@athexweb3
Add Samsung Knox storage support

What this PR does

Adds Samsung Knox hardware-backed encryption as a new storage option. On Samsung devices, this gives you FIPS 140-2 compliant encryption with dedicated security hardware. On non-Samsung devices, it gracefully falls back to regular Android Keystore.

Also fixed an annoying bug where biometric auth would fail if you didn't have fingerprint/face hardware - now it properly falls back to device PIN/password.

Why Knox?

Samsung Knox provides better isolation than standard Android TEE. On newer Samsung devices (S21+), Knox Vault runs on a completely separate processor from the main Android OS. It's also got government certifications (FIPS 140-2, Common Criteria EAL4+) which matters for banking/healthcare/enterprise apps.

The implementation uses:

  • Knox Vault on API 31+ (Galaxy S21 and newer flagships)
  • TIMA KeyStore on API 23-30 (older Samsung devices)
  • Android Keystore as fallback (everything else)

New API

```js
// New storage type
Keychain.STORAGE_TYPE.KNOX

// Check if Knox is available on current device
const hasKnox = await Keychain.isKnoxAvailable();

// Use it like any other storage type
await Keychain.setGenericPassword('user', 'pass', {
  storage: Keychain.STORAGE_TYPE.KNOX,
  accessControl: Keychain.ACCESS_CONTROL.BIOMETRY_ANY_OR_DEVICE_PASSCODE,
});
```

What changed

New files:

  • CipherStorageKnox.kt - Knox encryption implementation
  • KnoxUtils.kt - Knox helper functions
  • knox-integration.md - Documentation with security details
  • knoxTest.spec.js - E2E tests for Knox storage

Modified:

  • ResultHandlerInteractiveBiometric.kt - Added KeyguardManager fallback when BiometricPrompt isn't available
  • KeychainModule.kt - Integrated Knox and fixed passcode fallback logic
  • Various docs to mention Knox support

Package refactoring:
Moved Knox code to com.athex.knoxkeychain for better organization.

Biometric fallback fix

While working on this, I noticed biometric auth was throwing errors on devices/emulators without biometric hardware. Fixed it by adding a KeyguardManager fallback that shows the device PIN/password prompt instead. This works globally for all storage types, not just Knox.

Testing

Created E2E tests but they need a real Samsung device to fully test Knox Vault features. The fallback to Android Keystore works fine on emulators and non-Samsung devices though.

When to use Knox

Good for:

  • Banking/fintech apps
  • Healthcare apps (HIPAA compliance)
  • Government/enterprise apps needing FIPS 140-2
  • Apps exclusive to Samsung ecosystem

Not needed for:

  • Regular credential storage (AES_GCM is fine)
  • Apps requiring identical behavior across all Android devices

Docs

Added comprehensive docs based on official Samsung Knox documentation:

  • Security architecture explanation
  • Comparison tables showing Knox vs standard TEE
  • Code examples and best practices
  • Migration guide from other storage types

Breaking changes

None - this is purely additive. Existing code continues to work exactly as before.
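As an added example (not code from this PR or from the Keychain module it extends), the following shows how an app would consume the API described above while handling the two fallbacks the PR mentions: Knox absent (store under AES_GCM instead) and no biometric hardware (device PIN/password prompt). The `knoxTier` function encodes the API-level tiering stated in the PR; the `STORAGE_TYPE.AES_GCM` constant, the `storage` field on the result of `getGenericPassword`, and the in-memory `makeFakeKeychain` stand-in with its placeholder constant strings are assumptions made so the code runs outside React Native.

```javascript
// Added example, not code from the PR. The native module is passed in as a
// parameter so the logic can run outside React Native; the fake below stands
// in for it (constructed, with placeholder constant values).

const KNOX_VAULT_MIN_API = 31; // Galaxy S21 and newer flagships (per the PR)
const TIMA_MIN_API = 23;       // older Samsung devices (per the PR)

// Which Knox backend the PR's tiering selects for a device.
// null means the plain Android Keystore fallback applies.
function knoxTier(manufacturer, apiLevel) {
  if (String(manufacturer).toLowerCase() !== 'samsung') return null;
  if (apiLevel >= KNOX_VAULT_MIN_API) return 'KNOX_VAULT';
  if (apiLevel >= TIMA_MIN_API) return 'TIMA_KEYSTORE';
  return null;
}

// Store a credential under Knox when the device offers it, else AES_GCM, and
// report which backend actually holds it so callers never assume Knox-only
// guarantees on a device that silently fell back.
async function storeWithBestAvailable(Keychain, username, password) {
  const hasKnox = await Keychain.isKnoxAvailable();
  const storage = hasKnox ? Keychain.STORAGE_TYPE.KNOX : Keychain.STORAGE_TYPE.AES_GCM;
  const result = await Keychain.setGenericPassword(username, password, {
    storage,
    // Biometric prompt when hardware exists; the PR's KeyguardManager fallback
    // shows the device PIN/password prompt otherwise.
    accessControl: Keychain.ACCESS_CONTROL.BIOMETRY_ANY_OR_DEVICE_PASSCODE,
  });
  return { stored: result !== false, storage, knoxBacked: hasKnox };
}

// Read the credential back and check it came from the backend we expected.
// Assumes the returned credentials carry a `storage` field.
async function loadAndVerify(Keychain, expectedStorage) {
  const creds = await Keychain.getGenericPassword();
  if (!creds) return null;
  return { username: creds.username, storageMatches: creds.storage === expectedStorage };
}

// Constructed stand-in for the native module. It models the two fallbacks the
// PR describes: Knox availability from the tiering above, and which prompt the
// biometric path would show given the device's hardware.
function makeFakeKeychain({ manufacturer, apiLevel, hasBiometricHardware }) {
  let entry = null;
  return {
    STORAGE_TYPE: { KNOX: 'KNOX', AES_GCM: 'AES_GCM' },
    ACCESS_CONTROL: { BIOMETRY_ANY_OR_DEVICE_PASSCODE: 'BIOMETRY_ANY_OR_DEVICE_PASSCODE' },
    async isKnoxAvailable() {
      return knoxTier(manufacturer, apiLevel) !== null;
    },
    async setGenericPassword(username, password, options) {
      const prompt = hasBiometricHardware ? 'BiometricPrompt' : 'KeyguardManager';
      entry = { username, password, storage: options.storage, prompt };
      return { service: 'default', storage: options.storage };
    },
    async getGenericPassword() {
      if (!entry) return false;
      return { username: entry.username, password: entry.password, storage: entry.storage };
    },
    // Test hook: which prompt the last store would have shown.
    lastPrompt() {
      return entry ? entry.prompt : null;
    },
  };
}
```

The point of returning `knoxBacked` and checking `storageMatches` is the "identical behavior across all devices" caveat from the PR: a call that succeeds on a Samsung flagship and on an emulator has ended up in backends with different isolation properties, and an app that needs the Knox guarantees should record which one it actually got rather than infer it from the call succeeding.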
