2 Knox Workspace containers and a KEA container.