Rooting your phone...you can no longer get away with that if you own a Samsung smartphone.

Overmind One

GateFans Gatemaster
Staff member
They got me. :(. I have had my rooted Galaxy S4 for a couple of years, rooted from within an hour of purchasing it. But that was when it was running Jelly Bean. Kit Kat brought Knox with it and thus the booby trap was laid. Do you know that the phone has a binary counter which tells it whether or not you have changed the kernel? Well, it does, and if you have gained root and then tried to UNroot, it will trip the Knox counter from 0x0 (valid) to 0x1 (warranty violation). It looks like this (not my phone)

KNOX-Warranty-Void-0x1.jpg


The Knox trigger cannot be flipped no matter what you do. No hack for it exists. It essentially bricks your phone. So, even though my pre-Knox rooted kernel was within warranty, UNrooting it flipped the switch. My T-mobile equipment protection would have been void if left rooted, but UNrooting it voided the Samsung warranty as well. AND it bricks the phone.

So, suddenly without a phone I have purchased an LG G2 (because it is almost exactly the specs of a Samsung GS4, but a tad better), and I will be leaving Samsung because of Knox which I did not ask for and is now mandatory across all smartphone devices Samsung makes. It stinks of clandestine government tampering with the Samsung infrastructure. Let me explain:

In a rooted Galaxy device running Knox, you cannot do the following:

Set up an encrypted Exchange account using Activesync
Set up a 3rd party encrypted folder on an SDcard

This is strange, because those two operations involve using an encryption using keys that Samsung does not provide and cannot get. But you can easily do it on a non-rooted device. WHY? It stinks of NSA. It is a dealbreaker and I will never buy another Samsung. Makes sense because Samsung rules more than 1/2 the market for premium smartphones. And NO, Apple is nowhere near being concerned with user privacy. They have been working with the NSA more deeply than perhaps any other manufacturer. Microsoft is the worst offender, but they have a minuscule market share in comparison to Apple or Samsung.

I will post the review of the phone when it arrives tomorrow.
 

Overmind One

GateFans Gatemaster
Staff member
More:

http://www.tomsguide.com/us/samsung-knox-security-flaw,news-19828.html

Excerpt:

Samsung Knox, a security environment developed for Samsung Android devices, may have some serious problems. So says a mysterious German security researcher who pens a blog under the name "Ares." Samsung denies Ares' findings and insists that Knox is as secure as the fort it's named after.

Designed to help people keep business data secure on personal phones, Samsung Knox creates a secure partition, or storage space. Users can store their business information and any other sensitive data in this storage space.

What is not mentioned is the "passive" effects of Knox on the phone itself. Samsung has sandboxed several elements of its premium devices in order to protect them from decompilers, hex editors and other oft-used "hacker" tools. And, of course, rooting. It should be noted that no Nexus phone or tablet has any of this shit going on, and that may be my next device. If this LG G2 bridges the gap for me for the next year or so, I think I will go Nexus from that point forward. I will simply activate it on Tmobile (or whomever) and buy the unlocked phone directly from Motorola or whomever makes it (likely Motorola since Google now owns it).
 

Joelist

What ship is this?
Staff member
Which is in part why when we dropped Blackberry and we needed a new platform Samsung phones were categorically prohibited for corporate use. The current allowed phones are iPhones and (for now) the Motorola X. Both require an installation of MobileIron prior to being allowed to access corporate resources.

https://mobileiron.com/en

MobileIron creates the secure memory space without the nonsense Knox put in place.
 

Overmind One

GateFans Gatemaster
Staff member
Which is in part why when we dropped Blackberry and we needed a new platform Samsung phones were categorically prohibited for corporate use. The current allowed phones are iPhones and (for now) the Motorola X. Both require an installation of MobileIron prior to being allowed to access corporate resources.

https://mobileiron.com/en

MobileIron creates the secure memory space without the nonsense Knox put in place.

:) Both iPhones and the Motorola X are even less secure than any Android phone, including Samsung. The Moto X, for instance, has an "always listening" feature that records ambient conversations and transmits them to 3rd parties like the Samsung smart TV does. The Apple offerings (any of them) cannot be secured with an enterprise encryption key. Both are banned in all government offices. The Blackberry is still preferred as far as security goes, with Microsoft second. Unlike the user-implemented encryption with private keys which can be loaded into a Blackberry or a Windows phone, all "encryption" offered by Apple and Samsung (not all of Android) uses a skeleton key which can be given to authorities when requested.
 

Joelist

What ship is this?
Staff member
I can find no backup to the idea that iPhones are banned in government offices. The closest was a rumor (that was debunked) that the Chinese government did so.

We dropped Blackberry because it is dead. Enterprises are dropping Blackberry like a hot potato and have been for over a year. And we (Fortune 50 company) did a comprehensive security review both on dropping Blackberry and on the direction we decided to take. The X is there (maybe temporarily) because we could wipe off the version of Android it shipped with and put on a different mod. The iPhone (has to be 5S or higher) is there because it passed the security audit which included crypto standards (FIPS 140-2, which is what Blackberry was) as well as the type of encryption and the key standards.

MobileIron is the MDM solution in part because it supports the high encryption we use and in part because down the road it will let us go to a Bring Your Own Device program.

As to the "skeleton key" I don't know about Samsung per se but Apple got rid of it with iOS 8 (and got flamed by law enforcement for doing it). Also part of our security setup on iPhones disables iCloud so nothing goes anywhere but the phone or our corporate servers (we retarget backup using MDM to our own secure servers).

If I had to guess, we'll be adding a Windows Phone later this year when Windows 10 rolls out (on phones and PCs) and may drop the X as the number of people who requested it were in single digits (in a user base north of 30,000) and the mobile device world will be iPhone 6, Windows Phone TBD and hopefully BYOD.
 

Overmind One

GateFans Gatemaster
Staff member
iPhones limited ban by US government (still in effect)

http://www.businessinsider.com/the-us-government-just-agreed-to-a-limited-ban-on-the-iphone-2013-6

Link to the actual order in PDF form: http://www.usitc.gov/secretary/fed_reg_notices/337/337-794_notice06042013sgl.pdf

The iPhone 6 can be used but not purchased by any government agency. Apple is the least manageable phone on the market as far as security goes. Enterprises cannot secure it with endpoint protection or private encryption methods. They cannot be locked down or out by installed private kill programs. Samsung's Knox is just as bad because Knox is owned by Samsung and cannot be managed by corporate security on the enterprise level. Only Windows and Blackberry phones meet the government standard.

Remember, you are not working for a government agency or contractor. If you were, you would be very aware of this. You cannot even bring an iPhone or Apple device (any model) into a secured area. Seeing TV shows with Apple products being used to track criminals with high tech software or iPhones being used to communicate "securely" is a complete fantasy.
 

Joelist

What ship is this?
Staff member
Neither link says at all what you said they do - they are both pertaining to what was then an ongoing patent lawsuit between Apple and Samsung. The article is 18 months old as is the document and neither has anything to do with Apple devices being under some sort of security ban.

And yes iPhones (again they need to be iOS 7 or above) are every bit as manageable as other ones - we are doing exactly that. Endpoint Encryption is part of the solution we put into place with MobileIron. Plus I already noted we meet the Government standard and so do iPhones starting with the 5 (FIPS 140-2). And yes they can be locked down and locked out by private kill programs - that is part of the MDM and EMM profile we run with MobileIron.

I'm up to speed on this because we just went through this travail during the last year, and it is ongoing as we also get tablets enabled for the mobile workforce we have. Plus we had to work with vendors like Salesforce.com to get their offerings to work properly in this environment (it was challenging but fun and we were successful).
 

Overmind One

GateFans Gatemaster
Staff member
Neither link says at all what you said they do - they are both pertaining to what was then an ongoing patent lawsuit between Apple and Samsung. The article is 18 months old as is the document and neither has anything to do with Apple devices being under some sort of security ban.

And yes iPhones (again they need to be iOS 7 or above) are every bit as manageable as other ones - we are doing exactly that. Endpoint Encryption is part of the solution we put into place with MobileIron. Plus I already noted we meet the Government standard and so do iPhones starting with the 5 (FIPS 140-2). And yes they can be locked down and locked out by private kill programs - that is part of the MDM and EMM profile we run with MobileIron.

The problem is the ecosystem of the phones, not the brands. You cannot load an enterprise encryption key onto ANY Apple product. MobileIron is an app, not an encryption protocol or layer. It is impossible to load a private key into any Apple device, phone or otherwise. Blackberry is still the top of the list for government devices, with Windows/Microsoft being the bulk of the rest of the operating systems used by the government. You will see iPhones in Congress, but not in the Pentagon. You can't lock down any iPhone no matter what you load on it. But Apple can.

I'm up to speed on this because we just went through this travail during the last year, and it is ongoing as we also get tablets enabled for the mobile workforce we have. Plus we had to work with vendors like Salesforce.com to get their offerings to work properly in this environment (it was challenging but fun and we were successful).

You are up to speed on it in your private enterprise and in the private sector, but some of what you have said regarding government standard is not true. You cannot lock down an iPhone using a private encryption protocol. The structure of iOS simply does not have the ability to do so. It does not even allow the browsing of the internal file system. Yes, the article is a year old, but it is still in effect across the secured offices of the US government. It will likely remain in effect. Apple is not part of the government infrastructure of the United States, but Microsoft is. Blackberries are still purchased in bulk by the government and are issued as official phones. No office in the US government purchases iPhones, nor do they issue them to personnel.

Why are you attempting to defend them? They don't make the grade. It is because they are closed and locked down to a degree deemed unacceptable by the US government. Apple will not unlock phones for any government agency or law enforcement. That is in opposition to NSA requirements for government devices. MobileIron is a private company not affiliated with or certified with the US government, even though it is fine for the private sector.
 

Overmind One

GateFans Gatemaster
Staff member
https://www.mobileiron.com/en/customers

Not one government agency listed except USDA which is not a secured Bureau. Mobile Iron is an app, which runs on top of iOS. You cannot encrypt the iOS operating system privately.
 

Joelist

What ship is this?
Staff member
Actually each thing you have claimed could not be done we did (as have a lot of other enterprises that moved from BB to Apple and others). You claimed lockout and lockdown were not able to be enabled - we did so. And that it does not support private key encryption. Again yes it does.

As to MobileIron, it is an MDM/EMM solution platform not just an app. And some of the clients listed on the page you linked (which is incomplete as they don't have us up on it yet) include not just the USDA but DISA which is the Defense Information Systems Agency:


In other words, the people responsible for IT and communications for the whole US National Defense system.

Also, we could have used other solutions. MobileIron simply was the one which gave us all the capabilities desired for the best price.
 

Overmind One

GateFans Gatemaster
Staff member
Actually each thing you have claimed could not be done we did (as have a lot of other enterprises that moved from BB to Apple and others). You claimed lockout and lockdown were not able to be enabled - we did so. And that it does not support private key encryption. Again yes it does.

As to MobileIron, it is an MDM/EMM solution platform not just an app. And some of the clients listed on the page you linked (which is incomplete as they don't have us up on it yet) include not just the USDA but DISA which is the Defense Information Systems Agency:


In other words, the people responsible for IT and communications for the whole US National Defense system.

Also, we could have used other solutions. MobileIron simply was the one which gave us all the capabilities desired for the best price.

:facepalm:

The Mobile Iron is an APPLICATION. I can tell you have never worked in a government office. I have been working in them for decades. You keep claiming that it can encrypt the device and it simply cannot. Show me proof. I went to their website, I can see the app and its features. They list their clients. I know the Apple operating system and that it cannot be encrypted by any app outside of Apple.

Moto X always listening:

http://www.techradar.com/news/phone...s-always-listening-and-so-is-the-nsa--1170553

Apple does not allow any app to gain root access. Even jailbreaking does not allow root access to any Apple device. Apple encrypts the data FOR YOU by default. This means that you are not providing the key. You cannot remove the Apple encryption nor can you decrypt the Apple encrypted portions of your device. Apple can brick any iPhone no matter what you have loaded on it.

MDM (mobile device management) and EMM (enterprise mobile management) do not equal total device encryption or endpoint protection. It is a new commercial product that anyone can buy. Government encryption solutions involve using private keys of varying types of encryption and they encrypt the entire filesystem of the device. This can be done in a Blackberry and a Windows phone, but not Android or iOS or any of the others.

The government does NOT use MobileIron anywhere. That should tell you something. Symantec is the goto choice for government encryption solutions, even though they have basically failed the consumer market. No app in existence can encrypt the iOS filesystem at root level which means it cannot ever be made secure enough for high security government use.

If you want to verify what I have said, ask somebody who is not selling you a product. Ask somebody working in government. MobileIron is basically a newbie, and they are not doing business with the government. They are not certified by the government.
 

Joelist

What ship is this?
Staff member
MobileIron is an example of an EMM/MDM platform. The app is just one end of it (and Symantec has a VERY similar app that forms one end of their solution as well). I also specifically noted government agencies using MobileIron beyond USDA. I guess the Department of Defense is not a US Government agency.

MobileIron is part of the solution, and does both support encryption and do it itself (the CSS component). In the case of iOS, contrary to your assertions the file system is encrypted (with an AES 256 crypto engine and keys).

As to Moto X always listening, I suggest you read the article. It makes the claim then does not explain at all how specifically the Moto X is always listening. Instead it claims (likely rightly) that the NSA is snooping emails at the server level. But remember we wipe the X and re-rom it with an OS with no Google pieces or apps prior to implementing it for corporate resources. And I think the X is going away as adoption (less than 10) was horrible.

Longer term I expect we'll be just iOS and Windows on mobile devices.

Finally, I may not work in a government office but our business by its nature has very high security requirements that by law in many areas mirror or exceed government ones. The challenge is complying with that and still maintaining usability. Working as I do on the Database and Analytics side of the house I get touched by it repeatedly and as a result when Blackberry was dropped (like a lot of enterprises we refused to go to Blackberry X) our unit was part of the new mobile device strategy.
 

Joelist

What ship is this?
Staff member
Which by the way is how I got informed on iOS security. Part of my role in the process required me to read all of the white papers on the OSes in question which includes the current iOS security and encryption infrastructure, and then compare them to what we needed for security. That in part is why older iPhones are verboten - you have to be a 5 series or higher (and since BYOD is not running yet effectively the requirement is a 6 since we are not buying 5s).
 

Overmind One

GateFans Gatemaster
Staff member
Which by the way is how I got informed on iOS security. Part of my role in the process required me to read all of the white papers on the OSes in question which includes the current iOS security and encryption infrastructure, and then compare them to what we needed for security. That in part is why older iPhones are verboten - you have to be a 5 series or higher (and since BYOD is not running yet effectively the requirement is a 6 since we are not buying 5s).

I believe the iPhone 6 and moving forward will eventually supplant Windows phones in government. But right now they are being blocked purely for greed reasons since Microsoft has a headlock on government agencies and military infrastructure. They have disappointed the government on many levels.
 

Bluce Ree

Tech Admin / Council Member
They got me. :(. I have had my rooted Galaxy S4 for a couple of years, rooted from within an hour of purchasing it. But that was when it was running Jelly Bean. Kit Kat brought Knox with it and thus the booby trap was laid. Do you know that the phone has a binary counter which tells it whether or not you have changed the kernel? Well, it does, and if you have gained root and then tried to UNroot, it will trip the Knox counter from 0x0 (valid) to 0x1 (warranty violation). It looks like this (not my phone)

KNOX-Warranty-Void-0x1.jpg

The Knox trigger cannot be flipped no matter what you do. No hack for it exists. It essentially bricks your phone. So, even though my pre-Knox rooted kernel was within warranty, UNrooting it flipped the switch. My T-mobile equipment protection would have been void if left rooted, but UNrooting it voided the Samsung warranty as well. AND it bricks the phone.

The Knox counter is only an indicator that your phone was flashed with non-sanctioned software. It isn't what bricked your phone nor is it a contributor to such in any manner.

Go to the XDA Dev site, download ODIN and grab a stock ROM for your phone and load it. You'll be back in business and you can even root it again.
 

Joelist

What ship is this?
Staff member
It's stuff like that that endears XDA to me. Plus it shows they have Samsung engineers in their ranks as they consistently have Samsung's tools up on the site.

Which ROM do you recommend? I would say pick one that is "bare" (no Google apps or any Google stuff as much as possible). For example CyanogenMod has either accomplished that in their latest release or are working towards it.
 

Gatefan1976

Well Known GateFan
The Knox counter is only an indicator that your phone was flashed with non-sanctioned software. It isn't what bricked your phone nor is it a contributor to such in any manner.

Go to the XDA Dev site, download ODIN and grab a stock ROM for your phone and load it. You'll be back in business and you can even root it again.

Odin is not known for letting you root whatever you want, you would be better off with ZEUS..................
 

Bluce Ree

Tech Admin / Council Member
Odin is not known for letting you root whatever you want, you would be better off with ZEUS..................

Pffffft! He is the Allfather of gods and ruler of Asgard. I think if he wants to root a lowly phone device I'm sure he could handle it. :D
 

Bluce Ree

Tech Admin / Council Member
It's stuff like that that endears XDA to me. Plus it shows they have Samsung engineers in their ranks as they consistently have Samsung's tools up on the site.

Which ROM do you recommend? I would say pick one that is "bare" (no Google apps or any Google stuff as much as possible). For example CyanogenMod has either accomplished that in their latest release or are working towards it.

I like good, bare ROMs like CM especially when they enable all the disabled customization features in the AOSP base code. But, in OM1's case, he will probably need to force his phone back to a stock ROM with ODIN in order to revive it from its slumber. His phone is most likely not bricked per se but rather may be corrupted at the bootloader and can only get into ODIN mode (vol-down + home + power).
 