Secusmart, the BlackBerry subsidiary that secures the German Chancellor Angela Merkel’s smartphone, will roll out a version of its SecuSuite security software compatible with Samsung Electronics’ Knox platform later this year.

That means that organizations looking for smartphones offering government-grade security will be able to buy the Samsung Galaxy S7 or, soon, the S8 rather than the now-discontinued BlackBerry OS smartphones like the one Merkel uses.

In addition to encrypting communications and data stored on the device, the new SecuSuite also secures voice calls using the SNS standard set by Germany’s Federal Office for Information Security (BSI). Organizational app traffic is passed through an IPsec VPN, while data from personal apps can go straight to the internet. Encrypted voice calls go through a different gateway, not the VPN.

When it goes on sale, likely around July, an S7 running SecuSuite for Samsung Knox will cost around €1900, said BlackBerry Secusmart managing director Christoph Erdmann. That’s the same price as the existing BlackBerry 10 version, and includes the phone, a microSD smartcard to secure the encryption keys, and the first year of service.

Secusmart is demonstrating the new system on its stand at the Cebit trade show in Hanover, Germany this week.

This is not Secusmart’s first collaboration with Samsung: Two years ago at Cebit, in conjunction with IBM, the companies unveiled an ultrasecure (and ultra-expensive) version of the Galaxy Tab S 10.5 tablet, called the Secutablet. It cost $2,300.

Users of SecuSuite for Samsung Knox will see the icons of applications managed by their employer tagged with a small padlock. When these applications are launched, they will ask for a PIN to authorize use of the encryption keys in the microSD card. Without these, neither the app nor its associated data can be accessed.

Other applications, including popular messaging platforms such as Twitter, Facebook, and WhatsApp, can be installed in accordance with the employer’s security policies: Some organizations, like the German government, will allow only limited whitelists, while others may allow full access to the Google Play Store.

The controls are imposed by the organization’s MDM (mobile device management) and MAM (mobile applications management) servers, typically BES 12 and EASE respectively.

Even if a user inadvertently downloads and installs one of the malicious apps that occasionally sneaks into the Google Play Store, data in the work-related apps is still securely protected, said Erdmann.

“Every good OS has to have a way to stop processes reading other processes’ memory,” he said, adding that the Android OS is one of the ones that does.

“On a non-manipulated OS, one app trying to read from the memory of another app would simply crash the OS. It’s a segmentation violation,” he said.

Ensuring that the OS in the phone has not been manipulated is the key. In the case of SecuSuite for Samsung Knox, certification authorities can examine the source code to ensure that Android’s memory protections have not been bypassed, and rely on Samsung’s secure boot system to be sure the signed OS image that is loaded is the same one they examined.

“This is why secure boot is important, to ensure that the system has not been manipulated,” Erdmann said.

So far, only a couple of Android manufacturers offer devices with secure boot systems: Samsung, and TCL, the company that now manufactures BlackBerry-brand Android phones under license.

That opens up the possibility, at least, that the German Chancellor’s BlackBerry replacement could also be a BlackBerry.

“There’s great potential” for running SecuSuite on non-Knox Android phones, Erdmann said, but it won’t happen right away.

“Getting these solutions to the security level that the BSI and top-secret government agencies require is very time-consuming,” he said. “When we started on the Samsung solution, there was no BlackBerry Android, but with the BlackBerry Androids getting up to speed it’s a natural evolution.”