SlideShare uma empresa Scribd logo
1 de 49
Baixar para ler offline
(IN-)EFFICIENCY OF SECURITY FEATURES
ON MOBILE SECURITY AND COMPLIANCE
YURY CHEMERKIN
Hacktivity 2013
[ YURY CHEMERKIN ]
www.linkedin.com/in/yurychemerkin

http://sto-strategy.com

 MULTISKILLED SECURITY RESEARCHER
 EXPERIENCED IN :






REVERSE ENGINEERING & AV, DEVELOPMENT (IN THE PAST)
MOBILE SECURITY, INCL. MDM, MAM, etc.
CYBER SECURITY & CLOUD SECURITY
COMPLIANCE & FORENSICS ON MOBILE & CLOUD
WRITING (HAKING, PENTEST, EFORENSICS)

 PARTICIPATION AT CONFERENCES






INFOSECURITY RUSSIA, NULLCON, ATHCON, CONFIDENCE, PHDAYS,
DEFCON MOSCOW, HACKERHALTED, HACKFEST
CYBERCRIME FORUM, CYBER INTELLIGENCE EUROPE/INTELLIGENCE-SEC, DEEPINTEL
ICITST, CTICON (CYBERTIMES), ITA, I-SOCIETY

yury.s@chemerkin.com
[ MOBILE DEVICE MANAGEMENT]
WHAT DO WORKERS WANT…

WHAT DO COMPANIES WANT…
[ MOBILE DEVICE MANAGEMENT]
WHAT DO THIRD PART USUALLY SELL…FIRST CASE

WHAT DO THIRD PART USUALLY SELL…SECONDCASE
[ MOBILE DEVICE MANAGEMENT]
WHAT’S THE REAL DEVICE MANAGEMENT APPROACH INCLUDE…NOT LESS THAN…
MOBILE DEVICE
MOBILE DEVICE MANAGEMENT SOLUTION
 NATIVE / THIRD PARTY SOLUTION
MOBILE APPLICATION MANAGEMENT SOLUTION
 EMBEDDED / NATIVE / THIRD PARTY SOLUTION
MOBILE EMAIL MANAGEMENT SOLUTION
NETWORK ACCESS CONTROL SOLUTION
 NOT ENOUGH NEW IDEA, BUT QUITE USEFUL IN CLOUDS
ADDITIONAL SOLUTION
 AV, LOG MANAGEMENT, DLP-BASED SOLUTION, FORENSICS SOLUTION
COMPLIANCE
 GUIDELINES / BEST PRACTICES
[ OPINIONS ]
Blackberry Windows iOS Android
 APPLE IS SO SERIOUS TO LET MALWARE BE SPREADED THROUGH THEIR MARKET, EXCEPT 
 Ch. MILLER CASE
 JAILBREAK,CYDIA,BLACK&OTHER MARKETS
 MICROSOFT (WINDOWS PHONE) HAS IMPLEMENTED THE SAME IDEA
 GOOGLE HAS A WEAK POLICY THAT WHY EVERYONE GOT MALWARE IN OFFICAL MARKET EVEN
 PLUS 3RD PARTY MARKET
 PLUS REPACKAGES
 BLACKBERRY IS THE SAFEST OS BECAUSE THAT'S ABOUT THE SIZE OF IT 
[ SECURITY ENVIRONMENT ]
EACH OS EVALUATESEVERY REQUEST THAT APPLICATION S MAKESTO ACCESSTO…
BUT LEADS AWAY FROM ANY DETAILS AND APIs
 MDM HELPS TO PROTECT DATA AND MANAGE BLACKBERRY, iOS, WINDOWS, AND ANDROID DEVICES.
 MDM ENHANCED BY MANAGING THE BEHAVIOR OF THE DEVICE
 SECURE BOOTLOADER, SYSTEM SOFTWARE SECURITY (UPDATES),
 APPLICATION CODE SIGNING
 RUNTIME PROCESS SECURITY (SANDBOX, APIs)
 HARDWARE SECURITY FEATURES
 FILE DATA PROTECTION
 SSL, TLS, VPN
 PASSCODE PROTECTION
 SETTINGS (PERMISSIONS/ RESTRICTIONS, CONFIGURATIONS)
 REMOTE MAGAGEMENT



MDM
REMOTE WIPE
[ KNOWN ISSUES. Examples ]
THREATSBOUNDSBECOME UNCLEAR…
 BYPASS MDM SOLUTIONS
 iOS, ANDROID
 EXPLOITS, DUMP /MEM TO GET EMAILS
 BLACKHAT EU’13 http://goo.gl/HN829p

 BLACKBERRY PLAYBOOK
 EXPLOITS, MITM, DUMP ‘.ALL’ FILES
 SECTO’11R, INFILTRATE’12, SOURCE
BOSTON’13 http://goo.gl/KaTtFG

 GAIN ROOT ACCESS
 ANDROID

 APP SIGNATURE EXPLOITATION
 APP MODIFICATION
 BLACKHAT USA’13 http://goo.gl/p5FhWG

COMPLIANCEBRINGS COMMONRECOMMENDATIONS
 TIME-FRAME TO FIX
 7+ MONTH or WAIT FOR A NEXT UPDATE
 WAIT FOR A VENDOR’S INTEREST TO YOU
 ANALYSIS OF APP’S DATA IN THE REST
 BLACKBERRY, iOS
 DATA LEAKAGE
 REVEAL PASSWORDS, MASTERKEYS, ETC.
 BLACKHAT EU’12 http://goo.gl/STpSll

 ANDROID
 DATA LEAKAGE
 WEAKNESS OF CRYPTO ENGINGE
 PHDAY III ‘13 http://goo.gl/x1PPGK
[ KNOWN ISSUES. Examples ]
THREATSBOUNDSBECOME UNCLEAR…
 PLAYBOOK ARTIFACTS (see the previous slide)
 BROWSERS HISTORY
 NETWORKING IDs, FLAGS, MACs
 VIDEO CALLS DETAILS
 ACCESS TO INTERNAL NETWORK
 KERNEL
 BLACKBERRY Z10
 DUMP MICROKERNEL
 EVEN DEVELOPERS’ CREDENTIALS
(FACEBOOK, MOBILE, EMAILS) BLACKHAT
DEFCON MOSCOW http://goo.gl/R74leX

COMPLIANCEBRINGS COMMONRECOMMENDATIONS
 GUI FAILS (mine results)
 BLACKBERRY OS
 DATA LEAKAGE
 REVEAL PASSWORDS, … ANYTHING
 NO PERMISSIONS REQUESTED
 BORROW PERMISSIONS OF ANOTHER APP
 NullCon’13, CONFIDENCE’13
 http://goo.gl/phMey2
 Haven’t yet test on new blackberry devices
[ DEVICE MANAGEMENT ]
APPLICATION LEVEL ATTACK’SVECTOR
 GOALS - MOBILE RESOURCES / AIM OF ATTACK
 DEVICE RESOURCES
 OUTSIDE-OF-DEVICE RESOURCES
 ATTACKS – SET OF ACTIONS UNDER THE THREAT
 APIs - RESOURCES WIDELY AVAILABLE TO CODERS
 SECURITY FEATURES
 KERNEL PROTECTION , NON-APP FEATURES
 PERMISSIONS - EXPLICITLY CONFIGURED
 3RD PARTY
 AV, FIREWALL, VPN, MDM
 COMPLIANCE - RULES TO DESIGN A MOBILE SECURITY
IN ALIGNMENT WITH COMPLIANCE TO…

Goals
AV, MDM,
DLP, VPN

Non-app
features

MDM features

Kernel
protection

Permissions
APIs

Attacks

APIs
[ DEVICE MANAGEMENT ]
Concurrencyover native & additional security features
𝚫 = 𝚨 ∪ 𝚩 ∪ 𝚪 ∪ 𝚼 , 𝚨 ⊂ 𝚩, 𝚼 ⊆ 𝚩, 𝚼 ⊂ 𝐀
𝛥 – set of OS permissions, 𝛢 – set of device permissions, 𝛣 – set
of MDM permissions, 𝛤 – set of missed permissions (lack of
controls), 𝜰 – set of rules are explicitly should be applied to gain
a compliance
𝚮 = 𝚬+ 𝚭, 𝚬 ⊃ 𝚨∪ 𝚩
𝛨 – set of APIs , 𝛦 – set of APIs that interact with sensitive data,
𝛧 – set of APIs that do not interact with sensitive data
To get a mobile security designed with full granularity the set 𝛤
should be empty set to get 𝚬 ⊇ 𝚨 ∪ 𝚩 instead of 𝚬 ⊃ 𝚨 ∪ 𝚩, so
the matter how is it closer to empty. On another hand it should
find out whether assumptions 𝚼 ⊆ 𝚩, 𝚼 ⊂ 𝐀 are true and if it is
possible to get ⊆ 𝐀.

The situationis very serious 
Set of permissions < Set of activities  efficiency is
 typical case < 100%,
 ability to control each API = 100%
 More than 1 permission per APIs >100%



lack of knowledge about possible attacks
improper granularity
AV, MDM, DLP,
VPN

Non-app features

MDM features

Kernel protection
Permissions
[ BLACKBERRY. PERMISSIONS ]
BB 10 Cascades SDK
Background processing
BlackBerry Messenger
Calendar, Contacts
Camera
Device identifying information
Email and PIN messages
GPS location
Internet
Location
Microphone
Narrow swipe up
Notebooks
Notifications
Player
Phone
Push
Shared files
Text messages
Volume

BB 10 AIR SDK
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-

PB (NDK/AIR)
+
via invoke calls
+
+
via invoke calls
+
+
+
+
+
+
+
+
[ BLACKBERRY. Significant APIs ]
Feature
BlackBerry Messenger
Calendar
Camera
Contacts
Device identifying info
Email & PIN messages
Internet
Microphone
Notebooks
Notifications
Phone
Push
Shared files
Text messages
Account
MediaPlayer
NFC
Radio & SIM
Clipboard

Q. APIs
77
443
47
316
15
347
161
21
123
32
27
25
78
10
66
66
24
68
6

Q. sign. APIs
70
126
41
150
14
211
145
15
86
24
22
22
70
6
21
63
11
51
4

% (sign .APIs)
90,91
28,44
87,23
47,47
93,33
60,81
90,06
71,43
69,92
75,00
81,48
88,00
89,74
60,00
31,82
95,45
45,83
75,00
66,67

Controlled ?
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
[ BLACKBERRY. Common activities ]
34

35
30
25

21
18

20

17
14

15
10

6

5
0

7

5
4

1

3

8

6

3
2

1

1

1

Q. of m.+a. activity

4

3
2

2

2

4

2
1

1

4

1

Q. of m.+a. permission

4

1

4

3
1

2

2 5
1
[ BLACKBERRY. Derived activities ]
116

120
100

89

80

59

60

47

40
20
0

24
1

4

3

3

23

16

7

6

1

3

46
11

3
1

2

Q. of derived activities

2

2

9

3
1

2

Q. of derived perm

27

25

24

19
1

1

8

1

2

2

5

1
[ BLACKBERRY. Efficiency (%) ]
250,00
250,00

200,00
150,00

3,45
16,67

8,70
5,08

100,00
50,00

12,50

60,00
16,67 19,05

3,37 6,25
66,67
14,29

5,88 14,29 5,56 16,67

66,67

66,67
4,26

9,09

66,67
11,76

25,00

5,26

50,00

4,17

50,00
25,00 25,00

0,00

% m+a activity vs perm

8,00

88,89
2,17

% m+a derived activity vs perm

250,00

33,33

3,70

50,00
7,14
[ iOS. Info.plist(app capabilities) ]
Key
auto-focus-camera

Description
handle autofocus capabilities in the device’s still camera in case of a macro photography or image processing.

bluetooth-le
camera-flash
front-facing-camera
gamekit
gps

handle the presence of Bluetooth low-energy hardware on the device.
handle a camera flash for taking pictures or shooting video.
handle a forward-facing camera such as capturing video from the device’s camera.
handle a Game Center.
handle a GPS (or AGPS) hardware to track a locations in case of need the higher accuracy more than Cellular/Wi-Fi.

location-services

retrieve the device’s current location using the Core Location framework though Cellular/Wi-Fi

microphone
peer-peer
sms

handle the built-in microphone and its accessories
handle peer-to-peer connectivity over a Bluetooth network.
handle the presence of the Messages application such as opening URLs with the sms scheme.

still-camera

handle the presence of a camera on the device such as capturing images from the device’s still camera.

telephony

handle the presence of the Phone application such as opening URLs with the telephony scheme.

video-camera

handle the presence of a camera with video capabilities on device such as capturing video from the device’s camera.

wifi

access to the networking features of the device.
[ iOS. Settings ]
Component

Unit
Safari
Camera, FaceTime
iTunes Store, iBookstore
Siri
Manage applications*
Manage applications*
Explicit Language (Siri)
Privacy*, Accounts*
Content Type Restrictions*

Restrictions :: Native application

Restrictions :: 3rd application
Unit subcomponents
Privacy :: Location

Privacy :: Private Info
Accounts

Content Type Restrictions

Game Center
Manage applications

Per each 3rd party app
For system services
Contacts, Calendar, Reminders, Photos
Bluetooth Sharing
Twitter, Facebook
Disables changes to Mail, Contacts, Calendars, iCloud, and Twitter accounts
Find My Friends
Volume limit
Ratings per country and region
Music and podcasts
Movies, Books, Apps, TV shows
In-app purchases
Require Passwords (in-app purchases)
Multiplayer Games
Adding Friends (Game Center)
Installing Apps
Removing Apps
[ iOS. Common activities ]
20
18
16
14
12
10
8
6
4
2
0

17
12

3

2

13
8

5

0

1

1
10

0

0

1

Q. of m.+a. activity

3

0

10

0
6

0

0
3

0

1

2

0

1
0

Q. of m.+a. permission

2

1

1

0

1
2
3

0
10

1
3

0

1

Q. of m.+a. perm plus parental perm

4
[ iOS. Derived activities ]
4
3

82
80
70
60
50
40
30
20
10
0

1
0
0

1

1

2

1

0
13

9

20 3

0

0

13

Q. of derived activities

0
9

0 18

12

0

0

10

Q. of derived perm

0

2

0

1

1
1

1

10

0
25

0

10

6

1

Q. of derived perm + plus parental perm

2
1
[ iOS. Efficiency (%) ]
100%
90%
80%
70%
60%
50%
40%
30%
20%
10%
0%

11,11

15,00 7,69

20,00

% m+a activity vs perm

0,00

0,00

0,00
0,00

5,56

0,00

0,00

0,00

% m+a derived activity vs perm

7,69

8,00
40,00

50,00 16,67

0,00

0,00

0,00
0,00 16,67
0,00
0,00

4,88

10,00
16,67

7,69

25,00
10,00 33,33

50,00

5,56

0,00

0,00
0,00

11,76
0,00
0,00

50,00 10,00

0,00
0,00

50,00

16,67

Q. of m.+a. perm plus parental perm

0,00
0,00
0,00
0,00

33,33

3,66

4,00
0,00
0,00

30,00
5,88

Q. of derived perm + plus parental perm
[ Windows. Permissions ]
Permission

Description
General use capabilities

musicLibrary

provides access to the user's Music library, allowing the app to enumerate and access all files w/o user interaction.

picturesLibrary
videosLibrary
removableStorage

provides access to the user's Pictures library, allowing to enumerate and access all files w/o user interaction.
provides access to the user's Videos library, allowing the app to enumerate and access all w/o user interaction.
provides access to files on removable storage, such as USB keys and external hard drives, filtered to the file type

microphone

provides access to the microphone’s audio feed, which allows to record audio from connected microphones..

webcam

provides access to the webcam’s video feed, which allows to capture snapshots, movies from a connected webcam.

location

provides access to location functionality like a GPS sensor or derived from available network info.
enables multiple devices in close proximity to communicate with one another via possible connection, incl.
Bluetooth, WiFi, and the internet.

proximity
internetClient,
internetClientServer
privateNetworkClientServer
enterpriseAuthentication
sharedUserCertificates
documentsLibrary

provides outbound (inbound is for server only) access to the Internet, public networks via the firewall.
provides inbound and outbound access to home and work networks through the firewall for games or for
applications that share data across local devices.
Special use capabilities
enable a user to log into remote resources using their credentials, and act as if a user provided their user name and
password.
enables an access to software and hardware certificates like smart card.
provides access to the user's Documents library, filtered to the file type associations
[ Windows. Significant APIs ]
Feature

Q. APIs

Notifications
Music library
Pictures library
Videos library
Removable storage
Microphone
Webcam
Location
Proximity
Internet and public networks
Home and work networks

68
1300
1157
1300
1045
274
409
37
54
488
488

Enterprise authentication
Shared User Certificates
Documents library

8
20
1045

Clipboard
Phone
SMS
Contacts
Device Info

132
18
122
97
221

Q. sign. APIs
General use capabilities
4
138
133
138
109
33
91
5
19
134
134
Special use capabilities
4
5
126
Non-controlled capabilities
20
6
25
31
30

% (sign. APIs)

Controlled?

5,88
10,62
11,50
10,62
10,43
12,04
22,25
13,51
35,19
27,46
27,46

+
+
+
+
+
+
+
+
+
+
+

50,00
25,00
12,06

+
+
+

15,15
33,33
20,49
31,96
13,57

-
[ Windows. Common Activities ]
14

14
12
10

8

8
3

4
2
0

6

5 6

6
1

1

1

1

3
1

1

1

1

1

3

8

4 5

3
1

Q. of m.+a. activity

1

2

4

3
1

Q. of m.+a. permission

2

2

3

2

1

2
0

0

0

0

0
[ Windows. Derived Activities ]
25

21

20
15

0

1

2

12

8

7

5
1

15

11

10

8

10
5

16

14

2

2

1

3

12

11
8

6

6 3

8

8

5
1

1

Q. of derived activities

2

1

Q. of derived perm

2

2

0

0

0

0

0
[ Windows. Efficiency (%) ]
120,00

120,00

100,00

100,00 100,00

100,00 100,00

100,00
100,00

80,00
60,00
40,00

20,00

125,00
100,00

27,27 42,86
25,00
25,00 20,00
33,33
20,00

33,33
33,33 14,29
31,25
16,67
14,29 9,52

50,00
33,33
16,67 16,6716,67

0,00

% m+a activity vs perm

% m+a derived activity vs perm

0,00 0,00 0,00 0,00 0,00
0,00 0,00 0,00 0,00 0,00
[ A droid. Permissions ]
List contains~150 permissions

I have ever seen that on old BlackBerry devices

ACCESS_CHECKIN_PROPERTIES,ACCESS_COARSE_LOCATION,

OSTIC,DISABLE_KEYGUARD,DUMP,EXPAND_STATUS_BAR,FAC

RD_AUDIO,REORDER_TASKS,RESTART_PACKAGES,SEND_SMS

ACCESS_FINE_LOCATION,ACCESS_LOCATION_EXTRA_COMM

TORY_TEST,FLASHLIGHT,FORCE_BACK,GET_ACCOUNTS,GET_

,SET_ACTIVITY_WATCHER,SET_ALARM,SET_ALWAYS_FINISH,

ANDS,ACCESS_MOCK_LOCATION,ACCESS_NETWORK_STATE,

PACKAGE_SIZE,GET_TASKS,GLOBAL_SEARCH,HARDWARE_TE

SET_ANIMATION_SCALE,SET_DEBUG_APP,SET_ORIENTATION

ACCESS_SURFACE_FLINGER,ACCESS_WIFI_STATE,ACCOUNT_

ST,INJECT_EVENTS,INSTALL_LOCATION_PROVIDER,INSTALL_P

,SET_POINTER_SPEED,SET_PREFERRED_APPLICATIONS,SET_P

MANAGER,ADD_VOICEMAIL,AUTHENTICATE_ACCOUNTS,BAT

ACKAGES,INTERNAL_SYSTEM_WINDOW,INTERNET,KILL_BACK

ROCESS_LIMIT,SET_TIME,SET_TIME_ZONE,SET_WALLPAPER,S

TERY_STATS,BIND_ACCESSIBILITY_SERVICE,BIND_APPWIDGET

GROUND_PROCESSES,MANAGE_ACCOUNTS,MANAGE_APP_T

ET_WALLPAPER_HINTS,SIGNAL_PERSISTENT_PROCESSES,STA

,BIND_DEVICE_ADMIN,BIND_INPUT_METHOD,BIND_REMOTE

OKENS,MASTER_CLEAR,MODIFY_AUDIO_SETTINGS,MODIFY_

TUS_BAR,SUBSCRIBED_FEEDS_READ,SUBSCRIBED_FEEDS_WR

VIEWS,BIND_TEXT_SERVICE,BIND_VPN_SERVICE,BIND_WALL

PHONE_STATE,MOUNT_FORMAT_FILESYSTEMS,MOUNT_UN

ITE,SYSTEM_ALERT_WINDOW,UPDATE_DEVICE_STATS,USE_C

PAPER,BLUETOOTH,BLUETOOTH_ADMIN,BRICK,BROADCAST_

MOUNT_FILESYSTEMS,NFC,PERSISTENT_ACTIVITY,PROCESS_

REDENTIALS,USE_SIP,VIBRATE,WAKE_LOCK,WRITE_APN_SET

PACKAGE_REMOVED,BROADCAST_SMS,BROADCAST_STICKY,

OUTGOING_CALLS,READ_CALENDAR,READ_CALL_LOG,READ_

TINGS,WRITE_CALENDAR,WRITE_CALL_LOG,WRITE_CONTAC

BROADCAST_WAP_PUSH,CALL_PHONE,CALL_PRIVILEGED,CA

CONTACTS,READ_EXTERNAL_STORAGE,READ_FRAME_BUFFE

TS,WRITE_EXTERNAL_STORAGE,WRITE_GSERVICES,WRITE_HI

MERA,CHANGE_COMPONENT_ENABLED_STATE,CHANGE_CO

R,READ_HISTORY_BOOKMARKS,READ_INPUT_STATE,READ_L

STORY_BOOKMARKS,WRITE_PROFILE,WRITE_SECURE_SETTIN

NFIGURATION,CHANGE_NETWORK_STATE,CHANGE_WIFI_M

OGS,READ_PHONE_STATE,READ_PROFILE,READ_SMS,READ_

GS,WRITE_SETTINGS,WRITE_SMS,WRITE_SOCIAL_STREAM,W

ULTICAST_STATE,CHANGE_WIFI_STATE,CLEAR_APP_CACHE,C

SOCIAL_STREAM,READ_SYNC_SETTINGS,READ_SYNC_STATS,

RITE_SYNC_SETTINGS,WRITE_USER_DICTIONARY,

LEAR_APP_USER_DATA,CONTROL_LOCATION_UPDATES,DELE

READ_USER_DICTIONARY,REBOOT,RECEIVE_BOOT_COMPLET

TE_CACHE_FILES,DELETE_PACKAGES,DEVICE_POWER,DIAGN

ED,RECEIVE_MMS,RECEIVE_SMS,RECEIVE_WAP_PUSH,RECO
[ A droid. Permission Groups ]
But there only 30 permissions groups
 ACCOUNTS
 AFFECTS_BATTERY
 APP_INFO
 AUDIO_SETTINGS
 BLUETOOTH_NETWORK
 BOOKMARKS
 CALENDAR
 CAMERA
 COST_MONEY
 DEVELOPMENT_TOOLS
 DEVICE_ALARMS
 DISPLAY
 HARDWARE_CONTROLS

I have ever seen that on old BlackBerry devices too
 LOCATION
 MESSAGES
 MICROPHONE
 NETWORK
 PERSONAL_INFO
 PHONE_CALLS
 SCREENLOCK
 SOCIAL_INFO
 STATUS_BAR
 STORAGE
 SYNC_SETTINGS
 SYSTEM_CLOCK
 SYSTEM_TOOLS

 USER_DICTIONARY
 VOICEMAIL
 WALLPAPER
 WRITE_USER_DICTIONARY
[ A droid. Efficiency (%) ]
50,00
45,00
40,00
33,33

35,00
30,00
25,00
20,00
15,00

10,00

28,57
25,00

20,00
20,00
15,38 15,38

20,00
9,52
0,00
0,00

2,91

10,71

5,00

0,00

2,00

7,14
0,00

4,55
8,33
7,14

0,00

% m+a activity vs perm

% m+a derived activity vs perm

10,00
4,00
3,13

5,88
3,13
0,00
[ Average quantitative indicators ]
100%

102,74
90%

80%

119,31

60,63

8,86

29,26

1,89

42,04

2,32

70%
60%

60,38

435,95

9,06

0,64
7,43

0,69

1,47

1,63

2,01

2,19

Q. of m.+a.
permissions

Q. of derived
permissions

17,07

30,48

5,94

48,06

32,79

16,99
9,21

50%
40%

62,37

3,84

67,48

9,23

9,68

54

20,97

58,06

22,76

30%
20%

394,86

10%

32,48

38,4

27,6

38,4

27,6

0%

Q. APIs

Q. sign APIs

Q. of m.+a.
activities

Q. of derived
activities

Android

Windows

iOS

% m+a activities %m+a derived vs % m+a vs perm
vs perm
perm
enhanced by
MDM

BlackBerry

% derived vs
perm enhanced
by MDM
MDM . Extend your device security capabilities
Android
 CAMERA AND VIDEO
 HIDE THE DEFAULT CAMERA APPLICATION
 PASSWORD
 DEFINE PASSWORD PROPERTIES
 REQUIRE LETTERS (incl. case)
 REQUIRE NUMBERS
 REQUIRE SPECIAL CHARACTERS
 DELETE DATA AND APPLICATIONS FROM THE
DEVICE AFTER
 INCORRECT PASSWORD ATTEMPTS
 DEVICE PASSWORD
 ENABLE AUTO-LOCK

CONTROLLED FOUR GROUPS ONLY





LIMIT PASSWORD AGE
LIMIT PASSWORD HISTORY
RESTRICT PASSWORD LENGTH
MINIMUM LENGTH FOR THE DEVICE
PASSWORD THAT IS ALLOWED
 ENCRYPTION
 APPLY ENCRYPTION RULES
 ENCRYPT INTERNAL DEVICE STORAGE
 TOUCHDOWN SUPPORT
 MICROSOFT EXCHANGE SYNCHRONIZATION
 EMAIL PROFILES
 ACTIVESYNC
MDM . Extend your device security capabilities
iOS




BROWSER



CONTROLLED 16 GROUPSONLY

DEFAULT APP,
AUTOFILL, COOKIES, JAVASCRIPT, POPUPS

MESSAGING (DEFAULT APP)




BACKUP / DOCUMENT PICTURE / SHARING

ONLINE STORE



CAMERA, VIDEO, VIDEO CONF



CERTIFICATES (UNTRUSTED CERTs)



MESSAGING (DEFAULT APP)



CLOUD SERVICES



PASSWORD (THE SAME WITH ANDROID, NEW BLACKBERRY DEVICES)



PHONE AND MESSAGING (VOICE DIALING)



CONNECTIVITY








OUTPUT, SCREEN CAPTURE, DEFAULT APP

BACKUP / DOCUMENT / PICTURE / SHARING

ONLINE STORES , PURCHASES, PASSWORD
DEFAULT STORE / BOOK / MUSIC APP



PROFILE & CERTs (INTERACTIVE INSTALLATION)

NETWORK, WIRELESS, ROAMING
DATA, VOICE WHEN ROAMING



SOCIAL (DEFAULT APP)

CONTENT (incl. EXPLICIT)
RATING FOR APPS/ MOVIES / TV SHOWS / REGIONS






CONTENT








DIAGNOSTICS AND USAGE (SUBMISSION LOGS)

STORAGE AND BACKUP




SOCIAL APPS / GAMING / ADDING FRIENDS / MULTI-PLAYER
DEFAULT SOCIAL-GAMING / SOCIAL-VIDEO APPS
DEVICE BACKUP AND ENCRYPTION

VOICE ASSISTANT (DEFAULT APP)
MDM . Extend your device security capabilities
BlackBerry (new, 10, qnx)


CONTROLLED 7 GROUPSONLY





GENERAL



MOBILE HOTSPOT AND TETHERING
PLANS APP, APPWORLD



PASSWORD (THE SAME WITH ANDROID, iOS)



BES MANAGEMENT (SMARTPHONES, TABLETS)



SOFTWARE







OPEN WORK EMAIL MESSAGES LINKS IN THE PERSONAL BROWSER
TRANSFER THOUGH WORK PERIMETER TO SAME/ANOTHER DEVICE
BBM VIDEO ACCESS TO WORK NETWORK
VIDEO CHAT APP USES ORGANIZATION’S WI-FI/VPN NETWORK

SECURITY








CERTIFICATES & CIPHERS & S/MIME
HASH & ENCRYPTION ALGS AND KEY PARAMS
TASK/MEMO/CALENDAR/CONTACT/DAYS SYNC

WI-FI PROFILES




WIPE WORK SPACE WITHOUT NETWORK, RESTRICT DEV. MODE
VOICE CONTROL & DICTATION IN WORK & USER APPS
BACKUP AND RESTORE (WORK) & DESKTOP SOFTWARE
PC ACCESS TO WORK & PERSONAL SPACE (USB, BT)
PERSONAL SPACE DATA ENCRYPTION

EMAIL PROFILES






NETWORK ACCESS CONTROL FOR WORK APPS
PERSONAL APPS ACCESS TO WORK CONTACTS
SHARE WORK DATA DURING BBM VIDEO SCREEN SHARING
WORK DOMAINS, WORK NETWORK USAGE FOR PERSONAL APPS

ACCESS POINT, DEFAULT GATEWAY, DHCP, IPV6, SSID, IP ADDRESS
PROXY PASSWORD/PORT/SERVER/SUBNET MASK

VPN PROFILES





PROXY, SCEP, AUTH PROFILE PARAMS
TOKENS, IKE, IPSEC OTHER PARAMS
PROXY PORTS, USERNAME, OTHER PARAMS
MDM . Extend your device security capabilities
Blackberry (old)
 THERE 55 GROUPS CONTROLLED IN ALL
 EACH GROUP CONTAINS FROM 10 TO 30 UNITS
ARE CONTROLLED TOO
 EACH UNIT IS UNDER A LOT OF FLEXIBLE PARAMs
INSTEAD OF A WAY ‘DISABLE/ENABLED &
HIDE/UNHIDE’
 EACH EVENT IS
 CONTROLLED BY CERTAIN PERMISSION
 ALLOWED TO CONTROL BY SIMILAR
PERMISSIONS TO BE MORE FLEXIBLE
 DESCRIBED 360 PAGES IN ALL THAT IN FOUR TIME
MORE THAN OTHER DOCUMENTS

Huge amount of permissions are MDM & device built-in
 EACH UNIT CAN’T CONTROL ACTIVITY UNDER
ITSELF
 ‘CREATE, READ, WRITE/SAVE, SEND,
DELETE’ ACTIONS IN REGARDS TO
MESSAGES LEAD TO SPOOFING BY
REQUESTING A ‘MESSAGE’ PERMISSION
ONLY
 SOME PERMISSIONS AREN’T REQUIRED (TO
DELETE ANY OTHER APP)
 SOME PERMISSIONS ARE RELATED TO APP,
WHICH 3RD PARTY PLUGIN WAS EMBEDDED
IN, INSTEAD OF THAT PLUGIN
2004
2005
2007
2007
2007
2008
2008
2008
2008
2008
2009
2009
2009
2009
2009
2009
2009
2009
2009
2010
2010
2010
2010
2010
2010
2010
2010
2011
2011
2011
2011
2011
2011
2011
2012
2012
2012
2012
2012
2012
2012
2012
2012
2012
2012
2012
2012
2013
2013
2013
2013

[ Vulnerabilities of OS and apps ]

10

9

8

7

6

5

4

3

2

1

0

Score - iOS
Score - Android
Score - BB
[ Vulnerabilities of OS and apps ]
MIN & AVERAGE SCORE
Android Average; 8,2
iOS Average; 6,3
BB-Average; 6,3

BB Min; 2,1

Android Min; 1,9
iOS Min; 1,2

Min & Average Score
[ APPLICATION AUDIT , APP ANALYSIS TOOLS ]
HEYDUDE, WHYIS IT VULNERABLEAGAIN?
HOW MANY THE TOOLS ARE
(approximately):





iOS – 10
ANDROID – 50
WINDOWSPHONE – 40
BLACKBERRY - 10

SORRY,BOSS,I’HADJUST BEENCOMMITEDA WRONGBRANCH
 QUANTITY OF BUGS /
SECURITY FLAWS




AVERAGE – 50
MIN – 20
MAX – INFINITY 

BUGS TYPE (OBVIOUS |
LIKELY)




OBVIOUS BUGS
LIKELY BUGS LIKE SQL
WARNING BUGS
(CHECK IT OUT)
COMPLIANCE AND MDM
CSA Mobile Device Management: Key Components
Device diversity
Configuration management
Software Distribution
Device policy compliance & enforcement
Enterprise Activation
Logging
Security Settings
Security Wipe, Lock
IAM
Make you sure to start managing security under
uncertain terms without AI 

NIST-124
Refers to NIST-800-53 and other
 Sometimes missed requirements such as
locking device, however it is in NIST-800-53
A bit details than CSA
No statements on permission management
Make you sure to start managing security under
uncertain terms without AI 
Severity & Efficiency
Permissions
 BlackBerry  Windows  Android  iOS
MDM
 BlackBerry (old)  iOS – BlackBerry (new)  Windows
Vulnerabilities
 BlackBerry  Windows  iOS  Android
Compliance
 Has nothing with insecurity reality
[ APPLICATION EXAMINATION ]
ONLY THOSE I HAVE TO USE EVERY DAY
 Account
 country code, phone number
 Device Hardware Key
 login / tokens of Twitter & Facebook
 Calls history
 Name + internal ID
 Duration + date and time
 Address book
 Quantity of contacts / viber-contacts
 Full name / Email / phone numbers
 Messages

FORENSICS EXAMINATION
 Conversations
 Quantity of messages & participants
per conversations
 Additional participant info (full name,
phone)
 Messages
 Date & Time
 content of message
 ID
[ APPLICATION EXAMINATION ]
ONLY THOSE I HAVE TO USE EVERY DAY
 Account
 country code, phone number
 login / tokens Facebook wasn’t revealed
 ‘Buy me for….$$$’ 
 Avatars :: phone+@s.whatsapp.net.j (jfif)
 Address book
 No records of address book were revealed…
 Check log-file and find these records (!)
 Messages
 Messages
 Date & Time

FORENSICS EXAMINATION
 content of message
 ID :: phone@s.whatsapp.net
[ APPLICATION EXAMINATION ]
ONLY THOSE I HAVE TO USE EVERY DAY
 Account
 Phone number
 Password, secret code weren’t revealed
 Trace app, find the methods use it
 Repack app and have a fun
 No masking of data typed
 Information
 Amount
 Full info in history section (incl. info about
who receive money)

FORENSICS EXAMINATION
 Connected cards
 Encryption?
 No 
 Bank cards
 Masked card number only
 Qiwi Bank cards
 Full & masked number
 Cvv/cvc
 All other card info 
[ APPLICATION EXAMINATION ]
ONLY THOSE I HAVE TO USE EVERY DAY
 Account
 ID , email, password
 Information
 Loyalty (bonus) of your membership
 all you ever type
 Date of birth
 Passport details
 Book/order history
 Routes,
 Date and time,
 Bonus earning
 Full info per each order

FORENSICS EXAMINATION
 Connected cards
 Encryption?
 AES
 256 bit
 On password
anywayanydayanywayanyday
 Store in plaintext
 Sizeof(anywayanydayanywayanyday) =
192 bit
[ APPLICATION EXAMINATION ]
ONLY THOSE I HAVE TO USE EVERY DAY
 Account
 ID ,bonus card number, password not revealed
 Other id & tokens
 Information
 Date of birth
 Passport details
 History (airlines, city, flight number only)
 Flights tickets, logins credentials
 Repack app and grab it 

FORENSICS EXAMINATION
[ APPLICATION EXAMINATION ]
ONLY THOSE I HAVE TO USE EVERY DAY
 Account
 ID , password
 Loyalty (bonus) card number
 Information
 Not revealed (tickets, history or else)
 Repack app 

FORENSICS EXAMINATION
[ APPLICATION EXAMINATION ]
ONLY THOSE I HAVE TO USE EVERY DAY

FORENSICS EXAMINATION

 Account
 ID , email, password
 Other id & tokens
 Information
 Loyalty (bonus) of your membership
 all you ever type
 Date of birth
 Passport details
 All PASSPORT INFO (not only travel data)
 Your work data (address, job, etc.) you have never typed!
 Flights tickets
 Repack app and grab it
ISSUES : USELESS SOLUTIONS
USERFULL IDEASAT FIRST GLANCE

BUT INSTEADMAKE NO SENSE

 MERGING PERMISSIONS INTO GROUPS, e.g.
 ‘SCREEN CAPTURE, CAMERA, VIDEO PERMISSIONS’ SEPARATED (BlackBerry old)
 ‘SCREEN CAPTURE, CAMERA, VIDEO PERMISSIONS’ MERGED INTO ONE UNIT (BlackBerry new)
 SCREEN CAPTURE
 IS ALLOWED VIA HARDWARE BUTTONS ONLY
 NO EMULATION OF HARDWARE BUTTONS AS IT WAS IN OLD BLACKBERRY DEVICES
 LOCKS WHEN WORK PERIMITER HAS BECOME TO PREVENT SCREEN-CAPTURE LOGGERS
 OFFICIALLY ANNOUNCED SANDBOX
 MALWARE IS STILL A PERSONAL APPLICATION SUBTYPE IN TERMS OF (IN-)SECURITY
 SANDBOX PROTECTS ONLY APP DATA, WHILE USER DATA STORED IN SHARED FOLDERS
 INABILITY OF BACKUP MAKE DEVELOPERS TO STORE DATA IN SHARED FOLDERS
CONCLUSION
PRIVILEGEDGENERAL PERMISSIONS
 DENIAL OF SERVICE
 REPLACING/REMOVING FILES
 DOS’ing EVENTs, GUI INTERCEPT
 INFORMATION DISCLOSURE
 CLIPBOARD, SCREEN CAPTURE
 GUI INTERCEPT
 SHARED FOLDERS
 DUMPING .COD/.BAR/APK… FILES

OWN APPs, NATIVE & 3RD PARTY APPs FEATURES
 MITM (INTERCEPTION / SPOOFING)
 MESSAGES
 GUI INTERCEPT, THIRD PARTY APPs
 FAKE WINDOW/CLICKJACKING
 GENERAL PERMISSIONS
 INSTEAD OF SPECIFIC SUB-PERMISSIONS
 A FEW NOTIFICATION/EVENT LOGs FOR
USER
 BUILT PER APPLICATION INSTEAD OF APP
SCREENs
Q&A

Mais conteúdo relacionado

Mais procurados

iOS Threats - Malicious Configuration Profiles, Threat, Detection & Mitigation
iOS Threats - Malicious Configuration Profiles, Threat, Detection & MitigationiOS Threats - Malicious Configuration Profiles, Threat, Detection & Mitigation
iOS Threats - Malicious Configuration Profiles, Threat, Detection & MitigationLacoon Mobile Security
 
Mobile Application Security – Effective methodology, efficient testing!
Mobile Application Security – Effective methodology, efficient testing!Mobile Application Security – Effective methodology, efficient testing!
Mobile Application Security – Effective methodology, efficient testing!espheresecurity
 
Shmoocon 2010 - The Monkey Steals the Berries
Shmoocon 2010 - The Monkey Steals the BerriesShmoocon 2010 - The Monkey Steals the Berries
Shmoocon 2010 - The Monkey Steals the BerriesTyler Shields
 
Generic threats to mobile application
Generic threats to mobile applicationGeneric threats to mobile application
Generic threats to mobile applicationVikrant Kansal
 
Mobile Device Security
Mobile Device SecurityMobile Device Security
Mobile Device SecurityJohn Rhoton
 
Black Hat USA 2014 - A Practical Attack Against Virtual Desktop Infrastructur...
Black Hat USA 2014 - A Practical Attack Against Virtual Desktop Infrastructur...Black Hat USA 2014 - A Practical Attack Against Virtual Desktop Infrastructur...
Black Hat USA 2014 - A Practical Attack Against Virtual Desktop Infrastructur...Lacoon Mobile Security
 
Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Mykhailo Antonishyn
 
Requirement for creating a Penetration Testing Lab
Requirement for creating a Penetration Testing LabRequirement for creating a Penetration Testing Lab
Requirement for creating a Penetration Testing LabSyed Ubaid Ali Jafri
 
Navigating the Zero Trust Journey for Today's Everywhere Workplace
Navigating the Zero Trust Journey for Today's Everywhere WorkplaceNavigating the Zero Trust Journey for Today's Everywhere Workplace
Navigating the Zero Trust Journey for Today's Everywhere WorkplaceIvanti
 
The Zero Trust Model of Information Security
The Zero Trust Model of Information Security The Zero Trust Model of Information Security
The Zero Trust Model of Information Security Tripwire
 
Web and Mobile Application Security
Web and Mobile Application SecurityWeb and Mobile Application Security
Web and Mobile Application SecurityPrateek Jain
 
Mobile phone as Trusted identity assistant
Mobile phone as Trusted identity assistantMobile phone as Trusted identity assistant
Mobile phone as Trusted identity assistantVladimir Jirasek
 
Samsung knox and android for work
Samsung knox and android for workSamsung knox and android for work
Samsung knox and android for workJavier Gonzalez
 
Cisco Content Security
Cisco Content SecurityCisco Content Security
Cisco Content SecurityCisco Canada
 
Introduction to IOS Application Penetration Testing
Introduction to IOS Application Penetration TestingIntroduction to IOS Application Penetration Testing
Introduction to IOS Application Penetration TestingAmmar WK
 
USP SES and the Location Layer: Geolocation for adaptive Access Control and P...
USP SES and the Location Layer: Geolocation for adaptive Access Control and P...USP SES and the Location Layer: Geolocation for adaptive Access Control and P...
USP SES and the Location Layer: Geolocation for adaptive Access Control and P...United Security Providers AG
 
Advanced Web Security Deployment
Advanced Web Security DeploymentAdvanced Web Security Deployment
Advanced Web Security DeploymentCisco Canada
 

Mais procurados (20)

iOS Threats - Malicious Configuration Profiles, Threat, Detection & Mitigation
iOS Threats - Malicious Configuration Profiles, Threat, Detection & MitigationiOS Threats - Malicious Configuration Profiles, Threat, Detection & Mitigation
iOS Threats - Malicious Configuration Profiles, Threat, Detection & Mitigation
 
Mobile Application Security – Effective methodology, efficient testing!
Mobile Application Security – Effective methodology, efficient testing!Mobile Application Security – Effective methodology, efficient testing!
Mobile Application Security – Effective methodology, efficient testing!
 
Shmoocon 2010 - The Monkey Steals the Berries
Shmoocon 2010 - The Monkey Steals the BerriesShmoocon 2010 - The Monkey Steals the Berries
Shmoocon 2010 - The Monkey Steals the Berries
 
Generic threats to mobile application
Generic threats to mobile applicationGeneric threats to mobile application
Generic threats to mobile application
 
Chapter 4
Chapter 4Chapter 4
Chapter 4
 
Mobile Device Security
Mobile Device SecurityMobile Device Security
Mobile Device Security
 
BYOD / Mobile-Device Security Guidelines for CxO's
BYOD / Mobile-Device Security Guidelines for CxO'sBYOD / Mobile-Device Security Guidelines for CxO's
BYOD / Mobile-Device Security Guidelines for CxO's
 
Black Hat USA 2014 - A Practical Attack Against Virtual Desktop Infrastructur...
Black Hat USA 2014 - A Practical Attack Against Virtual Desktop Infrastructur...Black Hat USA 2014 - A Practical Attack Against Virtual Desktop Infrastructur...
Black Hat USA 2014 - A Practical Attack Against Virtual Desktop Infrastructur...
 
Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Secure SDLC in mobile software development.
Secure SDLC in mobile software development.
 
Requirement for creating a Penetration Testing Lab
Requirement for creating a Penetration Testing LabRequirement for creating a Penetration Testing Lab
Requirement for creating a Penetration Testing Lab
 
Navigating the Zero Trust Journey for Today's Everywhere Workplace
Navigating the Zero Trust Journey for Today's Everywhere WorkplaceNavigating the Zero Trust Journey for Today's Everywhere Workplace
Navigating the Zero Trust Journey for Today's Everywhere Workplace
 
The Zero Trust Model of Information Security
The Zero Trust Model of Information Security The Zero Trust Model of Information Security
The Zero Trust Model of Information Security
 
Web and Mobile Application Security
Web and Mobile Application SecurityWeb and Mobile Application Security
Web and Mobile Application Security
 
Mobile phone as Trusted identity assistant
Mobile phone as Trusted identity assistantMobile phone as Trusted identity assistant
Mobile phone as Trusted identity assistant
 
Samsung knox and android for work
Samsung knox and android for workSamsung knox and android for work
Samsung knox and android for work
 
Cisco Content Security
Cisco Content SecurityCisco Content Security
Cisco Content Security
 
Introduction to IOS Application Penetration Testing
Introduction to IOS Application Penetration TestingIntroduction to IOS Application Penetration Testing
Introduction to IOS Application Penetration Testing
 
USP SES and the Location Layer: Geolocation for adaptive Access Control and P...
USP SES and the Location Layer: Geolocation for adaptive Access Control and P...USP SES and the Location Layer: Geolocation for adaptive Access Control and P...
USP SES and the Location Layer: Geolocation for adaptive Access Control and P...
 
Advanced Web Security Deployment
Advanced Web Security DeploymentAdvanced Web Security Deployment
Advanced Web Security Deployment
 
Mobile Security
Mobile Security Mobile Security
Mobile Security
 

Destaque

Presentation
PresentationPresentation
Presentationgmisso33
 
ImagineWall from Soloten
ImagineWall from SolotenImagineWall from Soloten
ImagineWall from SolotenSoloten
 
Digital Accessibility: Tips From the Met App Case Study @ MCN 2015
Digital Accessibility: Tips From the Met App Case Study @ MCN 2015Digital Accessibility: Tips From the Met App Case Study @ MCN 2015
Digital Accessibility: Tips From the Met App Case Study @ MCN 2015Liz Filardi
 
To get round to the heart of fortress
To get round to the heart of fortressTo get round to the heart of fortress
To get round to the heart of fortressSTO STRATEGY
 
EmakumeEkin en Be the Change
EmakumeEkin en Be the ChangeEmakumeEkin en Be the Change
EmakumeEkin en Be the ChangeEmakumeEkin
 
The black saturday disaster by jasi
The black saturday disaster by jasiThe black saturday disaster by jasi
The black saturday disaster by jasijlayt009
 
Мобильное решение для организации новой формы распространения купонов на скидку
Мобильное решение для организации новой формы распространения купонов на скидкуМобильное решение для организации новой формы распространения купонов на скидку
Мобильное решение для организации новой формы распространения купонов на скидкуSoloten
 
Solo MedRep
Solo MedRepSolo MedRep
Solo MedRepSoloten
 

Destaque (12)

Presentation
PresentationPresentation
Presentation
 
ImagineWall from Soloten
ImagineWall from SolotenImagineWall from Soloten
ImagineWall from Soloten
 
Digital Accessibility: Tips From the Met App Case Study @ MCN 2015
Digital Accessibility: Tips From the Met App Case Study @ MCN 2015Digital Accessibility: Tips From the Met App Case Study @ MCN 2015
Digital Accessibility: Tips From the Met App Case Study @ MCN 2015
 
To get round to the heart of fortress
To get round to the heart of fortressTo get round to the heart of fortress
To get round to the heart of fortress
 
EmakumeEkin en Be the Change
EmakumeEkin en Be the ChangeEmakumeEkin en Be the Change
EmakumeEkin en Be the Change
 
Cosas antiguas
Cosas antiguasCosas antiguas
Cosas antiguas
 
Silencios
SilenciosSilencios
Silencios
 
The black saturday disaster by jasi
The black saturday disaster by jasiThe black saturday disaster by jasi
The black saturday disaster by jasi
 
Slide nahu (2)
Slide nahu (2)Slide nahu (2)
Slide nahu (2)
 
Мобильное решение для организации новой формы распространения купонов на скидку
Мобильное решение для организации новой формы распространения купонов на скидкуМобильное решение для организации новой формы распространения купонов на скидку
Мобильное решение для организации новой формы распространения купонов на скидку
 
Diego 9º3
Diego 9º3Diego 9º3
Diego 9º3
 
Solo MedRep
Solo MedRepSolo MedRep
Solo MedRep
 

Semelhante a (Pdf) yury chemerkin hacktivity_2013

(Pdf) yury chemerkin balccon_2013
(Pdf) yury chemerkin balccon_2013(Pdf) yury chemerkin balccon_2013
(Pdf) yury chemerkin balccon_2013STO STRATEGY
 
(Pdf) yury chemerkin _ath_con_2013
(Pdf) yury chemerkin _ath_con_2013(Pdf) yury chemerkin _ath_con_2013
(Pdf) yury chemerkin _ath_con_2013STO STRATEGY
 
(Pdf) yury chemerkin _confidence_2013
(Pdf) yury chemerkin _confidence_2013(Pdf) yury chemerkin _confidence_2013
(Pdf) yury chemerkin _confidence_2013STO STRATEGY
 
6.3. How to get out of an inprivacy jail
6.3. How to get out of an inprivacy jail6.3. How to get out of an inprivacy jail
6.3. How to get out of an inprivacy jaildefconmoscow
 
(Pdf) yury chemerkin _null_con_2013
(Pdf) yury chemerkin _null_con_2013(Pdf) yury chemerkin _null_con_2013
(Pdf) yury chemerkin _null_con_2013STO STRATEGY
 
Debashis banerjee mobile_webappintrosecurity
Debashis banerjee mobile_webappintrosecurityDebashis banerjee mobile_webappintrosecurity
Debashis banerjee mobile_webappintrosecuritydebashisb
 
(Pdf) yury chemerkin _icitst_2012
(Pdf) yury chemerkin _icitst_2012(Pdf) yury chemerkin _icitst_2012
(Pdf) yury chemerkin _icitst_2012STO STRATEGY
 
The Consumerisation of Corporate IT
The Consumerisation of Corporate ITThe Consumerisation of Corporate IT
The Consumerisation of Corporate ITPeter Wood
 
When developer's api simplify user mode rootkits developing.
When developer's api simplify user mode rootkits developing.When developer's api simplify user mode rootkits developing.
When developer's api simplify user mode rootkits developing.Yury Chemerkin
 
Mobile hacking, pentest, and malware
Mobile hacking, pentest, and malwareMobile hacking, pentest, and malware
Mobile hacking, pentest, and malwareAmmar WK
 
MDM is not Enough - Parmelee
MDM is not Enough - Parmelee MDM is not Enough - Parmelee
MDM is not Enough - Parmelee Prolifics
 
iPhone and iPad Security
iPhone and iPad SecurityiPhone and iPad Security
iPhone and iPad SecuritySimon Guest
 
Security testing of mobile applications
Security testing of mobile applicationsSecurity testing of mobile applications
Security testing of mobile applicationsGTestClub
 
When developers api simplify user mode rootkits development – part ii
When developers api simplify user mode rootkits development – part iiWhen developers api simplify user mode rootkits development – part ii
When developers api simplify user mode rootkits development – part iiSTO STRATEGY
 
ISACA CACS 2012 - Mobile Device Security and Privacy
ISACA CACS 2012 - Mobile Device Security and PrivacyISACA CACS 2012 - Mobile Device Security and Privacy
ISACA CACS 2012 - Mobile Device Security and PrivacyMichael Davis
 
System Center Mobile Device Manager
System Center Mobile Device ManagerSystem Center Mobile Device Manager
System Center Mobile Device ManagerJohn Rhoton
 

Semelhante a (Pdf) yury chemerkin hacktivity_2013 (20)

(Pdf) yury chemerkin balccon_2013
(Pdf) yury chemerkin balccon_2013(Pdf) yury chemerkin balccon_2013
(Pdf) yury chemerkin balccon_2013
 
(Pdf) yury chemerkin _ath_con_2013
(Pdf) yury chemerkin _ath_con_2013(Pdf) yury chemerkin _ath_con_2013
(Pdf) yury chemerkin _ath_con_2013
 
(Pdf) yury chemerkin _confidence_2013
(Pdf) yury chemerkin _confidence_2013(Pdf) yury chemerkin _confidence_2013
(Pdf) yury chemerkin _confidence_2013
 
6.3. How to get out of an inprivacy jail
6.3. How to get out of an inprivacy jail6.3. How to get out of an inprivacy jail
6.3. How to get out of an inprivacy jail
 
(Pdf) yury chemerkin _null_con_2013
(Pdf) yury chemerkin _null_con_2013(Pdf) yury chemerkin _null_con_2013
(Pdf) yury chemerkin _null_con_2013
 
Debashis banerjee mobile_webappintrosecurity
Debashis banerjee mobile_webappintrosecurityDebashis banerjee mobile_webappintrosecurity
Debashis banerjee mobile_webappintrosecurity
 
(Pdf) yury chemerkin _icitst_2012
(Pdf) yury chemerkin _icitst_2012(Pdf) yury chemerkin _icitst_2012
(Pdf) yury chemerkin _icitst_2012
 
The Consumerisation of Corporate IT
The Consumerisation of Corporate ITThe Consumerisation of Corporate IT
The Consumerisation of Corporate IT
 
When developer's api simplify user mode rootkits developing.
When developer's api simplify user mode rootkits developing.When developer's api simplify user mode rootkits developing.
When developer's api simplify user mode rootkits developing.
 
Untitled 1
Untitled 1Untitled 1
Untitled 1
 
Mobile hacking, pentest, and malware
Mobile hacking, pentest, and malwareMobile hacking, pentest, and malware
Mobile hacking, pentest, and malware
 
MDM is not Enough - Parmelee
MDM is not Enough - Parmelee MDM is not Enough - Parmelee
MDM is not Enough - Parmelee
 
iPhone and iPad Security
iPhone and iPad SecurityiPhone and iPad Security
iPhone and iPad Security
 
Security testing of mobile applications
Security testing of mobile applicationsSecurity testing of mobile applications
Security testing of mobile applications
 
When developers api simplify user mode rootkits development – part ii
When developers api simplify user mode rootkits development – part iiWhen developers api simplify user mode rootkits development – part ii
When developers api simplify user mode rootkits development – part ii
 
ISACA CACS 2012 - Mobile Device Security and Privacy
ISACA CACS 2012 - Mobile Device Security and PrivacyISACA CACS 2012 - Mobile Device Security and Privacy
ISACA CACS 2012 - Mobile Device Security and Privacy
 
Adaptive Trust for Strong Network Security
Adaptive Trust for Strong Network SecurityAdaptive Trust for Strong Network Security
Adaptive Trust for Strong Network Security
 
System Center Mobile Device Manager
System Center Mobile Device ManagerSystem Center Mobile Device Manager
System Center Mobile Device Manager
 
Cn35499502
Cn35499502Cn35499502
Cn35499502
 
Pentesting Android Apps
Pentesting Android AppsPentesting Android Apps
Pentesting Android Apps
 

Mais de STO STRATEGY

(Pdf) yury chemerkin ita_2013
(Pdf) yury chemerkin ita_2013(Pdf) yury chemerkin ita_2013
(Pdf) yury chemerkin ita_2013STO STRATEGY
 
(Pdf) yury chemerkin deep_intel_2013
(Pdf) yury chemerkin deep_intel_2013(Pdf) yury chemerkin deep_intel_2013
(Pdf) yury chemerkin deep_intel_2013STO STRATEGY
 
(Pdf) yury chemerkin def_con_2013
(Pdf) yury chemerkin def_con_2013(Pdf) yury chemerkin def_con_2013
(Pdf) yury chemerkin def_con_2013STO STRATEGY
 
(Pdf) yury chemerkin _i-society_2013
(Pdf) yury chemerkin _i-society_2013(Pdf) yury chemerkin _i-society_2013
(Pdf) yury chemerkin _i-society_2013STO STRATEGY
 
(Pdf) yury chemerkin _i-society-2013 proceedings
(Pdf) yury chemerkin _i-society-2013 proceedings(Pdf) yury chemerkin _i-society-2013 proceedings
(Pdf) yury chemerkin _i-society-2013 proceedingsSTO STRATEGY
 
Yury chemerkin _cyber_crime_forum_2012
Yury chemerkin _cyber_crime_forum_2012Yury chemerkin _cyber_crime_forum_2012
Yury chemerkin _cyber_crime_forum_2012STO STRATEGY
 
(Pdf) yury chemerkin info_securityrussia_2011
(Pdf) yury chemerkin info_securityrussia_2011(Pdf) yury chemerkin info_securityrussia_2011
(Pdf) yury chemerkin info_securityrussia_2011STO STRATEGY
 
Pen test career. how to begin
Pen test career. how to beginPen test career. how to begin
Pen test career. how to beginSTO STRATEGY
 
State of art of mobile forensics
State of art of mobile forensicsState of art of mobile forensics
State of art of mobile forensicsSTO STRATEGY
 
AWS Security Challenges
AWS Security ChallengesAWS Security Challenges
AWS Security ChallengesSTO STRATEGY
 
Blackberry playbook – new challenges
Blackberry playbook – new challengesBlackberry playbook – new challenges
Blackberry playbook – new challengesSTO STRATEGY
 
Social network privacy.
Social network privacy.Social network privacy.
Social network privacy.STO STRATEGY
 
Comparison of android and black berry forensic techniques
Comparison of android and black berry forensic techniquesComparison of android and black berry forensic techniques
Comparison of android and black berry forensic techniquesSTO STRATEGY
 
Social network privacy
Social network privacySocial network privacy
Social network privacySTO STRATEGY
 
Interview with yury chemerkin
Interview with yury chemerkinInterview with yury chemerkin
Interview with yury chemerkinSTO STRATEGY
 
Why is password protection a fallacy a point of view
Why is password protection a fallacy a point of viewWhy is password protection a fallacy a point of view
Why is password protection a fallacy a point of viewSTO STRATEGY
 
A security system that changed the world
A security system that changed the worldA security system that changed the world
A security system that changed the worldSTO STRATEGY
 
Is data secure on the password protected blackberry device
Is data secure on the password protected blackberry deviceIs data secure on the password protected blackberry device
Is data secure on the password protected blackberry deviceSTO STRATEGY
 

Mais de STO STRATEGY (18)

(Pdf) yury chemerkin ita_2013
(Pdf) yury chemerkin ita_2013(Pdf) yury chemerkin ita_2013
(Pdf) yury chemerkin ita_2013
 
(Pdf) yury chemerkin deep_intel_2013
(Pdf) yury chemerkin deep_intel_2013(Pdf) yury chemerkin deep_intel_2013
(Pdf) yury chemerkin deep_intel_2013
 
(Pdf) yury chemerkin def_con_2013
(Pdf) yury chemerkin def_con_2013(Pdf) yury chemerkin def_con_2013
(Pdf) yury chemerkin def_con_2013
 
(Pdf) yury chemerkin _i-society_2013
(Pdf) yury chemerkin _i-society_2013(Pdf) yury chemerkin _i-society_2013
(Pdf) yury chemerkin _i-society_2013
 
(Pdf) yury chemerkin _i-society-2013 proceedings
(Pdf) yury chemerkin _i-society-2013 proceedings(Pdf) yury chemerkin _i-society-2013 proceedings
(Pdf) yury chemerkin _i-society-2013 proceedings
 
Yury chemerkin _cyber_crime_forum_2012
Yury chemerkin _cyber_crime_forum_2012Yury chemerkin _cyber_crime_forum_2012
Yury chemerkin _cyber_crime_forum_2012
 
(Pdf) yury chemerkin info_securityrussia_2011
(Pdf) yury chemerkin info_securityrussia_2011(Pdf) yury chemerkin info_securityrussia_2011
(Pdf) yury chemerkin info_securityrussia_2011
 
Pen test career. how to begin
Pen test career. how to beginPen test career. how to begin
Pen test career. how to begin
 
State of art of mobile forensics
State of art of mobile forensicsState of art of mobile forensics
State of art of mobile forensics
 
AWS Security Challenges
AWS Security ChallengesAWS Security Challenges
AWS Security Challenges
 
Blackberry playbook – new challenges
Blackberry playbook – new challengesBlackberry playbook – new challenges
Blackberry playbook – new challenges
 
Social network privacy.
Social network privacy.Social network privacy.
Social network privacy.
 
Comparison of android and black berry forensic techniques
Comparison of android and black berry forensic techniquesComparison of android and black berry forensic techniques
Comparison of android and black berry forensic techniques
 
Social network privacy
Social network privacySocial network privacy
Social network privacy
 
Interview with yury chemerkin
Interview with yury chemerkinInterview with yury chemerkin
Interview with yury chemerkin
 
Why is password protection a fallacy a point of view
Why is password protection a fallacy a point of viewWhy is password protection a fallacy a point of view
Why is password protection a fallacy a point of view
 
A security system that changed the world
A security system that changed the worldA security system that changed the world
A security system that changed the world
 
Is data secure on the password protected blackberry device
Is data secure on the password protected blackberry deviceIs data secure on the password protected blackberry device
Is data secure on the password protected blackberry device
 

Último

TrustArc Webinar - How to Live in a Post Third-Party Cookie World
TrustArc Webinar - How to Live in a Post Third-Party Cookie WorldTrustArc Webinar - How to Live in a Post Third-Party Cookie World
TrustArc Webinar - How to Live in a Post Third-Party Cookie WorldTrustArc
 
3 Pitfalls Everyone Should Avoid with Cloud Data
3 Pitfalls Everyone Should Avoid with Cloud Data3 Pitfalls Everyone Should Avoid with Cloud Data
3 Pitfalls Everyone Should Avoid with Cloud DataEric D. Schabell
 
EMEA What is ThousandEyes? Webinar
EMEA What is ThousandEyes? WebinarEMEA What is ThousandEyes? Webinar
EMEA What is ThousandEyes? WebinarThousandEyes
 
IT Service Management (ITSM) Best Practices for Advanced Computing
IT Service Management (ITSM) Best Practices for Advanced ComputingIT Service Management (ITSM) Best Practices for Advanced Computing
IT Service Management (ITSM) Best Practices for Advanced ComputingMAGNIntelligence
 
How to release an Open Source Dataweave Library
How to release an Open Source Dataweave LibraryHow to release an Open Source Dataweave Library
How to release an Open Source Dataweave Libraryshyamraj55
 
The New Cloud World Order Is FinOps (Slideshow)
The New Cloud World Order Is FinOps (Slideshow)The New Cloud World Order Is FinOps (Slideshow)
The New Cloud World Order Is FinOps (Slideshow)codyslingerland1
 
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedIn
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedInOutage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedIn
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedInThousandEyes
 
AI Workshops at Computers In Libraries 2024
AI Workshops at Computers In Libraries 2024AI Workshops at Computers In Libraries 2024
AI Workshops at Computers In Libraries 2024Brian Pichman
 
Trailblazer Community - Flows Workshop (Session 2)
Trailblazer Community - Flows Workshop (Session 2)Trailblazer Community - Flows Workshop (Session 2)
Trailblazer Community - Flows Workshop (Session 2)Muhammad Tiham Siddiqui
 
Stobox 4: Revolutionizing Investment in Real-World Assets Through Tokenization
Stobox 4: Revolutionizing Investment in Real-World Assets Through TokenizationStobox 4: Revolutionizing Investment in Real-World Assets Through Tokenization
Stobox 4: Revolutionizing Investment in Real-World Assets Through TokenizationStobox
 
From the origin to the future of Open Source model and business
From the origin to the future of  Open Source model and businessFrom the origin to the future of  Open Source model and business
From the origin to the future of Open Source model and businessFrancesco Corti
 
Introduction - IPLOOK NETWORKS CO., LTD.
Introduction - IPLOOK NETWORKS CO., LTD.Introduction - IPLOOK NETWORKS CO., LTD.
Introduction - IPLOOK NETWORKS CO., LTD.IPLOOK Networks
 
UiPath Studio Web workshop series - Day 4
UiPath Studio Web workshop series - Day 4UiPath Studio Web workshop series - Day 4
UiPath Studio Web workshop series - Day 4DianaGray10
 
The Importance of Indoor Air Quality (English)
The Importance of Indoor Air Quality (English)The Importance of Indoor Air Quality (English)
The Importance of Indoor Air Quality (English)IES VE
 
Novo Nordisk's journey in developing an open-source application on Neo4j
Novo Nordisk's journey in developing an open-source application on Neo4jNovo Nordisk's journey in developing an open-source application on Neo4j
Novo Nordisk's journey in developing an open-source application on Neo4jNeo4j
 
Scenario Library et REX Discover industry- and role- based scenarios
Scenario Library et REX Discover industry- and role- based scenariosScenario Library et REX Discover industry- and role- based scenarios
Scenario Library et REX Discover industry- and role- based scenariosErol GIRAUDY
 
CyberSecurity - Computers In Libraries 2024
CyberSecurity - Computers In Libraries 2024CyberSecurity - Computers In Libraries 2024
CyberSecurity - Computers In Libraries 2024Brian Pichman
 
Patch notes explaining DISARM Version 1.4 update
Patch notes explaining DISARM Version 1.4 updatePatch notes explaining DISARM Version 1.4 update
Patch notes explaining DISARM Version 1.4 updateadam112203
 
UiPath Studio Web workshop series - Day 1
UiPath Studio Web workshop series  - Day 1UiPath Studio Web workshop series  - Day 1
UiPath Studio Web workshop series - Day 1DianaGray10
 
Flow Control | Block Size | ST Min | First Frame
Flow Control | Block Size | ST Min | First FrameFlow Control | Block Size | ST Min | First Frame
Flow Control | Block Size | ST Min | First FrameKapil Thakar
 

Último (20)

TrustArc Webinar - How to Live in a Post Third-Party Cookie World
TrustArc Webinar - How to Live in a Post Third-Party Cookie WorldTrustArc Webinar - How to Live in a Post Third-Party Cookie World
TrustArc Webinar - How to Live in a Post Third-Party Cookie World
 
3 Pitfalls Everyone Should Avoid with Cloud Data
3 Pitfalls Everyone Should Avoid with Cloud Data3 Pitfalls Everyone Should Avoid with Cloud Data
3 Pitfalls Everyone Should Avoid with Cloud Data
 
EMEA What is ThousandEyes? Webinar
EMEA What is ThousandEyes? WebinarEMEA What is ThousandEyes? Webinar
EMEA What is ThousandEyes? Webinar
 
IT Service Management (ITSM) Best Practices for Advanced Computing
IT Service Management (ITSM) Best Practices for Advanced ComputingIT Service Management (ITSM) Best Practices for Advanced Computing
IT Service Management (ITSM) Best Practices for Advanced Computing
 
How to release an Open Source Dataweave Library
How to release an Open Source Dataweave LibraryHow to release an Open Source Dataweave Library
How to release an Open Source Dataweave Library
 
The New Cloud World Order Is FinOps (Slideshow)
The New Cloud World Order Is FinOps (Slideshow)The New Cloud World Order Is FinOps (Slideshow)
The New Cloud World Order Is FinOps (Slideshow)
 
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedIn
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedInOutage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedIn
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedIn
 
AI Workshops at Computers In Libraries 2024
AI Workshops at Computers In Libraries 2024AI Workshops at Computers In Libraries 2024
AI Workshops at Computers In Libraries 2024
 
Trailblazer Community - Flows Workshop (Session 2)
Trailblazer Community - Flows Workshop (Session 2)Trailblazer Community - Flows Workshop (Session 2)
Trailblazer Community - Flows Workshop (Session 2)
 
Stobox 4: Revolutionizing Investment in Real-World Assets Through Tokenization
Stobox 4: Revolutionizing Investment in Real-World Assets Through TokenizationStobox 4: Revolutionizing Investment in Real-World Assets Through Tokenization
Stobox 4: Revolutionizing Investment in Real-World Assets Through Tokenization
 
From the origin to the future of Open Source model and business
From the origin to the future of  Open Source model and businessFrom the origin to the future of  Open Source model and business
From the origin to the future of Open Source model and business
 
Introduction - IPLOOK NETWORKS CO., LTD.
Introduction - IPLOOK NETWORKS CO., LTD.Introduction - IPLOOK NETWORKS CO., LTD.
Introduction - IPLOOK NETWORKS CO., LTD.
 
UiPath Studio Web workshop series - Day 4
UiPath Studio Web workshop series - Day 4UiPath Studio Web workshop series - Day 4
UiPath Studio Web workshop series - Day 4
 
The Importance of Indoor Air Quality (English)
The Importance of Indoor Air Quality (English)The Importance of Indoor Air Quality (English)
The Importance of Indoor Air Quality (English)
 
Novo Nordisk's journey in developing an open-source application on Neo4j
Novo Nordisk's journey in developing an open-source application on Neo4jNovo Nordisk's journey in developing an open-source application on Neo4j
Novo Nordisk's journey in developing an open-source application on Neo4j
 
Scenario Library et REX Discover industry- and role- based scenarios
Scenario Library et REX Discover industry- and role- based scenariosScenario Library et REX Discover industry- and role- based scenarios
Scenario Library et REX Discover industry- and role- based scenarios
 
CyberSecurity - Computers In Libraries 2024
CyberSecurity - Computers In Libraries 2024CyberSecurity - Computers In Libraries 2024
CyberSecurity - Computers In Libraries 2024
 
Patch notes explaining DISARM Version 1.4 update
Patch notes explaining DISARM Version 1.4 updatePatch notes explaining DISARM Version 1.4 update
Patch notes explaining DISARM Version 1.4 update
 
UiPath Studio Web workshop series - Day 1
UiPath Studio Web workshop series  - Day 1UiPath Studio Web workshop series  - Day 1
UiPath Studio Web workshop series - Day 1
 
Flow Control | Block Size | ST Min | First Frame
Flow Control | Block Size | ST Min | First FrameFlow Control | Block Size | ST Min | First Frame
Flow Control | Block Size | ST Min | First Frame
 

(Pdf) yury chemerkin hacktivity_2013

  • 1. (IN-)EFFICIENCY OF SECURITY FEATURES ON MOBILE SECURITY AND COMPLIANCE YURY CHEMERKIN Hacktivity 2013
  • 2. [ YURY CHEMERKIN ] www.linkedin.com/in/yurychemerkin http://sto-strategy.com  MULTISKILLED SECURITY RESEARCHER  EXPERIENCED IN :      REVERSE ENGINEERING & AV, DEVELOPMENT (IN THE PAST) MOBILE SECURITY, INCL. MDM, MAM, etc. CYBER SECURITY & CLOUD SECURITY COMPLIANCE & FORENSICS ON MOBILE & CLOUD WRITING (HAKING, PENTEST, EFORENSICS)  PARTICIPATION AT CONFERENCES     INFOSECURITY RUSSIA, NULLCON, ATHCON, CONFIDENCE, PHDAYS, DEFCON MOSCOW, HACKERHALTED, HACKFEST CYBERCRIME FORUM, CYBER INTELLIGENCE EUROPE/INTELLIGENCE-SEC, DEEPINTEL ICITST, CTICON (CYBERTIMES), ITA, I-SOCIETY yury.s@chemerkin.com
  • 3. [ MOBILE DEVICE MANAGEMENT] WHAT DO WORKERS WANT… WHAT DO COMPANIES WANT…
  • 4. [ MOBILE DEVICE MANAGEMENT] WHAT DO THIRD PART USUALLY SELL…FIRST CASE WHAT DO THIRD PART USUALLY SELL…SECONDCASE
  • 5. [ MOBILE DEVICE MANAGEMENT] WHAT’S THE REAL DEVICE MANAGEMENT APPROACH INCLUDE…NOT LESS THAN… MOBILE DEVICE MOBILE DEVICE MANAGEMENT SOLUTION  NATIVE / THIRD PARTY SOLUTION MOBILE APPLICATION MANAGEMENT SOLUTION  EMBEDDED / NATIVE / THIRD PARTY SOLUTION MOBILE EMAIL MANAGEMENT SOLUTION NETWORK ACCESS CONTROL SOLUTION  NOT ENOUGH NEW IDEA, BUT QUITE USEFUL IN CLOUDS ADDITIONAL SOLUTION  AV, LOG MANAGEMENT, DLP-BASED SOLUTION, FORENSICS SOLUTION COMPLIANCE  GUIDELINES / BEST PRACTICES
  • 6. [ OPINIONS ] Blackberry Windows iOS Android  APPLE IS SO SERIOUS TO LET MALWARE BE SPREADED THROUGH THEIR MARKET, EXCEPT   Ch. MILLER CASE  JAILBREAK,CYDIA,BLACK&OTHER MARKETS  MICROSOFT (WINDOWS PHONE) HAS IMPLEMENTED THE SAME IDEA  GOOGLE HAS A WEAK POLICY THAT WHY EVERYONE GOT MALWARE IN OFFICAL MARKET EVEN  PLUS 3RD PARTY MARKET  PLUS REPACKAGES  BLACKBERRY IS THE SAFEST OS BECAUSE THAT'S ABOUT THE SIZE OF IT 
  • 7. [ SECURITY ENVIRONMENT ] EACH OS EVALUATESEVERY REQUEST THAT APPLICATION S MAKESTO ACCESSTO… BUT LEADS AWAY FROM ANY DETAILS AND APIs  MDM HELPS TO PROTECT DATA AND MANAGE BLACKBERRY, iOS, WINDOWS, AND ANDROID DEVICES.  MDM ENHANCED BY MANAGING THE BEHAVIOR OF THE DEVICE  SECURE BOOTLOADER, SYSTEM SOFTWARE SECURITY (UPDATES),  APPLICATION CODE SIGNING  RUNTIME PROCESS SECURITY (SANDBOX, APIs)  HARDWARE SECURITY FEATURES  FILE DATA PROTECTION  SSL, TLS, VPN  PASSCODE PROTECTION  SETTINGS (PERMISSIONS/ RESTRICTIONS, CONFIGURATIONS)  REMOTE MAGAGEMENT   MDM REMOTE WIPE
  • 8. [ KNOWN ISSUES. Examples ] THREATSBOUNDSBECOME UNCLEAR…  BYPASS MDM SOLUTIONS  iOS, ANDROID  EXPLOITS, DUMP /MEM TO GET EMAILS  BLACKHAT EU’13 http://goo.gl/HN829p  BLACKBERRY PLAYBOOK  EXPLOITS, MITM, DUMP ‘.ALL’ FILES  SECTO’11R, INFILTRATE’12, SOURCE BOSTON’13 http://goo.gl/KaTtFG  GAIN ROOT ACCESS  ANDROID  APP SIGNATURE EXPLOITATION  APP MODIFICATION  BLACKHAT USA’13 http://goo.gl/p5FhWG COMPLIANCEBRINGS COMMONRECOMMENDATIONS  TIME-FRAME TO FIX  7+ MONTH or WAIT FOR A NEXT UPDATE  WAIT FOR A VENDOR’S INTEREST TO YOU  ANALYSIS OF APP’S DATA IN THE REST  BLACKBERRY, iOS  DATA LEAKAGE  REVEAL PASSWORDS, MASTERKEYS, ETC.  BLACKHAT EU’12 http://goo.gl/STpSll  ANDROID  DATA LEAKAGE  WEAKNESS OF CRYPTO ENGINGE  PHDAY III ‘13 http://goo.gl/x1PPGK
  • 9. [ KNOWN ISSUES. Examples ] THREATSBOUNDSBECOME UNCLEAR…  PLAYBOOK ARTIFACTS (see the previous slide)  BROWSERS HISTORY  NETWORKING IDs, FLAGS, MACs  VIDEO CALLS DETAILS  ACCESS TO INTERNAL NETWORK  KERNEL  BLACKBERRY Z10  DUMP MICROKERNEL  EVEN DEVELOPERS’ CREDENTIALS (FACEBOOK, MOBILE, EMAILS) BLACKHAT DEFCON MOSCOW http://goo.gl/R74leX COMPLIANCEBRINGS COMMONRECOMMENDATIONS  GUI FAILS (mine results)  BLACKBERRY OS  DATA LEAKAGE  REVEAL PASSWORDS, … ANYTHING  NO PERMISSIONS REQUESTED  BORROW PERMISSIONS OF ANOTHER APP  NullCon’13, CONFIDENCE’13  http://goo.gl/phMey2  Haven’t yet test on new blackberry devices
  • 10. [ DEVICE MANAGEMENT ] APPLICATION LEVEL ATTACK’SVECTOR  GOALS - MOBILE RESOURCES / AIM OF ATTACK  DEVICE RESOURCES  OUTSIDE-OF-DEVICE RESOURCES  ATTACKS – SET OF ACTIONS UNDER THE THREAT  APIs - RESOURCES WIDELY AVAILABLE TO CODERS  SECURITY FEATURES  KERNEL PROTECTION , NON-APP FEATURES  PERMISSIONS - EXPLICITLY CONFIGURED  3RD PARTY  AV, FIREWALL, VPN, MDM  COMPLIANCE - RULES TO DESIGN A MOBILE SECURITY IN ALIGNMENT WITH COMPLIANCE TO… Goals AV, MDM, DLP, VPN Non-app features MDM features Kernel protection Permissions APIs Attacks APIs
  • 11. [ DEVICE MANAGEMENT ] Concurrencyover native & additional security features 𝚫 = 𝚨 ∪ 𝚩 ∪ 𝚪 ∪ 𝚼 , 𝚨 ⊂ 𝚩, 𝚼 ⊆ 𝚩, 𝚼 ⊂ 𝐀 𝛥 – set of OS permissions, 𝛢 – set of device permissions, 𝛣 – set of MDM permissions, 𝛤 – set of missed permissions (lack of controls), 𝜰 – set of rules are explicitly should be applied to gain a compliance 𝚮 = 𝚬+ 𝚭, 𝚬 ⊃ 𝚨∪ 𝚩 𝛨 – set of APIs , 𝛦 – set of APIs that interact with sensitive data, 𝛧 – set of APIs that do not interact with sensitive data To get a mobile security designed with full granularity the set 𝛤 should be empty set to get 𝚬 ⊇ 𝚨 ∪ 𝚩 instead of 𝚬 ⊃ 𝚨 ∪ 𝚩, so the matter how is it closer to empty. On another hand it should find out whether assumptions 𝚼 ⊆ 𝚩, 𝚼 ⊂ 𝐀 are true and if it is possible to get ⊆ 𝐀. The situationis very serious  Set of permissions < Set of activities  efficiency is  typical case < 100%,  ability to control each API = 100%  More than 1 permission per APIs >100%   lack of knowledge about possible attacks improper granularity AV, MDM, DLP, VPN Non-app features MDM features Kernel protection Permissions
  • 12. [ BLACKBERRY. PERMISSIONS ] BB 10 Cascades SDK Background processing BlackBerry Messenger Calendar, Contacts Camera Device identifying information Email and PIN messages GPS location Internet Location Microphone Narrow swipe up Notebooks Notifications Player Phone Push Shared files Text messages Volume BB 10 AIR SDK + + + + + + + + + + + + + + + - PB (NDK/AIR) + via invoke calls + + via invoke calls + + + + + + + +
  • 13. [ BLACKBERRY. Significant APIs ] Feature BlackBerry Messenger Calendar Camera Contacts Device identifying info Email & PIN messages Internet Microphone Notebooks Notifications Phone Push Shared files Text messages Account MediaPlayer NFC Radio & SIM Clipboard Q. APIs 77 443 47 316 15 347 161 21 123 32 27 25 78 10 66 66 24 68 6 Q. sign. APIs 70 126 41 150 14 211 145 15 86 24 22 22 70 6 21 63 11 51 4 % (sign .APIs) 90,91 28,44 87,23 47,47 93,33 60,81 90,06 71,43 69,92 75,00 81,48 88,00 89,74 60,00 31,82 95,45 45,83 75,00 66,67 Controlled ? + + + + + + + + + + + + + + -
  • 14. [ BLACKBERRY. Common activities ] 34 35 30 25 21 18 20 17 14 15 10 6 5 0 7 5 4 1 3 8 6 3 2 1 1 1 Q. of m.+a. activity 4 3 2 2 2 4 2 1 1 4 1 Q. of m.+a. permission 4 1 4 3 1 2 2 5 1
  • 15. [ BLACKBERRY. Derived activities ] 116 120 100 89 80 59 60 47 40 20 0 24 1 4 3 3 23 16 7 6 1 3 46 11 3 1 2 Q. of derived activities 2 2 9 3 1 2 Q. of derived perm 27 25 24 19 1 1 8 1 2 2 5 1
  • 16. [ BLACKBERRY. Efficiency (%) ] 250,00 250,00 200,00 150,00 3,45 16,67 8,70 5,08 100,00 50,00 12,50 60,00 16,67 19,05 3,37 6,25 66,67 14,29 5,88 14,29 5,56 16,67 66,67 66,67 4,26 9,09 66,67 11,76 25,00 5,26 50,00 4,17 50,00 25,00 25,00 0,00 % m+a activity vs perm 8,00 88,89 2,17 % m+a derived activity vs perm 250,00 33,33 3,70 50,00 7,14
  • 17. [ iOS. Info.plist(app capabilities) ] Key auto-focus-camera Description handle autofocus capabilities in the device’s still camera in case of a macro photography or image processing. bluetooth-le camera-flash front-facing-camera gamekit gps handle the presence of Bluetooth low-energy hardware on the device. handle a camera flash for taking pictures or shooting video. handle a forward-facing camera such as capturing video from the device’s camera. handle a Game Center. handle a GPS (or AGPS) hardware to track a locations in case of need the higher accuracy more than Cellular/Wi-Fi. location-services retrieve the device’s current location using the Core Location framework though Cellular/Wi-Fi microphone peer-peer sms handle the built-in microphone and its accessories handle peer-to-peer connectivity over a Bluetooth network. handle the presence of the Messages application such as opening URLs with the sms scheme. still-camera handle the presence of a camera on the device such as capturing images from the device’s still camera. telephony handle the presence of the Phone application such as opening URLs with the telephony scheme. video-camera handle the presence of a camera with video capabilities on device such as capturing video from the device’s camera. wifi access to the networking features of the device.
  • 18. [ iOS. Settings ] Component Unit Safari Camera, FaceTime iTunes Store, iBookstore Siri Manage applications* Manage applications* Explicit Language (Siri) Privacy*, Accounts* Content Type Restrictions* Restrictions :: Native application Restrictions :: 3rd application Unit subcomponents Privacy :: Location Privacy :: Private Info Accounts Content Type Restrictions Game Center Manage applications Per each 3rd party app For system services Contacts, Calendar, Reminders, Photos Bluetooth Sharing Twitter, Facebook Disables changes to Mail, Contacts, Calendars, iCloud, and Twitter accounts Find My Friends Volume limit Ratings per country and region Music and podcasts Movies, Books, Apps, TV shows In-app purchases Require Passwords (in-app purchases) Multiplayer Games Adding Friends (Game Center) Installing Apps Removing Apps
  • 19. [ iOS. Common activities ] 20 18 16 14 12 10 8 6 4 2 0 17 12 3 2 13 8 5 0 1 1 10 0 0 1 Q. of m.+a. activity 3 0 10 0 6 0 0 3 0 1 2 0 1 0 Q. of m.+a. permission 2 1 1 0 1 2 3 0 10 1 3 0 1 Q. of m.+a. perm plus parental perm 4
  • 20. [ iOS. Derived activities ] 4 3 82 80 70 60 50 40 30 20 10 0 1 0 0 1 1 2 1 0 13 9 20 3 0 0 13 Q. of derived activities 0 9 0 18 12 0 0 10 Q. of derived perm 0 2 0 1 1 1 1 10 0 25 0 10 6 1 Q. of derived perm + plus parental perm 2 1
  • 21. [ iOS. Efficiency (%) ] 100% 90% 80% 70% 60% 50% 40% 30% 20% 10% 0% 11,11 15,00 7,69 20,00 % m+a activity vs perm 0,00 0,00 0,00 0,00 5,56 0,00 0,00 0,00 % m+a derived activity vs perm 7,69 8,00 40,00 50,00 16,67 0,00 0,00 0,00 0,00 16,67 0,00 0,00 4,88 10,00 16,67 7,69 25,00 10,00 33,33 50,00 5,56 0,00 0,00 0,00 11,76 0,00 0,00 50,00 10,00 0,00 0,00 50,00 16,67 Q. of m.+a. perm plus parental perm 0,00 0,00 0,00 0,00 33,33 3,66 4,00 0,00 0,00 30,00 5,88 Q. of derived perm + plus parental perm
  • 22. [ Windows. Permissions ] Permission Description General use capabilities musicLibrary provides access to the user's Music library, allowing the app to enumerate and access all files w/o user interaction. picturesLibrary videosLibrary removableStorage provides access to the user's Pictures library, allowing to enumerate and access all files w/o user interaction. provides access to the user's Videos library, allowing the app to enumerate and access all w/o user interaction. provides access to files on removable storage, such as USB keys and external hard drives, filtered to the file type microphone provides access to the microphone’s audio feed, which allows to record audio from connected microphones.. webcam provides access to the webcam’s video feed, which allows to capture snapshots, movies from a connected webcam. location provides access to location functionality like a GPS sensor or derived from available network info. enables multiple devices in close proximity to communicate with one another via possible connection, incl. Bluetooth, WiFi, and the internet. proximity internetClient, internetClientServer privateNetworkClientServer enterpriseAuthentication sharedUserCertificates documentsLibrary provides outbound (inbound is for server only) access to the Internet, public networks via the firewall. provides inbound and outbound access to home and work networks through the firewall for games or for applications that share data across local devices. Special use capabilities enable a user to log into remote resources using their credentials, and act as if a user provided their user name and password. enables an access to software and hardware certificates like smart card. provides access to the user's Documents library, filtered to the file type associations
  • 23. [ Windows. Significant APIs ] Feature Q. APIs Notifications Music library Pictures library Videos library Removable storage Microphone Webcam Location Proximity Internet and public networks Home and work networks 68 1300 1157 1300 1045 274 409 37 54 488 488 Enterprise authentication Shared User Certificates Documents library 8 20 1045 Clipboard Phone SMS Contacts Device Info 132 18 122 97 221 Q. sign. APIs General use capabilities 4 138 133 138 109 33 91 5 19 134 134 Special use capabilities 4 5 126 Non-controlled capabilities 20 6 25 31 30 % (sign. APIs) Controlled? 5,88 10,62 11,50 10,62 10,43 12,04 22,25 13,51 35,19 27,46 27,46 + + + + + + + + + + + 50,00 25,00 12,06 + + + 15,15 33,33 20,49 31,96 13,57 -
  • 24. [ Windows. Common Activities ] 14 14 12 10 8 8 3 4 2 0 6 5 6 6 1 1 1 1 3 1 1 1 1 1 3 8 4 5 3 1 Q. of m.+a. activity 1 2 4 3 1 Q. of m.+a. permission 2 2 3 2 1 2 0 0 0 0 0
  • 25. [ Windows. Derived Activities ] 25 21 20 15 0 1 2 12 8 7 5 1 15 11 10 8 10 5 16 14 2 2 1 3 12 11 8 6 6 3 8 8 5 1 1 Q. of derived activities 2 1 Q. of derived perm 2 2 0 0 0 0 0
  • 26. [ Windows. Efficiency (%) ] 120,00 120,00 100,00 100,00 100,00 100,00 100,00 100,00 100,00 80,00 60,00 40,00 20,00 125,00 100,00 27,27 42,86 25,00 25,00 20,00 33,33 20,00 33,33 33,33 14,29 31,25 16,67 14,29 9,52 50,00 33,33 16,67 16,6716,67 0,00 % m+a activity vs perm % m+a derived activity vs perm 0,00 0,00 0,00 0,00 0,00 0,00 0,00 0,00 0,00 0,00
  • 27. [ A droid. Permissions ] List contains~150 permissions I have ever seen that on old BlackBerry devices ACCESS_CHECKIN_PROPERTIES,ACCESS_COARSE_LOCATION, OSTIC,DISABLE_KEYGUARD,DUMP,EXPAND_STATUS_BAR,FAC RD_AUDIO,REORDER_TASKS,RESTART_PACKAGES,SEND_SMS ACCESS_FINE_LOCATION,ACCESS_LOCATION_EXTRA_COMM TORY_TEST,FLASHLIGHT,FORCE_BACK,GET_ACCOUNTS,GET_ ,SET_ACTIVITY_WATCHER,SET_ALARM,SET_ALWAYS_FINISH, ANDS,ACCESS_MOCK_LOCATION,ACCESS_NETWORK_STATE, PACKAGE_SIZE,GET_TASKS,GLOBAL_SEARCH,HARDWARE_TE SET_ANIMATION_SCALE,SET_DEBUG_APP,SET_ORIENTATION ACCESS_SURFACE_FLINGER,ACCESS_WIFI_STATE,ACCOUNT_ ST,INJECT_EVENTS,INSTALL_LOCATION_PROVIDER,INSTALL_P ,SET_POINTER_SPEED,SET_PREFERRED_APPLICATIONS,SET_P MANAGER,ADD_VOICEMAIL,AUTHENTICATE_ACCOUNTS,BAT ACKAGES,INTERNAL_SYSTEM_WINDOW,INTERNET,KILL_BACK ROCESS_LIMIT,SET_TIME,SET_TIME_ZONE,SET_WALLPAPER,S TERY_STATS,BIND_ACCESSIBILITY_SERVICE,BIND_APPWIDGET GROUND_PROCESSES,MANAGE_ACCOUNTS,MANAGE_APP_T ET_WALLPAPER_HINTS,SIGNAL_PERSISTENT_PROCESSES,STA ,BIND_DEVICE_ADMIN,BIND_INPUT_METHOD,BIND_REMOTE OKENS,MASTER_CLEAR,MODIFY_AUDIO_SETTINGS,MODIFY_ TUS_BAR,SUBSCRIBED_FEEDS_READ,SUBSCRIBED_FEEDS_WR VIEWS,BIND_TEXT_SERVICE,BIND_VPN_SERVICE,BIND_WALL PHONE_STATE,MOUNT_FORMAT_FILESYSTEMS,MOUNT_UN ITE,SYSTEM_ALERT_WINDOW,UPDATE_DEVICE_STATS,USE_C PAPER,BLUETOOTH,BLUETOOTH_ADMIN,BRICK,BROADCAST_ MOUNT_FILESYSTEMS,NFC,PERSISTENT_ACTIVITY,PROCESS_ REDENTIALS,USE_SIP,VIBRATE,WAKE_LOCK,WRITE_APN_SET PACKAGE_REMOVED,BROADCAST_SMS,BROADCAST_STICKY, OUTGOING_CALLS,READ_CALENDAR,READ_CALL_LOG,READ_ TINGS,WRITE_CALENDAR,WRITE_CALL_LOG,WRITE_CONTAC BROADCAST_WAP_PUSH,CALL_PHONE,CALL_PRIVILEGED,CA CONTACTS,READ_EXTERNAL_STORAGE,READ_FRAME_BUFFE TS,WRITE_EXTERNAL_STORAGE,WRITE_GSERVICES,WRITE_HI MERA,CHANGE_COMPONENT_ENABLED_STATE,CHANGE_CO R,READ_HISTORY_BOOKMARKS,READ_INPUT_STATE,READ_L STORY_BOOKMARKS,WRITE_PROFILE,WRITE_SECURE_SETTIN NFIGURATION,CHANGE_NETWORK_STATE,CHANGE_WIFI_M OGS,READ_PHONE_STATE,READ_PROFILE,READ_SMS,READ_ GS,WRITE_SETTINGS,WRITE_SMS,WRITE_SOCIAL_STREAM,W ULTICAST_STATE,CHANGE_WIFI_STATE,CLEAR_APP_CACHE,C SOCIAL_STREAM,READ_SYNC_SETTINGS,READ_SYNC_STATS, RITE_SYNC_SETTINGS,WRITE_USER_DICTIONARY, LEAR_APP_USER_DATA,CONTROL_LOCATION_UPDATES,DELE READ_USER_DICTIONARY,REBOOT,RECEIVE_BOOT_COMPLET TE_CACHE_FILES,DELETE_PACKAGES,DEVICE_POWER,DIAGN ED,RECEIVE_MMS,RECEIVE_SMS,RECEIVE_WAP_PUSH,RECO
  • 28. [ A droid. Permission Groups ] But there only 30 permissions groups  ACCOUNTS  AFFECTS_BATTERY  APP_INFO  AUDIO_SETTINGS  BLUETOOTH_NETWORK  BOOKMARKS  CALENDAR  CAMERA  COST_MONEY  DEVELOPMENT_TOOLS  DEVICE_ALARMS  DISPLAY  HARDWARE_CONTROLS I have ever seen that on old BlackBerry devices too  LOCATION  MESSAGES  MICROPHONE  NETWORK  PERSONAL_INFO  PHONE_CALLS  SCREENLOCK  SOCIAL_INFO  STATUS_BAR  STORAGE  SYNC_SETTINGS  SYSTEM_CLOCK  SYSTEM_TOOLS  USER_DICTIONARY  VOICEMAIL  WALLPAPER  WRITE_USER_DICTIONARY
  • 29. [ A droid. Efficiency (%) ] 50,00 45,00 40,00 33,33 35,00 30,00 25,00 20,00 15,00 10,00 28,57 25,00 20,00 20,00 15,38 15,38 20,00 9,52 0,00 0,00 2,91 10,71 5,00 0,00 2,00 7,14 0,00 4,55 8,33 7,14 0,00 % m+a activity vs perm % m+a derived activity vs perm 10,00 4,00 3,13 5,88 3,13 0,00
  • 30. [ Average quantitative indicators ] 100% 102,74 90% 80% 119,31 60,63 8,86 29,26 1,89 42,04 2,32 70% 60% 60,38 435,95 9,06 0,64 7,43 0,69 1,47 1,63 2,01 2,19 Q. of m.+a. permissions Q. of derived permissions 17,07 30,48 5,94 48,06 32,79 16,99 9,21 50% 40% 62,37 3,84 67,48 9,23 9,68 54 20,97 58,06 22,76 30% 20% 394,86 10% 32,48 38,4 27,6 38,4 27,6 0% Q. APIs Q. sign APIs Q. of m.+a. activities Q. of derived activities Android Windows iOS % m+a activities %m+a derived vs % m+a vs perm vs perm perm enhanced by MDM BlackBerry % derived vs perm enhanced by MDM
  • 31. MDM . Extend your device security capabilities Android  CAMERA AND VIDEO  HIDE THE DEFAULT CAMERA APPLICATION  PASSWORD  DEFINE PASSWORD PROPERTIES  REQUIRE LETTERS (incl. case)  REQUIRE NUMBERS  REQUIRE SPECIAL CHARACTERS  DELETE DATA AND APPLICATIONS FROM THE DEVICE AFTER  INCORRECT PASSWORD ATTEMPTS  DEVICE PASSWORD  ENABLE AUTO-LOCK CONTROLLED FOUR GROUPS ONLY     LIMIT PASSWORD AGE LIMIT PASSWORD HISTORY RESTRICT PASSWORD LENGTH MINIMUM LENGTH FOR THE DEVICE PASSWORD THAT IS ALLOWED  ENCRYPTION  APPLY ENCRYPTION RULES  ENCRYPT INTERNAL DEVICE STORAGE  TOUCHDOWN SUPPORT  MICROSOFT EXCHANGE SYNCHRONIZATION  EMAIL PROFILES  ACTIVESYNC
  • 32. MDM . Extend your device security capabilities iOS   BROWSER   CONTROLLED 16 GROUPSONLY DEFAULT APP, AUTOFILL, COOKIES, JAVASCRIPT, POPUPS MESSAGING (DEFAULT APP)   BACKUP / DOCUMENT PICTURE / SHARING ONLINE STORE  CAMERA, VIDEO, VIDEO CONF  CERTIFICATES (UNTRUSTED CERTs)  MESSAGING (DEFAULT APP)  CLOUD SERVICES  PASSWORD (THE SAME WITH ANDROID, NEW BLACKBERRY DEVICES)  PHONE AND MESSAGING (VOICE DIALING)  CONNECTIVITY      OUTPUT, SCREEN CAPTURE, DEFAULT APP BACKUP / DOCUMENT / PICTURE / SHARING ONLINE STORES , PURCHASES, PASSWORD DEFAULT STORE / BOOK / MUSIC APP  PROFILE & CERTs (INTERACTIVE INSTALLATION) NETWORK, WIRELESS, ROAMING DATA, VOICE WHEN ROAMING  SOCIAL (DEFAULT APP) CONTENT (incl. EXPLICIT) RATING FOR APPS/ MOVIES / TV SHOWS / REGIONS    CONTENT      DIAGNOSTICS AND USAGE (SUBMISSION LOGS) STORAGE AND BACKUP   SOCIAL APPS / GAMING / ADDING FRIENDS / MULTI-PLAYER DEFAULT SOCIAL-GAMING / SOCIAL-VIDEO APPS DEVICE BACKUP AND ENCRYPTION VOICE ASSISTANT (DEFAULT APP)
  • 33. MDM . Extend your device security capabilities BlackBerry (new, 10, qnx)  CONTROLLED 7 GROUPSONLY     GENERAL   MOBILE HOTSPOT AND TETHERING PLANS APP, APPWORLD  PASSWORD (THE SAME WITH ANDROID, iOS)  BES MANAGEMENT (SMARTPHONES, TABLETS)  SOFTWARE      OPEN WORK EMAIL MESSAGES LINKS IN THE PERSONAL BROWSER TRANSFER THOUGH WORK PERIMETER TO SAME/ANOTHER DEVICE BBM VIDEO ACCESS TO WORK NETWORK VIDEO CHAT APP USES ORGANIZATION’S WI-FI/VPN NETWORK SECURITY       CERTIFICATES & CIPHERS & S/MIME HASH & ENCRYPTION ALGS AND KEY PARAMS TASK/MEMO/CALENDAR/CONTACT/DAYS SYNC WI-FI PROFILES    WIPE WORK SPACE WITHOUT NETWORK, RESTRICT DEV. MODE VOICE CONTROL & DICTATION IN WORK & USER APPS BACKUP AND RESTORE (WORK) & DESKTOP SOFTWARE PC ACCESS TO WORK & PERSONAL SPACE (USB, BT) PERSONAL SPACE DATA ENCRYPTION EMAIL PROFILES     NETWORK ACCESS CONTROL FOR WORK APPS PERSONAL APPS ACCESS TO WORK CONTACTS SHARE WORK DATA DURING BBM VIDEO SCREEN SHARING WORK DOMAINS, WORK NETWORK USAGE FOR PERSONAL APPS ACCESS POINT, DEFAULT GATEWAY, DHCP, IPV6, SSID, IP ADDRESS PROXY PASSWORD/PORT/SERVER/SUBNET MASK VPN PROFILES    PROXY, SCEP, AUTH PROFILE PARAMS TOKENS, IKE, IPSEC OTHER PARAMS PROXY PORTS, USERNAME, OTHER PARAMS
  • 34. MDM . Extend your device security capabilities Blackberry (old)  THERE 55 GROUPS CONTROLLED IN ALL  EACH GROUP CONTAINS FROM 10 TO 30 UNITS ARE CONTROLLED TOO  EACH UNIT IS UNDER A LOT OF FLEXIBLE PARAMs INSTEAD OF A WAY ‘DISABLE/ENABLED & HIDE/UNHIDE’  EACH EVENT IS  CONTROLLED BY CERTAIN PERMISSION  ALLOWED TO CONTROL BY SIMILAR PERMISSIONS TO BE MORE FLEXIBLE  DESCRIBED 360 PAGES IN ALL THAT IN FOUR TIME MORE THAN OTHER DOCUMENTS Huge amount of permissions are MDM & device built-in  EACH UNIT CAN’T CONTROL ACTIVITY UNDER ITSELF  ‘CREATE, READ, WRITE/SAVE, SEND, DELETE’ ACTIONS IN REGARDS TO MESSAGES LEAD TO SPOOFING BY REQUESTING A ‘MESSAGE’ PERMISSION ONLY  SOME PERMISSIONS AREN’T REQUIRED (TO DELETE ANY OTHER APP)  SOME PERMISSIONS ARE RELATED TO APP, WHICH 3RD PARTY PLUGIN WAS EMBEDDED IN, INSTEAD OF THAT PLUGIN
  • 36. [ Vulnerabilities of OS and apps ] MIN & AVERAGE SCORE Android Average; 8,2 iOS Average; 6,3 BB-Average; 6,3 BB Min; 2,1 Android Min; 1,9 iOS Min; 1,2 Min & Average Score
  • 37. [ APPLICATION AUDIT , APP ANALYSIS TOOLS ] HEYDUDE, WHYIS IT VULNERABLEAGAIN? HOW MANY THE TOOLS ARE (approximately):     iOS – 10 ANDROID – 50 WINDOWSPHONE – 40 BLACKBERRY - 10 SORRY,BOSS,I’HADJUST BEENCOMMITEDA WRONGBRANCH  QUANTITY OF BUGS / SECURITY FLAWS    AVERAGE – 50 MIN – 20 MAX – INFINITY  BUGS TYPE (OBVIOUS | LIKELY)    OBVIOUS BUGS LIKELY BUGS LIKE SQL WARNING BUGS (CHECK IT OUT)
  • 38. COMPLIANCE AND MDM CSA Mobile Device Management: Key Components Device diversity Configuration management Software Distribution Device policy compliance & enforcement Enterprise Activation Logging Security Settings Security Wipe, Lock IAM Make you sure to start managing security under uncertain terms without AI  NIST-124 Refers to NIST-800-53 and other  Sometimes missed requirements such as locking device, however it is in NIST-800-53 A bit details than CSA No statements on permission management Make you sure to start managing security under uncertain terms without AI 
  • 39. Severity & Efficiency Permissions  BlackBerry  Windows  Android  iOS MDM  BlackBerry (old)  iOS – BlackBerry (new)  Windows Vulnerabilities  BlackBerry  Windows  iOS  Android Compliance  Has nothing with insecurity reality
  • 40. [ APPLICATION EXAMINATION ] ONLY THOSE I HAVE TO USE EVERY DAY  Account  country code, phone number  Device Hardware Key  login / tokens of Twitter & Facebook  Calls history  Name + internal ID  Duration + date and time  Address book  Quantity of contacts / viber-contacts  Full name / Email / phone numbers  Messages FORENSICS EXAMINATION  Conversations  Quantity of messages & participants per conversations  Additional participant info (full name, phone)  Messages  Date & Time  content of message  ID
  • 41. [ APPLICATION EXAMINATION ] ONLY THOSE I HAVE TO USE EVERY DAY  Account  country code, phone number  login / tokens Facebook wasn’t revealed  ‘Buy me for….$$$’   Avatars :: phone+@s.whatsapp.net.j (jfif)  Address book  No records of address book were revealed…  Check log-file and find these records (!)  Messages  Messages  Date & Time FORENSICS EXAMINATION  content of message  ID :: phone@s.whatsapp.net
  • 42. [ APPLICATION EXAMINATION ] ONLY THOSE I HAVE TO USE EVERY DAY  Account  Phone number  Password, secret code weren’t revealed  Trace app, find the methods use it  Repack app and have a fun  No masking of data typed  Information  Amount  Full info in history section (incl. info about who receive money) FORENSICS EXAMINATION  Connected cards  Encryption?  No   Bank cards  Masked card number only  Qiwi Bank cards  Full & masked number  Cvv/cvc  All other card info 
  • 43. [ APPLICATION EXAMINATION ] ONLY THOSE I HAVE TO USE EVERY DAY  Account  ID , email, password  Information  Loyalty (bonus) of your membership  all you ever type  Date of birth  Passport details  Book/order history  Routes,  Date and time,  Bonus earning  Full info per each order FORENSICS EXAMINATION  Connected cards  Encryption?  AES  256 bit  On password anywayanydayanywayanyday  Store in plaintext  Sizeof(anywayanydayanywayanyday) = 192 bit
  • 44. [ APPLICATION EXAMINATION ] ONLY THOSE I HAVE TO USE EVERY DAY  Account  ID ,bonus card number, password not revealed  Other id & tokens  Information  Date of birth  Passport details  History (airlines, city, flight number only)  Flights tickets, logins credentials  Repack app and grab it  FORENSICS EXAMINATION
  • 45. [ APPLICATION EXAMINATION ] ONLY THOSE I HAVE TO USE EVERY DAY  Account  ID , password  Loyalty (bonus) card number  Information  Not revealed (tickets, history or else)  Repack app  FORENSICS EXAMINATION
  • 46. [ APPLICATION EXAMINATION ] ONLY THOSE I HAVE TO USE EVERY DAY FORENSICS EXAMINATION  Account  ID , email, password  Other id & tokens  Information  Loyalty (bonus) of your membership  all you ever type  Date of birth  Passport details  All PASSPORT INFO (not only travel data)  Your work data (address, job, etc.) you have never typed!  Flights tickets  Repack app and grab it
  • 47. ISSUES : USELESS SOLUTIONS USERFULL IDEASAT FIRST GLANCE BUT INSTEADMAKE NO SENSE  MERGING PERMISSIONS INTO GROUPS, e.g.  ‘SCREEN CAPTURE, CAMERA, VIDEO PERMISSIONS’ SEPARATED (BlackBerry old)  ‘SCREEN CAPTURE, CAMERA, VIDEO PERMISSIONS’ MERGED INTO ONE UNIT (BlackBerry new)  SCREEN CAPTURE  IS ALLOWED VIA HARDWARE BUTTONS ONLY  NO EMULATION OF HARDWARE BUTTONS AS IT WAS IN OLD BLACKBERRY DEVICES  LOCKS WHEN WORK PERIMITER HAS BECOME TO PREVENT SCREEN-CAPTURE LOGGERS  OFFICIALLY ANNOUNCED SANDBOX  MALWARE IS STILL A PERSONAL APPLICATION SUBTYPE IN TERMS OF (IN-)SECURITY  SANDBOX PROTECTS ONLY APP DATA, WHILE USER DATA STORED IN SHARED FOLDERS  INABILITY OF BACKUP MAKE DEVELOPERS TO STORE DATA IN SHARED FOLDERS
  • 48. CONCLUSION PRIVILEGEDGENERAL PERMISSIONS  DENIAL OF SERVICE  REPLACING/REMOVING FILES  DOS’ing EVENTs, GUI INTERCEPT  INFORMATION DISCLOSURE  CLIPBOARD, SCREEN CAPTURE  GUI INTERCEPT  SHARED FOLDERS  DUMPING .COD/.BAR/APK… FILES OWN APPs, NATIVE & 3RD PARTY APPs FEATURES  MITM (INTERCEPTION / SPOOFING)  MESSAGES  GUI INTERCEPT, THIRD PARTY APPs  FAKE WINDOW/CLICKJACKING  GENERAL PERMISSIONS  INSTEAD OF SPECIFIC SUB-PERMISSIONS  A FEW NOTIFICATION/EVENT LOGs FOR USER  BUILT PER APPLICATION INSTEAD OF APP SCREENs
  • 49. Q&A