Samsung knox uses a special area of the processor, the ARM TrustZone, to place secret keys and data in a place that apps on the device can’t access. Only a small number of programs written by Samsung can access this trust zone in very limited ways.

When an attacker wants to get into your device they may try rooting your phone. Most root methods involve unlocking the bootloader and changing the OS ROM or some part of the boot process. When this is modified the device will be able to tell when booting up because the “fingerprints” of these changed components will be different than what Samsung put on there.

There are also features like roll back prevention, which prevents a device from going to an older version of Samsung code which may have unpatched vulnerabilities.

While the device is running, Samsung devices have Periodic Kernel Measurement and Realtime Kennel Protection to help prevent the device from being tampered with while it is running. These programs are ran inside the trust zone so nothing on the Android OS can interfere with their operations and checks.

In addition, the trust zone also stores things like the encryption key for decrypting the device, so if an attacker stole your phone and copied the entire contents of the internal storage, they wouldn’t have the actual key to decrypt it, thus making the copied data useless.