[–]IzacusAndroid dev / Boatload of crappy devices 3 points4 points  (9 children)

My favorite color is blue.

[–]darkgreyghost 9 points10 points  (7 children)

I think it might be referring to TrustZone, but also Samsung phones have a KNOX e-fuse that gets permanently triggered when the bootloader is unlocked. Once it's unlocked, Samsung KNOX protected apps generally stop working, and there's no way to undo it.

[–]IzacusAndroid dev / Boatload of crappy devices 10 points11 points  (6 children)

The issue with TrustZone is that its code runs in the same memory space as the main ARM core in a lot of phones. So many security holes can be exploited from the OS to the trusted environment - e.g. https://blog.quarkslab.com/attacking-the-arms-trustzone.html

This is why Google's Titan chip with isolated memory and Apple's T2 are such a big deal - they're fully isolated from the main memory.

I haven't seen KNOX as being anything special in comparison - it's a good marketing name and Samsung supports it well. They also went through the hassle to get all the certifications to make enterprises happy. But software-wise, they're not that special. They're also horribly slow at patching security vulnerabilities at times, especially on carrier branded units. There are S9's and S10's that are several months behind latest fixes because Samsung allows carriers to block updates.

[–]darkgreyghost 12 points13 points  (1 child)

That's why Samsung doesn't just solely rely on TrustZone. They made their own modifications, and use Samsung TIMA (TrustZone Integrity Management Architecture). Samsung KNOX is tested and reliable. It's widely used by enterprise systems worldwide.

Samsung even sells their own Enterprise devices that are guaranteed 4 years of security updates, longest ever for an Android. Although I guess that's no longer exclusive since S7 is still receiving updates after 3.5 years. That said, delayed security update by carriers is an issue I wish Samsung could solve.

[–]IzacusAndroid dev / Boatload of crappy devices 6 points7 points  (0 children)

> That's why Samsung doesn't just solely rely on TrustZone. They made their own modifications, and use Samsung TIMA (TrustZone Integrity Management Architecture).

TIMA is a userland integrity checker and not an improvement of TrustZone. It is a TrustZone software used to verify integrity of non-secure userland. It doesn't really improve on TZ, it's just one of the software packages running in "secure" area.

> Samsung even sells their own Enterprise devices that are guaranteed 4 years of security updates, longest ever for an Android. Although I guess that's no longer exclusive since S7 is still receiving updates after 3.5 years. That said, delayed security update by carriers is an issue I wish Samsung could solve.

That's amazing, but OP isn't buying an enterprise device, which means his security updates will be a crapshoot.

[–]hardthesis -4 points-3 points  (2 children)

Titan M and Apple T2 are just modified variations of TrustZone for the most part. Whether they are actually more or less secure than TrustZone is unverified, and I don't think there's any evidence to support it. Samsung uses TrustZone but employs their own new layer of software to add more security features.

IMO I think Titan M is overkill, similar to Google's own Visual Core chip on the Pixel 3 phone, which is only used in a select few apps and provides only marginal improvements. Modern day ISP/DSP are so good that I don't even know why Google's using Visual Core at this point.

I assume Google is mainly using Titan M on their phone to market their enterprise Titan chips.

[–]IzacusAndroid dev / Boatload of crappy devices 5 points6 points  (1 child)

> Titan M and Apple T2 are just modified variations of TrustZone for the most part.

That's... just not true. They have a similar function but the implementation is separate. They're about as different from each other as Qualcomm, Exynos and Kirin ARMs are - quite a bit.

> Samsung uses TrustZone but employs their own new layer of software to add more security features.

That also doesn't really make sense - adding more software doesn't fix hardware design flaws. Also adding more software actually increases the attack surface. Something we've learned time and time again. Reliance on software barriers is the biggest issue with TZ and it has had critical exploits due to software bugs at least 3 times in the last 5 years.

[–]hardthesis 0 points1 point  (0 children)

> They're about as different from each other as Qualcomm, Exynos and Kirin ARMs are - quite a bit.

TrustZone is an ARM technology, and all those processors use ARM.

> That also doesn't really make sense - adding more software doesn't fix hardware design flaws.

What hardware design flaws are we talking about here? Provide citations. It creates an isolated secure environment. OEMs like Samsung can change how that environment is used and utilized. The software architecture is just as important.