
feat: Add Samsung Knox integration and biometric fallback to device passcode

Open · athexweb3 opened this issue 1 month ago • 1 comment

Add Samsung Knox storage support

What this PR does

Adds Samsung Knox hardware-backed encryption as a new storage option. On Samsung devices, this gives you FIPS 140-2 compliant encryption with dedicated security hardware. On non-Samsung devices, it gracefully falls back to regular Android Keystore.

Also fixed an annoying bug where biometric auth would fail if you didn't have fingerprint/face hardware - now it properly falls back to device PIN/password.

Why Knox?

Samsung Knox provides better isolation than standard Android TEE. On newer Samsung devices (S21+), Knox Vault runs on a completely separate processor from the main Android OS. It's also got government certifications (FIPS 140-2, Common Criteria EAL4+) which matters for banking/healthcare/enterprise apps.

The implementation uses:

  • Knox Vault on API 31+ (Galaxy S21 and newer flagships)
  • TIMA KeyStore on API 23-30 (older Samsung devices)
  • Android Keystore as fallback (everything else)

New API

// New storage type
Keychain.STORAGE_TYPE.KNOX

// Check if Knox is available on current device
const hasKnox = await Keychain.isKnoxAvailable();

// Use it like any other storage type
await Keychain.setGenericPassword('user', 'pass', {
  storage: Keychain.STORAGE_TYPE.KNOX,
  accessControl: Keychain.ACCESS_CONTROL.BIOMETRY_ANY_OR_DEVICE_PASSCODE,
});

What changed

New files:

  • CipherStorageKnox.kt - Knox encryption implementation
  • KnoxUtils.kt - Knox helper functions
  • knox-integration.md - Documentation with security details
  • knoxTest.spec.js - E2E tests for Knox storage

Modified:

  • ResultHandlerInteractiveBiometric.kt - Added KeyguardManager fallback when BiometricPrompt isn't available
  • KeychainModule.kt - Integrated Knox and fixed passcode fallback logic
  • Various docs to mention Knox support

Package refactoring: Moved Knox code to com.athex.knoxkeychain for better organization.

Biometric fallback fix

While working on this, I noticed biometric auth was throwing errors on devices/emulators without biometric hardware. Fixed it by adding a KeyguardManager fallback that shows the device PIN/password prompt instead. This works globally for all storage types, not just Knox.

Testing

Created E2E tests but they need a real Samsung device to fully test Knox Vault features. The fallback to Android Keystore works fine on emulators and non-Samsung devices though.

When to use Knox

Good for:

  • Banking/fintech apps
  • Healthcare apps (HIPAA compliance)
  • Government/enterprise apps needing FIPS 140-2
  • Apps exclusive to Samsung ecosystem

Not needed for:

  • Regular credential storage (AES_GCM is fine)
  • Apps requiring identical behavior across all Android devices

Docs

Added comprehensive docs based on official Samsung Knox documentation:

  • Security architecture explanation
  • Comparison tables showing Knox vs standard TEE
  • Code examples and best practices
  • Migration guide from other storage types

Breaking changes

None - this is purely additive. Existing code continues to work exactly as before.

athexweb3 · Nov 21 '25 18:11
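The PR description shows the new API as bare calls. As an added example that is not part of the PR and not react-native-keychain's own code, the block below shows how an app would wrap that API: probe `isKnoxAvailable()`, request the Knox storage type only when the device reports it, otherwise keep the library's AES_GCM storage, and carry the `BIOMETRY_ANY_OR_DEVICE_PASSCODE` access control in both cases. The `makeFakeKeychain` stand-in, its placeholder constant strings and the behaviour of treating a missing or throwing `isKnoxAvailable()` as "no Knox" are assumptions of this example so that it runs offline; the fallback it models (a Knox request on a non-Samsung device landing in the regular Android Keystore) is the behaviour the PR text describes.

```javascript
// Added example, not code from the PR or from react-native-keychain itself.
// Picks the Knox storage type when the device offers it and falls back to
// AES_GCM otherwise, keeping the biometric-or-device-passcode access control.
//
// `makeFakeKeychain` is a constructed stand-in for the native module so the
// logic runs without a device; a real app would instead use
//   import * as Keychain from 'react-native-keychain';
// The string constants inside it are placeholders, not the library's values.

function makeFakeKeychain({ knoxAvailable, hasKnoxApi = true }) {
  const store = new Map();
  const keychain = {
    STORAGE_TYPE: { KNOX: 'placeholder-KNOX', AES_GCM: 'placeholder-AES_GCM' },
    ACCESS_CONTROL: { BIOMETRY_ANY_OR_DEVICE_PASSCODE: 'placeholder-BiometryAnyOrDevicePasscode' },
    async setGenericPassword(username, password, options = {}) {
      const service = options.service ?? 'default';
      const requested = options.storage ?? keychain.STORAGE_TYPE.AES_GCM;
      // The PR says a Knox request on a non-Samsung device falls back to the
      // regular Android Keystore; the stand-in models that as AES_GCM.
      const storage = requested === keychain.STORAGE_TYPE.KNOX && !knoxAvailable
        ? keychain.STORAGE_TYPE.AES_GCM
        : requested;
      store.set(service, { username, password, storage });
      return { service, storage };
    },
    async getGenericPassword(options = {}) {
      return store.get(options.service ?? 'default') ?? false;
    },
  };
  // Older library versions have no isKnoxAvailable(); hasKnoxApi models that.
  if (hasKnoxApi) {
    keychain.isKnoxAvailable = async () => knoxAvailable;
  }
  return keychain;
}

// Pure decision: given the Knox probe result, build the options object that
// is passed to setGenericPassword.
function storageOptions(keychain, knoxAvailable) {
  return {
    storage: knoxAvailable ? keychain.STORAGE_TYPE.KNOX : keychain.STORAGE_TYPE.AES_GCM,
    accessControl: keychain.ACCESS_CONTROL.BIOMETRY_ANY_OR_DEVICE_PASSCODE,
  };
}

// Probe the device. A missing isKnoxAvailable() (library too old) or a probe
// that throws is treated as "no Knox" (assumption of this example), so the
// credential still lands in the standard Keystore path instead of failing.
async function detectKnox(keychain) {
  if (typeof keychain.isKnoxAvailable !== 'function') return false;
  try {
    return (await keychain.isKnoxAvailable()) === true;
  } catch (_err) {
    return false;
  }
}

async function saveCredential(keychain, username, password, service = 'default') {
  const knox = await detectKnox(keychain);
  const result = await keychain.setGenericPassword(username, password, {
    ...storageOptions(keychain, knox),
    service,
  });
  // Report which backend actually held the secret so the app can log or
  // audit it; a deployment that needs the FIPS-validated path should not
  // discover a silent fallback only at incident time.
  return { knoxRequested: knox, storageUsed: result.storage };
}

async function loadCredential(keychain, service = 'default') {
  const creds = await keychain.getGenericPassword({ service });
  return creds ? { username: creds.username, password: creds.password } : null;
}
```

The access control is the same on both paths on purpose: the PR's biometric fix means `BIOMETRY_ANY_OR_DEVICE_PASSCODE` degrades to the device PIN/password prompt on hardware without fingerprint or face sensors, so the wrapper does not need a separate branch for that case.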