(Pdf) yury chemerkin balccon_2013

347 views

Published on

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
347
On SlideShare
0
From Embeds
0
Number of Embeds
6
Actions
Shares
0
Downloads
3
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

(Pdf) yury chemerkin balccon_2013

  1. 1. (IN-)EFFICIENCY OF SECURITY FEATURES ON MOBILE SECURITY AND COMPLIANCE YURY CHEMERKIN Balkan Computer Congress (BalCCON 2013)
  2. 2. [ YURY CHEMERKIN ] www.linkedin.com/in/yurychemerkin http://sto-strategy.com  EXPERIENCED IN :       REVERSE ENGINEERING & AV SOFTWARE PROGRAMMING & DOCUMENTATION MOBILE SECURITY AND MDM CYBER SECURITY & CLOUD SECURITY COMPLIANCE & TRANSPARENCY FORENSICS AND SECURITY WRITING  HAKIN9 / PENTEST / EFORENSICS MAGAZINE, GROTECK BUSINESS MEDIA  PARTICIPATION AT CONFERENCES     INFOSECURITYRUSSIA, NULLCON, ATHCON, CONFIDENCE, PHDAYS, DEFCONMOSCOW, HACTIVITY, HACKFEST CYBERCRIME FORUM, CYBER INTELLIGENCE EUROPE/INTELLIGENCE-SEC, DEEPINTEL ICITST, CTICON (CYBERTIMES), ITA, I-SOCIETY yury.s@chemerkin.com
  3. 3. [ OPINIONS ] BLACKBERRY IS SAFER THAN WINDOWS THAT IS SAFER THAN iOS THAT IS SAFER THAN ANDROID IN TURN  APPLE’S CENTRALIZED POINT OF DISTRIBUTION IS PROVIDING WITH CONFIDENCE THROUGH THE VALIDATION BY APPLE, EXCEPT   THE SUBMISSION OF SUSPICIOUS APP BY Ch. MILLER THAT HAD BEEN SUCCESSFULLY APPROVED BY APPLE  INSTALLING CYDIA &THE REST APPS AFTER THAT  MICROSOFT (WINDOWS PHONE) HAS A CENTRALIZED MARKET WITH DEEPER TESTING AND VALIDATION LIKE APPLE  GOOGLE PROVIDES A CENTRALIZED MARKET TOO, HOWEVER PROVIDES ABILITY TO INSTALL APPS FROM 3RD-PARTY SOURCES SUCH AS AMAZON.  ANY OTHER ARE ORIGINATE FROM MALWARE HOTSPOTS  ANY ALTERNATIVE MARKETS FOR SOCALLED “CRACKED” DISTRIBUTE FOR FREE REPACKAGES  BLACKBERRY IS THE SAFEST OS BECAUSE IT IS THE MOST MANAGEABLE AND SECURE MAINLY AS IT IS ON AN ENTERPRISE WAY
  4. 4. 2004 2005 2007 2007 2007 2008 2008 2008 2008 2008 2009 2009 2009 2009 2009 2009 2009 2009 2009 2010 2010 2010 2010 2010 2010 2010 2010 2011 2011 2011 2011 2011 2011 2011 2012 2012 2012 2012 2012 2012 2012 2012 2012 2012 2012 2012 2012 2013 2013 2013 2013 [ Vulnerabilities of OS and apps ] 10 9 8 7 6 5 4 3 2 1 0 Score - iOS Score - Android Score - BB
  5. 5. [ Vulnerabilities of OS and apps ] MIN & AVERAGE SCORE Android Average; 8,2 iOS Average; 6,3 BB-Average; 6,3 BB Min; 2,1 Android Min; 1,9 iOS Min; 1,2 Min & Average Score
  6. 6. [ SOURCE & BINARY ANALYSIS TOOLS ] HEYDUDE, WHYIS IT VULNERABLEAGAIN? HOW MANY THE TOOLS ARE (approx):  iOS – 10  ANDROID – 50  WINDOWS PHONE – 40  BLACKBERRY - 10  QUANTITY OF BUGS / SECURITY FLAWS  AVERAGE – 50  MIN – 20  MAX – INFINITY   WARINING :: ADS  VERACODE THE MOST USEFUL  SORRY,BIGBOSS,I’D JUST BEENCOMMITEDA WRONGBRANCH BUGS TYPE (OBVIOUS | LIKELY)  MISSED CONSTRUCTIONS LIKE DOUBLE/TRIPLE FREE ()  DEBUG PATHS, KEY, AND ETC.  PLAINTEXT & HARD-CODE PASSWORDS, TOKENS, MASTER-KEYS, ETC.   NON-SECURE FLAWS, CONSTRUCTIONS, ETC. CHECK IT OUT   THE SQL-INJECTION IS POSSIBLE THERE IS NO HTTPS HERE
  7. 7. [ MOBILE SECURITY CAPABILITIES ] THE SAME CAPABILITIES AMONG MOBILE OPERATION SYSTEMS  SECURE BOOTLOADER  SYSTEM SOFTWARE SECURITY (UPDATES)  APPLICATION CODE SIGNING  RUNTIME PROCESS SECURITY  SANDBOX  APIs  HARDWARE SECURITY FEATURES  FILE DATA PROTECTION  SSL, TLS, VPN  PASSCODE PROTECTION  SETTINGS   PERMISSIONS/ RESTRICTIONS CONFIGURATIONS  REMOTE MAGAGEMENT   MDM REMOTE WIPE
  8. 8. [ SECURITY ENVIRONMENT ] EACH OS EVALUATESEVERY REQUEST THAT AN APPLICATION MAKES TO ACCESSTO… MDM SERVICES HELPS MANAGE AND PROTECT BLACKBERRY, IOS, WINDOWS, AND ANDROID DEVICES. MDM SERVICES PROVIDE UNIFIED COMMUNICATION AND COLLABORATION SOFTWARE AND SERVICE (SaaS) EACH OS IS DESIGNED TO PROTECT DATA IN TRANSIT, IN MEMORY AND STORAGE … AT ALL POINTS … MDM SERVICES ENHANCED BY MANAGING THE BEHAVIOR OF THE DEVICE OS PROVIDES A CAPABILITY TO PROTECT ANY APPLICATION DATA USING SANDBOXING OS PROVIDES A CAPABILITY TO MANAGE PERMISSIONS TO ACCESS ITS CAPABILITIES OS EVALUATES ALL REQUEST MADE BY APP ... BUT LEADS AWAY FROM ANY DETAILS AND APIs
  9. 9. [ KNOWN ISSUES ] THREATSBOUNDSBECOME UNCLEAR…  ALL CONTROLLED OBJECTS ARE LIMITED BY     SANDBOX PERMISSIONS SECURITY FEATURES ON DEVICEs & MDMs ADDITIONAL FEATURES AREN’T ACCESSIBLE ON DEVICE  USER-MODE MALWARE   SPYWARE, ROOTKITS EXPLOTS & ATTACKS  REVERSING NETWORK LAYER  RECOVERING DATA VS. SANBOX&MEMORY  EXPLOITING TO GET SUPER PRIVILIGIES MDM& COMPLIANCE BRINGS COMMON RECOMMENDATIONS  MDM vs. COMPLIANCE    COMMON RECOMMENDATIONS SET IS LESSER THAN SET OF MDM FEATURES QUITE BETTER TO MANAGE MDM SOLUTIONS THAN DEVICE AT ALL  TOO FAR FROM DETAILS  YOUNG STANDARDS  FIRST REVISIONS, DRAFT REVISIONS  MOBILE SECURITY SOFWARE     READ-ONLY MODE / INFORMATION ONLY APPLICATION FIREWALL (CALLS, MESSAGES…) NETWORK FIREWALL REQUIRES ROOT NO REAL SECURITY IF YOU BREAK A SANDBOX
  10. 10. [ KNOWN ISSUES. Examples ]  BYPASS MDM SOLUTIONS  iOS, ANDROID  EXPLOITS, DUMP /MEM TO GET EMAILS  BLACKHAT EU’13 http://goo.gl/HN829p  BLACKBERRY PLAYBOOK  EXPLOITS, MITM, DUMP ‘.ALL’ FILES  SECTO’11R, INFILTRATE’12, SOURCE BOSTON’13 http://goo.gl/KaTtFG  GAIN ROOT ACCESS  ANDROID  APP SIGNATURE EXPLOITATION  APP MODIFICATION  BLACKHAT USA’13 http://goo.gl/p5FhWG  TIME-FRAME TO FIX  7+ MONTH or WAIT FOR A NEXT UPDATE  WAIT FOR A VENDOR’S INTEREST TO YOU  ANALYSIS OF APP’S DATA IN THE REST  BLACKBERRY, iOS  DATA LEAKAGE  REVEAL PASSWORDS, MASTERKEYS, ETC.  BLACKHAT EU’12 http://goo.gl/STpSll  ANDROID  DATA LEAKAGE  WEAKNESS OF CRYPTO ENGINGE  PHDAY III ‘13 http://goo.gl/x1PPGK
  11. 11. [ KNOWN ISSUES. Examples ]  PLAYBOOK ARTIFACTS (see the previous slide)  BROWSERS HISTORY  NETWORKING IDs, FLAGS, MACs  VIDEO CALLS DETAILS  ACCESS TO INTERNAL NETWORK  KERNEL  BLACKBERRY Z10  DUMP MICROKERNEL  EVEN DEVELOPERS’ CREDENTIALS (FACEBOOK, MOBILE, EMAILS) BLACKHAT DEFCON MOSCOW http://goo.gl/R74leX  GUI FAILS  BLACKBERRY OS  DATA LEAKAGE  REVEAL PASSWORDS, … ANYTHING  NO PERMISSIONS REQUESTED  BORROW PERMISSIONS OF ANOTHER APP  NullCon’13, CONFIDENCE’13  http://goo.gl/phMey2
  12. 12. [ APPLICATION EXAMINATION ] ONLY THOSE I HAVE TO USE EVERY DAY  Account  country code, phone number  Device Hardware Key  login / tokens of Twitter & Facebook  Calls history  Name + internal ID  Duration + date and time  Address book  Quantity of contacts / viber-contacts  Full name / Email / phone numbers  Messages FORENSICS EXAMINATION  Conversations  Quantity of messages & participants per conversations  Additional participant info (full name, phone)  Messages  Date & Time  content of message  ID
  13. 13. [ APPLICATION EXAMINATION ] ONLY THOSE I HAVE TO USE EVERY DAY  Account  country code, phone number  login / tokens Facebook wasn’t revealed  ‘Buy me for….$$$’   Avatars :: phone+@s.whatsapp.net.j (jfif)  Address book  No records of address book were revealed…  Check log-file and find these records (!)  Messages  Messages  Date & Time FORENSICS EXAMINATION  content of message  ID :: phone@s.whatsapp.net
  14. 14. [ APPLICATION EXAMINATION ] ONLY THOSE I HAVE TO USE EVERY DAY  Account  Phone number  Password, secret code weren’t revealed  Trace app, find the methods use it  Repack app and have a fun  No masking of data typed  Information  Amount  Full info in history section (incl. info about who receive money) FORENSICS EXAMINATION  Connected cards  Encryption?  No   Bank cards  Masked card number only  Qiwi Bank cards  Full & masked number  Cvv/cvc  All other card info 
  15. 15. [ APPLICATION EXAMINATION ] ONLY THOSE I HAVE TO USE EVERY DAY  Account  ID , email, password  Information  Loyalty (bonus) of your membership  all you ever type  Date of birth  Passport details  Book/order history  Routes,  Date and time,  Bonus earning  Full info per each order FORENSICS EXAMINATION  Connected cards  Encryption?  AES  256 bit  On password anywayanydayanywayanyday  Store in plaintext  Sizeof(anywayanydayanywayanyday) = 192 bit
  16. 16. [ APPLICATION EXAMINATION ] ONLY THOSE I HAVE TO USE EVERY DAY  Account  ID ,bonus card number, password not revealed  Other id & tokens  Information  Date of birth  Passport details  History (airlines, city, flight number only)  Flights tickets, logins credentials  Repack app and grab it  FORENSICS EXAMINATION
  17. 17. [ APPLICATION EXAMINATION ] ONLY THOSE I HAVE TO USE EVERY DAY  Account  ID , password  Loyalty (bonus) card number  Information  Not revealed (tickets, history or else)  Repack app  FORENSICS EXAMINATION
  18. 18. [ APPLICATION EXAMINATION ] ONLY THOSE I HAVE TO USE EVERY DAY FORENSICS EXAMINATION  Account  ID , email, password  Other id & tokens  Information  Loyalty (bonus) of your membership  all you ever type  Date of birth  Passport details  All PASSPORT INFO (not only travel data)  Your work data (address, job, etc.) you have never typed!  Flights tickets  Repack app and grab it
  19. 19. [ DEVICE MANAGEMENT ] APPLICATION LEVEL ATTACK’SVECTOR  GOALS - MOBILE RESOURCES / AIM OF ATTACK  DEVICE RESOURCES  OUTSIDE-OF-DEVICE RESOURCES  ATTACKS – SET OF ACTIOSN UNDER THE THREAT  APIs - RESOURCES WIDELY AVAILABLE TO CODERS  SECURITY FEATURES  KERNEL PROTECTION , NON-APP FEATURES  PERMISSIONS - EXPLICITLY CONFIGURED  3RD PARTY  AV, FIREWALL, VPN, MDM  COMPLIANCE - RULES TO DESIGN A MOBILE SECURITY IN ALIGNMENT WITH COMPLIANCE TO… Goals AV, MDM, DLP, VPN Non-app features MDM features Kernel protection Permissions APIs Attacks APIs
  20. 20. [ DEVICE MANAGEMENT ] Concurrencyover native & additional security features 𝚫 = 𝚨 ∪ 𝚩 ∪ 𝚪 ∪ 𝚼 , 𝚨 ⊂ 𝚩, 𝚼 ⊆ 𝚩, 𝚼 ⊂ 𝐀 𝛥 – set of OS permissions, 𝛢 – set of device permissions, 𝛣 – set of MDM permissions, 𝛤 – set of missed permissions (lack of controls), 𝜰 – set of rules are explicitly should be applied to gain a compliance 𝚮 = 𝚬+ 𝚭, 𝚬 ⊃ 𝚨∪ 𝚩 𝛨 – set of APIs , 𝛦 – set of APIs that interact with sensitive data, 𝛧 – set of APIs that do not interact with sensitive data To get a mobile security designed with full granularity the set 𝛤 should be empty set to get 𝚬 ⊇ 𝚨 ∪ 𝚩 instead of 𝚬 ⊃ 𝚨 ∪ 𝚩, so the matter how is it closer to empty. On another hand it should find out whether assumptions 𝚼 ⊆ 𝚩, 𝚼 ⊂ 𝐀 are true and if it is possible to get ⊆ 𝐀. The situationis very serious  Set of permissions < Set of activities  efficiency is  typical case < 100%,  ability to control each API = 100%  More than 1 permission per APIs >100%   lack of knowledge about possible attacks improper granularity AV, MDM, DLP, VPN Non-app features MDM features Kernel protection Permissions
  21. 21. [ BLACKBERRY. PERMISSIONS ] BB 10 Cascades SDK Background processing BlackBerry Messenger Calendar, Contacts Camera Device identifying information Email and PIN messages GPS location Internet Location Microphone Narrow swipe up Notebooks Notifications Player Phone Push Shared files Text messages Volume BB 10 AIR SDK + + + + + + + + + + + + + + + - PB (NDK/AIR) + via invoke calls + + via invoke calls + + + + + + + +
  22. 22. [ BLACKBERRY. Significant APIs ] Feature BlackBerry Messenger Calendar Camera Contacts Device identifying info Email & PIN messages Internet Microphone Notebooks Notifications Phone Push Shared files Text messages Account MediaPlayer NFC Radio & SIM Clipboard Q. APIs 77 443 47 316 15 347 161 21 123 32 27 25 78 10 66 66 24 68 6 Q. sign. APIs 70 126 41 150 14 211 145 15 86 24 22 22 70 6 21 63 11 51 4 % (sign .APIs) 90,91 28,44 87,23 47,47 93,33 60,81 90,06 71,43 69,92 75,00 81,48 88,00 89,74 60,00 31,82 95,45 45,83 75,00 66,67 Controlled ? + + + + + + + + + + + + + + -
  23. 23. [ BLACKBERRY. Common activities ] 34 35 30 25 21 18 20 17 14 15 10 6 5 0 7 5 4 1 3 8 6 3 2 1 1 1 Q. of m.+a. activity 4 3 2 2 2 4 2 1 1 4 1 Q. of m.+a. permission 4 1 4 3 1 2 2 5 1
  24. 24. [ BLACKBERRY. Derived activities ] 116 120 100 89 80 59 60 47 40 20 0 24 1 4 3 3 23 16 7 6 1 3 46 11 3 1 2 Q. of derived activities 2 2 9 3 1 2 Q. of derived perm 27 25 24 19 1 1 8 1 2 2 5 1
  25. 25. [ BLACKBERRY. Efficiency (%) ] 250,00 250,00 200,00 150,00 3,45 16,67 8,70 5,08 100,00 50,00 12,50 60,00 16,67 19,05 3,37 6,25 66,67 14,29 5,88 14,29 5,56 16,67 66,67 66,67 4,26 9,09 66,67 11,76 25,00 5,26 50,00 4,17 50,00 25,00 25,00 0,00 % m+a activity vs perm 8,00 88,89 2,17 % m+a derived activity vs perm 250,00 33,33 3,70 50,00 7,14
  26. 26. [ iOS. Info.plist(app capabilities) ] Key auto-focus-camera Description handle autofocus capabilities in the device’s still camera in case of a macro photography or image processing. bluetooth-le camera-flash front-facing-camera gamekit gps handle the presence of Bluetooth low-energy hardware on the device. handle a camera flash for taking pictures or shooting video. handle a forward-facing camera such as capturing video from the device’s camera. handle a Game Center. handle a GPS (or AGPS) hardware to track a locations in case of need the higher accuracy more than Cellular/Wi-Fi. location-services retrieve the device’s current location using the Core Location framework though Cellular/Wi-Fi microphone peer-peer sms handle the built-in microphone and its accessories handle peer-to-peer connectivity over a Bluetooth network. handle the presence of the Messages application such as opening URLs with the sms scheme. still-camera handle the presence of a camera on the device such as capturing images from the device’s still camera. telephony handle the presence of the Phone application such as opening URLs with the telephony scheme. video-camera handle the presence of a camera with video capabilities on device such as capturing video from the device’s camera. wifi access to the networking features of the device.
  27. 27. [ iOS. Settings ] Component Unit Safari Camera, FaceTime iTunes Store, iBookstore Siri Manage applications* Manage applications* Explicit Language (Siri) Privacy*, Accounts* Content Type Restrictions* Restrictions :: Native application Restrictions :: 3rd application Unit subcomponents Privacy :: Location Privacy :: Private Info Accounts Content Type Restrictions Game Center Manage applications Per each 3rd party app For system services Contacts, Calendar, Reminders, Photos Bluetooth Sharing Twitter, Facebook Disables changes to Mail, Contacts, Calendars, iCloud, and Twitter accounts Find My Friends Volume limit Ratings per country and region Music and podcasts Movies, Books, Apps, TV shows In-app purchases Require Passwords (in-app purchases) Multiplayer Games Adding Friends (Game Center) Installing Apps Removing Apps
  28. 28. [ iOS. Common activities ] 20 18 16 14 12 10 8 6 4 2 0 17 12 3 2 13 8 5 0 1 1 10 0 0 1 Q. of m.+a. activity 3 0 10 0 6 0 0 3 0 1 2 0 1 0 Q. of m.+a. permission 2 1 1 0 1 2 3 0 10 1 3 0 1 Q. of m.+a. perm plus parental perm 4
  29. 29. [ iOS. Derived activities ] 4 3 82 80 70 60 50 40 30 20 10 0 1 0 0 1 1 2 1 0 13 9 20 3 0 0 13 Q. of derived activities 0 9 0 18 12 0 0 10 Q. of derived perm 0 2 0 1 1 1 1 10 0 25 0 10 6 1 Q. of derived perm + plus parental perm 2 1
  30. 30. [ iOS. Efficiency (%) ] 100% 90% 80% 70% 60% 50% 40% 30% 20% 10% 0% 11,11 15,00 7,69 20,00 % m+a activity vs perm 0,00 0,00 0,00 0,00 5,56 0,00 0,00 0,00 % m+a derived activity vs perm 7,69 8,00 40,00 50,00 16,67 0,00 0,00 0,00 0,00 16,67 0,00 0,00 4,88 10,00 16,67 7,69 25,00 10,00 33,33 50,00 5,56 0,00 0,00 0,00 11,76 0,00 0,00 50,00 10,00 0,00 0,00 50,00 16,67 Q. of m.+a. perm plus parental perm 0,00 0,00 0,00 0,00 33,33 3,66 4,00 0,00 0,00 30,00 5,88 Q. of derived perm + plus parental perm
  31. 31. [ Windows. Permissions ] Permission Description General use capabilities musicLibrary provides access to the user's Music library, allowing the app to enumerate and access all files w/o user interaction. picturesLibrary videosLibrary removableStorage provides access to the user's Pictures library, allowing to enumerate and access all files w/o user interaction. provides access to the user's Videos library, allowing the app to enumerate and access all w/o user interaction. provides access to files on removable storage, such as USB keys and external hard drives, filtered to the file type microphone provides access to the microphone’s audio feed, which allows to record audio from connected microphones.. webcam provides access to the webcam’s video feed, which allows to capture snapshots, movies from a connected webcam. location provides access to location functionality like a GPS sensor or derived from available network info. enables multiple devices in close proximity to communicate with one another via possible connection, incl. Bluetooth, WiFi, and the internet. proximity internetClient, internetClientServer privateNetworkClientServer enterpriseAuthentication sharedUserCertificates documentsLibrary provides outbound (inbound is for server only) access to the Internet, public networks via the firewall. provides inbound and outbound access to home and work networks through the firewall for games or for applications that share data across local devices. Special use capabilities enable a user to log into remote resources using their credentials, and act as if a user provided their user name and password. enables an access to software and hardware certificates like smart card. provides access to the user's Documents library, filtered to the file type associations
  32. 32. [ Windows. Significant APIs ] Feature Q. APIs Notifications Music library Pictures library Videos library Removable storage Microphone Webcam Location Proximity Internet and public networks Home and work networks 68 1300 1157 1300 1045 274 409 37 54 488 488 Enterprise authentication Shared User Certificates Documents library 8 20 1045 Clipboard Phone SMS Contacts Device Info 132 18 122 97 221 Q. sign. APIs General use capabilities 4 138 133 138 109 33 91 5 19 134 134 Special use capabilities 4 5 126 Non-controlled capabilities 20 6 25 31 30 % (sign. APIs) Controlled? 5,88 10,62 11,50 10,62 10,43 12,04 22,25 13,51 35,19 27,46 27,46 + + + + + + + + + + + 50,00 25,00 12,06 + + + 15,15 33,33 20,49 31,96 13,57 -
  33. 33. [ Windows. Common Activities ] 14 14 12 10 8 8 3 4 2 0 6 5 6 6 1 1 1 1 3 1 1 1 1 1 3 8 4 5 3 1 Q. of m.+a. activity 1 2 4 3 1 Q. of m.+a. permission 2 2 3 2 1 2 0 0 0 0 0
  34. 34. [ Windows. Derived Activities ] 25 21 20 15 0 1 2 12 8 7 5 1 15 11 10 8 10 5 16 14 2 2 1 3 12 11 8 6 6 3 8 8 5 1 1 Q. of derived activities 2 1 Q. of derived perm 2 2 0 0 0 0 0
  35. 35. [ Windows. Efficiency (%) ] 120,00 120,00 100,00 100,00 100,00 100,00 100,00 100,00 100,00 80,00 60,00 40,00 20,00 125,00 100,00 27,27 42,86 25,00 25,00 20,00 33,33 20,00 33,33 33,33 14,29 31,25 16,67 14,29 9,52 50,00 33,33 16,67 16,6716,67 0,00 % m+a activity vs perm % m+a derived activity vs perm 0,00 0,00 0,00 0,00 0,00 0,00 0,00 0,00 0,00 0,00
  36. 36. [ A droid. Permissions ] List contains~150 permissions I have ever seen that on old BlackBerry devices ACCESS_CHECKIN_PROPERTIES,ACCESS_COARSE_LOCATION, OSTIC,DISABLE_KEYGUARD,DUMP,EXPAND_STATUS_BAR,FAC RD_AUDIO,REORDER_TASKS,RESTART_PACKAGES,SEND_SMS ACCESS_FINE_LOCATION,ACCESS_LOCATION_EXTRA_COMM TORY_TEST,FLASHLIGHT,FORCE_BACK,GET_ACCOUNTS,GET_ ,SET_ACTIVITY_WATCHER,SET_ALARM,SET_ALWAYS_FINISH, ANDS,ACCESS_MOCK_LOCATION,ACCESS_NETWORK_STATE, PACKAGE_SIZE,GET_TASKS,GLOBAL_SEARCH,HARDWARE_TE SET_ANIMATION_SCALE,SET_DEBUG_APP,SET_ORIENTATION ACCESS_SURFACE_FLINGER,ACCESS_WIFI_STATE,ACCOUNT_ ST,INJECT_EVENTS,INSTALL_LOCATION_PROVIDER,INSTALL_P ,SET_POINTER_SPEED,SET_PREFERRED_APPLICATIONS,SET_P MANAGER,ADD_VOICEMAIL,AUTHENTICATE_ACCOUNTS,BAT ACKAGES,INTERNAL_SYSTEM_WINDOW,INTERNET,KILL_BACK ROCESS_LIMIT,SET_TIME,SET_TIME_ZONE,SET_WALLPAPER,S TERY_STATS,BIND_ACCESSIBILITY_SERVICE,BIND_APPWIDGET GROUND_PROCESSES,MANAGE_ACCOUNTS,MANAGE_APP_T ET_WALLPAPER_HINTS,SIGNAL_PERSISTENT_PROCESSES,STA ,BIND_DEVICE_ADMIN,BIND_INPUT_METHOD,BIND_REMOTE OKENS,MASTER_CLEAR,MODIFY_AUDIO_SETTINGS,MODIFY_ TUS_BAR,SUBSCRIBED_FEEDS_READ,SUBSCRIBED_FEEDS_WR VIEWS,BIND_TEXT_SERVICE,BIND_VPN_SERVICE,BIND_WALL PHONE_STATE,MOUNT_FORMAT_FILESYSTEMS,MOUNT_UN ITE,SYSTEM_ALERT_WINDOW,UPDATE_DEVICE_STATS,USE_C PAPER,BLUETOOTH,BLUETOOTH_ADMIN,BRICK,BROADCAST_ MOUNT_FILESYSTEMS,NFC,PERSISTENT_ACTIVITY,PROCESS_ REDENTIALS,USE_SIP,VIBRATE,WAKE_LOCK,WRITE_APN_SET PACKAGE_REMOVED,BROADCAST_SMS,BROADCAST_STICKY, OUTGOING_CALLS,READ_CALENDAR,READ_CALL_LOG,READ_ TINGS,WRITE_CALENDAR,WRITE_CALL_LOG,WRITE_CONTAC BROADCAST_WAP_PUSH,CALL_PHONE,CALL_PRIVILEGED,CA CONTACTS,READ_EXTERNAL_STORAGE,READ_FRAME_BUFFE TS,WRITE_EXTERNAL_STORAGE,WRITE_GSERVICES,WRITE_HI MERA,CHANGE_COMPONENT_ENABLED_STATE,CHANGE_CO R,READ_HISTORY_BOOKMARKS,READ_INPUT_STATE,READ_L STORY_BOOKMARKS,WRITE_PROFILE,WRITE_SECURE_SETTIN NFIGURATION,CHANGE_NETWORK_STATE,CHANGE_WIFI_M OGS,READ_PHONE_STATE,READ_PROFILE,READ_SMS,READ_ GS,WRITE_SETTINGS,WRITE_SMS,WRITE_SOCIAL_STREAM,W ULTICAST_STATE,CHANGE_WIFI_STATE,CLEAR_APP_CACHE,C SOCIAL_STREAM,READ_SYNC_SETTINGS,READ_SYNC_STATS, RITE_SYNC_SETTINGS,WRITE_USER_DICTIONARY, LEAR_APP_USER_DATA,CONTROL_LOCATION_UPDATES,DELE READ_USER_DICTIONARY,REBOOT,RECEIVE_BOOT_COMPLET TE_CACHE_FILES,DELETE_PACKAGES,DEVICE_POWER,DIAGN ED,RECEIVE_MMS,RECEIVE_SMS,RECEIVE_WAP_PUSH,RECO
  37. 37. [ A droid. Permission Groups ] But there only 30 permissions groups  ACCOUNTS  AFFECTS_BATTERY  APP_INFO  AUDIO_SETTINGS  BLUETOOTH_NETWORK  BOOKMARKS  CALENDAR  CAMERA  COST_MONEY  DEVELOPMENT_TOOLS  DEVICE_ALARMS  DISPLAY  HARDWARE_CONTROLS I have ever seen that on old BlackBerry devices too  LOCATION  MESSAGES  MICROPHONE  NETWORK  PERSONAL_INFO  PHONE_CALLS  SCREENLOCK  SOCIAL_INFO  STATUS_BAR  STORAGE  SYNC_SETTINGS  SYSTEM_CLOCK  SYSTEM_TOOLS  USER_DICTIONARY  VOICEMAIL  WALLPAPER  WRITE_USER_DICTIONARY
  38. 38. [ A droid. Efficiency (%) ] 50,00 45,00 40,00 33,33 35,00 30,00 25,00 20,00 15,00 10,00 28,57 25,00 20,00 20,00 15,38 15,38 20,00 9,52 0,00 0,00 2,91 10,71 5,00 0,00 2,00 7,14 0,00 4,55 8,33 7,14 0,00 % m+a activity vs perm % m+a derived activity vs perm 10,00 4,00 3,13 5,88 3,13 0,00
  39. 39. [ Average quantitative indicators ] 100% 102,74 90% 80% 119,31 60,63 8,86 29,26 1,89 42,04 2,32 70% 60% 60,38 435,95 9,06 0,64 7,43 0,69 1,47 1,63 2,01 2,19 Q. of m.+a. permissions Q. of derived permissions 17,07 30,48 5,94 48,06 32,79 16,99 9,21 50% 40% 62,37 3,84 67,48 9,23 9,68 54 20,97 58,06 22,76 30% 20% 394,86 10% 32,48 38,4 27,6 38,4 27,6 0% Q. APIs Q. sign APIs Q. of m.+a. activities Q. of derived activities Android Windows iOS % m+a activities %m+a derived vs % m+a vs perm vs perm perm enhanced by MDM BlackBerry % derived vs perm enhanced by MDM
  40. 40. MDM . Extend your device security capabilities Android  CAMERA AND VIDEO  HIDE THE DEFAULT CAMERA APPLICATION  PASSWORD  DEFINE PASSWORD PROPERTIES  REQUIRE LETTERS (incl. case)  REQUIRE NUMBERS  REQUIRE SPECIAL CHARACTERS  DELETE DATA AND APPLICATIONS FROM THE DEVICE AFTER  INCORRECT PASSWORD ATTEMPTS  DEVICE PASSWORD  ENABLE AUTO-LOCK CONTROLLED FOUR GROUPS ONLY     LIMIT PASSWORD AGE LIMIT PASSWORD HISTORY RESTRICT PASSWORD LENGTH MINIMUM LENGTH FOR THE DEVICE PASSWORD THAT IS ALLOWED  ENCRYPTION  APPLY ENCRYPTION RULES  ENCRYPT INTERNAL DEVICE STORAGE  TOUCHDOWN SUPPORT  MICROSOFT EXCHANGE SYNCHRONIZATION  EMAIL PROFILES  ACTIVESYNC
  41. 41. MDM . Extend your device security capabilities iOS   BROWSER   CONTROLLED 16 GROUPSONLY DEFAULT APP, AUTOFILL, COOKIES, JAVASCRIPT, POPUPS MESSAGING (DEFAULT APP)   BACKUP / DOCUMENT PICTURE / SHARING ONLINE STORE  CAMERA, VIDEO, VIDEO CONF  CERTIFICATES (UNTRUSTED CERTs)  MESSAGING (DEFAULT APP)  CLOUD SERVICES  PASSWORD (THE SAME WITH ANDROID, NEW BLACKBERRY DEVICES)  PHONE AND MESSAGING (VOICE DIALING)  CONNECTIVITY      OUTPUT, SCREEN CAPTURE, DEFAULT APP BACKUP / DOCUMENT / PICTURE / SHARING ONLINE STORES , PURCHASES, PASSWORD DEFAULT STORE / BOOK / MUSIC APP  PROFILE & CERTs (INTERACTIVE INSTALLATION) NETWORK, WIRELESS, ROAMING DATA, VOICE WHEN ROAMING  SOCIAL (DEFAULT APP) CONTENT (incl. EXPLICIT) RATING FOR APPS/ MOVIES / TV SHOWS / REGIONS    CONTENT      DIAGNOSTICS AND USAGE (SUBMISSION LOGS) STORAGE AND BACKUP   SOCIAL APPS / GAMING / ADDING FRIENDS / MULTI-PLAYER DEFAULT SOCIAL-GAMING / SOCIAL-VIDEO APPS DEVICE BACKUP AND ENCRYPTION VOICE ASSISTANT (DEFAULT APP)
  42. 42. MDM . Extend your device security capabilities BlackBerry (new, 10, qnx)  CONTROLLED 7 GROUPSONLY     GENERAL   MOBILE HOTSPOT AND TETHERING PLANS APP, APPWORLD  PASSWORD (THE SAME WITH ANDROID, iOS)  BES MANAGEMENT (SMARTPHONES, TABLETS)  SOFTWARE      OPEN WORK EMAIL MESSAGES LINKS IN THE PERSONAL BROWSER TRANSFER THOUGH WORK PERIMETER TO SAME/ANOTHER DEVICE BBM VIDEO ACCESS TO WORK NETWORK VIDEO CHAT APP USES ORGANIZATION’S WI-FI/VPN NETWORK SECURITY       CERTIFICATES & CIPHERS & S/MIME HASH & ENCRYPTION ALGS AND KEY PARAMS TASK/MEMO/CALENDAR/CONTACT/DAYS SYNC WI-FI PROFILES    WIPE WORK SPACE WITHOUT NETWORK, RESTRICT DEV. MODE VOICE CONTROL & DICTATION IN WORK & USER APPS BACKUP AND RESTORE (WORK) & DESKTOP SOFTWARE PC ACCESS TO WORK & PERSONAL SPACE (USB, BT) PERSONAL SPACE DATA ENCRYPTION EMAIL PROFILES     NETWORK ACCESS CONTROL FOR WORK APPS PERSONAL APPS ACCESS TO WORK CONTACTS SHARE WORK DATA DURING BBM VIDEO SCREEN SHARING WORK DOMAINS, WORK NETWORK USAGE FOR PERSONAL APPS ACCESS POINT, DEFAULT GATEWAY, DHCP, IPV6, SSID, IP ADDRESS PROXY PASSWORD/PORT/SERVER/SUBNET MASK VPN PROFILES    PROXY, SCEP, AUTH PROFILE PARAMS TOKENS, IKE, IPSEC OTHER PARAMS PROXY PORTS, USERNAME, OTHER PARAMS
  43. 43. MDM . Extend your device security capabilities Blackberry (old)  THERE 55 GROUPS CONTROLLED IN ALL  EACH GROUP CONTAINS FROM 10 TO 30 UNITS ARE CONTROLLED TOO  EACH UNIT IS UNDER A LOT OF FLEXIBLE PARAMs INSTEAD OF A WAY ‘DISABLE/ENABLED & HIDE/UNHIDE’  EACH EVENT IS  CONTROLLED BY CERTAIN PERMISSION  ALLOWED TO CONTROL BY SIMILAR PERMISSIONS TO BE MORE FLEXIBLE  DESCRIBED 360 PAGES IN ALL THAT IN FOUR TIME MORE THAN OTHER DOCUMENTS Huge amount of permissions are MDM & device built-in  EACH UNIT CAN’T CONTROL ACTIVITY UNDER ITSELF  ‘CREATE, READ, WRITE/SAVE, SEND, DELETE’ ACTIONS IN REGARDS TO MESSAGES LEAD TO SPOOFING BY REQUESTING A ‘MESSAGE’ PERMISSION ONLY  SOME PERMISSIONS AREN’T REQUIRED (TO DELETE ANY OTHER APP)  SOME PERMISSIONS ARE RELATED TO APP, WHICH 3RD PARTY PLUGIN WAS EMBEDDED IN, INSTEAD OF THAT PLUGIN
  44. 44. ISSUES : USELESS SOLUTIONS USERFULL IDEASAT FIRST GLANCE BUT INSTEADMAKE NO SENSE  MERGING PERMISSIONS INTO GROUPS, e.g.  ‘SCREEN CAPTURE, CAMERA, VIDEO PERMISSIONS’ SEPARATED (BlackBerry old)  ‘SCREEN CAPTURE, CAMERA, VIDEO PERMISSIONS’ MERGED INTO ONE UNIT (BlackBerry new)  SCREEN CAPTURE  IS ALLOWED VIA HARDWARE BUTTONS ONLY  NO EMULATION OF HARDWARE BUTTONS AS IT WAS IN OLD BLACKBERRY DEVICES  LOCKS WHEN WORK PERIMITER HAS BECOME TO PREVENT SCREEN-CAPTURE LOGGERS  OFFICIALLY ANNOUNCED SANDBOX  MALWARE IS STILL A PERSONAL APPLICATION SUBTYPE IN TERMS OF (IN-)SECURITY  SANDBOX PROTECTS ONLY APP DATA, WHILE USER DATA STORED IN SHARED FOLDERS  INABILITY OF BACKUP MAKE DEVELOPERS TO STORE DATA IN SHARED FOLDERS
  45. 45. ISSUES : USELESS SOLUTIONS USERFULL IDEASAT FIRST GLANCE BUT INSTEADMAKE NO SENSE  SECURE & INSECURE APP IN THE SAME TIME  HAS ENCRYPTED COMMUNICATION SESSIONS, AND MAY STORE CHAT COVERSATION WITHOUT ENCRYPTION  STORE SENSITIVE DATA IN PLAINTEXT (PASSW, PASSPORT DETAILS, CARD INFO) AND BELIEVE IN POWER OF SANDBOX  UPGRADE FEATURE AFFECT EVERYTHING  MAY UPDATE/REMOVE ANY OTHER APP - SURPRISE   REPACKAGES STILL HAVE AN ACCESS TO THE SAME DATA AS AN ORIGINAL APP  DEBUG/NOT ORIGINAL SIGNATURE PROBLEM – THAT’S NOT A PROBLEM  CLIPBOARD (SECURE CLIPBOARD HAS NEVER EXISTED ANYWHERE AND MIGHT HAVE EVER)    REVEAL THE DATA IN REAL TIME BY ONE API CALL ACCESSIBLE BY APIs AS WELL AS FILE DATA (DEPENDS ON YOUR OS) NATIVE WALLETS PROTECTS BY RETURNING NULL (ONLY OLD-BLACKBERRY)  WHILE THE ON TOP || JUST MINIMIZE OR CLOSE IT TO GET FULL ACCESS  EVERY USER MUST MINIMIZE APP TO PASTE A PASSWORD
  46. 46. ISSUES : USELESS SOLUTIONS USERFULL IDEASAT FIRST GLANCE BUT INSTEADMAKE NO SENSE  GUI EXPLOITATION HAPPENS (OLD BLACKBERRY, ANDROID REPACKAGES)   REDRAWING THE SCREENS (OLD BB ONLY), GRABBING THE TEXT FROM ANY FIELDs (INCL. PASSWORD FIELD)  ADDING, REMOVING THE FIELD DATA  ORIGINAL DATA IS INACCESSIBLE BUT NOT AFFECTED KASPERSKY MOBILE SECURITY PROVIDES AN INSECURITY,   NO PROTECTION FROM REMOVING.CODs & UNDER SIMULATOR  EXAMING THE TRAFFIC, BEHAVIOUR  JUST SHOULD CHECK API “IS SIMULATOR” ONLY SMS MANAGEMENT VIA “QUITE” SECRET SMS (NOT ENCRYPTED, HASH ONLY)…  THE SAME SECRET AMONG OPERATING SYSTEMS (BB, ANDROID, WINDOWS,…)  PASSWORD IS 4–16 DIGITS,AND MODIFIED IN REAL-TIME (OLD BLACKBERRY, OR ANDROID REPACKAGES)  SMS IS A HALF A HASH VALUE OF GOST R 34.11-94  HASH IMPLEMENTATION USES TEST CRYPTO VALUES AND NO SALT  TABLES (VALUEHASH) ARE EASY BUILT  OUTCOMING SMS CAN BE SPOOFED WITHOUT ANY NOTIFICATION, BECAUSE KMS DELETE THE SENT MESSAGES  OUTCOMING SMS COULD BLOCK/WIPE THE SAME/ANOTHER DEVICE
  47. 47. COMPLIANCE AND MDM CSA Mobile Device Management: Key Components Device diversity Configuration management Software Distribution Device policy compliance & enforcement Enterprise Activation Logging Security Settings Security Wipe, Lock IAM Make you sure to start managing security under uncertain terms without AI  NIST-124 Refers to NIST-800-53 and other  Sometimes missed requirements such as locking device, however it is in NIST-800-53 A bit details than CSA No statements on permission management Make you sure to start managing security under uncertain terms without AI 
  48. 48. CONCLUSION PRIVILEGEDGENERAL PERMISSIONS  DENIAL OF SERVICE  REPLACING/REMOVING FILES  DOS’ing EVENTs, GUI INTERCEPT  INFORMATION DISCLOSURE  CLIPBOARD, SCREEN CAPTURE  GUI INTERCEPT  SHARED FOLDERS  DUMPING .COD/.BAR/APK… FILES OWN APPs, NATIVE & 3RD PARTY APPs FEATURES  MITM (INTERCEPTION / SPOOFING)  MESSAGES  GUI INTERCEPT, THIRD PARTY APPs  FAKE WINDOW/CLICKJACKING  GENERAL PERMISSIONS  INSTEAD OF SPECIFIC SUB-PERMISSIONS  A FEW NOTIFICATION/EVENT LOGs FOR USER  BUILT PER APPLICATION INSTEAD OF APP SCREENs
  49. 49. CONCLUSION THE VENDOR SECURITY VISION              HAS NOTHING WITH REALITY AGGRAVATEDBY SIMPLICITY SIMPLIFICATION AND REDUCING SECURITY CONTROLS MANY GENERAL PERMISSIONS AND COMBINED INTO EACH OTHER NO LOGs ACTIVITY FOR SUB-PERMISSIONS TO PROVE THE TRANSPARENCY ANY SECURITY VULNERABILITY ARE ONLY FIXED BY ENTIRELY NEW AND DIFFERENT OS / KERNEL A FEW PERMISSIONs ARE CLOSED TO THE USER ACTIONS THE SANDBOX PROTECT ONLY APPLICATION DATA USERS HAVE TO STORE THEIR DATA INTO SHARED FOLDERS OR EXTERNAL STORAGE APPLICATIONS CONTINUE STORE DATA IN PUBLIC FOLDERs BECAUSE GOVERNED BY CHANCE OF AVAILABILITY MITM / INTERCEPTION ACTIONS ARE OFTEN SILENTLY THE NATIVE SPOOFING AND INTERCEPTION FEATURES COMPLIANCE DOES NOT EXTEND MDM CAPABILITIES – JUST REPEATS IT THE MOST GRANULAR SECURITY (PERMISSIONS) RULED BY AMAZON WEB SERVICES PERMISSIONS SHOULD RELY ON THE DIFFERENT USEFUL CASES SET INSTEAD OF SPECIFIC PERMISSION LIST
  50. 50. Q&A

×