(PDF) Yury Chemerkin, BalCCON 2013
1. (IN-)EFFICIENCY OF SECURITY FEATURES
ON MOBILE SECURITY AND COMPLIANCE
YURY CHEMERKIN
Balkan Computer Congress (BalCCON 2013)
2. [ YURY CHEMERKIN ]
www.linkedin.com/in/yurychemerkin
http://sto-strategy.com
EXPERIENCED IN:
REVERSE ENGINEERING & AV
SOFTWARE PROGRAMMING & DOCUMENTATION
MOBILE SECURITY AND MDM
CYBER SECURITY & CLOUD SECURITY
COMPLIANCE & TRANSPARENCY
FORENSICS AND SECURITY WRITING
HAKIN9 / PENTEST / EFORENSICS MAGAZINE, GROTECK BUSINESS MEDIA
PARTICIPATION AT CONFERENCES
INFOSECURITYRUSSIA, NULLCON, ATHCON, CONFIDENCE, PHDAYS,
DEFCONMOSCOW, HACTIVITY, HACKFEST
CYBERCRIME FORUM, CYBER INTELLIGENCE EUROPE/INTELLIGENCE-SEC, DEEPINTEL
ICITST, CTICON (CYBERTIMES), ITA, I-SOCIETY
yury.s@chemerkin.com
3. [ OPINIONS ]
BLACKBERRY IS SAFER THAN WINDOWS, WHICH IS SAFER THAN iOS, WHICH IS SAFER THAN ANDROID IN TURN
APPLE'S CENTRALIZED POINT OF DISTRIBUTION PROVIDES CONFIDENCE THROUGH VALIDATION BY APPLE, EXCEPT FOR THE SUSPICIOUS APP SUBMITTED BY Ch. MILLER THAT WAS SUCCESSFULLY APPROVED BY APPLE AND THEN INSTALLED CYDIA AND OTHER APPS
MICROSOFT (WINDOWS PHONE) HAS A CENTRALIZED MARKET WITH DEEPER TESTING AND VALIDATION, LIKE APPLE
GOOGLE PROVIDES A CENTRALIZED MARKET TOO, BUT ALSO ALLOWS INSTALLING APPS FROM 3RD-PARTY SOURCES SUCH AS AMAZON
ANY OTHER SOURCES ARE MALWARE HOTSPOTS
ANY ALTERNATIVE MARKETS FOR SO-CALLED "CRACKED" APPS DISTRIBUTE REPACKAGES FOR FREE
BLACKBERRY IS THE SAFEST OS BECAUSE IT IS THE MOST MANAGEABLE AND SECURE, MAINLY BECAUSE IT IS BUILT THE ENTERPRISE WAY
5. [ Vulnerabilities of OS and apps ]
Min & Average Score
Platform     Min    Average
Android      1,9    8,2
iOS          1,2    6,3
BlackBerry   2,1    6,3
6. [ SOURCE & BINARY ANALYSIS TOOLS ]
HEY DUDE, WHY IS IT VULNERABLE AGAIN?
HOW MANY TOOLS ARE THERE (approx.):
iOS – 10
ANDROID – 50
WINDOWS PHONE – 40
BLACKBERRY – 10
QUANTITY OF BUGS / SECURITY FLAWS
AVERAGE – 50
MIN – 20
MAX – INFINITY
WARNING :: ADS
VERACODE IS THE MOST USEFUL
SORRY, BIG BOSS, I'D JUST COMMITTED A WRONG BRANCH
BUG TYPES (OBVIOUS | LIKELY)
MISSED CONSTRUCTIONS LIKE DOUBLE/TRIPLE FREE()
DEBUG PATHS, KEYS, ETC.
PLAINTEXT & HARD-CODED PASSWORDS, TOKENS, MASTER KEYS, ETC.
NON-SECURE FLAWS, CONSTRUCTIONS, ETC.
CHECK IT OUT
SQL INJECTION IS POSSIBLE
THERE IS NO HTTPS HERE
7. [ MOBILE SECURITY CAPABILITIES ]
THE SAME CAPABILITIES AMONG MOBILE OPERATION SYSTEMS
SECURE BOOTLOADER
SYSTEM SOFTWARE SECURITY (UPDATES)
APPLICATION CODE SIGNING
RUNTIME PROCESS SECURITY
SANDBOX
APIs
HARDWARE SECURITY FEATURES
FILE DATA PROTECTION
SSL, TLS, VPN
PASSCODE PROTECTION
SETTINGS
PERMISSIONS/ RESTRICTIONS
CONFIGURATIONS
REMOTE MANAGEMENT
MDM
REMOTE WIPE
8. [ SECURITY ENVIRONMENT ]
EACH OS EVALUATES EVERY REQUEST THAT AN APPLICATION MAKES TO ACCESS…
MDM SERVICES HELP MANAGE AND PROTECT BLACKBERRY, iOS, WINDOWS, AND ANDROID DEVICES.
MDM SERVICES PROVIDE UNIFIED COMMUNICATION AND COLLABORATION SOFTWARE AND SERVICE (SaaS)
EACH OS IS DESIGNED TO PROTECT DATA IN TRANSIT, IN MEMORY AND IN STORAGE … AT ALL POINTS …
MDM SERVICES ARE ENHANCED BY MANAGING THE BEHAVIOR OF THE DEVICE
THE OS PROVIDES A CAPABILITY TO PROTECT ANY APPLICATION DATA USING SANDBOXING
THE OS PROVIDES A CAPABILITY TO MANAGE PERMISSIONS TO ACCESS ITS CAPABILITIES
THE OS EVALUATES ALL REQUESTS MADE BY AN APP ... BUT HIDES THE DETAILS AND THE APIs INVOLVED
9. [ KNOWN ISSUES ]
THREAT BOUNDARIES BECOME UNCLEAR…
ALL CONTROLLED OBJECTS ARE LIMITED BY
  SANDBOX
  PERMISSIONS
  SECURITY FEATURES ON DEVICEs & MDMs
ADDITIONAL FEATURES AREN'T ACCESSIBLE ON THE DEVICE
USER-MODE MALWARE
  SPYWARE, ROOTKITS
EXPLOITS & ATTACKS
  REVERSING THE NETWORK LAYER
  RECOVERING DATA VS. SANDBOX & MEMORY
  EXPLOITING TO GET SUPER PRIVILEGES
MDM & COMPLIANCE BRING COMMON RECOMMENDATIONS
  MDM vs. COMPLIANCE
  THE SET OF COMMON RECOMMENDATIONS IS SMALLER THAN THE SET OF MDM FEATURES
  IT IS RATHER BETTER TO MANAGE MDM SOLUTIONS THAN THE DEVICE ITSELF
  TOO FAR FROM DETAILS
  YOUNG STANDARDS
  FIRST REVISIONS, DRAFT REVISIONS
MOBILE SECURITY SOFTWARE
  READ-ONLY MODE / INFORMATION ONLY
  APPLICATION FIREWALL (CALLS, MESSAGES…)
  NETWORK FIREWALL REQUIRES ROOT
  NO REAL SECURITY IF YOU BREAK A SANDBOX
10. [ KNOWN ISSUES. Examples ]
BYPASS MDM SOLUTIONS
  iOS, ANDROID
    EXPLOITS, DUMP /MEM TO GET EMAILS
    BLACKHAT EU'13 http://goo.gl/HN829p
  BLACKBERRY PLAYBOOK
    EXPLOITS, MITM, DUMP '.ALL' FILES
    SECTOR'11, INFILTRATE'12, SOURCE BOSTON'13 http://goo.gl/KaTtFG
GAIN ROOT ACCESS
  ANDROID
    APP SIGNATURE EXPLOITATION
    APP MODIFICATION
    BLACKHAT USA'13 http://goo.gl/p5FhWG
TIME-FRAME TO FIX
  7+ MONTHS, OR WAIT FOR THE NEXT UPDATE
  WAIT FOR A VENDOR TO TAKE AN INTEREST IN YOU
ANALYSIS OF APP DATA AT REST
  BLACKBERRY, iOS
    DATA LEAKAGE
    REVEAL PASSWORDS, MASTER KEYS, ETC.
    BLACKHAT EU'12 http://goo.gl/STpSll
  ANDROID
    DATA LEAKAGE
    WEAKNESS OF THE CRYPTO ENGINE
    PHDAYS III '13 http://goo.gl/x1PPGK
11. [ KNOWN ISSUES. Examples ]
PLAYBOOK ARTIFACTS (see the previous slide)
  BROWSER HISTORY
  NETWORKING IDs, FLAGS, MACs
  VIDEO CALL DETAILS
  ACCESS TO INTERNAL NETWORK
KERNEL
  BLACKBERRY Z10
    DUMP MICROKERNEL
    EVEN DEVELOPERS' CREDENTIALS (FACEBOOK, MOBILE, EMAILS)
    BLACKHAT, DEFCON MOSCOW http://goo.gl/R74leX
GUI FAILS
  BLACKBERRY OS
    DATA LEAKAGE
    REVEAL PASSWORDS, … ANYTHING
    NO PERMISSIONS REQUESTED
    BORROW PERMISSIONS OF ANOTHER APP
    NullCon'13, CONFIDENCE'13 http://goo.gl/phMey2
12. [ APPLICATION EXAMINATION ]
ONLY THOSE I HAVE TO USE EVERY DAY
FORENSICS EXAMINATION
Account
  country code, phone number
  Device Hardware Key
  login / tokens of Twitter & Facebook
Calls history
  Name + internal ID
  Duration + date and time
Address book
  Quantity of contacts / viber-contacts
  Full name / Email / phone numbers
Messages
  Conversations
    Quantity of messages & participants per conversation
    Additional participant info (full name, phone)
  Messages
    Date & Time
    content of message
    ID
13. [ APPLICATION EXAMINATION ]
ONLY THOSE I HAVE TO USE EVERY DAY
FORENSICS EXAMINATION
Account
  country code, phone number
  login / tokens: Facebook wasn't revealed
  'Buy me for….$$$'
  Avatars :: phone+@s.whatsapp.net.j (jfif)
Address book
  No records of address book were revealed…
  Check the log file and find these records (!)
Messages
  Messages
    Date & Time
    content of message
    ID :: phone@s.whatsapp.net
14. [ APPLICATION EXAMINATION ]
ONLY THOSE I HAVE TO USE EVERY DAY
FORENSICS EXAMINATION
Account
  Phone number
  Password, secret code weren't revealed
    Trace the app, find the methods that use it
    Repack the app and have fun
  No masking of typed data
Information
  Amount
  Full info in history section (incl. info about who receives money)
Connected cards
  Encryption? No
  Bank cards
    Masked card number only
  Qiwi Bank cards
    Full & masked number
    Cvv/cvc
    All other card info
15. [ APPLICATION EXAMINATION ]
ONLY THOSE I HAVE TO USE EVERY DAY
FORENSICS EXAMINATION
Account
  ID, email, password
Information
  Loyalty (bonus) of your membership
  all you ever type
  Date of birth
  Passport details
  Book/order history
    Routes,
    Date and time,
    Bonus earning
    Full info per each order
Connected cards
  Encryption? AES, 256 bit
  On password anywayanydayanywayanyday
  Stored in plaintext
  Sizeof(anywayanydayanywayanyday) = 192 bit
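An added example (not from the slides) of what the "AES 256 bit" claim above amounts to when the key is the quoted 24-character literal: the key length the cipher actually sees, the much smaller search space the literal's alphabet and repetition leave, and, for contrast, a derived 256-bit key from a salt plus a passphrase that never has to be stored. The key literal is the one quoted on the slide; the passphrase, salt and iteration count are constructed for this example.

```python
"""Key strength of a hard-coded ASCII literal vs a derived key (standard library only)."""
import hashlib
import math
import os
from typing import Dict

# Key literal quoted on slide 15 of the deck.
SLIDE_KEY_LITERAL = b"anywayanydayanywayanyday"

# Key sizes the AES specification defines.
AES_KEY_BITS = (128, 192, 256)


def literal_key_report(literal: bytes) -> Dict[str, object]:
    """Describe a key that is simply an ASCII literal handed to AES."""
    n = len(literal)
    bits_on_wire = n * 8
    # The alphabet the literal is drawn from bounds the brute-force search,
    # whatever the nominal key length says.
    alphabet = set(literal)
    per_char_bits = math.log2(len(alphabet)) if alphabet else 0.0
    # A repeated substring shrinks the search further: find the shortest period.
    period = next(
        (p for p in range(1, n + 1) if n % p == 0 and literal[:p] * (n // p) == literal),
        n,
    )
    return {
        "bits_on_wire": bits_on_wire,
        "aes_variant": f"AES-{bits_on_wire}" if bits_on_wire in AES_KEY_BITS
        else "not a valid AES key length",
        "alphabet_size": len(alphabet),
        # Upper bound on entropy if every character were independent.
        "entropy_upper_bound_bits": round(n * per_char_bits, 1),
        "shortest_period_bytes": period,
        # Upper bound once the repetition is taken into account.
        "repeated_unit_entropy_bits": round(period * per_char_bits, 1),
    }


def derive_key(password: str, salt: bytes, key_bits: int = 256,
               iterations: int = 200_000) -> bytes:
    """Derive an AES key of the requested size with PBKDF2-HMAC-SHA256.

    The salt is random per installation and stored beside the ciphertext;
    the password itself is never written to storage.
    """
    if key_bits not in AES_KEY_BITS:
        raise ValueError(f"unsupported AES key size {key_bits}")
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=key_bits // 8)


def new_salt() -> bytes:
    """16 random bytes from the OS CSPRNG."""
    return os.urandom(16)


if __name__ == "__main__":
    print(literal_key_report(SLIDE_KEY_LITERAL))
    salt = new_salt()
    passphrase = "constructed-example-passphrase"  # constructed, not from the slide
    key = derive_key(passphrase, salt)
    print(len(key) * 8, "bit key; reproducible from passphrase+salt:",
          key == derive_key(passphrase, salt))
```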
16. [ APPLICATION EXAMINATION ]
ONLY THOSE I HAVE TO USE EVERY DAY
FORENSICS EXAMINATION
Account
  ID, bonus card number; password not revealed
  Other ids & tokens
Information
  Date of birth
  Passport details
  History (airlines, city, flight number only)
  Flight tickets, login credentials
    Repack the app and grab it
17. [ APPLICATION EXAMINATION ]
ONLY THOSE I HAVE TO USE EVERY DAY
FORENSICS EXAMINATION
Account
  ID, password
  Loyalty (bonus) card number
Information
  Not revealed (tickets, history or else)
    Repack the app
18. [ APPLICATION EXAMINATION ]
ONLY THOSE I HAVE TO USE EVERY DAY
FORENSICS EXAMINATION
Account
  ID, email, password
  Other ids & tokens
Information
  Loyalty (bonus) of your membership
  all you ever type
  Date of birth
  Passport details
    All PASSPORT INFO (not only travel data)
    Your work data (address, job, etc.) you have never typed!
  Flight tickets
    Repack the app and grab it
19. [ DEVICE MANAGEMENT ]
APPLICATION-LEVEL ATTACK VECTOR
GOALS - MOBILE RESOURCES / AIM OF ATTACK
  DEVICE RESOURCES
  OUTSIDE-OF-DEVICE RESOURCES
ATTACKS - SET OF ACTIONS UNDER THE THREAT
APIs - RESOURCES WIDELY AVAILABLE TO CODERS
SECURITY FEATURES
  KERNEL PROTECTION, NON-APP FEATURES
  PERMISSIONS - EXPLICITLY CONFIGURED
  3RD PARTY
    AV, FIREWALL, VPN, MDM
COMPLIANCE - RULES TO DESIGN MOBILE SECURITY IN ALIGNMENT WITH COMPLIANCE TO…
[Diagram labels: Goals; AV, MDM, DLP, VPN; Non-app features; MDM features; Kernel protection; Permissions; APIs; Attacks]
20. [ DEVICE MANAGEMENT ]
Concurrency over native & additional security features
Δ = Α ∪ Β ∪ Γ ∪ Υ, Α ⊂ Β, Υ ⊆ Β, Υ ⊂ Α
Δ - set of OS permissions, Α - set of device permissions, Β - set of MDM permissions, Γ - set of missed permissions (lack of controls), Υ - set of rules that explicitly should be applied to gain compliance
Η = Ε + Ζ, Ε ⊃ Α ∪ Β
Η - set of APIs, Ε - set of APIs that interact with sensitive data, Ζ - set of APIs that do not interact with sensitive data
To get mobile security designed with full granularity, the set Γ should be empty, so that Ε ⊇ Α ∪ Β holds instead of Ε ⊃ Α ∪ Β; what matters is how close to empty it is. On the other hand, it should be found out whether the assumptions Υ ⊆ Β, Υ ⊂ Α are true and whether it is possible to get ⊆ Α.
The situation is very serious
  Set of permissions < Set of activities: efficiency in the typical case is < 100%
  Ability to control each API = 100%
  More than 1 permission per API > 100%
  Lack of knowledge about possible attacks
  Improper granularity
[Diagram labels: AV, MDM, DLP, VPN; Non-app features; MDM features; Kernel protection; Permissions]
21. [ BLACKBERRY. PERMISSIONS ]
Permissions in the BB 10 Cascades SDK: Background processing; BlackBerry Messenger; Calendar, Contacts; Camera; Device identifying information; Email and PIN messages; GPS location; Internet; Location; Microphone; Narrow swipe up; Notebooks; Notifications; Player; Phone; Push; Shared files; Text messages; Volume
[Table columns for the BB 10 AIR SDK and the PlayBook (PB, NDK/AIR) mark each of these permissions as supported (+), unsupported (-), or available via invoke calls. The per-row marks did not survive extraction: the AIR SDK column shows 15 "+" and one "-", the PlayBook column 11 "+" and two "via invoke calls".]
26. [ iOS. Info.plist (app capabilities) ]
Key - Description
auto-focus-camera - handle autofocus capabilities in the device's still camera in case of macro photography or image processing.
bluetooth-le - handle the presence of Bluetooth low-energy hardware on the device.
camera-flash - handle a camera flash for taking pictures or shooting video.
front-facing-camera - handle a forward-facing camera, such as capturing video from the device's camera.
gamekit - handle Game Center.
gps - handle GPS (or AGPS) hardware to track locations when higher accuracy than Cellular/Wi-Fi is needed.
location-services - retrieve the device's current location using the Core Location framework through Cellular/Wi-Fi.
microphone - handle the built-in microphone and its accessories.
peer-peer - handle peer-to-peer connectivity over a Bluetooth network.
sms - handle the presence of the Messages application, such as opening URLs with the sms scheme.
still-camera - handle the presence of a camera on the device, such as capturing images from the device's still camera.
telephony - handle the presence of the Phone application, such as opening URLs with the telephony scheme.
video-camera - handle the presence of a camera with video capabilities on the device, such as capturing video from the device's camera.
wifi - access to the networking features of the device.
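An added example (not from the slides) of how a reviewer can pull these keys out of an app's Info.plist: the keys live in the UIRequiredDeviceCapabilities entry, which tells the App Store what hardware the app needs and is not the runtime permission prompt, so it is a hint about what the app intends to touch, not a control. The Info.plist contents and the "sensitive" grouping below are constructed for this example; the key list is the one on the slide.

```python
"""Audit UIRequiredDeviceCapabilities in an iOS Info.plist against the slide's key list."""
import plistlib
from typing import Dict, List

# Capability keys from slide 26, with a short version of the slide's description.
SLIDE_CAPABILITIES: Dict[str, str] = {
    "auto-focus-camera": "autofocus in the still camera",
    "bluetooth-le": "Bluetooth low-energy hardware",
    "camera-flash": "camera flash",
    "front-facing-camera": "forward-facing camera",
    "gamekit": "Game Center",
    "gps": "GPS/AGPS hardware for high-accuracy location",
    "location-services": "Core Location via cellular/Wi-Fi",
    "microphone": "built-in microphone",
    "peer-peer": "peer-to-peer Bluetooth connectivity",
    "sms": "Messages app (sms: URLs)",
    "still-camera": "still camera",
    "telephony": "Phone app (tel: URLs)",
    "video-camera": "video-capable camera",
    "wifi": "device networking features",
}

# Keys a reviewer should weigh against the app's stated purpose
# (this example's own grouping, not Apple's).
SENSITIVE = {"gps", "location-services", "microphone", "still-camera",
             "video-camera", "front-facing-camera", "sms", "telephony"}

# Constructed Info.plist for a hypothetical note-taking app (array form).
CONSTRUCTED_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.example.notes</string>
  <key>UIRequiredDeviceCapabilities</key>
  <array>
    <string>armv7</string>
    <string>wifi</string>
    <string>gps</string>
    <string>microphone</string>
    <string>unknown-capability</string>
  </array>
</dict>
</plist>
"""

# Constructed plist using the dictionary form Apple also accepts:
# true = hardware must be present, false = hardware must be absent.
CONSTRUCTED_DICT_FORM_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>UIRequiredDeviceCapabilities</key>
  <dict>
    <key>gps</key><true/>
    <key>telephony</key><false/>
  </dict>
</dict>
</plist>
"""


def required_capabilities(plist_bytes: bytes) -> List[str]:
    """Return the capability keys the app declares it requires to be present."""
    info = plistlib.loads(plist_bytes)
    caps = info.get("UIRequiredDeviceCapabilities", [])
    if isinstance(caps, dict):
        return [key for key, must_be_present in caps.items() if must_be_present]
    return list(caps)


def audit(plist_bytes: bytes) -> Dict[str, List[str]]:
    """Split declared capabilities into sensitive, other known, and not on the slide."""
    caps = required_capabilities(plist_bytes)
    return {
        "sensitive": sorted(c for c in caps if c in SENSITIVE),
        "other_known": sorted(c for c in caps
                              if c in SLIDE_CAPABILITIES and c not in SENSITIVE),
        "not_on_slide": sorted(c for c in caps if c not in SLIDE_CAPABILITIES),
    }


if __name__ == "__main__":
    for bucket, keys in audit(CONSTRUCTED_INFO_PLIST).items():
        print(bucket, [(k, SLIDE_CAPABILITIES.get(k, "?")) for k in keys])
```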
27. [ iOS. Settings ]
Component (Unit)
  Safari
  Camera, FaceTime
  iTunes Store, iBookstore
  Siri
  Manage applications*
  Manage applications*
  Explicit Language (Siri)
  Privacy*, Accounts*
  Content Type Restrictions*
  (Restrictions :: Native application / Restrictions :: 3rd party application)
Unit subcomponents
  Privacy :: Location - Per each 3rd party app; For system services
  Privacy :: Private Info - Contacts, Calendar, Reminders, Photos; Bluetooth Sharing; Twitter, Facebook
  Accounts - Disables changes to Mail, Contacts, Calendars, iCloud, and Twitter accounts; Find My Friends
  Content Type Restrictions - Volume limit; Ratings per country and region; Music and podcasts; Movies, Books, Apps, TV shows; In-app purchases; Require Passwords (in-app purchases)
  Game Center - Multiplayer Games; Adding Friends
  Manage applications - Installing Apps; Removing Apps
31. [ Windows. Permissions ]
Permission - Description
General use capabilities
  musicLibrary - provides access to the user's Music library, allowing the app to enumerate and access all files w/o user interaction.
  picturesLibrary - provides access to the user's Pictures library, allowing the app to enumerate and access all files w/o user interaction.
  videosLibrary - provides access to the user's Videos library, allowing the app to enumerate and access all files w/o user interaction.
  removableStorage - provides access to files on removable storage, such as USB keys and external hard drives, filtered to the file type associations.
  microphone - provides access to the microphone's audio feed, which allows the app to record audio from connected microphones.
  webcam - provides access to the webcam's video feed, which allows the app to capture snapshots and movies from a connected webcam.
  location - provides access to location functionality, like a GPS sensor or a position derived from available network info.
  proximity - enables multiple devices in close proximity to communicate with one another via any possible connection, incl. Bluetooth, WiFi, and the internet.
  internetClient, internetClientServer - provide outbound access to the Internet and public networks through the firewall (inbound access is for the server variant only).
  privateNetworkClientServer - provides inbound and outbound access to home and work networks through the firewall, for games or for applications that share data across local devices.
Special use capabilities
  enterpriseAuthentication - enables a user to log into remote resources using their credentials, and acts as if the user provided their user name and password.
  sharedUserCertificates - enables access to software and hardware certificates, like a smart card.
  documentsLibrary - provides access to the user's Documents library, filtered to the file type associations.
32. [ Windows. Significant APIs ]
Feature                        Q. APIs   Q. sign. APIs   % (sign. APIs)   Controlled?
General use capabilities
  Notifications                     68          4              5,88          +
  Music library                   1300        138             10,62          +
  Pictures library                1157        133             11,50          +
  Videos library                  1300        138             10,62          +
  Removable storage               1045        109             10,43          +
  Microphone                       274         33             12,04          +
  Webcam                           409         91             22,25          +
  Location                          37          5             13,51          +
  Proximity                         54         19             35,19          +
  Internet and public networks     488        134             27,46          +
  Home and work networks           488        134             27,46          +
Special use capabilities
  Enterprise authentication          8          4             50,00          +
  Shared User Certificates          20          5             25,00          +
  Documents library               1045        126             12,06          +
Non-controlled capabilities
  Clipboard                        132         20             15,15          -
  Phone                             18          6             33,33          -
  SMS                              122         25             20,49          -
  Contacts                          97         31             31,96          -
  Device Info                      221         30             13,57          -
39. [ Average quantitative indicators ]
[Chart, y-axis 0% to 100%, per platform (Android, Windows, iOS, BlackBerry): Q. APIs; Q. sign APIs; Q. of m.+a. permissions; Q. of derived permissions; Q. of m.+a. activities; Q. of derived activities; % m+a activities vs perm; % m+a derived vs perm; % m+a vs perm enhanced by MDM; % derived vs perm enhanced by MDM. The individual data labels did not survive extraction in a readable order.]
40. MDM. Extend your device security capabilities
Android
CONTROLLED FOUR GROUPS ONLY
CAMERA AND VIDEO
  HIDE THE DEFAULT CAMERA APPLICATION
PASSWORD
  DEFINE PASSWORD PROPERTIES
  REQUIRE LETTERS (incl. case)
  REQUIRE NUMBERS
  REQUIRE SPECIAL CHARACTERS
  DELETE DATA AND APPLICATIONS FROM THE DEVICE AFTER INCORRECT PASSWORD ATTEMPTS
  DEVICE PASSWORD
  ENABLE AUTO-LOCK
  LIMIT PASSWORD AGE
  LIMIT PASSWORD HISTORY
  RESTRICT PASSWORD LENGTH
  MINIMUM LENGTH FOR THE DEVICE PASSWORD THAT IS ALLOWED
ENCRYPTION
  APPLY ENCRYPTION RULES
  ENCRYPT INTERNAL DEVICE STORAGE
TOUCHDOWN SUPPORT
  MICROSOFT EXCHANGE SYNCHRONIZATION
  EMAIL PROFILES
  ACTIVESYNC
41. MDM . Extend your device security capabilities
iOS
BROWSER
CONTROLLED 16 GROUPS ONLY
DEFAULT APP,
AUTOFILL, COOKIES, JAVASCRIPT, POPUPS
MESSAGING (DEFAULT APP)
BACKUP / DOCUMENT PICTURE / SHARING
ONLINE STORE
CAMERA, VIDEO, VIDEO CONF
CERTIFICATES (UNTRUSTED CERTs)
MESSAGING (DEFAULT APP)
CLOUD SERVICES
PASSWORD (THE SAME WITH ANDROID, NEW BLACKBERRY DEVICES)
PHONE AND MESSAGING (VOICE DIALING)
CONNECTIVITY
OUTPUT, SCREEN CAPTURE, DEFAULT APP
BACKUP / DOCUMENT / PICTURE / SHARING
ONLINE STORES , PURCHASES, PASSWORD
DEFAULT STORE / BOOK / MUSIC APP
PROFILE & CERTs (INTERACTIVE INSTALLATION)
NETWORK, WIRELESS, ROAMING
DATA, VOICE WHEN ROAMING
SOCIAL (DEFAULT APP)
CONTENT (incl. EXPLICIT)
RATING FOR APPS/ MOVIES / TV SHOWS / REGIONS
CONTENT
DIAGNOSTICS AND USAGE (SUBMISSION LOGS)
STORAGE AND BACKUP
SOCIAL APPS / GAMING / ADDING FRIENDS / MULTI-PLAYER
DEFAULT SOCIAL-GAMING / SOCIAL-VIDEO APPS
DEVICE BACKUP AND ENCRYPTION
VOICE ASSISTANT (DEFAULT APP)
42. MDM . Extend your device security capabilities
BlackBerry (new, 10, qnx)
CONTROLLED 7 GROUPS ONLY
GENERAL
MOBILE HOTSPOT AND TETHERING
PLANS APP, APPWORLD
PASSWORD (THE SAME WITH ANDROID, iOS)
BES MANAGEMENT (SMARTPHONES, TABLETS)
SOFTWARE
OPEN WORK EMAIL MESSAGES LINKS IN THE PERSONAL BROWSER
TRANSFER THROUGH WORK PERIMETER TO SAME/ANOTHER DEVICE
BBM VIDEO ACCESS TO WORK NETWORK
VIDEO CHAT APP USES ORGANIZATION’S WI-FI/VPN NETWORK
SECURITY
CERTIFICATES & CIPHERS & S/MIME
HASH & ENCRYPTION ALGS AND KEY PARAMS
TASK/MEMO/CALENDAR/CONTACT/DAYS SYNC
WI-FI PROFILES
WIPE WORK SPACE WITHOUT NETWORK, RESTRICT DEV. MODE
VOICE CONTROL & DICTATION IN WORK & USER APPS
BACKUP AND RESTORE (WORK) & DESKTOP SOFTWARE
PC ACCESS TO WORK & PERSONAL SPACE (USB, BT)
PERSONAL SPACE DATA ENCRYPTION
EMAIL PROFILES
NETWORK ACCESS CONTROL FOR WORK APPS
PERSONAL APPS ACCESS TO WORK CONTACTS
SHARE WORK DATA DURING BBM VIDEO SCREEN SHARING
WORK DOMAINS, WORK NETWORK USAGE FOR PERSONAL APPS
ACCESS POINT, DEFAULT GATEWAY, DHCP, IPV6, SSID, IP ADDRESS
PROXY PASSWORD/PORT/SERVER/SUBNET MASK
VPN PROFILES
PROXY, SCEP, AUTH PROFILE PARAMS
TOKENS, IKE, IPSEC OTHER PARAMS
PROXY PORTS, USERNAME, OTHER PARAMS
43. MDM. Extend your device security capabilities
BlackBerry (old)
THERE ARE 55 GROUPS CONTROLLED IN ALL
EACH GROUP CONTAINS FROM 10 TO 30 UNITS, WHICH ARE CONTROLLED TOO
EACH UNIT HAS A LOT OF FLEXIBLE PARAMs INSTEAD OF A PLAIN 'DISABLE/ENABLE & HIDE/UNHIDE' SWITCH
EACH EVENT IS CONTROLLED BY A CERTAIN PERMISSION, AND MAY ALSO BE CONTROLLED BY SIMILAR PERMISSIONS TO BE MORE FLEXIBLE
DESCRIBED IN 360 PAGES IN ALL, FOUR TIMES MORE THAN THE OTHER DOCUMENTS
A huge amount of permissions are MDM & device built-in
EACH UNIT CAN'T CONTROL THE ACTIVITY UNDER ITSELF
'CREATE, READ, WRITE/SAVE, SEND, DELETE' ACTIONS IN REGARD TO MESSAGES LEAD TO SPOOFING BY REQUESTING A 'MESSAGE' PERMISSION ONLY
SOME PERMISSIONS AREN'T REQUIRED (TO DELETE ANY OTHER APP)
SOME PERMISSIONS ARE RELATED TO THE APP IN WHICH A 3RD PARTY PLUGIN WAS EMBEDDED, INSTEAD OF TO THAT PLUGIN
44. ISSUES : USELESS SOLUTIONS
USEFUL IDEAS AT FIRST GLANCE, BUT INSTEAD MAKE NO SENSE
MERGING PERMISSIONS INTO GROUPS, e.g.
  'SCREEN CAPTURE, CAMERA, VIDEO PERMISSIONS' SEPARATED (BlackBerry old)
  'SCREEN CAPTURE, CAMERA, VIDEO PERMISSIONS' MERGED INTO ONE UNIT (BlackBerry new)
SCREEN CAPTURE
  IS ALLOWED VIA HARDWARE BUTTONS ONLY
  NO EMULATION OF HARDWARE BUTTONS AS THERE WAS ON OLD BLACKBERRY DEVICES
  LOCKS WHEN THE WORK PERIMETER HAS BEEN ENTERED, TO PREVENT SCREEN-CAPTURE LOGGERS
OFFICIALLY ANNOUNCED SANDBOX
  MALWARE IS STILL A PERSONAL APPLICATION SUBTYPE IN TERMS OF (IN-)SECURITY
  THE SANDBOX PROTECTS ONLY APP DATA, WHILE USER DATA IS STORED IN SHARED FOLDERS
  THE INABILITY TO BACK UP MAKES DEVELOPERS STORE DATA IN SHARED FOLDERS
45. ISSUES : USELESS SOLUTIONS
USEFUL IDEAS AT FIRST GLANCE, BUT INSTEAD MAKE NO SENSE
SECURE & INSECURE APP AT THE SAME TIME
  HAS ENCRYPTED COMMUNICATION SESSIONS, AND MAY STORE THE CHAT CONVERSATION WITHOUT ENCRYPTION
  STORES SENSITIVE DATA IN PLAINTEXT (PASSWORDS, PASSPORT DETAILS, CARD INFO) AND BELIEVES IN THE POWER OF THE SANDBOX
UPGRADE FEATURE AFFECTS EVERYTHING
  MAY UPDATE/REMOVE ANY OTHER APP - SURPRISE
  REPACKAGES STILL HAVE ACCESS TO THE SAME DATA AS THE ORIGINAL APP
  DEBUG / NOT ORIGINAL SIGNATURE PROBLEM - THAT'S NOT A PROBLEM
CLIPBOARD (A SECURE CLIPBOARD HAS NEVER EXISTED ANYWHERE AND MIGHT NEVER)
  REVEALS THE DATA IN REAL TIME BY ONE API CALL
  ACCESSIBLE BY APIs AS WELL AS FILE DATA (DEPENDS ON YOUR OS)
  NATIVE WALLETS PROTECT BY RETURNING NULL WHILE ON TOP (OLD BLACKBERRY ONLY) || JUST MINIMIZE OR CLOSE IT TO GET FULL ACCESS
  EVERY USER MUST MINIMIZE THE APP TO PASTE A PASSWORD
46. ISSUES : USELESS SOLUTIONS
USEFUL IDEAS AT FIRST GLANCE, BUT INSTEAD MAKE NO SENSE
GUI EXPLOITATION HAPPENS (OLD BLACKBERRY, ANDROID REPACKAGES)
  REDRAWING THE SCREENS (OLD BB ONLY), GRABBING THE TEXT FROM ANY FIELDs (INCL. THE PASSWORD FIELD)
  ADDING, REMOVING THE FIELD DATA
  ORIGINAL DATA IS INACCESSIBLE BUT NOT AFFECTED
KASPERSKY MOBILE SECURITY PROVIDES INSECURITY
  NO PROTECTION FROM REMOVING .CODs & RUNNING UNDER A SIMULATOR
  EXAMINING THE TRAFFIC, BEHAVIOUR
  IT SHOULD JUST CHECK THE "IS SIMULATOR" API
  SMS MANAGEMENT VIA A "QUITE" SECRET SMS (NOT ENCRYPTED, HASH ONLY)…
  THE SAME SECRET AMONG OPERATING SYSTEMS (BB, ANDROID, WINDOWS,…)
  PASSWORD IS 4–16 DIGITS, AND MODIFIED IN REAL TIME (OLD BLACKBERRY, OR ANDROID REPACKAGES)
  SMS IS HALF A HASH VALUE OF GOST R 34.11-94
  HASH IMPLEMENTATION USES TEST CRYPTO VALUES AND NO SALT
  TABLES (VALUE → HASH) ARE EASILY BUILT
  OUTGOING SMS CAN BE SPOOFED WITHOUT ANY NOTIFICATION, BECAUSE KMS DELETES THE SENT MESSAGES
  OUTGOING SMS COULD BLOCK/WIPE THE SAME/ANOTHER DEVICE
47. COMPLIANCE AND MDM
CSA Mobile Device Management: Key Components
  Device diversity
  Configuration management
  Software Distribution
  Device policy compliance & enforcement
  Enterprise Activation
  Logging
  Security Settings
  Security Wipe, Lock
  IAM
  Makes sure you start managing security under uncertain terms without AI
NIST-124
  Refers to NIST-800-53 and others
  Sometimes misses requirements such as locking the device, although it is in NIST-800-53
  A bit more detailed than CSA
  No statements on permission management
  Makes sure you start managing security under uncertain terms without AI
48. CONCLUSION
PRIVILEGED GENERAL PERMISSIONS
DENIAL OF SERVICE
  REPLACING/REMOVING FILES
  DOS'ing EVENTs, GUI INTERCEPT
INFORMATION DISCLOSURE
  CLIPBOARD, SCREEN CAPTURE
  GUI INTERCEPT
  SHARED FOLDERS
  DUMPING .COD/.BAR/APK… FILES
  OWN APPs, NATIVE & 3RD PARTY APPs' FEATURES
MITM (INTERCEPTION / SPOOFING)
  MESSAGES
  GUI INTERCEPT, THIRD PARTY APPs
  FAKE WINDOW/CLICKJACKING
GENERAL PERMISSIONS INSTEAD OF SPECIFIC SUB-PERMISSIONS
FEW NOTIFICATION/EVENT LOGs FOR THE USER
BUILT PER APPLICATION INSTEAD OF PER APP SCREEN
49. CONCLUSION
THE VENDOR'S SECURITY VISION HAS NOTHING TO DO WITH REALITY
AGGRAVATED BY SIMPLICITY
  SIMPLIFICATION AND REDUCTION OF SECURITY CONTROLS
  MANY GENERAL PERMISSIONS, COMBINED INTO EACH OTHER
  NO ACTIVITY LOGs FOR SUB-PERMISSIONS TO PROVE TRANSPARENCY
  ANY SECURITY VULNERABILITY IS ONLY FIXED BY AN ENTIRELY NEW AND DIFFERENT OS / KERNEL
  FEW PERMISSIONs ARE CLOSE TO THE USER'S ACTIONS
THE SANDBOX PROTECTS ONLY APPLICATION DATA
  USERS HAVE TO STORE THEIR DATA IN SHARED FOLDERS OR EXTERNAL STORAGE
  APPLICATIONS CONTINUE TO STORE DATA IN PUBLIC FOLDERs BECAUSE THEY ARE GOVERNED BY THE CHANCE OF AVAILABILITY
MITM / INTERCEPTION ACTIONS ARE OFTEN SILENT
  THE NATIVE SPOOFING AND INTERCEPTION FEATURES
COMPLIANCE DOES NOT EXTEND MDM CAPABILITIES - IT JUST REPEATS THEM
THE MOST GRANULAR SECURITY (PERMISSIONS) IS RULED BY AMAZON WEB SERVICES
PERMISSIONS SHOULD RELY ON A SET OF DIFFERENT USEFUL CASES INSTEAD OF A SPECIFIC PERMISSION LIST