This document discusses mobile device management (MDM) and mobile security. It begins with background on the speaker, Yury Chemerkin, a multiskilled security researcher from Russia. It then discusses what workers and companies typically want from MDM and what third parties usually sell. It goes on to describe the real device management approach, which covers managing mobile devices, applications and network access alongside compliance. It also covers known issues with bypassing MDM solutions and gaining root access on Android devices, and analyzes the security environments and permission models of the BlackBerry, iOS, Windows and Android operating systems.
C0c0n 2011 mobile security presentation v1.2 (Santosh Satam)
Mobile phone security has been a hot topic for debate in recent times. The top mobile manufacturers claim that their phones and applications are secure, but recent news on mobile hacking and malware suggests otherwise.
One of the key challenges in mobile security is the diversity of platforms and the multitude of operating systems (both open and proprietary) on the market. This makes it almost impossible to devise a generic catch-all strategy for mobile application security. Every platform, whether iOS, Android, BlackBerry, Windows Mobile, Symbian, etc., is unique and requires specialized treatment.
In this talk, we will demystify mobile and related application security. We will look at the architectures of the various mobile operating systems and the native security support provided by the manufacturers and operating system vendors. Then we will look at how attackers have come up with different techniques and tools to break mobile security, and what mobile companies are doing to mitigate these attacks.
Finally, we will look at secure practices for mobile deployment in the enterprise using policy files and other technology solutions. We will also outline best practices for business users and road warriors on how to ensure company data is protected while still enjoying the flexibility provided by mobile phones.
A configuration profile is a sensitive optional file that can redefine system settings such as mobile carrier settings, Mobile Device Management (MDM) settings and networking settings. Through social engineering such as email phishing or a fake URL, an attacker can convince a user to install a malicious profile and change the device settings so that network traffic is silently routed from the device to a remote proxy over SSL using a self-signed certificate.
The impact:
Once the attacker has re-routed all traffic from the mobile device to their own server, they can begin to install other malicious apps and decrypt SSL communications.
The Future of Mobile Application Security (SecureAuth)
The rapid adoption of mobile technology in recent years has created an opportunity for enterprises to increase the productivity and flexibility of their organizations. This demand for greater mobility has forced enterprises to deliver sensitive applications and data across a wide array of devices and networks.
SecureAuth and Sencha have created an integrated approach to application, data, and user mobility that elegantly addresses these challenges.
-Secure enterprise application deployment
-End-to-end data security with strong encryption
-Managed application container that works on any device
-Developer SDK for creating rich application user experiences
The Zero Trust Model of Information Security (Tripwire)
In today’s IT threat landscape, the attacker might just as easily be over the cubicle wall as in another country. In the past, organizations have been content to use a trust-and-verify approach to information security, but that is not working, since malicious insiders represent the greatest risk to organizations. Listen in as John Kindervag, Forrester Senior Analyst, explains why it is not working and what you can do to address this IT security shortcoming.
In this webcast, you’ll hear:
Examples of major data breaches that originated from within the organization
Why it’s cheaper to invest in proactive breach prevention—even when the organization hasn’t been breached
What’s broken about the traditional trust and verify model of information security
About a new model for information security that works—the zero-trust model
Immediate and long-term activities to move organizations from the "trust and verify" model to the "verify and never trust" model
Discover more about USP's SES solution: say goodbye to Microsoft’s TMG and hello to USP's Smarter Web App Protection and Authentication! (United Security Providers)
Navigating the Zero Trust Journey for Today's Everywhere Workplace (Ivanti)
Join Ivanti cybersecurity experts as they share best practices for implementing an effective zero trust security strategy at the user, device and network-access levels to ensure the optimal security posture for your organization. Learn how you can implement a multi-tiered approach to mobile phishing protection to best protect against data breaches.
Defend your Everywhere Workplace through adaptive zero trust security and adapt to modern threats faster and experience better outcomes.
The 1st Step to Zero Trust: Asset Management for Cybersecurity (nathan-axonius)
Eight years after former Forrester analyst John Kindervag introduced the Zero Trust model, the concept has hit the mainstream. As current Forrester analyst Chase Cunningham says, 85% of his calls involve zero trust. With the amount of interest in the concept, many organizations are rushing to understand how to implement the zero-trust model. In this guide, we’ll look at the first step to implementing zero trust: asset management.
Usability and security are not two sides of a coin. They are equivalent and can in fact complement each other: good usability can improve security, but often needs more thought and better tools. (United Security Providers)
Black Hat USA 2014 - A Practical Attack Against Virtual Desktop Infrastructur... (Lacoon Mobile Security)
CEO Michael Shaulov and Sr. Security Researcher Daniel Brodie will be presenting “A Practical Attack Against VDI Solutions” at this year’s conference in Las Vegas.
In a confusing web world of "Like" buttons, tweets, Instagram'ing, and files being stored in clouds like Dropbox, organizations are challenged with how to protect the network, while not hindering business. To make matters worse, vendors are confusing the deployment methods by introducing On Premise Web Security Gateways, Cloud Web Security Gateways and Next Generation Firewalls.
Despite advances in security, hackers continue to break through network defenses. In this hour-long webinar, network security specialist Catherine Paquet will examine the favorite methods and targets of hackers and will introduce you to the different categories of security technologies. In this foundational presentation, you will learn about the benefits of security solutions such as firewalls, VPNs, IPS, identity services and BYOD.
Cloud Smart is today’s IT modernization strategy designed to help Federal agencies adopt cloud solutions that streamline transformation and embrace modern capabilities. We will review the key aspects of the Cloud Smart strategy that agencies can focus on to meet those objectives. We will dive into the Security aspect of Cloud Smart as we focus on its impact on Trusted Internet Connections. We'll see how the new horizon of security services in AWS can help agencies implement Zero Trust Networking and we'll look at ways in which Government agencies can utilize AWS tools and services for architecture decisions that may not require TIC routing, while still meeting government-wide requirements.
Here are some Guidelines for CxO's relating to BYOD / Mobile-Device Security at work. Includes some recent Statistics and other Research on the Market.
Nowadays, like the technology itself, hacking activity against mobile phones is growing very rapidly, both against mobile devices (operating systems) and mobile applications. Some application providers even dedicate a penetration test to the applications they create right before release to the public, while others open bug bounty programs, and sadly the rest just watch and do nothing.
On the other side, malware developers around the world have already moved their main target and have been developing malware to take over mobile devices, which surely hold all our personal/private and work data; some of it even makes us pay to get it back.
This talk will focus on the recent trend in mobile device security and on mobile security penetration testing in practice, showing several types of common weaknesses/vulnerabilities within mobile applications and how the attacker exploits them, how malware is created and planted, and how the target mobile device is finally taken over.
When developers' APIs simplify user-mode rootkit development (Yury Chemerkin)
This is a series of articles about shell extensions that enhance high-level features of any operating system. However, such possibilities not only enrich the platform but also simplify developing trojans and exploits, which leads to new security holes. Extensions of this kind are mostly known as user-mode rootkits.
http://hakin9.org/theultimat/
iOS Security: The Never-Ending Story of Malicious Profiles (Yair Amit)
iOS is probably the most secure mobile operating system nowadays. However, is it enough? Last year, we identified the malicious profiles attack, which leverages features of iOS to grant remote hackers deep control over victims' devices. This presentation reviews recent threats and their evolution and uncovers a new vulnerability that makes it possible to effectively conceal attacks.
SAE 2014 - Cyber Security: Mission Critical for the Internet of Cars (Andreas Mai)
Connected vehicles are becoming rolling data centers. More attack surfaces expose vehicles to cyber threats that have become common in the IT industry. Connected vehicles will require an end-to-end security architecture spanning from chip level to cloud based security services that protect vehicles over the entire life cycle.
1. MDM and Mobile Security: Compliance, Security, Transparency, Elaboration, Simplification
YURY CHEMERKIN
HackerHalted 2013
2. [ YURY CHEMERKIN ]
www.linkedin.com/in/yurychemerkin
http://sto-strategy.com
MULTISKILLED SECURITY RESEARCHER, WORKS FOR A RUSSIAN COMPANY
EXPERIENCED IN:
REVERSE ENGINEERING & AV, DEVELOPMENT (IN THE PAST)
MOBILE SECURITY, INCL. MDM, MAM, ETC.
CYBER SECURITY & CLOUD SECURITY
COMPLIANCE & FORENSICS ON MOBILE & CLOUD
WRITING (STO BLOG, HAKIN9, PENTEST, eFORENSICS MAGAZINES)
PARTICIPATION AT CONFERENCES:
INFOSECURITY RUSSIA, NULLCON, ATHCON, CONFIDENCE, PHDAYS,
DEFCON MOSCOW, HACKERHALTED, HACKTIVITY, HACKFEST,
CYBERCRIME FORUM, CYBER INTELLIGENCE EUROPE/INTELLIGENCE-SEC, DEEPINTEL,
ICITST, CTICON (CYBERTIMES), ITA, I-SOCIETY
yury.s@chemerkin.com
3. [ MOBILE DEVICE MANAGEMENT]
WHAT DO WORKERS WANT…
WHAT DO COMPANIES WANT…
4. [ MOBILE DEVICE MANAGEMENT]
WHAT DO THIRD PARTIES USUALLY SELL… FIRST CASE
WHAT DO THIRD PARTIES USUALLY SELL… SECOND CASE
5. [ MOBILE DEVICE MANAGEMENT]
WHAT DOES THE REAL DEVICE MANAGEMENT APPROACH INCLUDE… NOT LESS THAN…
MOBILE DEVICE
MOBILE DEVICE MANAGEMENT SOLUTION
NATIVE / THIRD PARTY SOLUTION
MOBILE APPLICATION MANAGEMENT SOLUTION
EMBEDDED / NATIVE / THIRD PARTY SOLUTION
MOBILE EMAIL MANAGEMENT SOLUTION
NETWORK ACCESS CONTROL SOLUTION
NOT A NEW IDEA, BUT QUITE USEFUL IN CLOUDS
ADDITIONAL SOLUTIONS
AV, LOG MANAGEMENT, DLP-BASED SOLUTION, FORENSICS SOLUTION
COMPLIANCE
GUIDELINES / BEST PRACTICES
6. [ OPINIONS ]
BlackBerry / Windows / iOS / Android
APPLE IS TOO SERIOUS TO LET MALWARE SPREAD THROUGH ITS MARKET, EXCEPT FOR
THE CH. MILLER CASE
JAILBREAK, CYDIA, BLACK & OTHER MARKETS
MICROSOFT (WINDOWS PHONE) HAS IMPLEMENTED THE SAME IDEA
GOOGLE HAS A WEAK POLICY, WHICH IS WHY EVERYONE GETS MALWARE EVEN IN THE OFFICIAL MARKET
PLUS 3RD PARTY MARKETS
PLUS REPACKAGES
BLACKBERRY IS THE SAFEST OS BECAUSE THAT'S ABOUT THE SIZE OF IT
7. [ SECURITY ENVIRONMENT ]
EACH OS EVALUATES EVERY REQUEST THAT AN APPLICATION MAKES TO ACCESS… BUT KEEPS THE DETAILS AND APIs OUT OF SIGHT
MDM HELPS TO PROTECT DATA AND MANAGE BLACKBERRY, iOS, WINDOWS AND ANDROID DEVICES.
MDM IS ENHANCED BY MANAGING THE BEHAVIOR OF THE DEVICE:
SECURE BOOTLOADER, SYSTEM SOFTWARE SECURITY (UPDATES),
APPLICATION CODE SIGNING
RUNTIME PROCESS SECURITY (SANDBOX, APIs)
HARDWARE SECURITY FEATURES
FILE DATA PROTECTION
SSL, TLS, VPN
PASSCODE PROTECTION
SETTINGS (PERMISSIONS / RESTRICTIONS, CONFIGURATIONS)
REMOTE MANAGEMENT
MDM
REMOTE WIPE
8. [ KNOWN ISSUES. Examples ]
THREAT BOUNDS BECOME UNCLEAR…
BYPASS MDM SOLUTIONS
iOS, ANDROID
EXPLOITS, DUMP /MEM TO GET EMAILS
BLACKHAT EU’13 http://goo.gl/HN829p
BLACKBERRY PLAYBOOK
EXPLOITS, MITM, DUMP ‘.ALL’ FILES
SECTOR’11, INFILTRATE’12, SOURCE BOSTON’13 http://goo.gl/KaTtFG
GAIN ROOT ACCESS
ANDROID
APP SIGNATURE EXPLOITATION
APP MODIFICATION
BLACKHAT USA’13 http://goo.gl/p5FhWG
COMPLIANCE BRINGS COMMON RECOMMENDATIONS
TIME-FRAME TO FIX
7+ MONTHS OR WAIT FOR THE NEXT UPDATE
WAIT FOR THE VENDOR TO TAKE AN INTEREST IN YOU
ANALYSIS OF APP DATA AT REST
BLACKBERRY, iOS
DATA LEAKAGE
REVEAL PASSWORDS, MASTER KEYS, ETC.
BLACKHAT EU’12 http://goo.gl/STpSll
ANDROID
DATA LEAKAGE
WEAKNESS OF THE CRYPTO ENGINE
PHDAYS III ’13 http://goo.gl/x1PPGK
9. [ KNOWN ISSUES. Examples ]
THREAT BOUNDS BECOME UNCLEAR…
PLAYBOOK ARTIFACTS (see the previous slide)
BROWSER HISTORY
NETWORKING IDs, FLAGS, MACs
VIDEO CALL DETAILS
ACCESS TO INTERNAL NETWORK
KERNEL
BLACKBERRY Z10
DUMP MICROKERNEL
EVEN DEVELOPERS’ CREDENTIALS (FACEBOOK, MOBILE, EMAILS)
BLACKHAT, DEFCON MOSCOW http://goo.gl/R74leX
COMPLIANCE BRINGS COMMON RECOMMENDATIONS
GUI FAILS (my results)
BLACKBERRY OS
DATA LEAKAGE
REVEAL PASSWORDS, … ANYTHING
NO PERMISSIONS REQUESTED
BORROW PERMISSIONS OF ANOTHER APP
NullCon’13, CONFIDENCE’13 http://goo.gl/phMey2
Not yet tested on the new BlackBerry devices
10. [ DEVICE MANAGEMENT ]
APPLICATION-LEVEL ATTACK VECTOR
GOALS - MOBILE RESOURCES / AIM OF ATTACK
DEVICE RESOURCES
OUTSIDE-OF-DEVICE RESOURCES
ATTACKS - SET OF ACTIONS UNDER THE THREAT
APIs - RESOURCES WIDELY AVAILABLE TO CODERS
SECURITY FEATURES
KERNEL PROTECTION, NON-APP FEATURES
PERMISSIONS - EXPLICITLY CONFIGURED
3RD PARTY
AV, FIREWALL, VPN, MDM
COMPLIANCE - RULES TO DESIGN MOBILE SECURITY IN ALIGNMENT WITH COMPLIANCE TO…
[Diagram: layers between Goals and Attacks: AV, MDM, DLP, VPN; Non-app features; MDM features; Kernel protection; Permissions; APIs]
11. [ DEVICE MANAGEMENT ]
Concurrency over native & additional security features

$\Delta = A \cup B \cup \Gamma \cup \Upsilon,\qquad A \subset B,\quad \Upsilon \subseteq B,\quad \Upsilon \subset A$

$\Delta$: set of OS permissions; $A$: set of device permissions; $B$: set of MDM permissions; $\Gamma$: set of missed permissions (lack of controls); $\Upsilon$: set of rules that explicitly must be applied to achieve compliance.

$H = E + Z,\qquad E \supset A \cup B$

$H$: set of APIs; $E$: set of APIs that interact with sensitive data; $Z$: set of APIs that do not interact with sensitive data.

To design mobile security with full granularity, the set $\Gamma$ should be empty, so that $E \supseteq A \cup B$ holds instead of the strict $E \supset A \cup B$ (every sensitive API is then covered by some control); in practice what matters is how close $\Gamma$ is to empty. On the other hand, it must be found out whether the assumptions $\Upsilon \subseteq B$, $\Upsilon \subset A$ hold and whether it is possible to get $\subseteq A$.

The situation is very serious:
SET OF PERMISSIONS < SET OF ACTIVITIES: EFFICIENCY IN THE TYPICAL CASE < 100%
ABILITY TO CONTROL EACH API = 100%
MORE THAN 1 PERMISSION PER API > 100%
LACK OF KNOWLEDGE ABOUT POSSIBLE ATTACKS
IMPROPER GRANULARITY
[Diagram: layers AV, MDM, DLP, VPN; Non-app features; MDM features; Kernel protection; Permissions]
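As an added illustration (not from the talk), the model above written as data you can compute over: each sensitive API in $E$ is listed with the native permissions ($A$) and MDM controls ($B$) that gate it, $\Gamma$ falls out as the APIs gated by nothing, and the three coverage cases the slide lists (< 100%, = 100%, > 100%) become two numbers you can track per platform. The API names, permission names and compliance rules are a constructed sample, not an inventory of any real OS or MDM product.

```python
"""The slide's set model, as data you can compute over.

Added example, not from the talk. The API-to-permission mapping below is a
constructed sample; real inventories come from the platform's API and
permission documentation plus the MDM vendor's control list.
"""
from typing import Dict, Set

# E: sensitive APIs, each with the native device permissions (A) and the MDM
# controls (B) that gate it. An API gated by nothing is a missed control (Gamma).
SENSITIVE_APIS: Dict[str, Dict[str, Set[str]]] = {
    "contacts.read":  {"device": {"contacts"}, "mdm": {"contacts", "dlp.contacts"}},
    "location.fine":  {"device": {"location"}, "mdm": {"location"}},
    "camera.capture": {"device": {"camera"},   "mdm": {"camera"}},
    "sms.send":       {"device": {"sms"},      "mdm": {"sms", "dlp.sms"}},
    "screenshot":     {"device": set(),        "mdm": {"screenshot"}},
    "clipboard.read": {"device": set(),        "mdm": set()},   # nobody gates it
}
NON_SENSITIVE_APIS: Set[str] = {"ui.draw", "math.random"}       # Z
# Upsilon: controls a compliance rule says must exist (constructed sample).
COMPLIANCE_RULES: Set[str] = {"contacts", "location", "camera"}


def device_permissions() -> Set[str]:
    """A: union of native permissions over all sensitive APIs."""
    return set().union(*(v["device"] for v in SENSITIVE_APIS.values()))


def mdm_permissions() -> Set[str]:
    """B: union of MDM controls over all sensitive APIs."""
    return set().union(*(v["mdm"] for v in SENSITIVE_APIS.values()))


def missed_controls() -> Set[str]:
    """Gamma, expressed as the sensitive APIs that no permission or MDM control gates."""
    return {api for api, v in SENSITIVE_APIS.items() if not (v["device"] | v["mdm"])}


def coverage() -> float:
    """Share of sensitive APIs with at least one control (the slide's '< 100%' case)."""
    return 1 - len(missed_controls()) / len(SENSITIVE_APIS)


def controls_per_api() -> float:
    """Mean number of distinct controls per sensitive API; > 1 is the slide's '> 100%' case."""
    total = sum(len(v["device"] | v["mdm"]) for v in SENSITIVE_APIS.values())
    return total / len(SENSITIVE_APIS)


def check_assumptions() -> Dict[str, bool]:
    """The slide's assumptions A ⊂ B, Υ ⊆ B, Υ ⊂ A, and E ∩ Z = ∅, evaluated on the inventory."""
    a, b, y = device_permissions(), mdm_permissions(), COMPLIANCE_RULES
    return {
        "A_strict_subset_of_B": a < b,
        "Y_subset_of_B": y <= b,
        "Y_strict_subset_of_A": y < a,
        "E_and_Z_disjoint": not (set(SENSITIVE_APIS) & NON_SENSITIVE_APIS),
    }


if __name__ == "__main__":
    print("missed controls (Gamma):", missed_controls())
    print("coverage: %.0f%%" % (100 * coverage()))
    print("controls per API: %.2f" % controls_per_api())
    print(check_assumptions())
```

On this sample the clipboard API is the whole of $\Gamma$, coverage is 5/6 and the mean number of controls per API is 7/6, i.e. both the "< 100%" and the "> 100%" cases of the slide occur at once: doubled-up controls on contacts and SMS do nothing for the API that has none, which is the granularity point the slide is making.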
12. [ BLACKBERRY. PERMISSIONS ]
BB 10 Cascades SDK
Background processing
BlackBerry Messenger
Calendar, Contacts
Camera
Device identifying information
Email and PIN messages
GPS location
Internet
Location
Microphone
Narrow swipe up
Notebooks
Notifications
Player
Phone
Push
Shared files
Text messages
Volume
BB 10 AIR SDK: 15 of the above permissions marked +, 1 marked -
PB (NDK/AIR): 11 marked +, 2 available only via invoke calls
17. [ iOS. Info.plist (app capabilities, UIRequiredDeviceCapabilities) ]
Key: Description
auto-focus-camera: handle autofocus capabilities in the device's still camera, e.g. for macro photography or image processing.
bluetooth-le: handle the presence of Bluetooth Low Energy hardware on the device.
camera-flash: handle a camera flash for taking pictures or shooting video.
front-facing-camera: handle a forward-facing camera, such as capturing video from the device's camera.
gamekit: handle Game Center.
gps: handle GPS (or AGPS) hardware to track location when higher accuracy than cellular/Wi-Fi is needed.
location-services: retrieve the device's current location using the Core Location framework via cellular/Wi-Fi.
microphone: handle the built-in microphone and its accessories.
peer-peer: handle peer-to-peer connectivity over a Bluetooth network.
sms: handle the presence of the Messages application, such as opening URLs with the sms scheme.
still-camera: handle the presence of a camera on the device, such as capturing images from the device's still camera.
telephony: handle the presence of the Phone application, such as opening URLs with the tel scheme.
video-camera: handle the presence of a camera with video capabilities, such as capturing video from the device's camera.
wifi: access to the networking features of the device.
18. [ iOS. Settings ]
Component – Unit – Unit subcomponents
Restrictions :: Native application – Safari; Camera, FaceTime; iTunes Store, iBookstore; Siri; Manage applications*
Restrictions :: 3rd application – Manage applications*; Explicit Language (Siri); Privacy*, Accounts*; Content Type Restrictions*
Unit subcomponents (*):
Privacy :: Location – Per each 3rd party app; For system services
Privacy :: Private Info – Contacts, Calendar, Reminders, Photos; Bluetooth Sharing; Twitter, Facebook
Accounts – Disables changes to Mail, Contacts, Calendars, iCloud, and Twitter accounts; Find My Friends; Volume limit
Content Type Restrictions – Ratings per country and region; Music and podcasts; Movies, Books, Apps, TV shows; In-app purchases; Require Passwords (in-app purchases)
Game Center – Multiplayer Games; Adding Friends (Game Center)
Manage applications – Installing Apps; Removing Apps
22. [ Windows. Permissions ]
Permission – Description
General use capabilities
musicLibrary – provides access to the user's Music library, allowing the app to enumerate and access all files without user interaction.
picturesLibrary – provides access to the user's Pictures library, allowing the app to enumerate and access all files without user interaction.
videosLibrary – provides access to the user's Videos library, allowing the app to enumerate and access all files without user interaction.
removableStorage – provides access to files on removable storage, such as USB keys and external hard drives, filtered to the file type associations.
microphone – provides access to the microphone's audio feed, which allows recording audio from connected microphones.
webcam – provides access to the webcam's video feed, which allows capturing snapshots and movies from a connected webcam.
location – provides access to location functionality, such as a GPS sensor or a location derived from available network info.
proximity – enables multiple devices in close proximity to communicate with one another via any available connection, incl. Bluetooth, Wi-Fi, and the internet.
internetClient, internetClientServer – provides outbound (inbound is for the server variant only) access to the Internet and public networks via the firewall.
privateNetworkClientServer – provides inbound and outbound access to home and work networks through the firewall, for games or for applications that share data across local devices.
Special use capabilities
enterpriseAuthentication – enables a user to log into remote resources using their credentials, and acts as if the user provided their user name and password.
sharedUserCertificates – enables access to software and hardware certificates, such as a smart card.
documentsLibrary – provides access to the user's Documents library, filtered to the file type associations.
23. [ Windows. Significant APIs ]
Feature | Q. APIs | Q. sign. APIs | % (sign. APIs) | Controlled?
General use capabilities
Notifications | 68 | 4 | 5,88 | +
Music library | 1300 | 138 | 10,62 | +
Pictures library | 1157 | 133 | 11,50 | +
Videos library | 1300 | 138 | 10,62 | +
Removable storage | 1045 | 109 | 10,43 | +
Microphone | 274 | 33 | 12,04 | +
Webcam | 409 | 91 | 22,25 | +
Location | 37 | 5 | 13,51 | +
Proximity | 54 | 19 | 35,19 | +
Internet and public networks | 488 | 134 | 27,46 | +
Home and work networks | 488 | 134 | 27,46 | +
Special use capabilities
Enterprise authentication | 8 | 4 | 50,00 | +
Shared User Certificates | 20 | 5 | 25,00 | +
Documents library | 1045 | 126 | 12,06 | +
Non-controlled capabilities
Clipboard | 132 | 20 | 15,15 | -
Phone | 18 | 6 | 33,33 | -
SMS | 122 | 25 | 20,49 | -
Contacts | 97 | 31 | 31,96 | -
Device Info | 221 | 30 | 13,57 | -
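As an added example (not part of the presentation), the following script reviews the capabilities an app declares in its Package.appxmanifest against the general-use, special-use and non-controlled groups above, using the page's "Q. sign. APIs" figures; the manifest is constructed and the Windows 8 manifest namespace is assumed.

```python
# Added example, not from the presentation: review the capabilities an app
# declares in its Package.appxmanifest against the groups above. API counts
# are the page's own "Q. sign. APIs" figures; the manifest is constructed.
import xml.etree.ElementTree as ET

# Significant APIs unlocked per capability (page figures); internet and
# private-network features are keyed by the capabilities that gate them.
SIGNIFICANT_APIS = {
    "musicLibrary": 138, "picturesLibrary": 133, "videosLibrary": 138,
    "removableStorage": 109, "microphone": 33, "webcam": 91, "location": 5,
    "proximity": 19, "internetClient": 134, "internetClientServer": 134,
    "privateNetworkClientServer": 134, "enterpriseAuthentication": 4,
    "sharedUserCertificates": 5, "documentsLibrary": 126,
}
SPECIAL_USE = {"enterpriseAuthentication", "sharedUserCertificates",
               "documentsLibrary"}
# Groups not gated by any capability: reachable by every app, invisible here.
NON_CONTROLLED = {"Clipboard": 20, "Phone": 6, "SMS": 25, "Contacts": 31,
                  "Device Info": 30}

SAMPLE_MANIFEST = """<Package xmlns="http://schemas.microsoft.com/appx/2010/manifest">
  <Capabilities>
    <Capability Name="internetClient" />
    <Capability Name="picturesLibrary" />
    <Capability Name="documentsLibrary" />
    <DeviceCapability Name="webcam" />
  </Capabilities>
</Package>"""


def declared_capabilities(manifest_xml):
    """Names from <Capability>/<DeviceCapability>, ignoring the namespace."""
    root = ET.fromstring(manifest_xml)
    return [el.get("Name") for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] in ("Capability", "DeviceCapability")]


def review(manifest_xml):
    """Group declared capabilities and sum the significant APIs they unlock."""
    report = {"general": [], "special": [], "unknown": []}
    for cap in declared_capabilities(manifest_xml):
        if cap not in SIGNIFICANT_APIS:
            report["unknown"].append(cap)
        else:
            report["special" if cap in SPECIAL_USE else "general"].append(cap)
    report["declared_sign_apis"] = sum(
        SIGNIFICANT_APIS[c] for c in report["general"] + report["special"])
    # Counted for every app: no declaration is needed to reach these APIs.
    report["uncontrolled_sign_apis"] = sum(NON_CONTROLLED.values())
    return report

if __name__ == "__main__":
    print(review(SAMPLE_MANIFEST))
```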
30. [ Average quantitative indicators ]
[Bar chart, y-axis 0%–100%, one group of bars per platform: Android, Windows, iOS, BlackBerry]
Series: Q. APIs; Q. sign APIs; Q. of m.+a. permissions; Q. of derived permissions; Q. of m.+a. activities; Q. of derived activities; % m+a activities vs perm; % m+a derived vs perm; % m+a vs perm enhanced by MDM; % derived vs perm enhanced by MDM
31. MDM. Extend your device security capabilities
Android – CONTROLLED FOUR GROUPS ONLY
CAMERA AND VIDEO: HIDE THE DEFAULT CAMERA APPLICATION
PASSWORD: DEFINE PASSWORD PROPERTIES; REQUIRE LETTERS (incl. case); REQUIRE NUMBERS; REQUIRE SPECIAL CHARACTERS; DELETE DATA AND APPLICATIONS FROM THE DEVICE AFTER INCORRECT PASSWORD ATTEMPTS; DEVICE PASSWORD; ENABLE AUTO-LOCK; LIMIT PASSWORD AGE; LIMIT PASSWORD HISTORY; RESTRICT PASSWORD LENGTH; MINIMUM LENGTH FOR THE DEVICE PASSWORD THAT IS ALLOWED
ENCRYPTION: APPLY ENCRYPTION RULES; ENCRYPT INTERNAL DEVICE STORAGE
TOUCHDOWN SUPPORT: MICROSOFT EXCHANGE SYNCHRONIZATION; EMAIL PROFILES; ACTIVESYNC
32. MDM. Extend your device security capabilities
iOS – CONTROLLED 16 GROUPS ONLY
BROWSER
DEFAULT APP, AUTOFILL, COOKIES, JAVASCRIPT, POPUPS
MESSAGING (DEFAULT APP)
BACKUP / DOCUMENT PICTURE / SHARING
ONLINE STORE
CAMERA, VIDEO, VIDEO CONF
CERTIFICATES (UNTRUSTED CERTs)
MESSAGING (DEFAULT APP)
CLOUD SERVICES
PASSWORD (THE SAME WITH ANDROID, NEW BLACKBERRY DEVICES)
PHONE AND MESSAGING (VOICE DIALING)
CONNECTIVITY
OUTPUT, SCREEN CAPTURE, DEFAULT APP
BACKUP / DOCUMENT / PICTURE / SHARING
ONLINE STORES , PURCHASES, PASSWORD
DEFAULT STORE / BOOK / MUSIC APP
PROFILE & CERTs (INTERACTIVE INSTALLATION)
NETWORK, WIRELESS, ROAMING
DATA, VOICE WHEN ROAMING
SOCIAL (DEFAULT APP)
CONTENT (incl. EXPLICIT)
RATING FOR APPS/ MOVIES / TV SHOWS / REGIONS
CONTENT
DIAGNOSTICS AND USAGE (SUBMISSION LOGS)
STORAGE AND BACKUP
SOCIAL APPS / GAMING / ADDING FRIENDS / MULTI-PLAYER
DEFAULT SOCIAL-GAMING / SOCIAL-VIDEO APPS
DEVICE BACKUP AND ENCRYPTION
VOICE ASSISTANT (DEFAULT APP)
33. MDM. Extend your device security capabilities
BlackBerry (new, 10, QNX) – CONTROLLED 7 GROUPS ONLY
GENERAL
MOBILE HOTSPOT AND TETHERING
PLANS APP, APPWORLD
PASSWORD (THE SAME WITH ANDROID, iOS)
BES MANAGEMENT (SMARTPHONES, TABLETS)
SOFTWARE
OPEN WORK EMAIL MESSAGE LINKS IN THE PERSONAL BROWSER
TRANSFER THROUGH THE WORK PERIMETER TO THE SAME/ANOTHER DEVICE
BBM VIDEO ACCESS TO THE WORK NETWORK
VIDEO CHAT APP USES THE ORGANIZATION'S WI-FI/VPN NETWORK
SECURITY
CERTIFICATES & CIPHERS & S/MIME
HASH & ENCRYPTION ALGS AND KEY PARAMS
TASK/MEMO/CALENDAR/CONTACT/DAYS SYNC
WI-FI PROFILES
WIPE WORK SPACE WITHOUT NETWORK, RESTRICT DEV. MODE
VOICE CONTROL & DICTATION IN WORK & USER APPS
BACKUP AND RESTORE (WORK) & DESKTOP SOFTWARE
PC ACCESS TO WORK & PERSONAL SPACE (USB, BT)
PERSONAL SPACE DATA ENCRYPTION
EMAIL PROFILES
NETWORK ACCESS CONTROL FOR WORK APPS
PERSONAL APPS ACCESS TO WORK CONTACTS
SHARE WORK DATA DURING BBM VIDEO SCREEN SHARING
WORK DOMAINS, WORK NETWORK USAGE FOR PERSONAL APPS
ACCESS POINT, DEFAULT GATEWAY, DHCP, IPV6, SSID, IP ADDRESS
PROXY PASSWORD/PORT/SERVER/SUBNET MASK
VPN PROFILES
PROXY, SCEP, AUTH PROFILE PARAMS
TOKENS, IKE, IPSEC OTHER PARAMS
PROXY PORTS, USERNAME, OTHER PARAMS
34. MDM. Extend your device security capabilities
BlackBerry (old)
THERE ARE 55 GROUPS CONTROLLED IN ALL
EACH GROUP CONTAINS FROM 10 TO 30 UNITS, WHICH ARE CONTROLLED TOO
EACH UNIT IS UNDER A LOT OF FLEXIBLE PARAMs INSTEAD OF A PLAIN 'DISABLE/ENABLE & HIDE/UNHIDE'
EACH EVENT IS CONTROLLED BY A CERTAIN PERMISSION AND MAY ALSO BE CONTROLLED BY SIMILAR PERMISSIONS, TO BE MORE FLEXIBLE
DESCRIBED IN 360 PAGES IN ALL, FOUR TIMES MORE THAN OTHER DOCUMENTS
A huge amount of permissions are MDM & device built-in
EACH UNIT CAN'T CONTROL THE ACTIVITY UNDER ITSELF
'CREATE, READ, WRITE/SAVE, SEND, DELETE' ACTIONS IN REGARD TO MESSAGES LEAD TO SPOOFING BY REQUESTING A 'MESSAGE' PERMISSION ONLY
SOME PERMISSIONS AREN'T REQUIRED (e.g. TO DELETE ANY OTHER APP)
SOME PERMISSIONS ARE RELATED TO THE APP A 3RD PARTY PLUGIN WAS EMBEDDED IN, INSTEAD OF TO THAT PLUGIN
36. [ Vulnerabilities of OS and apps ]
MIN & AVERAGE SCORE
Android Average: 8.2
iOS Average: 6.3
BB Average: 6.3
BB Min: 2.1
Android Min: 1.9
iOS Min: 1.2
37. [ APPLICATION AUDIT, APP ANALYSIS TOOLS ]
"HEY DUDE, WHY IS IT VULNERABLE AGAIN?" – "SORRY, BOSS, I HAD JUST COMMITTED A WRONG BRANCH"
HOW MANY TOOLS THERE ARE (approximately): iOS – 10; ANDROID – 50; WINDOWS PHONE – 40; BLACKBERRY – 10
QUANTITY OF BUGS / SECURITY FLAWS: AVERAGE – 50; MIN – 20; MAX – INFINITY
BUG TYPES (OBVIOUS | LIKELY): OBVIOUS BUGS; LIKELY BUGS, LIKE SQL; WARNING BUGS (CHECK IT OUT)
38. COMPLIANCE AND MDM
CSA Mobile Device Management: Key Components
Device diversity; Configuration management; Software distribution; Device policy compliance & enforcement; Enterprise activation; Logging; Security settings; Security wipe, lock; IAM
Makes you start managing security under uncertain terms without AI
NIST-124
Refers to NIST-800-53 and others
Sometimes misses requirements such as device locking, although it is in NIST-800-53
A bit more detailed than CSA
No statements on permission management
Makes you start managing security under uncertain terms without AI
40. [ APPLICATION EXAMINATION ]
ONLY THOSE I HAVE TO USE EVERY DAY – FORENSICS EXAMINATION
Account: country code, phone number; Device Hardware Key; login / tokens of Twitter & Facebook
Calls history: name + internal ID; duration + date and time
Address book: quantity of contacts / viber-contacts; full name / email / phone numbers
Messages:
Conversations: quantity of messages & participants per conversation; additional participant info (full name, phone)
Messages: date & time; content of message; ID
41. [ APPLICATION EXAMINATION ]
Account: country code, phone number; login / tokens of Facebook weren't revealed; 'Buy me for….$$$'; Avatars :: phone+@s.whatsapp.net.j (JFIF)
Address book: no records of the address book were revealed… check the log file and find these records (!)
Messages: date & time; content of message; ID :: phone@s.whatsapp.net
42. [ APPLICATION EXAMINATION ]
Account: phone number; password and secret code weren't revealed; trace the app, find the methods that use them; repack the app and have fun; no masking of typed data
Information: amount; full info in the history section (incl. info about who receives money)
Connected cards – Encryption? No
Bank cards: masked card number only
Qiwi Bank cards: full & masked number; CVV/CVC; all other card info
43. [ APPLICATION EXAMINATION ]
Account: ID, email, password
Information: loyalty (bonus) of your membership; all you ever type; date of birth; passport details; book/order history: routes, date and time, bonus earning, full info per each order
Connected cards – Encryption? AES, 256 bit, on the password "anywayanydayanywayanyday", stored in plaintext; sizeof(anywayanydayanywayanyday) = 192 bit
44. [ APPLICATION EXAMINATION ]
Account: ID, bonus card number; password not revealed; other IDs & tokens
Information: date of birth; passport details; history (airlines, city, flight number only); flight tickets, login credentials – repack the app and grab it
45. [ APPLICATION EXAMINATION ]
Account: ID, password; loyalty (bonus) card number
Information: not revealed (tickets, history or else) – repack the app
46. [ APPLICATION EXAMINATION ]
Account: ID, email, password; other IDs & tokens
Information: loyalty (bonus) of your membership; all you ever type; date of birth; passport details; ALL PASSPORT INFO (not only travel data); your work data (address, job, etc.) you have never typed! (except when preparing the member card); flight tickets – repack the app and grab it
47. [ APPLICATION EXAMINATION ]
Account: ID; however, the password is encrypted
Information: loyalty (bonus) of your membership, program name 901***** Skymiles
Flight: confirmations, departure time, flight # :: GCXXXX || 0467 || 2013-11-07T12:40:00+04:00 || DL90
"checkedIn": "false", "seatNumber": "09B"
Issued date, ticket # :: "2013-10-26T15:37:00-04:00", 006xxxxxxxxxxx
Airports :: SVO / "Sheremetyevo Arpt", JFK / "John F Kennedy International", NYC / "New York-Kennedy"…
49. [ APPLICATION EXAMINATION ]
Account ::: PIN, names, status: "74afbe19", "Yury Chemerkin", "*fly*", "@ Holiday Inn (MOSCOW)"
Information
Barcode / QR history (when, what): "QR_CODE", "bbm:2343678095c7649723436780", "1382891450014"
Transferred files: "RemotePin", "Path", "ContentType", "image/jpeg", "23436780", "/storage/sdcard0/Android/data/com.skype.raider/cache/photo_1383731771908.jpg"
Transferred as a JFIF file :: FFD8FFE000104A464946 ("......JFIF")
Invitations: "Pin", "Greeting", "Timestamp", "LocalPublicKey/PrivateKey", "EncryptionKey"
Messages (Date, Text, …) :: "1383060689", "Gde", "Edu k metro esche, probka tut", "Park pobedy", "Aha", "А щас", "Belorusskaja", "Долго"
Logs: revealing PINs, email, device information; application actions associated with application modules (*.c files, *.so, etc.); this helps to analyze the .apk in future
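As an added example (not part of the presentation), the following triage check looks for the kinds of plaintext artifacts found in the app examinations above: WhatsApp-style IDs, JFIF images, full (unmasked) card numbers and CVV fields in an app's data files; the sample files are constructed.

```python
# Added example, not from the presentation: an app-storage triage check of the
# kind behind the findings above. It flags WhatsApp-style IDs, JFIF images,
# full (unmasked) card numbers and plaintext CVV fields in an app's files.
import re

JFIF_MAGIC = bytes.fromhex("FFD8FFE000104A464946")  # header quoted above
JID_RE = re.compile(rb"\b\d{7,15}@s\.whatsapp\.net\b")
PAN_RE = re.compile(rb"\b\d{13,19}\b")  # masked numbers never match this
CVV_RE = re.compile(rb'"cv[vc]"\s*:\s*"\d{3,4}"', re.I)


def luhn_ok(digits):
    """Luhn checksum: separates card numbers from timestamps and other IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def findings(name, data):
    """Finding labels for one file (the file name is checked for IDs too)."""
    out = []
    if data.startswith(JFIF_MAGIC):
        out.append("jfif_image")
    if JID_RE.search(data) or JID_RE.search(name.encode()):
        out.append("whatsapp_jid")
    if any(luhn_ok(m.group().decode()) for m in PAN_RE.finditer(data)):
        out.append("full_pan")
    if CVV_RE.search(data):
        out.append("cvv_plaintext")
    return out


def scan(files):
    """{finding label: sorted file names} over a {name: bytes} dict."""
    report = {}
    for name, data in files.items():
        for label in findings(name, data):
            report.setdefault(label, []).append(name)
    return {k: sorted(v) for k, v in report.items()}


SAMPLE_FILES = {  # constructed stand-ins for an app's data directory
    "Avatars/79161234567@s.whatsapp.net.j": JFIF_MAGIC + b"\x00\x01",
    "cards.json": b'{"pan":"4111111111111111","cvv":"123","masked":"4111********1111"}',
    "history.json": b'{"order":"1382891450014","amount":"1500"}',  # not a PAN
}

if __name__ == "__main__":
    print(scan(SAMPLE_FILES))
```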
50. ISSUES : USELESS SOLUTIONS
USEFUL IDEAS AT FIRST GLANCE, BUT INSTEAD THEY MAKE NO SENSE
MERGING PERMISSIONS INTO GROUPS, e.g.
'SCREEN CAPTURE, CAMERA, VIDEO PERMISSIONS' SEPARATED (BlackBerry old)
'SCREEN CAPTURE, CAMERA, VIDEO PERMISSIONS' MERGED INTO ONE UNIT (BlackBerry new)
SCREEN CAPTURE
IS ALLOWED VIA HARDWARE BUTTONS ONLY
NO EMULATION OF HARDWARE BUTTONS, AS THERE WAS IN OLD BLACKBERRY DEVICES
LOCKED WHEN THE WORK PERIMETER IS IN EFFECT, TO PREVENT SCREEN-CAPTURE LOGGERS
OFFICIALLY ANNOUNCED SANDBOX
MALWARE IS STILL A PERSONAL APPLICATION SUBTYPE IN TERMS OF (IN-)SECURITY
THE SANDBOX PROTECTS ONLY APP DATA, WHILE USER DATA IS STORED IN SHARED FOLDERS
THE INABILITY TO BACK UP MAKES DEVELOPERS STORE DATA IN SHARED FOLDERS
51. CONCLUSION
PRIVILEGED GENERAL PERMISSIONS
DENIAL OF SERVICE: REPLACING/REMOVING FILES; DOS'ing EVENTs, GUI INTERCEPT
INFORMATION DISCLOSURE: CLIPBOARD, SCREEN CAPTURE; GUI INTERCEPT; SHARED FOLDERS; DUMPING .COD/.BAR/APK… FILES; OWN APPs, NATIVE & 3RD PARTY APPs FEATURES
MITM (INTERCEPTION / SPOOFING): MESSAGES; GUI INTERCEPT, THIRD PARTY APPs; FAKE WINDOW/CLICKJACKING
GENERAL PERMISSIONS INSTEAD OF SPECIFIC SUB-PERMISSIONS
A FEW NOTIFICATION/EVENT LOGs FOR THE USER
BUILT PER APPLICATION INSTEAD OF APP SCREENs