I'm finding a lot of threads about changing from pin/password to pattern unlock, but not having any luck in completely disabling the security feature BS...
Is it possible to completely eliminate the password lock required by my exchange server? I have tried lockpicker and no lock, neither of which worked.
I would like to keep syncing but am not going to deal with this unlocking all the time (they JUST started enforcing it)...any help would be appreciated.
BTW, running Calkulin's EViO 2 v 1.7 (sense, so HTC mail)
Nope, this is tightly integrated down to the OS in order to pass MS requirements, and it reports the control level back to exchange so it can make sure it's in compliance with their mobile device policy.
In theory you can make an app that proxies the API and lies about what the phone can do ... but it won't be done with a simple APK/market app ... its integration goes much deeper.
Honestly your best bet: this is clearly a new policy. Complain repeatedly to your IT staff. You're probably not the only one upset ... and noise will result in policy change ... because reality: IT staff hate dealing with people. They want to deal with servers.
Option 2: if you have a buddy on the exchange team he can put you on the same policy he undoubtedly created for himself and his team, that's 10x as lenient so he can mess with his little pet projects he plays with on the side.
Justin.G11 said:
Nope, this is tightly integrated down to the OS in order to pass MS requirements, and it reports the control level back to exchange so it can make sure it's in compliance with their mobile device policy.
In theory you can make an app that proxies the API and lies about what the phone can do ... but it won't be done with a simple APK/market app ... its integration goes much deeper.
Honestly your best bet: this is clearly a new policy. Complain repeatedly to your IT staff. You're probably not the only one upset ... and noise will result in policy change ... because reality: IT staff hate dealing with people. They want to deal with servers.
Option 2: if you have a buddy on the exchange team he can put you on the same policy he undoubtedly created for himself and his team, that's 10x as lenient so he can mess with his little pet projects he plays with on the side.
Thanks...I figured it wouldn't be that easy but I had to ask.
Justin.G11 said:
Honestly your best bet: this is clearly a new policy. Complain repeatedly to your IT staff. You're probably not the only one upset ... and noise will result in policy change ... because reality: IT staff hate dealing with people. They want to deal with servers.
I get complaints all the time about policies. 99.999% of the time, the policies are created/approved by steering committees, the legal department or executive management. There is usually nothing IT can do about it as the policies are put into place for legal reasons or company security.
Additionally, if IT departments are not compliant in company policies there could be legal ramifications if the company has to comply with certain government guidelines.
And IT staff don't hate dealing with people...it sounds like your work environment is not like others.
Check out this thread to see if it does what you are looking for.
http://forum.xda-developers.com/showthread.php?t=775007
They modified the actual email.apk app to remove the security requirement that was hardcoded in it.
It was taken from CM7 which is AOSP, so I cannot say whether or not it will work on sense.
EDIT: After searching some more, droidforums has a modified email.apk file that you can install, that you use instead of the HTC mail, which tricks your exchange server into thinking that you have your security enabled.
http://www.droidforums.net/forum/dr...onal-froyo-bypass-exchange-server-policy.html
Just download the zip, and extract the apk from it, then place the apk on your SDCard and install it just like a regular app.
Khilbron said:
Check out this thread to see if it does what you are looking for.
http://forum.xda-developers.com/showthread.php?t=775007
They modified the actual email.apk app to remove the security requirement that was hardcoded in it.
It was taken from CM7 which is AOSP, so I cannot say whether or not it will work on sense.
EDIT: After searching some more, droidforums has a modified email.apk file that you can install, that you use instead of the HTC mail, which tricks your exchange server into thinking that you have your security enabled.
http://www.droidforums.net/forum/dr...onal-froyo-bypass-exchange-server-policy.html
Just download the zip, and extract the apk from it, then place the apk on your SDCard and install it just like a regular app.
Will look into that. Thank you very much!
I ended up using the modified email.apk from CM7...works like a charm!!! The Droid forums version kept coming up with security errors. THANKS AGAIN Khilbron!!!
awenthol said:
I ended up using the modified email.apk from CM7...works like a charm!!! The Droid forums version kept coming up with security errors. THANKS AGAIN Khilbron!!!
Can you please post a link to the one you used?
Sent from my PC36100 using XDA App
Justin.G11 said:
Nope, this is tightly integrated down to the OS in order to pass MS requirements, and it reports the control level back to exchange so it can make sure it's in compliance with their mobile device policy.
In theory you can make an app that proxies the API and lies about what the phone can do ... but it won't be done with a simple APK/market app ... its integration goes much deeper.
Honestly your best bet: this is clearly a new policy. Complain repeatedly to your IT staff. You're probably not the only one upset ... and noise will result in policy change ... because reality: IT staff hate dealing with people. They want to deal with servers.
Option 2: if you have a buddy on the exchange team he can put you on the same policy he undoubtedly created for himself and his team, that's 10x as lenient so he can mess with his little pet projects he plays with on the side.
Yes..this reply really isn't correct. There have been some sqlite modifications that can be made or using the mail.apk from this link (http://forum.xda-developers.com/showthread.php?t=775007) works perfect, even with the new CM7-RC2
Bypassing Exchange security
I had this same issue with my work email. My way of bypassing it and still using the stock Mail app is by installing widgetlocker. Unfortunately the newest version does not bypass your encryption, but the older version before the most recent update does. Also it allows you to fully customize your lockscreen and add widgets and what have you. All in all pretty cool app.
widgetlocker.teslacoilsw.com/general/widgetlocker-1-2-9/
(unfortunately because I have never posted before I cannot post links so PM if the link does not work)
Amazing! So you guys have a device in your pocket that has complete access to your work mail server (something you don't own), and you apparently don't care if that falls into the wrong hands?
I don't want to get preachy but this is serious stuff:
1. Are you aware of the damage that can fall on an organization, its IP and reputation if a hacker/spammer has access to a mail account?
2. Your company's mail server is an asset of the company. Gaining access and leaving it unlocked is like borrowing something from work and leaving it on the street.
I understand that IT policies are annoying to the end user, but they are there for good reason.
Would you leave the company vehicle unlocked because it is annoying to get the key out? No.
Oh, and by the way, you can be held directly liable for damages for disabling/ hacking around policies. I have seen employees get fired for it.
Sent from my device.
ramiss said:
Amazing! So you guys have a device in your pocket that has complete access to your work mail server (something you don't own), and you apparently don't care if that falls into the wrong hands?
I don't want to get preachy but this is serious stuff:
1. Are you aware of the damage that can fall on an organization, its IP and reputation if a hacker/spammer has access to a mail account?
2. Your company's mail server is an asset of the company. Gaining access and leaving it unlocked is like borrowing something from work and leaving it on the street.
I understand that IT policies are annoying to the end user, but they are there for good reason.
Would you leave the company vehicle unlocked because it is annoying to get the key out? No.
Oh, and by the way, you can be held directly liable for damages for disabling/ hacking around policies. I have seen employees get fired for it.
Sent from my device.
The issue I have is with the idea that the company gets to dictate how my entire device functions. Your points are valid, but why not just require a password on the email app, not on the whole phone? Why do I have to consent to allowing them to order a full device wipe, instead of just a wipe of the company data?
bkrodgers said:
The issue I have is with the idea that the company gets to dictate how my entire device functions. Your points are valid, but why not just require a password on the email app, not on the whole phone? Why do I have to consent to allowing them to order a full device wipe, instead of just a wipe of the company data?
Those are some good points and questions:
If you just locked the mail app then the app would need to encrypt/decrypt all data, which would make it MUCH slower. However, the main reason is that the app lock approach is much more hackable..one simple example would be to load a proxy on the phone to intercept communication before it could be encrypted.
The idea behind the device lock is that it happens on a deeper level and is the most secure answer.
The question about having a choice with your device is actually a simple one to answer...if you don't agree with the work policy then don't use your personal device for work email.
The other thing is that, besides not having a choice, the forced answer is beneficial for everyone....if I lose my device then I definitely don't want strangers crank calling my family or getting personal info. I have read about some horrible stories.
The real question is...If your phone is lost why would you NOT want it to be secure and erased asap??
Sent from my "locked" device.
ramiss said:
Those are some good points and questions:
If you just locked the mail app then the app would need to encrypt/decrypt all data, which would make it MUCH slower. However, the main reason is that the app lock approach is much more hackable..one simple example would be to load a proxy on the phone to intercept communication before it could be encrypted.
The idea behind the device lock is that it happens on a deeper level and is the most secure answer.
Yes and no. There are approaches that are easier if you aren't securing the whole device, but that doesn't mean it can't still be hacked.
ramiss said:
The question about having a choice with your device is actually a simple one to answer...if you don't agree with the work policy then don't use your personal device for work email.
Overall I agree with that, although I think at a company that offers mobile email, there's a sort of "peer pressure" to use it. Not to say that's a good reason. I'd imagine that it'd be hard for a company to actually require you to use mobile email on your personal device -- if your job truly requires it, I'd think they'd have to provide you a device if you don't have a compatible device or aren't willing to use it that way. So yes, you're probably right that you have the choice. It doesn't mean that we can't complain though.
ramiss said:
The other thing is that, besides not having a choice, the forced answer is beneficial for everyone....if I lose my device then I definitely don't want strangers crank calling my family or getting personal info. I have read about some horrible stories.
The real question is...If your phone is lost why would you NOT want it to be secure and erased asap??
If it's really lost forever, yes. But what if:
- The exchange admin sends the wipe command to the wrong phone. ("Hi, I'm John Smith and I've lost my phone.")
- The "wipe after X invalid passcode" policy is enabled. A friend or a kid picks up the phone and tries to play with it. Whoops.
- Something else goes wrong...bottom line is that the company should have no right to wipe anything other than their own data.
I understand the need for locking the device...I really do. But, if someone does happen to find my phone (knock on wood but HIGHLY, HIGHLY unlikely, as I've never even almost forgotten any phone, anywhere, ever) they aren't going to find ANYTHING of value in my emails. I'm pretty low on the totem pole.
If I had sensitive data on my phone...no questions asked, I would keep it p-word locked.
matt2053 said:
Can you please post a link to the one you used?
Sent from my PC36100 using XDA App
http://forum.xda-developers.com/showthread.php?t=775007
awenthol said:
I understand the need for locking the device...I really do. But, if someone does happen to find my phone (knock on wood but HIGHLY, HIGHLY unlikely, as I've never even almost forgotten any phone, anywhere, ever) they aren't going to find ANYTHING of value in my emails. I'm pretty low on the totem pole.
If I had sensitive data on my phone...no questions asked, I would keep it p-word locked.
Your Exchange Admin (or you depending on the version of Exchange you're using) has the ability to remotely wipe your device in the event it gets stolen/lost.
Could anyone give a brief possible explanation of why I can connect to my exchange server easily using Touchdown, but not using the Android integrated Exchange Account Sync?
Sent from my PC36100 using XDA App
Just found this thread as I've encountered the same issue on a HTC Sensation, just setup Exchange ActiveSync, and bam, have to set up the PIN lock on the phone.
However I've noticed that once you've done it, you can then go into Settings, Security and change the timeout before it locks up to 1 hour (I think that is dependent on your company setting). Mine was defaulting to every time the screen locked, but changing it to 1 hour I find I hardly ever have to unlock the phone now apart from first thing in the morning as I tend to use it regularly through the day.
Can anyone confirm that changing the date actually forces a check? Though the idea has been tossed around here like truth for a couple of days, I have seen only one post where someone said it works. Everyone else has said something along the lines of: I came home and it was up.
Everyone knows that if you set the clock forward, it says that the system was checked under system updates. Sorry, but that's not proof that it checks. That's proof that update check clock changes. I am asking if anyone has proof that changing the clock date actually forces a check. Proof would be either:
1) Someone has had the update actually happen immediately after changing the clock; or
2) There's evidence of internet activity consistent with checking for an update.
Can someone who's gotten the update explain what it looks like? When you turned it on, did it come up right after the animation? If you did the date trick, did you click "set" and it popped up immediately on screen? I am starting to think that the date change thing is only slowing this down; it just resets the clock for the update, it doesn't actually force the check.
Anyone have any other ideas? I am supposed to be studying for a final which is certainly why I'm obsessing about this, but I really can't help it. Anything to take my mind off studying for that horrible class. This final is going to kill me. (Then again, it's the last one I will EVER take!!!)
No it hasn't worked for me.
Coldheat1906 said:
No it hasn't worked for me.
Thanks. It hasn't worked for many people. I'm curious if anyone knows if it CAN work, or if it's just a myth.
The update will appear as a notification on the lower right hand of your Xoom, kind of like a notification like you are downloading something from the market.
slack04 said:
Can anyone confirm that changing the date actually forces a check? ...
On my Wifi only Xoom it forces a check.
For example;
1. My Xoom says it last checked for an update at 1:10pm and it is now 6:10pm on the same day
2. I change the date to one day in advance
3. I go to system updates and it says it last checked at 6:10pm
So it did force a check.
Whether or not an update is available for your Xoom is a different story.
The date change will force a check but not force the actual update.
laredo7mm said:
On my Wifi only Xoom it forces a check.
For example;
1. My Xoom says it last checked for an update at 1:10pm and it is now 6:10pm on the same day
2. I change the date to one day in advance
3. I go to system updates and it says it last checked at 6:10pm
So it did force a check.
Whether or not an update is available for your Xoom is a different story.
The date change will force a check but not force the actual update.
Sorry, but that's not proof that it checks. That's proof that update check clock changes. I thought that was clear in my first post. I am asking if anyone has proof that changing the clock date actually forces a check. Proof would be either:
1) Someone has had the update actually happen immediately after changing the clock; or
2) There's evidence of internet activity consistent with checking for an update.
you can force an update check using these steps:
1. hold power+volup, the xoom will reboot
2. after reboot go to system settings and check for updates
Doing this hasn't worked for me at all. Tried several times even with reboots. Yes the time changes but doesn't mean it really did anything. Frustrated the Wifi users are rolling today and here I sit with 3G and nothing still.
ruinah said:
Doing this hasn't worked for me at all. Tried several times even with reboots. Yes the time changes but doesn't mean it really did anything. Frustrated the Wifi users are rolling today and here I sit with 3G and nothing still.
Yesterday I re-imaged my xoom to stock but realized too late that I was using 3.0 instead of 3.0.1. I went in and changed the date and set it back to automatic. My Xoom immediately started downloading the 3.0.1 patch. That is about as much proof as I can provide.
Yes it does force a check
This is what shows up in the logcat after changing the date:
D/SystemClock( 8596): Setting time of day to sec=1307904965
D/SystemClock( 133): Setting time of day to sec=1305226357
D/Beautiful Widgets( 846): Received Weather refresh Intent
E/Beautiful Widgets( 846): Acquiring new WakeLock on an existing notheld instance
D/Beautiful Widgets( 846): Service for Weather started
V/Beautiful Widgets( 846): Service AccuWeather onStart()
D/Beautiful Widgets( 846): Service AccuWeather Thread started
I/Beautiful Widgets( 846): Provider is network
I/Beautiful Widgets( 846): Requesting location update
I/EventLogService( 247): Aggregate from 1307904746624 (log), 1307904746506 (data)
E/TelephonyManager( 247): Hidden constructor called more than once per process!
E/TelephonyManager( 247): Original: com.google.android.location, new: com.google.android.gsf
I/CheckinService( 247): Preparing to send checkin request
I/EventLogService( 247): Accumulating logs since 1307904965403
D/dalvikvm( 846): GC_CONCURRENT freed 867K, 13% free 8280K/9479K, paused 3ms+4ms
I/CheckinTask( 247): Sending checkin request (1486 bytes)
D/dalvikvm( 846): GC_CONCURRENT freed 561K, 12% free 8406K/9479K, paused 3ms+3ms
V/AlarmClock( 8642): AlarmInitReceiver finished
D/dalvikvm( 133): GC_CONCURRENT freed 3891K, 29% free 21271K/29639K, paused 4ms+10ms
D/CalendarWidget( 8547): Scheduled next update at [1307941200000] 00:00:00 (+603 mins)
D/dalvikvm( 846): GC_CONCURRENT freed 963K, 14% free 8177K/9479K, paused 5ms+7ms
D/dalvikvm( 846): GC_CONCURRENT freed 494K, 12% free 8348K/9479K, paused 4ms+3ms
D/dalvikvm( 227): GC_FOR_ALLOC freed 1629K, 3% free 124319K/127879K, paused 77ms
D/dalvikvm( 227): GC_CONCURRENT freed 519K, 3% free 124143K/127879K, paused 2ms+13ms
I/CheckinTask( 247): Checkin success: https://android.clients.google.com/checkin (1 requests sent)
I/CheckinService( 247): From server: Intent { act=android.server.checkin.FOTA_CANCEL }
As you can see I still haven't gotten 3.1
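The two kinds of evidence argued over in this thread (the "last checked" time moving versus an actual request going out) can be told apart mechanically in a logcat capture. The script below is an added example, not something posted in the thread: it parses the brief-format lines quoted in the post above and reports whether a check-in request was sent and answered after the clock change. `POSTED_LOG` is copied from that post with unrelated lines left out; `CLOCK_ONLY_LOG` is constructed for contrast, and the function names are this example's own.

```python
import re

# Lines quoted from the post above (widget and GC noise left out).
POSTED_LOG = """\
D/SystemClock( 8596): Setting time of day to sec=1307904965
D/SystemClock( 133): Setting time of day to sec=1305226357
I/EventLogService( 247): Aggregate from 1307904746624 (log), 1307904746506 (data)
I/CheckinService( 247): Preparing to send checkin request
I/CheckinTask( 247): Sending checkin request (1486 bytes)
V/AlarmClock( 8642): AlarmInitReceiver finished
I/CheckinTask( 247): Checkin success: https://android.clients.google.com/checkin (1 requests sent)
I/CheckinService( 247): From server: Intent { act=android.server.checkin.FOTA_CANCEL }
"""

# Constructed sample: the clock changes but nothing talks to the server.
CLOCK_ONLY_LOG = """\
D/SystemClock( 133): Setting time of day to sec=1305226357
V/AlarmClock( 8642): AlarmInitReceiver finished
"""

# logcat "brief" format: LEVEL/Tag( pid): message. Tags may contain spaces.
LINE_RE = re.compile(r"^([VDIWEF])/(.+?)\(\s*(\d+)\):\s?(.*)$")
CLOCK_RE = re.compile(r"Setting time of day to sec=(\d+)")
SENT_RE = re.compile(r"Sending checkin request \((\d+) bytes\)")
OK_RE = re.compile(r"Checkin success: (\S+)")
ACTION_RE = re.compile(r"From server: Intent \{ act=([\w.]+)")


def parse(text):
    """Yield (line_index, tag, pid, message) for every well-formed line."""
    for idx, raw in enumerate(text.splitlines()):
        m = LINE_RE.match(raw.strip())
        if m:
            _level, tag, pid, msg = m.groups()
            yield idx, tag.strip(), int(pid), msg


def analyze(text):
    """Separate 'the clock changed' from 'a check-in request reached the server'."""
    result = {"clock_changes": [], "request_bytes": None,
              "endpoint": None, "server_actions": [], "verdict": ""}
    clock_seen = False
    sender_pid = None
    for _idx, tag, pid, msg in parse(text):
        if tag == "SystemClock":
            m = CLOCK_RE.search(msg)
            if m:
                result["clock_changes"].append(int(m.group(1)))
                clock_seen = True
        elif clock_seen and tag == "CheckinTask":
            sent = SENT_RE.search(msg)
            if sent:
                result["request_bytes"] = int(sent.group(1))
                sender_pid = pid
            ok = OK_RE.search(msg)
            # Only count a success logged by the process that sent the request.
            if ok and pid == sender_pid:
                result["endpoint"] = ok.group(1)
        elif clock_seen and tag == "CheckinService" and result["endpoint"]:
            action = ACTION_RE.search(msg)
            if action:
                result["server_actions"].append(action.group(1))

    if not result["clock_changes"]:
        result["verdict"] = "no clock change seen"
    elif result["endpoint"]:
        result["verdict"] = "check-in reached server"
    elif result["request_bytes"] is not None:
        result["verdict"] = "request sent, no reply logged"
    else:
        result["verdict"] = "clock changed, no check-in traffic logged"
    return result


if __name__ == "__main__":
    for name, log in (("posted", POSTED_LOG), ("clock only", CLOCK_ONLY_LOG)):
        r = analyze(log)
        print(f"{name}: {r['verdict']} | actions={r['server_actions']}")
```

The verdict rests on what the device's services chose to log, so it shows that a request and a reply were recorded, not what the reply means for update availability.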
El Daddy said:
This is what shows up in the logcat after changing the date:
D/SystemClock( 8596): Setting time of day to sec=1307904965
D/SystemClock( 133): Setting time of day to sec=1305226357
...
...
...
I/CheckinTask( 247): Checkin success: https://android.clients.google.com/checkin (1 requests sent)
I/CheckinService( 247): From server: Intent { act=android.server.checkin.FOTA_CANCEL }
slack04 said:
Sorry, but that's not proof that it checks. That's proof that update check clock changes. I thought that was clear in my first post...
Well, there you have your proof. Now, go study and quit being such a d-bag. I guess you were not clear since you had to go back and edit your post after I submitted my initial response.
laredo7mm said:
Well, there you have your proof. Now, go study and quit being such a d-bag. I guess you were not clear since you had to go back and edit your post after I submitted my initial response.
Excuse me? Yeah, I edited the post to make my question more clear.
Your post was not useful; in fact it showed that you hadn't really thought through the process before you posted. I wasn't rude to you, I just pointed out the error in your logic, which made me realize that I should go back and clarify my question. Who's the "d-bag" here?
Huh? I edited my post to bold the checkin. I skimmed through this thread and thought I would confirm to people it did indeed check in. I'm not trying to show anyone up. Just trying to be helpful.
Wtf?
Sent from my Xoom using XDA Premium App
El Daddy said:
Huh? I edited my post to bold the checkin. I skimmed through this thread and thought I would confirm to people it did indeed check in. I'm not trying to show anyone up. Just trying to be helpful.
Wtf?
Sent from my Xoom using XDA Premium App
Thanks dude, you answered the question. He was actually talking to me; I couldn't tell you what his problem is, though. In any case, you've answered the question, so I'm going to go back to clock-changing-update-checking right now! Thank you!
Well I'm just glad it's been proven. And I don't agree with the OP's original statement that it would have caused an issue if it didn't actually force a check. Only because I don't feel that changing the date would actually affect anything to do with checking for an update, either way it is checking the same server w/the same access codes.
For example, if someone would have 3.0 and set the date back to the Xoom's launch day and ran a check for an update would still be updated to 3.01 or if lucky 3.1.
Like the date on your Xoom is only for creating time stamps on the Xoom.
I explained how this works in my post below:
http://forum.xda-developers.com/showthread.php?t=1076295
RadDudeTommy said:
Well I'm just glad it's been proven. And I don't agree with the OP's original statement that it would have caused an issue if it didn't actually force a check. Only because I don't feel that changing the date would actually affect anything to do with checking for an update, either way it is checking the same server w/the same access codes.
For example, if someone would have 3.0 and set the date back to the Xoom's launch day and ran a check for an update would still be updated to 3.01 or if lucky 3.1.
Like the date on your Xoom is only for creating time stamps on the Xoom.
It's moot at this point, but it was when you wrote your post also. What I was suggesting was that, if it wasn't actually checking by changing the date, then we could be stopping the actual update check from happening by trying, therefore setting us back by 12 hours (about the frequency of the automatic checks) every time we tried to "cheat." Of course, now that it's shown that the check does actually query the server (and that makes very little difference to when you actually get your update) my original guess (not statement) is obviously incorrect.
laredo7mm said:
Well, there you have your proof. Now, go study and quit being such a d-bag. I guess you were not clear since you had to go back and edit your post after I submitted my initial response.
+1
Really getting tired of this guy talking down to everyone. Don't know when I have ever seen someone as condescending.
Sent from my ADR6300 using XDA App
RadDudeTommy said:
Well I'm just glad it's been proven. And I don't agree with the OP's original statement that it would have caused an issue if it didn't actually force a check. Only because I don't feel that changing the date would actually affect anything to do with checking for an update, either way it is checking the same server w/the same access codes.
For example, if someone would have 3.0 and set the date back to the Xoom's launch day and ran a check for an update would still be updated to 3.01 or if lucky 3.1.
Like the date on your Xoom is only for creating time stamps on the Xoom.
Suppose our entire solar system was contained in a drop of water about to get wiped by a windshield wiper?
kyoteqwik said:
+1
Really getting tired of this guy talking down to everyone. Don't know when I have ever seen someone as condescending.
Sent from my ADR6300 using XDA App
That's friendly.
I just purchased Galaxy Note 3 (SM-N900), saw a new entity called "KNOX" ......What the hell is it ?? What is its use ??
I have not tapped its icon as yet as I am very unclear regarding its functioning....Please explain in details if possible....
nuclear equiped walking death mobile
http://www.samsung.com/global/business/mobile/solution/security/samsung-knox
Yeah, read the white paper, it explains what actually trips the KNOX_WARRANTY_VOID flag.
Basically, the contents of each partition in the phone are digitally signed with an X.509 certificate that's installed into the phone memory at manufacture and is unique to each phone (my guess, generated based on serial and/or IMEI).
Each time the bootloader boots, it checks the signature of the contents of each partition against the permanently installed certificates. If any of those partitions have been altered, the signature becomes invalid, and the bootloader displays the following (recovery in this example):
RECOVERY IS NOT SEANDROID ENFORCING
Set Warranty Bit: 1 recovery
I also saw it display "Set Warranty Bit: 1 cache" when I used Chainfire's Auto-Root.
There is an ARM chip inside the phone that does hardware on-the-fly encryption-decryption of the KNOX container so that it is transparent to the end-user. It also runs the TIMA layer of the KNOX system, which actually means it's monitoring the contents of the critical partitions IN REAL TIME as the phone runs for tampering. My suspicion, the KNOX warranty flag is stored in that chip. It sounds like it's a separate SoC that has its own little OS (kind of like the Android secure element, but much, much more powerful and complex), so hacking into it may very likely be like trying to convince the US Congress to quit because they're doing a very bad job.
However, since older phones that didn't ship with KNOX are getting it in a software update this winter, there are two possibilities - either they already have the ARM cryptographic chip on board and it was never used, OR the KNOX warranty flag is a software solution (not an eFuse) which can be reversed.
Someone with a LOT more knowledge than most XDA "devs" here will need to do some serious reverse engineering to figure out where and how the KNOX flag is stored.
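The check-at-boot behaviour described in the post above, as an added example that is not Samsung's code and not part of the original post: each partition is measured, compared with an authenticated list of expected digests, and a one-way flag is set on any mismatch. Assumptions: an HMAC under a constructed device key stands in for the certificate-based signature check the post describes, the partition contents are constructed, and all class and function names are this example's own.

```python
import hashlib
import hmac


class WarrantyFuse:
    """One-way flag: it can go 0 -> 1 and there is no method to clear it."""

    def __init__(self):
        self._blown = False

    def blow(self):
        self._blown = True

    @property
    def value(self):
        return 1 if self._blown else 0


def measure(image):
    """Digest of a partition image as read at boot."""
    return hashlib.sha256(image).digest()


def _manifest_bytes(manifest):
    # Canonical encoding: names in sorted order, each followed by its digest.
    return b"".join(name.encode() + b"\0" + manifest[name]
                    for name in sorted(manifest))


def seal(device_key, partitions):
    """Factory step: record every partition digest and authenticate the list."""
    manifest = {name: measure(image) for name, image in partitions.items()}
    tag = hmac.new(device_key, _manifest_bytes(manifest), hashlib.sha256).digest()
    return manifest, tag


def verify_boot(device_key, manifest, tag, partitions, fuse):
    """Boot step: return the partitions that fail; blow the fuse if any do."""
    expected = hmac.new(device_key, _manifest_bytes(manifest),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        # The list of expected digests is itself untrusted: fail everything.
        failed = sorted(partitions)
    else:
        failed = [name for name in sorted(partitions)
                  if name not in manifest
                  or not hmac.compare_digest(measure(partitions[name]),
                                             manifest[name])]
    if failed:
        fuse.blow()
    return failed


def demo():
    """Three boots: stock, modified recovery, stock again after a reflash."""
    key = b"constructed-device-key"  # constructed value, for illustration only
    stock = {"boot": b"stock kernel",
             "recovery": b"stock recovery",
             "system": b"stock system"}
    manifest, tag = seal(key, stock)
    fuse = WarrantyFuse()
    history = []
    modified = dict(stock, recovery=b"custom recovery")
    for images in (stock, modified, stock):
        failed = verify_boot(key, manifest, tag, images, fuse)
        history.append((failed, fuse.value))
    return history


if __name__ == "__main__":
    for failed, bit in demo():
        for name in failed:
            print(f"Set Warranty Bit: {bit} {name}")
        print(f"boot done, failed={failed}, warranty bit={bit}")
```

The third boot passes every check yet the bit stays at 1, which is the difference between a one-way flag and an indicator that clears once stock images are restored.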
siraltus said:
Yeah, read the white paper, it explains what actually trips the KNOX_WARRANTY_VOID flag.
Basically, the contents of each partition in the phone are digitally signed with an X.509 certificate that's installed into the phone memory at manufacture and is unique to each phone (my guess, generated based on serial and/or IMEI).
Each time the bootloader boots, it checks the signature of the contents of each partition against the permanently installed certificates. If any of those partitions have been altered, the signature becomes invalid, and the bootloader displays the following (recovery in this example):
RECOVERY IS NOT SE ENFORCING
Set Warranty Bit: 1 recovery
I also saw it display "Set Warranty Bit: 1 cache" when I used Chainfire's Auto-Root.
There is an ARM chip inside the phone that does hardware on-the-fly encryption-decryption of the KNOX container so that it is transparent to the end-user. It also runs the TIMA layer of the KNOX system, which actually means it's monitoring the contents of the critical partitions IN REAL TIME as the phone runs for tampering. My suspicion, the KNOX warranty flag is stored in that chip. It sounds like it's a separate SoC that has its own little OS (kind of like the Android secure element, but much, much more powerful and complex), so hacking into it may very likely be like trying to convince the US Congress to quit because they're doing a very bad job.
However, since older phones that didn't ship with KNOX are getting it in a software update this winter, there are two possibilities - either they already have the ARM cryptographic chip on board and it was never used, OR the KNOX warranty flag is a software solution (not an eFuse) which can be reversed.
Someone with a LOT more knowledge than most XDA "devs" here will need to do some serious reverse engineering to figure out where and how the KNOX flag is stored.
Is Knox the reason why I get the "custom" with the unlocked padlock symbol upon booting up now? No reason why since I just got it yesterday and haven't modded it.
Sent from my SAMSUNG-SM-N900A using XDA Premium 4 mobile app
jbbosu said:
Is Knox the reason why I get the "custom" with the unlocked padlock symbol upon booting up now? No reason why since I just got it yesterday and haven't modded it.
Sent from my SAMSUNG-SM-N900A using XDA Premium 4 mobile app
No, that's just the "Official/Custom" binary and system status indicators that have been present on Samsung devices for a while now. Those are resettable by wiping the phone and flashing a completely unaltered stock firmware image. There is also a custom binary flash counter that is resettable by TriangleAway.
KNOX is a totally different beast - a secure boot environment protected by a trust chain - the white paper explains it.
I wonder how it affects the battery life ? Sorry I didn't really understand anything you guys are throwing out .. I just don't like bloat ...
Please explain my query in a simple language so that I really understand what is "KNOX" & why the hell is it preinstalled on my Note 3 !!!
Knox for Dummies:
Knox creates a secure and compartmentalized area on your phone which is encrypted and reserved mainly for corporate use.
Samsung is hoping to catch market share from Blackberry for corporate sales. Knox allows for BYOD, or Bring your own Device, so employees who like android can keep using it.
Your IT manager will load corporate stuff onto your phone remotely into the Knox area so your business data is kept compartmentalized and somewhat secure from your private download of virus-laden crap. If you lose the phone and someone tries to access it, it will delete itself if the hacker tries more than 20 times to input a password. Knox also prevents the IT manager reading your private area.
However, if you do not have a business use you can use Knox privately and have a secure area, so you can safely let family members use it without fear your own data, like a diary, will be compromised. Unfortunately the private use of Knox is very limited and only has a few applications like email, camera, gallery, S Planner and My Files, and some downloadable Knox applications.
For most people Knox is too much bother to use privately as it requires a password to access each time and it is not so easy to get data in and out of the Knox area. For example, Knox restrictions prevent Screen Write.
I guess Samsung put it on the phone so users can get familiar with it being there and so will make less of a fuss at work and be likely to prefer Knox to having two phones to carry around.
Hope that helps.
Knox should create lots of extra topics on forums like... "Help, my phone self-destructed all the picture gallery I kept in Knox". LOL
ketani73 said:
Please explain my query in a simple language so that I really understand what is "KNOX" & why the hell is it preinstalled on my Note 3 !!!
siraltus said:
Yeah, read the white paper, it explains what actually trips the KNOX_WARRANTY_VOID flag.
Basically, the contents of each partition in the phone are digitally signed with an X.509 certificate that's installed into the phone memory at manufacture and is unique to each phone (my guess, generated based on serial and/or IMEI).
Each time the bootloader boots, it checks the signature of the contents of each partition against the permanently installed certificates. If any of those partitions have been altered, the signature becomes invalid, and the bootloader displays the following (recovery in this example):
RECOVERY IS NOT SE ENFORCING
Set Warranty Bit: 1 recovery
I also saw it display "Set Warranty Bit: 1 cache" when I used Chainfire's Auto-Root.
There is an ARM chip inside the phone that does hardware on-the-fly encryption-decryption of the KNOX container so that it is transparent to the end-user. It also runs the TIMA layer of the KNOX system, which actually means it's monitoring the contents of the critical partitions IN REAL TIME as the phone runs for tampering. My suspicion, the KNOX warranty flag is stored in that chip. It sounds like it's a separate SoC that has its own little OS (kind of like the Android secure element, but much, much more powerful and complex), so hacking into it may very likely be like trying to convince the US Congress to quit because they're doing a very bad job.
However, since older phones that didn't ship with KNOX are getting it in a software update this winter, there are two possibilities - either they already have the ARM cryptographic chip on board and it was never used, OR the KNOX warranty flag is a software solution (not an eFuse) which can be reversed.
Someone with a LOT more knowledge than most XDA "devs" here will need to do some serious reverse engineering to figure out where and how the KNOX flag is stored.
ketani73 said:
Please explain my query in a simple language so that I really understand what is "KNOX" & why the hell is it preinstalled on my Note 3 !!!
You should at least thank him for taking the time out to inform you of it (whether you had the common sense to understand it or not). It's common courtesy.
ketani73 said:
Please explain my query in a simple language so that I really understand what is "KNOX" & why the hell is it preinstalled on my Note 3 !!!
You not understanding what I wrote is not my problem. If you want to know, go learn.
---------- Post added at 10:06 AM ---------- Previous post was at 09:34 AM ----------
arsi123 said:
You should at least thank him for taking the time out to inform you of it (whether you had the common sense to understand it or not). It's common courtesy.
Thanks man. Too many arrogant, self-entitled, impatient dweebs on this site who expect to be spoon-fed everything and cry foul when something requires reading comprehension beyond third grade.
fonejacker said:
Knox for Dummies:
Knox creates a secure and compartmentalized area on your phone which is encrypted and reserved mainly for corporate use.
Samsung is hoping to catch market share from Blackberry for corporate sales. Knox allows for BYOD, or Bring your own Device, so employees who like android can keep using it.
Your IT manager will load corporate stuff onto your phone remotely into the Knox area so your business data is kept compartmentalized and somewhat secure from your private download of virus-laden crap. If you lose the phone and someone tries to access it, it will delete itself if the hacker tries more than 20 times to input a password. Knox also prevents the IT manager reading your private area.
However, if you do not have a business use you can use Knox privately and have a secure area, so you can safely let family members use it without fear your own data, like a diary, will be compromised. Unfortunately the private use of Knox is very limited and only has a few applications like email, camera, gallery, S Planner and My Files, and some downloadable Knox applications.
For most people Knox is too much bother to use privately as it requires a password to access each time and it is not so easy to get data in and out of the Knox area. For example, Knox restrictions prevent Screen Write.
I guess Samsung put it on the phone so users can get familiar with it being there and so will make less of a fuss at work and be likely to prefer Knox to having two phones to carry around.
Hope that helps.
Knox should create lots of extra topics on forums like... "Help, my phone self-destructed all the picture gallery I kept in Knox". LOL
Thanks for the brief explanation... I'm new to Android and was confused about this too.
Read the links in this Post: http://forum.xda-developers.com/showpost.php?p=45851579&postcount=1
Layman's terms: think of Android as a container with no lid - things can go in or out.
Knox is a second container inside the 1st that has a lid. Anything done inside Knox stays inside Knox. You aren't able to utilise all the features of the original OS, only the things Knox will let you.
Unfortunately it also affects the running of Android because to make sure that the Knox part doesn't get violated by anything not allowed it has to keep the whole OS "pure"...
That's why root access is a problem: it opens the lid a crack, allowing things in and out that shouldn't be there, so once you root, it detects this and, no longer able to ensure complete safety of data, will no longer run as it should on your device. It just hangs around, a ghost in the system to pi$$ you off...
This is a simple idea of what Knox was intended to do, it actually has ties right to the kernel and bootloader, hence the warranty void problem.
I have searched and read about it but I'm still not sure how it works. I understand the containers. I understand that one container cannot access another container and vice versa.
But what is to prevent the data in one container from being shipped out to the web? How does it really protect the data?
testrider said:
I have searched and read about it but I'm still not sure how it works. I understand the containers. I understand that one container cannot access another container and vice versa.
But what is to prevent the data in one container from being shipped out to the web? How does it really protect the data?
No, no, no, you have it all wrong... It's not to protect YOUR data... It's to protect Samsung's bottom line.. All those nasty people with legitimate claims for warranty, Knox destroys that so you can't present for warranty if something goes wrong....
testrider said:
I have searched and read about it but I'm still not sure how it works. I understand the containers. I understand that one container cannot access another container and vice versa.
But what is to prevent the data in one container from being shipped out to the web? How does it really protect the data?
Read this: http://www.samsung.com/global/business/mobile/solution/security/samsung-knox
And this: https://www.samsungknox.com/overview/technical-details
This also: http://forum.xda-developers.com/showpost.php?p=46795903&postcount=149
Secure Android Platform
Samsung KNOX offers a multi-faceted security solution rooted in the tamper-resistant device hardware, through the Linux kernel and Android operating system. The first line of defense against malicious attacks, Samsung KNOX is currently approved to run on US Department of Defense networks. (If flag 0x0, my opinion).
More important than warranty is the security. Flag at 0x1 means NOT SECURE. The people are warned of that by Warranty Void.
Read this also: http://www.sammobile.com/2013/10/09...alaxy-note-3-causes-hardware-damage-say-what/
Rooting-and-flashing-custom-software-on-the-galaxy-note-3-causes-hardware-damage-say-what
Thank you. Will check it out.
Hi, I've been searching answers for this on Google for a while now but not found any sufficient answers.
I have a new phone that is completely locked down by company policies. I don't agree with these policies and they stop me from using my preferred launcher, which needs root.
In short words, I want this crap off my phone!
Knox Enrollment Service is completely locked and cannot be disabled. Maas360 cannot be disabled and unlocked. I read that you cannot root a phone running Maas360 and KNOX the normal way.
Is there a ROM that would allow me to safely remove these services and turn my phone into a stock Samsung Galaxy S8 - or will that brick my phone?
Thanks for any advice
If it's corporate policy, they will be notified if the phone is rooted or modified in any way and you could lose your job over it. They probably have strict policies in place to prevent access to company data. If you didn't agree then why did you add any company accounts to your phone?
whitedragon551 said:
If it's corporate policy, they will be notified if the phone is rooted or modified in any way and you could lose your job over it. They probably have strict policies in place to prevent access to company data. If you didn't agree then why did you add any company accounts to your phone?
Thanks for your reply!
I don't know how these services work, but if I flash it with a custom ROM that completely removes the old system and makes it into a "stock" Samsung phone, then none of these services would be present to report any of these changes. I guess the receiving system would simply believe this phone is turned off and possibly after some weeks report that the phone hasn't reported in for X days. Thanks for worrying about me keeping my job, but that won't be a problem, I assure you.
mrkiwibanana said:
Thanks for your reply!
I don't know how these services work, but if I flash it with a custom ROM that completely removes the old system and makes it into a "stock" Samsung phone, then none of these services would be present to report any of these changes. I guess the receiving system would simply believe this phone is turned off and possibly after some weeks report that the phone hasn't reported in for X days. Thanks for worrying about me keeping my job, but that won't be a problem, I assure you.
It depends. I deploy MDM systems like this. Is this a corporate device or a personal device that is just enrolled?
whitedragon551 said:
It depends. I deploy MDM systems like this. Is this a corporate device or a personal device that is just enrolled?
It's a corporate device. When I first initialized the phone the KNOX or Maas360 started an enrollment service that was not optional.
mrkiwibanana said:
It's a corporate device. When I first initialized the phone the KNOX or Maas360 started an enrollment service that was not optional.
If it's a corporate device there isn't anything you can do. It is enrolled at a physical hardware level in Android for Work. It will activate KNOX and call home every single time the device is wiped before you can proceed with any other functions. If it doesn't phone home to get the config, you cannot proceed with the setup. It's similar to DEP for Apple devices.
whitedragon551 said:
If it's a corporate device there isn't anything you can do. It is enrolled at a physical hardware level in Android for Work. It will activate KNOX and call home every single time the device is wiped before you can proceed with any other functions. If it doesn't phone home to get the config, you cannot proceed with the setup. It's similar to DEP for Apple devices.
Thanks! Bad news for me, I guess I just have to bite into this sour lemon and accept. I will keep my hopes up that someone will find a way to blast past this in the future
Need help removing maas360
Hey, so my Galaxy S8 had gone through the partial touch failure, so as I was recommended I factory reset my phone, and long story short I am stuck with MaaS360 and can't restore all my settings and such, so I need to get it off, preferably without a computer. (Also help with the touch screen would be nice but not crucial at this time)
Jok3Smok3 said:
Hey, so my Galaxy S8 had gone through the partial touch failure, so as I was recommended I factory reset my phone, and long story short I am stuck with MaaS360 and can't restore all my settings and such, so I need to get it off, preferably without a computer. (Also help with the touch screen would be nice but not crucial at this time)
I love reading stories about MaaS360, I actually admin it for a company. If it's a corporate device you may be SOL; you may ask the admin to remove control, if it's a personal device, to remove MaaS360.
Go into MaaS360 - settings, top right, you should see 3 squares. Hit remove MDM control; after you remove control you can uninstall any part of MaaS360.
jmall84 said:
I love reading stories about MaaS360, I actually admin it for a company. If it's a corporate device you may be SOL; you may ask the admin to remove control, if it's a personal device, to remove MaaS360.
Go into MaaS360 - settings, top right, you should see 3 squares. Hit remove MDM control; after you remove control you can uninstall any part of MaaS360.
Hello. I installed an official software through Odin to my S8 Plus. Long story short, after factory resetting, I got this weird app called "custom blocker" and in my device admin, I have knox customisation, knox enrollment and custom blocker restriction. This device is my own and not of any company. Why did these random apps appear on my phone and how do I get rid of them? I am unable to update my phone or access the Play Store.
Any help will be appreciated. Thanks.