This page carries the slides of Yury Chemerkin's AthCon 2013 talk on how integration features affect the application sandbox on BlackBerry devices. BlackBerry states that it evaluates every request an application makes to access a device capability, yet the malware boundary becomes unclear because BlackBerry handles several technologies at once: native BlackBerry 10, PlayBook and legacy BlackBerry OS applications, plus third-party Adobe AIR, Android and iOS applications and devices, each constrained by a different combination of sandbox, permissions and device/MDM security features. Compliance standards add recommendation sets that are smaller than the feature sets MDMs already offer. The deck enumerates the capability groups BlackBerry controls on Android, iOS, BlackBerry 10 (QNX) and legacy BlackBerry devices, walks through controls that look useful but make little sense in practice (merged permission units, screen-capture handling, plaintext IM logs, an unprotected clipboard, a general update/remove API), describes GUI exploitation of native applications on legacy BlackBerry devices, and concludes that security is oversimplified by general permissions where concrete, action-level permissions are needed.
(Pdf) yury chemerkin _ath_con_2013
1. THE SANDBOX DIFFERENCES, OR HOW INTEGRATION FEATURES AFFECT THE SANDBOX
INDEPENDENT SECURITY RESEARCHER / PhD.
YURY CHEMERKIN
AthCon 2013
2. [ Yury Chemerkin ]
www.linkedin.com/in/yurychemerkin
http://sto-strategy.com
Experienced in:
Reverse Engineering & AV
Software Programming & Documentation
Mobile Security and MDM
Cyber Security & Cloud Security
Compliance & Transparency
and Security Writing
Hakin9 Magazine, PenTest Magazine, eForensics Magazine,
Groteck Business Media
Participation at conferences
InfoSecurityRussia, NullCon, CONFidence, PHDays
CYBERCRIME FORUM, Cyber Intelligence Europe/Intelligence-Sec
ICITST, CyberTimes, ITA, I-Society
yury.chemerkin@gmail.com
3. BLACKBERRY SECURITY ENVIRONMENT
BLACKBERRY EVALUATES EVERY REQUEST THAT AN APPLICATION MAKES TO ACCESS A CAPABILITY
BLACKBERRY ENTERPRISE SERVICE HELPS MANAGE AND PROTECT BLACKBERRY, iOS AND ANDROID DEVICES
UNIFIED COMMUNICATION AND COLLABORATION SOFTWARE
DESIGNED TO HELP PROTECT DATA IN TRANSIT AT ALL POINTS, AS WELL AS IN MEMORY AND STORAGE
ENHANCED BY CONTROL OVER THE BEHAVIOR OF THE DEVICE
PROTECTION OF APPLICATION DATA USING SANDBOXING
MANAGEMENT OF PERMISSIONS TO ACCESS CAPABILITIES
BB EVALUATES EVERY REQUEST THAT AN APP MAKES, BUT THE DOCUMENTATION STEERS AWAY FROM ANY DETAIL OF WHICH APIs ARE COVERED
4. KNOWN ISSUES
MALWARE BOUNDS BECOME UNCLEAR…
BLACKBERRY HANDLES SEVERAL TECHNOLOGIES
NATIVE
BLACKBERRY 10, BLACKBERRY PLAYBOOK
OLD BLACKBERRY DEVICES
THIRD PARTY
ADOBE AIR FOR NEW BB DEVICES
ANDROID APPLICATIONS & DEVICES
iOS DEVICES
EVERY ONE OF THEM IS CONTROLLED AND LIMITED BY
SANDBOX
PERMISSIONS
SECURITY FEATURES ON DEVICES & MDMs
COMPLIANCE BRINGS USELESS RECOMMENDATIONS
USER-MODE MALWARE
SPYWARE
ROOTKITS
EXPLOITS & ATTACKS
REVERSING THE NETWORK LAYER
PARTIALLY RECOVERING DATA VS. THE SANDBOX
MDM vs. COMPLIANCE
A FEW RECOMMENDATIONS
THEIR SET IS SMALLER THAN THE SET OF MDM FEATURES
YOUNG STANDARDS
FIRST REVISIONS
DRAFT REVISIONS
5. BLACKBERRY CAPABILITIES - ANDROID
ONLY FOUR GROUPS ARE CONTROLLED by BlackBerry
ONLY 74 OUT OF 200 APIs ARE CONTROLLED by Android
CAMERA AND VIDEO
HIDE THE DEFAULT CAMERA APPLICATION
PASSWORD
DEFINE PASSWORD PROPERTIES
REQUIRE LETTERS (incl. case)
REQUIRE NUMBERS
REQUIRE SPECIAL CHARACTERS
DELETE DATA AND APPLICATIONS FROM THE DEVICE AFTER N INCORRECT PASSWORD ATTEMPTS
DEVICE PASSWORD
ENABLE AUTO-LOCK
LIMIT PASSWORD AGE
LIMIT PASSWORD HISTORY
RESTRICT PASSWORD LENGTH
MINIMUM LENGTH ALLOWED FOR THE DEVICE PASSWORD
ENCRYPTION
APPLY ENCRYPTION RULES
ENCRYPT INTERNAL DEVICE STORAGE
TOUCHDOWN SUPPORT
MICROSOFT EXCHANGE SYNCHRONIZATION
EMAIL PROFILES
ACTIVESYNC
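Every control in the password, auto-lock, wipe, encryption and camera groups above ends up as a call into Android's device-admin API, which is also why the slide can count "74 out of 200 APIs": an MDM agent on Android, BES included, can only enforce what android.app.admin.DevicePolicyManager exposes. The receiver below is an added example written for this page, not BlackBerry's or the deck's code; the package name and the policy values (8 characters, 10 failed attempts, 5-minute lock, 90-day age, history of 5) are this example's own assumptions, while the DevicePolicyManager calls are the real platform API.

```java
// Added example (not from the slides): an Android device-admin receiver that
// applies the password, auto-lock, wipe, encryption and camera controls listed
// on the slide through android.app.admin.DevicePolicyManager.
package com.example.mdmagent; // hypothetical package name

import android.app.admin.DeviceAdminReceiver;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;

public class PolicyAdminReceiver extends DeviceAdminReceiver {

    // Illustrative policy values chosen for this example, not taken from any BES profile.
    private static final int  MIN_LENGTH          = 8;
    private static final int  MAX_FAILED_FOR_WIPE = 10;
    private static final long AUTO_LOCK_MS        = 5L * 60 * 1000;           // 5 minutes
    private static final long PASSWORD_AGE_MS     = 90L * 24 * 3600 * 1000;   // 90 days
    private static final int  HISTORY_LENGTH      = 5;

    @Override
    public void onEnabled(Context context, Intent intent) {
        // The user has just activated this admin: push the policy immediately.
        applyPolicy(context);
    }

    /** Push the slide's control groups down to the platform. */
    public static void applyPolicy(Context context) {
        DevicePolicyManager dpm =
                (DevicePolicyManager) context.getSystemService(Context.DEVICE_POLICY_SERVICE);
        ComponentName admin = new ComponentName(context, PolicyAdminReceiver.class);

        // PASSWORD: letters (both cases), numbers, special characters, minimum length.
        // PASSWORD_QUALITY_COMPLEX is what makes the per-class minimums take effect.
        dpm.setPasswordQuality(admin, DevicePolicyManager.PASSWORD_QUALITY_COMPLEX);
        dpm.setPasswordMinimumLength(admin, MIN_LENGTH);
        dpm.setPasswordMinimumLowerCase(admin, 1);
        dpm.setPasswordMinimumUpperCase(admin, 1);
        dpm.setPasswordMinimumNumeric(admin, 1);
        dpm.setPasswordMinimumSymbols(admin, 1);

        // LIMIT PASSWORD AGE / LIMIT PASSWORD HISTORY.
        dpm.setPasswordExpirationTimeout(admin, PASSWORD_AGE_MS);
        dpm.setPasswordHistoryLength(admin, HISTORY_LENGTH);

        // DELETE DATA AND APPLICATIONS AFTER N INCORRECT ATTEMPTS; ENABLE AUTO-LOCK.
        dpm.setMaximumFailedPasswordsForWipe(admin, MAX_FAILED_FOR_WIPE);
        dpm.setMaximumTimeToLock(admin, AUTO_LOCK_MS);

        // ENCRYPTION: request internal storage encryption. The user still has to
        // complete it, so compliance is checked with getStorageEncryptionStatus().
        dpm.setStorageEncryption(admin, true);

        // CAMERA AND VIDEO: the platform can only disable the camera for every app;
        // it cannot "hide the default camera application" as the BES policy phrases it.
        dpm.setCameraDisabled(admin, true);
    }

    /** The check an agent runs before granting work access: does the device comply? */
    public static boolean isCompliant(Context context) {
        DevicePolicyManager dpm =
                (DevicePolicyManager) context.getSystemService(Context.DEVICE_POLICY_SERVICE);
        ComponentName admin = new ComponentName(context, PolicyAdminReceiver.class);
        boolean adminActive = dpm.isAdminActive(admin);
        boolean passwordOk  = dpm.isActivePasswordSufficient();
        boolean encrypted   = dpm.getStorageEncryptionStatus()
                == DevicePolicyManager.ENCRYPTION_STATUS_ACTIVE;
        return adminActive && passwordOk && encrypted;
    }
}
```

The receiver only works once it is declared in the manifest with the BIND_DEVICE_ADMIN permission and a device_admin resource whose uses-policies list names limit-password, watch-login, force-lock, wipe-data, expire-password, encrypted-storage and disable-camera; any policy not declared there is silently refused. Note the gap between the BES wording and what the platform offers: "hide the camera app" becomes "disable the camera for everyone", and nothing in this API addresses TouchDown or ActiveSync profiles at all, which is the slide's point about how few capabilities are actually controllable.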
6. BLACKBERRY CAPABILITIES - iOS
ONLY 16 GROUPS ARE CONTROLLED by BlackBerry
that's QUITE SIMILAR to APPLE MDM SOLUTIONS
BROWSER
DEFAULT APP, AUTOFILL, COOKIES, JAVASCRIPT, POPUPS
MESSAGING (DEFAULT APP)
PHONE AND MESSAGING (VOICE DIALING)
VOICE ASSISTANT (DEFAULT APP)
BACKUP / DOCUMENT / PICTURE / SHARING
STORAGE AND BACKUP
DEVICE BACKUP AND ENCRYPTION
CLOUD SERVICES
ONLINE STORES, PURCHASES, PASSWORD
DEFAULT STORE / BOOK / MUSIC APP
CAMERA, VIDEO, VIDEO CONF
CERTIFICATES (UNTRUSTED CERTs)
PROFILE & CERTs (INTERACTIVE INSTALLATION)
PASSWORD (THE SAME AS ON ANDROID AND NEW BLACKBERRY DEVICES)
CONNECTIVITY
OUTPUT, SCREEN CAPTURE, DEFAULT APP
NETWORK, WIRELESS, ROAMING
DATA, VOICE WHEN ROAMING
SOCIAL (DEFAULT APP)
SOCIAL APPS / GAMING / ADDING FRIENDS / MULTI-PLAYER
DEFAULT SOCIAL-GAMING / SOCIAL-VIDEO APPS
CONTENT (incl. EXPLICIT)
RATING FOR APPS / MOVIES / TV SHOWS / REGIONS
DIAGNOSTICS AND USAGE (SUBMISSION LOGS)
7. BLACKBERRY CAPABILITIES – BLACKBERRY (QNX)
ONLY 7 GROUPS ARE CONTROLLED by BlackBerry
that's NOT ENOUGH TO MANAGE ALL APIs
GENERAL
MOBILE HOTSPOT AND TETHERING
PLANS APP, APP WORLD
PASSWORD (THE SAME AS ON ANDROID AND iOS)
BES MANAGEMENT (SMARTPHONES, TABLETS)
SOFTWARE
OPEN WORK EMAIL MESSAGE LINKS IN THE PERSONAL BROWSER
TRANSFER THROUGH THE WORK PERIMETER TO THE SAME/ANOTHER DEVICE
BBM VIDEO ACCESS TO THE WORK NETWORK
VIDEO CHAT APP USES THE ORGANIZATION'S WI-FI/VPN NETWORK
SECURITY
CERTIFICATES & CIPHERS & S/MIME
HASH & ENCRYPTION ALGORITHMS AND KEY PARAMETERS
TASK/MEMO/CALENDAR/CONTACT/DAYS SYNC
WI-FI PROFILES
WIPE WORK SPACE WITHOUT NETWORK, RESTRICT DEVELOPMENT MODE
VOICE CONTROL & DICTATION IN WORK & USER APPS
BACKUP AND RESTORE (WORK) & DESKTOP SOFTWARE
PC ACCESS TO WORK & PERSONAL SPACE (USB, BT)
PERSONAL SPACE DATA ENCRYPTION
EMAIL PROFILES
NETWORK ACCESS CONTROL FOR WORK APPS
PERSONAL APPS' ACCESS TO WORK CONTACTS
SHARE WORK DATA DURING BBM VIDEO SCREEN SHARING
WORK DOMAINS, WORK NETWORK USAGE FOR PERSONAL APPS
ACCESS POINT, DEFAULT GATEWAY, DHCP, IPV6, SSID, IP ADDRESS
PROXY PASSWORD/PORT/SERVER/SUBNET MASK
VPN PROFILES
PROXY, SCEP, AUTH PROFILE PARAMETERS
TOKENS, IKE, IPSEC AND OTHER PARAMETERS
PROXY PORTS, USERNAME, OTHER PARAMETERS
8. BLACKBERRY CAPABILITIES – BLACKBERRY (OLD)
AN INCREDIBLE NUMBER OF GROUPS, UNITS AND PERMISSIONS ARE CONTROLLED BY THE MDM AND THE DEVICE
55 GROUPS ARE CONTROLLED IN ALL
EACH GROUP CONTAINS FROM 10 TO 30 UNITS, WHICH ARE CONTROLLED TOO
EACH UNIT HAS MANY FLEXIBLE PARAMETERS INSTEAD OF A BARE 'DISABLE/ENABLE & HIDE/UNHIDE'
EACH EVENT IS
CONTROLLED BY A CERTAIN PERMISSION
ALLOWED TO BE CONTROLLED BY SIMILAR PERMISSIONS, TO BE MORE FLEXIBLE
DESCRIBED IN 360 PAGES IN ALL, FOUR TIMES MORE THAN THE OTHER DOCUMENTS
EACH UNIT CAN'T CONTROL THE ACTIVITY BENEATH ITSELF
'CREATE, READ, WRITE/SAVE, SEND, DELETE' ACTIONS ON MESSAGES LEAD TO SPOOFING BY REQUESTING A 'MESSAGE' PERMISSION ONLY
SOME PERMISSIONS AREN'T REQUIRED AT ALL (E.G. TO DELETE ANY OTHER APP)
SOME PERMISSIONS ARE TIED TO THE APP IN WHICH A 3RD PARTY PLUGIN WAS EMBEDDED, INSTEAD OF TO THAT PLUGIN
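The "one permission for every message action" point above is easy to see in legacy BlackBerry Java, where a single Email entry in the application permissions covers the mail Store (read) and Transport (send) alike. The class below is an added example written for this page, not the deck's or BlackBerry's own code: the package and class names are hypothetical, the net.rim calls are the real legacy API (JDE 5.0 or later is assumed), and it is assumed that the device's IT policy allows third-party applications to request the Email permission at all.

```java
// Added example (not from the slides): legacy BlackBerry Java code showing that
// one coarse "Email" permission grants both reading the inbox and sending mail
// from the user's own account; there is no separate, finer grant for SEND.
package com.example.permdemo; // hypothetical package name

import net.rim.blackberry.api.mail.Address;
import net.rim.blackberry.api.mail.Folder;
import net.rim.blackberry.api.mail.Message;
import net.rim.blackberry.api.mail.MessagingException;
import net.rim.blackberry.api.mail.Session;
import net.rim.blackberry.api.mail.Store;
import net.rim.blackberry.api.mail.Transport;
import net.rim.device.api.system.ApplicationPermissions;
import net.rim.device.api.system.ApplicationPermissionsManager;

public final class CoarseEmailPermission {

    /** Ask for the single coarse permission; true once the user has allowed it. */
    public static boolean requestEmailPermission() {
        ApplicationPermissionsManager apm = ApplicationPermissionsManager.getInstance();
        ApplicationPermissions current = apm.getApplicationPermissions();
        if (current.getPermission(ApplicationPermissions.PERMISSION_EMAIL)
                == ApplicationPermissions.VALUE_ALLOW) {
            return true;
        }
        ApplicationPermissions wanted = new ApplicationPermissions();
        wanted.addPermission(ApplicationPermissions.PERMISSION_EMAIL);
        // One prompt with one "Email" line: the user cannot allow READ and refuse SEND.
        return apm.invokePermissionsRequest(wanted);
    }

    /** READ: subjects of the first messages in the inbox, reachable under that one grant. */
    public static String[] inboxSubjects(int max) throws MessagingException {
        Store store = Session.getDefaultInstance().getStore();
        Folder[] inboxes = store.list(Folder.INBOX);
        if (inboxes.length == 0) {
            return new String[0];
        }
        Message[] msgs = inboxes[0].getMessages();
        int n = Math.min(max, msgs.length);
        String[] subjects = new String[n];
        for (int i = 0; i < n; i++) {
            subjects[i] = msgs[i].getSubject();
        }
        return subjects;
    }

    /** SEND: same grant, no further prompt; the mail leaves under the user's identity. */
    public static void sendAsUser(String to, String subject, String body)
            throws MessagingException {
        Message msg = new Message();
        msg.addRecipients(Message.RecipientType.TO, new Address[] { new Address(to, to) });
        msg.setSubject(subject);
        msg.setContent(body);
        Transport.send(msg);
    }
}
```

The thing to test on a real device is the prompt sequence: after requestEmailPermission() returns true, both inboxSubjects() and sendAsUser() run without any further dialog, which is exactly the CREATE/READ/SEND collapse the slide describes. A concrete permission model would prompt separately for Transport.send, or at least distinguish read access to the Store from the ability to originate mail.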
9. ISSUES : USELESS SOLUTIONS - I
USERFULL IDEASAT FIRST GLANCE
BUT INSTEADMAKE NO SENSE
OLD BB: MERGING PERMISSION UNITS AND GROUPS
‘SCREEN CAPTURE, CAMERA, VIDEO PERMISSIONS’ SEPARATED (PREVIOUS BB)
‘SCREEN CAPTURE, CAMERA, VIDEO PERMISSIONS’ MERGED INTO ONE UNIT (LATEST BB)
QNX-BB: SCREEN CAPTURE
IS ALLOWED VIA HARDWARE BUTTONS ONLY
NO EMULATION OF HARDWARE BUTTONS AS IT WAS IN OLD BLACKBERRY DEVICES
LOCKED WHEN THE WORK PERIMETER IS ACTIVE, TO PREVENT SCREEN-CAPTURE LOGGERS
OLD BB: NO SANDBOX HAS EVER BEEN ANNOUNCED
ALL DATA IS ACCESSIBLE EXCEPT APP & SYSTEM DATA, DUE TO A GENERAL PERMISSION
QNX-BB: OFFICIALLY ANNOUNCED SANDBOX
MALWARE IS A PERSONAL APPLICATION SUBTYPE IN TERMS OF BLACKBERRY’s SECURITY
SANDBOX PROTECTS ONLY APP DATA, WHILE USER DATA IS STORED IN SHARED FOLDERS
10. ISSUES : USELESS SOLUTIONS - II
USEFUL IDEAS AT FIRST GLANCE
BUT INSTEAD MAKE NO SENSE
OLD BB: SECURE & INSECURE IM CHATS AT THE SAME TIME
COMMUNICATION SESSIONS ARE ENCRYPTED
CHAT CONVERSATIONS ARE STORED IN PLAIN TEXT WITHOUT ENCRYPTION (EVEN BBM)
INACCESSIBLE FROM THE DEVICE BECAUSE OF AN UNKNOWN FILE TYPE (.CSV)
UPGRADE FEATURE AFFECTS EVERYTHING
UPDATE AN APP THAT CALLS THIS API – USES THE GENERAL API
REMOVE AN APP THAT CALLS THIS API – USES THE GENERAL API
REMOVE ANY OTHER APP UNDER THE SAME API WITHOUT NOTIFICATION
HANDLED WITH PC TOOLS ON OLD BB DEVICES WITHOUT DEBUG / DEVELOPMENT MODE
OLD BB: CLIPBOARD (HAS NEVER EXISTED ANYWHERE AND MIGHT NEVER)
REVEALS THE DATA IN REAL TIME BY ONE API CALL
NATIVE WALLETS PROTECT BY RETURNING NULL
WHILE THE WALLET IS ON TOP || JUST MINIMIZE OR CLOSE IT TO GET FULL ACCESS
EVERY USE CASE REQUIRES MINIMIZING THE APP TO PASTE A PASSWORD
12. ISSUES : USELESS SOLUTIONS – III
THE GUI EXPLOITATION (OLD BB) – NATIVE APPs
INITIALLY BASED ON AN AUTHORIZED API COVERING
ALL PHYSICAL & NAVIGATION BUTTONS
TYPING TEXTUAL DATA, AFFECTS ALL APPs
SECONDARILY BASED ON ADDING MENU ITEMS
INTO THE GLOBAL / “SEND VIA” MENU
AFFECTS ALL NATIVE APPLICATIONS
NATIVE APPs ARE DEVELOPED BY BLACKBERRY
WALLETS, SOCIAL, SETTINGS, IMs,…
GUI EXPLOITATION
REDRAWING THE SCREENS
GRABBING THE TEXT FROM ANY FIELDs (INCL. PASSWORD FIELD)
ADDING, REMOVING THE FIELD DATA
ORIGINAL DATA IS INACCESSIBLE BUT NOT AFFECTED
ADDING GUI OBJECTS BUT NOT SHUFFLING
3RD PARTY SECURITY SOLUTIONS RUIN THE SECURITY
KASPERSKY MOBILE SECURITY PROVIDES
FIREWALL, WIPE, BLOCK, INFO FEATURES
NO PROTECTION FROM REMOVING .CODs & UNDER SIMULATOR
EXAMINING THE TRAFFIC, BEHAVIOUR
SHOULD JUST CHECK THE “IS SIMULATOR” API
SMS MANAGEMENT VIA “QUITE” SECRET SMS
PASSWORD IS 4–16 DIGITS, AND MODIFIED IN REAL-TIME
SMS IS HALF A HASH VALUE OF GOST R 34.11-94
IMPLEMENTATION USES TEST CRYPTO VALUES AND NO SALT
TABLES (VALUE→HASH) ARE EASILY BUILT
OUTGOING SMS CAN BE SPOOFED WITHOUT ANY NOTIFICATION, BECAUSE KMS DELETES THE SENT MESSAGES
OUTGOING SMS BLOCKS/WIPES THE SAME/ANOTHER DEVICE
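The secret-SMS password scheme criticized on this slide, as an added example (not the deck's or Kaspersky's code) that makes the design weakness measurable and shows the corrected design beside it. hashlib has no portable GOST R 34.11-94, so SHA-256 stands in as an assumption; the structural flaws shown (short digit-only secret, no salt, truncated digest) do not depend on the hash.

```python
import hashlib
import hmac
import os

# Assumption: SHA-256 stands in for GOST R 34.11-94, which hashlib lacks.
def weak_sms_token(pin: str) -> str:
    """Half of an unsalted hash of the password, the shape the slide describes."""
    digest = hashlib.sha256(pin.encode()).hexdigest()
    return digest[: len(digest) // 2]


def keyspace(min_len: int = 4, max_len: int = 16) -> int:
    """Number of possible digit-only passwords in the allowed length range."""
    return sum(10 ** n for n in range(min_len, max_len + 1))


def build_table(digits: int) -> dict:
    """Token -> password table for one length.  With no salt the table is the
    same for every device, which is why the slide says tables are easily built;
    for 4 digits it is only 10,000 rows."""
    return {weak_sms_token(f"{n:0{digits}d}"): f"{n:0{digits}d}"
            for n in range(10 ** digits)}


def hardened_token(pin: str, salt: bytes, iterations: int = 200_000) -> str:
    """Corrected design: a per-device random salt plus an iterated KDF, so a
    shared precomputed table is useless and every guess costs real work."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations).hex()


def verify_hardened(pin: str, salt: bytes, expected: str) -> bool:
    """Constant-time comparison of a derived token against the stored one."""
    return hmac.compare_digest(hardened_token(pin, salt), expected)


if __name__ == "__main__":
    table = build_table(4)
    print("4-digit table rows:", len(table), "| full 4-16 digit keyspace:", keyspace())
    device_salt = os.urandom(16)        # constructed per-device salt
    stored = hardened_token("1234", device_salt)
    print("same PIN, other device:", hardened_token("1234", os.urandom(16)) != stored)
    print("verify correct PIN:", verify_hardened("1234", device_salt, stored))
```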
16. CONCLUSION - I
PRIVILEGED GENERAL PERMISSIONS
OWN APPs, NATIVE & 3RD PARTY APPs FEATURES
DENIAL OF SERVICE
GENERAL PERMISSIONS
REPLACING/REMOVING EXEC FILES
DoS’ing EVENTs, ADDING NOISE TO FIELDS
GUI INTERCEPT
INFORMATION DISCLOSURE
INSTEAD OF SPECIFIC SUB-PERMISSIONS
A FEW NOTIFICATION/EVENT LOGs FOR USER
BUILT PER APPLICATION INSTEAD OF APP SCREENs
CONCRETE PERMISSIONS
CLIPBOARD, SCREEN CAPTURE
GUI INTERCEPT
DUMPING .COD FILES, SHARED FILES
MITM (INTERCEPTION / SPOOFING)
MESSAGES
GUI INTERCEPT, THIRD PARTY APPs
FAKE WINDOW/CLICKJACKING
BUT COMBINED INTO GENERAL PERMISSION
A SCREENSHOT PERMISSION IS PART OF THE
CAMERA
GENERAL PERMISSIONS
INSTEAD OF SPECIFIC SUB-PERMISSIONS
A FEW NOTIFICATION/EVENT LOGs FOR USER
BUILT PER APPLICATION INSTEAD OF APP SCREENs
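The general-versus-concrete permission argument of this conclusion, and slide 8's point that a single 'MESSAGE' permission also grants send/delete, as an added example (constructed model, not BlackBerry's API): one general permission is contrasted with per-action sub-permissions, and every sub-permission decision is logged, the audit trail the deck says is missing.

```python
from dataclasses import dataclass, field

# Hypothetical action set for the "message" resource; names are constructed.
MESSAGE_ACTIONS = ("create", "read", "write", "send", "delete")


@dataclass
class PermissionModel:
    granted: dict            # app name -> set of granted permission strings
    fine_grained: bool       # True: needs "message.<action>"; False: "message" covers all
    log: list = field(default_factory=list)  # one entry per sub-permission decision

    def allowed(self, app: str, action: str) -> bool:
        perms = self.granted.get(app, set())
        if self.fine_grained:
            ok = f"message.{action}" in perms
        else:
            # The general permission implies every action on messages.
            ok = "message" in perms and action in MESSAGE_ACTIONS
        # Record the concrete sub-permission that was exercised, not just the app.
        self.log.append((app, f"message.{action}", ok))
        return ok


def compare_models() -> dict:
    """An app that only needs to read messages, evaluated under each model.

    Under the general model the 'message' grant also permits send and delete,
    which is the spoofing path slide 8 describes; under concrete sub-permissions
    only the granted action succeeds, and the log shows every decision."""
    general = PermissionModel({"reader": {"message"}}, fine_grained=False)
    concrete = PermissionModel({"reader": {"message.read"}}, fine_grained=True)
    return {
        "general": {a: general.allowed("reader", a) for a in MESSAGE_ACTIONS},
        "concrete": {a: concrete.allowed("reader", a) for a in MESSAGE_ACTIONS},
        "concrete_log": list(concrete.log),
    }


if __name__ == "__main__":
    for model, decisions in compare_models().items():
        print(model, decisions)
```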
17. CONCLUSION - II
THE VENDOR SECURITY VISION
HAS NOTHING WITH REALITY
AGGRAVATED BY SIMPLICITY
SIMPLIFICATION AND REDUCTION OF SECURITY CONTROLS
MANY GENERAL PERMISSIONS, COMBINED INTO EACH OTHER
NO ACTIVITY LOGs FOR SUB-PERMISSIONS TO PROVE TRANSPARENCY
ANY SECURITY VULNERABILITY IS ONLY FIXED BY AN ENTIRELY NEW AND DIFFERENT OS / KERNEL
A FEW PERMISSIONs ARE CLOSE TO THE USER’S ACTIONS
THE SANDBOX PROTECTS ONLY APPLICATION DATA
USERS HAVE TO STORE THEIR DATA IN SHARED FOLDERS OR EXTERNAL STORAGE
APPLICATIONS CONTINUE TO STORE DATA IN PUBLIC FOLDERs BECAUSE THIS IS GOVERNED BY THE CHANCE OF AVAILABILITY
MITM / INTERCEPTION ACTIONS ARE OFTEN SILENT
THE NATIVE SPOOFING AND INTERCEPTION FEATURES
BLACKBERRY ENTERPRISE SOLUTION / BLACKBERRY MOBILE FUSION IS NOT VERY EFFECTIVE
THE BEST SECURITY (PERMISSIONS) IS RULED BY AMAZON WEB SERVICES
PERMISSIONS SHOULD RELY ON A SET OF DIFFERENT USEFUL CASES INSTEAD OF A SPECIFIC PERMISSION LIST