
(IN-)EFFICIENCY OF SECURITY FEATURES ON MOBILE SECURITY AND COMPLIANCE

YURY CHEMERKIN
Balkan Computer Congress (BalCCON 2013)

[ YURY CHEMERKIN ]
www.linkedin.com/in/yurychemerkin
EXPERIENCED IN :
REVERSE ENGINEERING & AV SOFTWARE
PROGRAMMING & DOCUMENTATION
MOBILE SECURITY AND MDM
CYBER SECURITY & CLOUD SECURITY
COMPLIANCE & TRANSPARENCY
FORENSICS AND SECURITY
WRITING: HAKIN9 / PENTEST / EFORENSICS MAGAZINE, GROTECK BUSINESS MEDIA
PARTICIPATION AT CONFERENCES: INFOSECURITY RUSSIA, NULLCON, ATHCON, CONFIDENCE, PHDAYS, DEFCON MOSCOW, HACKTIVITY, HACKFEST, CYBERCRIME FORUM, CYBER INTELLIGENCE EUROPE / INTELLIGENCE-SEC, DEEPINTEL, ICITST, CTICON (CYBERTIMES), ITA, I-SOCIETY

http://sto-strategy.com

yury.s@chemerkin.com

[ OPINIONS ]
BLACKBERRY IS SAFER THAN WINDOWS, WHICH IS SAFER THAN iOS, WHICH IS SAFER THAN ANDROID IN TURN
APPLE'S CENTRALIZED POINT OF DISTRIBUTION PROVIDES CONFIDENCE THROUGH VALIDATION BY APPLE, EXCEPT FOR THE SUSPICIOUS APP SUBMITTED BY Ch. MILLER THAT APPLE SUCCESSFULLY APPROVED AND THAT THEN INSTALLED CYDIA AND OTHER APPS
MICROSOFT (WINDOWS PHONE) HAS A CENTRALIZED MARKET WITH DEEPER TESTING AND VALIDATION, LIKE APPLE
GOOGLE PROVIDES A CENTRALIZED MARKET TOO, BUT ALSO THE ABILITY TO INSTALL APPS FROM 3RD-PARTY SOURCES SUCH AS AMAZON; ANY OTHER SOURCES ORIGINATE FROM MALWARE HOTSPOTS: ALTERNATIVE MARKETS FOR SO-CALLED "CRACKED" APPS DISTRIBUTE REPACKAGED APPS FOR FREE
BLACKBERRY IS THE SAFEST OS BECAUSE IT IS THE MOST MANAGEABLE AND SECURE, MAINLY BECAUSE IT IS BUILT THE ENTERPRISE WAY


[ Vulnerabilities of OS and apps ]

[chart: vulnerability scores, one bar per vulnerability, dated 2004 to 2013; series: Score - iOS, Score - Android, Score - BB]

[ Vulnerabilities of OS and apps ]


MIN & AVERAGE SCORE
Platform | Min | Average
Android  | 1,9 | 8,2
iOS      | 1,2 | 6,3
BB       | 2,1 | 6,3

[ SOURCE & BINARY ANALYSIS TOOLS ]


"HEY DUDE, WHY IS IT VULNERABLE AGAIN?" / "SORRY, BIG BOSS, I'D JUST COMMITTED A WRONG BRANCH" (cartoon captions)
HOW MANY TOOLS THERE ARE (approx.): iOS 10, ANDROID 50, WINDOWS PHONE 40, BLACKBERRY 10
QUANTITY OF BUGS / SECURITY FLAWS: AVERAGE 50, MIN 20, MAX INFINITY
WARNING :: ADS. VERACODE IS THE MOST USEFUL

BUG TYPES (OBVIOUS | LIKELY):
MISSED CONSTRUCTIONS LIKE DOUBLE/TRIPLE free()
DEBUG PATHS, KEYS, ETC.
PLAINTEXT & HARD-CODED PASSWORDS, TOKENS, MASTER KEYS, ETC.
NON-SECURE FLAWS, CONSTRUCTIONS, ETC. CHECK IT OUT

"SQL INJECTION IS POSSIBLE" / "THERE IS NO HTTPS HERE" (cartoon captions)
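An added example, not part of the talk: a minimal scanner for three of the flaw classes on this slide (hard-coded secrets, cleartext http:// endpoints, string-built SQL), run over a constructed Java snippet of the kind a decompiler produces. The sample source, the rule set and every identifier in it are assumptions made for the demo; the regexes are deliberately simple and will flag false positives on real code, which is exactly the "average 50 findings" experience the slide describes.

```python
"""Added example (not from the talk): a minimal source scanner for three flaw
classes from the slide: hard-coded credentials, cleartext http:// endpoints and
string-built SQL. The Java snippet is constructed for the demo."""
import re

# Constructed sample: what a decompiled Android service might look like.
SAMPLE_JAVA = '''
public class SyncService {
    private static final String MASTER_KEY = "anywayanydayanywayanyday";
    private static final String API = "http://api.example.invalid/v1/sync";
    private static final String CDN = "https://cdn.example.invalid/";
    void load(SQLiteDatabase db, String user) {
        Cursor c = db.rawQuery("SELECT * FROM cards WHERE owner = '" + user + "'", null);
        String token = prefs.getString("token", "");
        byte[] k = MASTER_KEY.getBytes();
    }
}
'''

# (rule name, pattern). Intentionally coarse: a first-pass triage grep.
RULES = [
    ("hard-coded secret",
     re.compile(r'(?i)(password|passwd|secret|token|master_?key|api_?key)\s*=\s*"[^"]{4,}"')),
    ("cleartext http URL",
     re.compile(r'"http://[^"]+"')),
    ("string-built SQL",
     re.compile(r'"\s*(SELECT|INSERT|UPDATE|DELETE)\b[^"]*"\s*\+')),
]


def scan_source(text):
    """Return (line_no, rule_name, matched_text) for every rule hit, in file order."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for name, rx in RULES:
            m = rx.search(line)
            if m:
                findings.append((no, name, m.group(0).strip()))
    return findings


def summarize(findings):
    """Count findings per rule, the number a tool would put on its dashboard."""
    counts = {}
    for _, name, _ in findings:
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    for no, name, text in scan_source(SAMPLE_JAVA):
        print(f"line {no}: {name}: {text}")
    print(summarize(scan_source(SAMPLE_JAVA)))
```

The scanner flags the 24-character master key, the cleartext API endpoint and the concatenated query, and leaves the HTTPS URL and the runtime-loaded token alone. A real tool adds data-flow tracking so that the `user` variable reaching `rawQuery` is what triggers the SQL finding, not the string literal.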

[ MOBILE SECURITY CAPABILITIES ]


THE SAME CAPABILITIES AMONG MOBILE OPERATING SYSTEMS:
SECURE BOOTLOADER
SYSTEM SOFTWARE SECURITY (UPDATES)
APPLICATION CODE SIGNING
RUNTIME PROCESS SECURITY
SANDBOX APIs
HARDWARE SECURITY FEATURES
FILE DATA PROTECTION
SSL, TLS, VPN
PASSCODE PROTECTION
SETTINGS, PERMISSIONS / RESTRICTIONS, CONFIGURATIONS
REMOTE MANAGEMENT: MDM, REMOTE WIPE

[ SECURITY ENVIRONMENT ]
EACH OS EVALUATES EVERY REQUEST THAT AN APPLICATION MAKES FOR ACCESS
MDM SERVICES HELP MANAGE AND PROTECT BLACKBERRY, iOS, WINDOWS, AND ANDROID DEVICES
MDM SERVICES PROVIDE UNIFIED COMMUNICATION AND COLLABORATION SOFTWARE AND SERVICE (SaaS)
EACH OS IS DESIGNED TO PROTECT DATA IN TRANSIT, IN MEMORY AND IN STORAGE AT ALL POINTS
MDM SERVICES ARE ENHANCED BY MANAGING THE BEHAVIOR OF THE DEVICE
OS PROVIDES A CAPABILITY TO PROTECT ANY APPLICATION DATA USING SANDBOXING
OS PROVIDES A CAPABILITY TO MANAGE PERMISSIONS TO ACCESS ITS CAPABILITIES

OS EVALUATES ALL REQUESTS MADE BY THE APP ... BUT THE STATEMENT STAYS AWAY FROM ANY DETAILS AND APIs

[ KNOWN ISSUES ]
THREAT BOUNDS BECOME UNCLEAR
ALL CONTROLLED OBJECTS ARE LIMITED BY: SANDBOX, PERMISSIONS, SECURITY FEATURES ON DEVICES & MDMs
ADDITIONAL FEATURES AREN'T ACCESSIBLE ON THE DEVICE
USER-MODE MALWARE: SPYWARE, ROOTKITS
EXPLOITS & ATTACKS: REVERSING, NETWORK LAYER, RECOVERING DATA VS. SANDBOX & MEMORY, EXPLOITING TO GET SUPER PRIVILEGES

MDM & COMPLIANCE BRING COMMON RECOMMENDATIONS

MDM vs. COMPLIANCE
THE COMMON RECOMMENDATIONS SET IS SMALLER THAN THE SET OF MDM FEATURES
QUITE BETTER TO MANAGE MDM SOLUTIONS THAN THE DEVICE AT ALL; TOO FAR FROM DETAILS
YOUNG STANDARDS: FIRST REVISIONS, DRAFT REVISIONS
MOBILE SECURITY SOFTWARE: READ-ONLY MODE / INFORMATION ONLY; APPLICATION FIREWALL (CALLS, MESSAGES); NETWORK FIREWALL REQUIRES ROOT
NO REAL SECURITY IF YOU BREAK A SANDBOX

[ KNOWN ISSUES. Examples ]


BYPASS MDM SOLUTIONS (iOS, ANDROID): EXPLOITS, DUMP /MEM TO GET EMAILS. BLACKHAT EU 13, http://goo.gl/HN829p

BLACKBERRY PLAYBOOK: EXPLOITS, MITM, DUMP ALL FILES. SECTOR 11, INFILTRATE 12, SOURCE BOSTON 13, http://goo.gl/KaTtFG

TIME-FRAME TO FIX: 7+ MONTHS, OR WAIT FOR THE NEXT UPDATE, OR WAIT FOR A VENDOR'S INTEREST IN YOU

ANALYSIS OF APP DATA AT REST (BLACKBERRY, iOS): DATA LEAKAGE, REVEALED PASSWORDS, MASTER KEYS, ETC. BLACKHAT EU 12, http://goo.gl/STpSll

GAIN ROOT ACCESS (ANDROID)

ANDROID: DATA LEAKAGE, WEAKNESS OF THE CRYPTO ENGINE. PHDAYS III 13, http://goo.gl/x1PPGK

APP SIGNATURE EXPLOITATION, APP MODIFICATION (ANDROID). BLACKHAT USA 13, http://goo.gl/p5FhWG

[ KNOWN ISSUES. Examples ]


PLAYBOOK ARTIFACTS (see the previous slide): BROWSER HISTORY, NETWORKING IDs, FLAGS, MACs, VIDEO CALL DETAILS, ACCESS TO THE INTERNAL NETWORK
KERNEL (BLACKBERRY Z10): MICROKERNEL DUMP, EVEN DEVELOPERS' CREDENTIALS (FACEBOOK, MOBILE, EMAILS). BLACKHAT, DEFCON MOSCOW, http://goo.gl/R74leX
GUI FAILS (BLACKBERRY OS): DATA LEAKAGE, REVEAL PASSWORDS, ANYTHING; NO PERMISSIONS REQUESTED; BORROW PERMISSIONS OF ANOTHER APP. NULLCON 13, CONFIDENCE 13, http://goo.gl/phMey2

[ APPLICATION EXAMINATION ]
ONLY THOSE I HAVE TO USE EVERY DAY
ACCOUNT: country code, phone number; device hardware key; login / tokens of Twitter & Facebook
CALLS HISTORY: name + internal ID; duration + date and time
ADDRESS BOOK: quantity of contacts / viber-contacts; full name / email / phone numbers
MESSAGES (FORENSICS EXAMINATION): conversations; quantity of messages & participants per conversation; additional participant info (full name, phone); per message: date & time, content, ID

[ APPLICATION EXAMINATION ]
ACCOUNT: country code, phone number; login / tokens of Facebook weren't revealed ("buy me for $$$")
AVATARS :: phone+@s.whatsapp.net.j (jfif)
ADDRESS BOOK: no records of the address book were revealed; check the log file and find these records there (!)
MESSAGES (FORENSICS EXAMINATION): per message: date & time, content; ID :: phone@s.whatsapp.net

[ APPLICATION EXAMINATION ]
ACCOUNT: phone number; password and secret code weren't revealed: trace the app, find the methods and use them; repack the app and have fun; no masking of typed data
INFORMATION: amount; full info in the history section (incl. info about who receives money)
CONNECTED CARDS (FORENSICS EXAMINATION): encryption? No. Bank cards: masked card number only. Qiwi bank cards: full & masked number, CVV/CVC, all other card info

[ APPLICATION EXAMINATION ]
ACCOUNT: ID, email, password
INFORMATION: loyalty (bonus) of your membership, all you ever type: date of birth, passport details; book/order history: routes, date and time, bonus earning, full info per order
CONNECTED CARDS (FORENSICS EXAMINATION): encryption? AES, "256 bit", keyed on the password "anywayanydayanywayanyday", which is stored in plaintext; sizeof("anywayanydayanywayanyday") = 24 bytes = 192 bits, so not even a 256-bit key

[ APPLICATION EXAMINATION ]
ACCOUNT: ID, bonus card number; password not revealed; other IDs & tokens
INFORMATION: date of birth, passport details; history (airline, city, flight number only)
FORENSICS EXAMINATION: flight tickets, login credentials; repack the app and grab them

[ APPLICATION EXAMINATION ]
ACCOUNT: ID, password; loyalty (bonus) card number
INFORMATION (FORENSICS EXAMINATION): not revealed (tickets, history or else); repack the app

[ APPLICATION EXAMINATION ]
ACCOUNT: ID, email, password; other IDs & tokens
INFORMATION (FORENSICS EXAMINATION): loyalty (bonus) of your membership, all you ever type: date of birth, passport details, ALL PASSPORT INFO (not only travel data); your work data (address, job, etc.) that you have never typed!
FLIGHT TICKETS: repack the app and grab them

[ DEVICE MANAGEMENT ]
APPLICATION-LEVEL ATTACK VECTOR
GOALS - MOBILE RESOURCES / AIM OF ATTACK: DEVICE RESOURCES, OUTSIDE-OF-DEVICE RESOURCES
ATTACKS - SET OF ACTIONS UNDER THE THREAT
APIs - RESOURCES WIDELY AVAILABLE TO CODERS
SECURITY FEATURES - KERNEL PROTECTION, NON-APP FEATURES
PERMISSIONS - EXPLICITLY CONFIGURED
3RD PARTY - AV, FIREWALL, VPN, MDM
COMPLIANCE - RULES TO DESIGN MOBILE SECURITY IN ALIGNMENT WITH COMPLIANCE

[diagram: layers between Goals and Attacks: AV, MDM, DLP, VPN (non-app features); MDM features; Kernel protection; Permissions; APIs]

[ DEVICE MANAGEMENT ]
Concurrency over native & additional security features
= , , , set of OS permissions, set of device permissions, set of MDM permissions, set of missed permissions (lack of controls), set of rules are explicitly should be applied to gain a compliance = + , set of APIs , set of APIs that interact with sensitive data, set of APIs that do not interact with sensitive data To get a mobile security designed with full granularity the set should be empty set to get instead of , so the matter how is it closer to empty. On another hand it should find out whether assumptions , are true and if it is possible to get .

The situation is very serious

Set of permissions < Set of activities: efficiency in the typical case is < 100%; ability to control each API = 100%; more than 1 permission per API > 100%
Lack of knowledge about possible attacks; improper granularity

[diagram: AV, MDM, DLP, VPN; MDM features; Non-app features; Kernel protection; Permissions]

[ BLACKBERRY. PERMISSIONS ]
Permission (rows) | BB 10 Cascades SDK | BB 10 AIR SDK | PB (NDK/AIR)
Background processing, BlackBerry Messenger, Calendar, Contacts, Camera, Device identifying information, Email and PIN messages, GPS location, Internet, Location, Microphone, Narrow swipe up, Notebooks, Notifications, Player, Phone, Push, Shared files, Text messages, Volume
Marks as extracted: BB 10 AIR SDK: 15 permissions marked "+"; PB (NDK/AIR): 10 marked "+" and 2 marked "via invoke calls" (the per-row marks are not recoverable from the extracted slide)

[ BLACKBERRY. Significant APIs ]


Feature | Q. APIs | Q. sign. APIs | % (sign. APIs) | Controlled?
BlackBerry Messenger | 77 | 70 | 90,91 | +
Calendar | 443 | 126 | 28,44 | +
Camera | 47 | 41 | 87,23 | +
Contacts | 316 | 150 | 47,47 | +
Device identifying info | 15 | 14 | 93,33 | +
Email & PIN messages | 347 | 211 | 60,81 | +
Internet | 161 | 145 | 90,06 | +
Microphone | 21 | 15 | 71,43 | +
Notebooks | 123 | 86 | 69,92 | +
Notifications | 32 | 24 | 75,00 | +
Phone | 27 | 22 | 81,48 | +
Push | 25 | 22 | 88,00 | +
Shared files | 78 | 70 | 89,74 | +
Text messages | 10 | 6 | 60,00 | +
Account | 66 | 21 | 31,82 | -
MediaPlayer | 66 | 63 | 95,45 | -
NFC | 24 | 11 | 45,83 | -
Radio & SIM | 68 | 51 | 75,00 | -
Clipboard | 6 | 4 | 66,67 | -
(the slide shows a single "-" spanning the last five rows: no BB 10 permission covers them)

[ BLACKBERRY. Common activities ]


[chart: per-feature bars; series: Q. of m.+a. activity, Q. of m.+a. permission; y-axis 0 to 35]

[ BLACKBERRY. Derived activities ]


[chart: per-feature bars; series: Q. of derived activities, Q. of derived perm; y-axis 0 to 120]

[ BLACKBERRY. Efficiency (%) ]


[chart: per-feature percentages; series: % m+a activity vs perm, % m+a derived activity vs perm; y-axis 0,00 to 250,00]

[ iOS. Info.plist(app capabilities) ]


Key (UIRequiredDeviceCapabilities) | Description
auto-focus-camera | handle autofocus capabilities of the device's still camera, e.g. for macro photography or image processing
bluetooth-le | handle the presence of Bluetooth low-energy hardware on the device
camera-flash | handle a camera flash for taking pictures or shooting video
front-facing-camera | handle a forward-facing camera, such as capturing video from the device's camera
gamekit | handle Game Center
gps | handle GPS (or AGPS) hardware to track location when higher accuracy than Cellular/Wi-Fi is needed
location-services | retrieve the device's current location using the Core Location framework via Cellular/Wi-Fi
microphone | handle the built-in microphone and its accessories
peer-peer | handle peer-to-peer connectivity over a Bluetooth network
sms | handle the presence of the Messages application, such as opening URLs with the sms scheme
still-camera | handle the presence of a camera on the device, such as capturing images from the device's still camera
telephony | handle the presence of the Phone application, such as opening URLs with the tel scheme
video-camera | handle the presence of a camera with video capabilities, such as capturing video from the device's camera
wifi | access to the networking features of the device

[ iOS. Settings ]
Component | Unit | Subcomponents
Privacy :: Location | per each 3rd-party app; for system services
Privacy :: Private Info | Contacts, Calendar, Reminders, Photos; Bluetooth Sharing; Twitter, Facebook
Accounts | disables changes to Mail, Contacts, Calendars, iCloud, and Twitter accounts; Find My Friends
Content Type Restrictions | Volume limit; Ratings per country and region; Music and podcasts; Movies, Books, Apps, TV shows; In-app purchases; Require passwords (in-app purchases)
Game Center | Multiplayer Games; Adding Friends
Manage applications | Installing Apps; Removing Apps
Restrictions :: Native applications | Safari; Camera, FaceTime; iTunes Store, iBookstore; Siri (Explicit Language)
Restrictions :: 3rd-party applications | Manage applications*; Privacy*, Accounts*; Content Type Restrictions* (* = the components above)

[ iOS. Common activities ]


[chart: per-feature bars; series: Q. of m.+a. activity, Q. of m.+a. permission, Q. of m.+a. perm plus parental perm; y-axis 0 to 20]

[ iOS. Derived activities ]


[chart: per-feature bars; series: Q. of derived activities, Q. of derived perm, Q. of derived perm plus parental perm; y-axis 0 to 80]

[ iOS. Efficiency (%) ]


[chart: per-feature percentages; series: % m+a activity vs perm, % m+a derived activity vs perm, Q. of m.+a. perm plus parental perm, Q. of derived perm plus parental perm; y-axis 0% to 100%]

[ Windows. Permissions ]
Permission (app capability) | Description
General use capabilities
musicLibrary | provides access to the user's Music library, allowing the app to enumerate and access all files w/o user interaction
picturesLibrary | provides access to the user's Pictures library, allowing the app to enumerate and access all files w/o user interaction
videosLibrary | provides access to the user's Videos library, allowing the app to enumerate and access all files w/o user interaction
removableStorage | provides access to files on removable storage, such as USB keys and external hard drives, filtered to the file type associations
microphone | provides access to the microphone's audio feed, which allows recording audio from connected microphones
webcam | provides access to the webcam's video feed, which allows capturing snapshots and movies from a connected webcam
location | provides access to location functionality, like a GPS sensor or derived from available network info
proximity | enables multiple devices in close proximity to communicate with one another via any possible connection, incl. Bluetooth, WiFi, and the internet
internetClient, internetClientServer | provides outbound (inbound is for server only) access to the Internet and public networks via the firewall
privateNetworkClientServer | provides inbound and outbound access to home and work networks through the firewall, for games or for applications that share data across local devices
Special use capabilities
enterpriseAuthentication | enables a user to log into remote resources using their credentials, and act as if the user provided their user name and password
sharedUserCertificates | enables access to software and hardware certificates, like smart cards
documentsLibrary | provides access to the user's Documents library, filtered to the file type associations

[ Windows. Significant APIs ]


Feature | Q. APIs | Q. sign. APIs | % (sign. APIs) | Controlled?
General use capabilities
Notifications | 68 | 4 | 5,88 | +
Music library | 1300 | 138 | 10,62 | +
Pictures library | 1157 | 133 | 11,50 | +
Videos library | 1300 | 138 | 10,62 | +
Removable storage | 1045 | 109 | 10,43 | +
Microphone | 274 | 33 | 12,04 | +
Webcam | 409 | 91 | 22,25 | +
Location | 37 | 5 | 13,51 | +
Proximity | 54 | 19 | 35,19 | +
Internet and public networks | 488 | 134 | 27,46 | +
Home and work networks | 488 | 134 | 27,46 | +
Special use capabilities
Enterprise authentication | 8 | 4 | 50,00 | +
Shared User Certificates | 20 | 5 | 25,00 | +
Documents library | 1045 | 126 | 12,06 | +
Non-controlled capabilities
Clipboard | 132 | 20 | 15,15 | -
Phone | 18 | 6 | 33,33 | -
SMS | 122 | 25 | 20,49 | -
Contacts | 97 | 31 | 31,96 | -
Device Info | 221 | 30 | 13,57 | -
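An added example, not the talk's own tooling: the "% (sign. APIs)" column of the BlackBerry and Windows tables above recomputed from the tables' own counts, plus the one figure the slides only imply, how many of the significant APIs sit in features that no permission controls at all. The data rows are copied from the two tables and the controlled flag follows their "+"/"-" column (on both slides the single "-" spans the last five rows). The efficiency helper implements the ratio the "Device management" slides describe (permissions that exist per activity to control, in %), so values like 16,67 or 250,00 on the efficiency charts can be reproduced from any pair of counts; the pairs fed to it below are illustrative, not read off the charts.

```python
"""Added example (not from the talk): recompute the significant-API share per
feature from the BlackBerry 10 and Windows tables on the slides, and the share
of significant APIs that no permission governs. Numbers are copied from the
slides; the 'controlled' flags follow the tables' '+'/'-' column."""

# (feature, total APIs, significant APIs, controlled by a permission?)
BLACKBERRY = [
    ("BlackBerry Messenger", 77, 70, True), ("Calendar", 443, 126, True),
    ("Camera", 47, 41, True), ("Contacts", 316, 150, True),
    ("Device identifying info", 15, 14, True), ("Email & PIN messages", 347, 211, True),
    ("Internet", 161, 145, True), ("Microphone", 21, 15, True),
    ("Notebooks", 123, 86, True), ("Notifications", 32, 24, True),
    ("Phone", 27, 22, True), ("Push", 25, 22, True),
    ("Shared files", 78, 70, True), ("Text messages", 10, 6, True),
    ("Account", 66, 21, False), ("MediaPlayer", 66, 63, False),
    ("NFC", 24, 11, False), ("Radio & SIM", 68, 51, False), ("Clipboard", 6, 4, False),
]

WINDOWS = [
    ("Notifications", 68, 4, True), ("Music library", 1300, 138, True),
    ("Pictures library", 1157, 133, True), ("Videos library", 1300, 138, True),
    ("Removable storage", 1045, 109, True), ("Microphone", 274, 33, True),
    ("Webcam", 409, 91, True), ("Location", 37, 5, True), ("Proximity", 54, 19, True),
    ("Internet and public networks", 488, 134, True),
    ("Home and work networks", 488, 134, True),
    ("Enterprise authentication", 8, 4, True), ("Shared User Certificates", 20, 5, True),
    ("Documents library", 1045, 126, True),
    ("Clipboard", 132, 20, False), ("Phone", 18, 6, False), ("SMS", 122, 25, False),
    ("Contacts", 97, 31, False), ("Device Info", 221, 30, False),
]


def significant_share(rows):
    """Per-feature % of APIs that touch sensitive data: the '% (sign. APIs)' column."""
    return {name: round(100.0 * sig / total, 2) for name, total, sig, _ in rows}


def coverage_summary(rows):
    """Platform-wide totals and the share of significant APIs no permission governs."""
    total = sum(r[1] for r in rows)
    sig = sum(r[2] for r in rows)
    uncontrolled_sig = sum(r[2] for r in rows if not r[3])
    return {
        "apis": total,
        "significant": sig,
        "significant_pct": round(100.0 * sig / total, 2),
        "uncontrolled_significant": uncontrolled_sig,
        "uncontrolled_significant_pct": round(100.0 * uncontrolled_sig / sig, 2),
    }


def permission_efficiency(permissions, activities):
    """The slides' efficiency ratio in %: permissions that exist per activity to
    control. Below 100 one permission covers several activities; above 100
    several permissions gate one activity."""
    return round(100.0 * permissions / activities, 2)


if __name__ == "__main__":
    for label, rows in (("BlackBerry 10", BLACKBERRY), ("Windows", WINDOWS)):
        print(label, coverage_summary(rows))
    # Illustrative pairs (assumed, not read off the charts): 1 permission for
    # 6 activities, 5 permissions for 2 activities.
    print(permission_efficiency(1, 6), permission_efficiency(5, 2))
```

On the slides' own numbers roughly one significant BlackBerry 10 API in eight (150 of 1152) and one Windows API in eleven (112 of 1185) is reachable without any permission at all, which is the concrete form of the "non-controlled capabilities" rows.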

[ Windows. Common Activities ]


[chart: per-feature bars; series: Q. of m.+a. activity, Q. of m.+a. permission; y-axis 0 to 14]

[ Windows. Derived Activities ]


[chart: per-feature bars; series: Q. of derived activities, Q. of derived perm; y-axis 0 to 25]

[ Windows. Efficiency (%) ]


[chart: per-feature percentages; series: % m+a activity vs perm, % m+a derived activity vs perm; y-axis 0,00 to 120,00]

[ Android. Permissions ]
The list contains ~150 permissions:
ACCESS_CHECKIN_PROPERTIES, ACCESS_COARSE_LOCATION, ACCESS_FINE_LOCATION, ACCESS_LOCATION_EXTRA_COMMANDS, ACCESS_MOCK_LOCATION, ACCESS_NETWORK_STATE, ACCESS_SURFACE_FLINGER, ACCESS_WIFI_STATE, ACCOUNT_MANAGER, ADD_VOICEMAIL, AUTHENTICATE_ACCOUNTS, BATTERY_STATS, BIND_ACCESSIBILITY_SERVICE, BIND_APPWIDGET, BIND_DEVICE_ADMIN, BIND_INPUT_METHOD, BIND_REMOTEVIEWS, BIND_TEXT_SERVICE, BIND_VPN_SERVICE, BIND_WALLPAPER, BLUETOOTH, BLUETOOTH_ADMIN, BRICK, BROADCAST_PACKAGE_REMOVED, BROADCAST_SMS, BROADCAST_STICKY, BROADCAST_WAP_PUSH, CALL_PHONE, CALL_PRIVILEGED, CAMERA, CHANGE_COMPONENT_ENABLED_STATE, CHANGE_CONFIGURATION, CHANGE_NETWORK_STATE, CHANGE_WIFI_MULTICAST_STATE, CHANGE_WIFI_STATE, CLEAR_APP_CACHE, CLEAR_APP_USER_DATA, CONTROL_LOCATION_UPDATES, DELETE_CACHE_FILES, DELETE_PACKAGES, DEVICE_POWER, DIAGNOSTIC, DISABLE_KEYGUARD, DUMP, EXPAND_STATUS_BAR, FACTORY_TEST, FLASHLIGHT, FORCE_BACK, GET_ACCOUNTS, GET_PACKAGE_SIZE, GET_TASKS, GLOBAL_SEARCH, HARDWARE_TEST, INJECT_EVENTS, INSTALL_LOCATION_PROVIDER, INSTALL_PACKAGES, INTERNAL_SYSTEM_WINDOW, INTERNET, KILL_BACKGROUND_PROCESSES, MANAGE_ACCOUNTS, MANAGE_APP_TOKENS, MASTER_CLEAR, MODIFY_AUDIO_SETTINGS, MODIFY_PHONE_STATE, MOUNT_FORMAT_FILESYSTEMS, MOUNT_UNMOUNT_FILESYSTEMS, NFC, PERSISTENT_ACTIVITY, PROCESS_OUTGOING_CALLS, READ_CALENDAR, READ_CALL_LOG, READ_CONTACTS, READ_EXTERNAL_STORAGE, READ_FRAME_BUFFER, READ_HISTORY_BOOKMARKS, READ_INPUT_STATE, READ_LOGS, READ_PHONE_STATE, READ_PROFILE, READ_SMS, READ_SOCIAL_STREAM, READ_SYNC_SETTINGS, READ_SYNC_STATS, READ_USER_DICTIONARY, REBOOT, RECEIVE_BOOT_COMPLETED, RECEIVE_MMS, RECEIVE_SMS, RECEIVE_WAP_PUSH, RECORD_AUDIO, REORDER_TASKS, RESTART_PACKAGES, SEND_SMS, SET_ACTIVITY_WATCHER, SET_ALARM, SET_ALWAYS_FINISH, SET_ANIMATION_SCALE, SET_DEBUG_APP, SET_ORIENTATION, SET_POINTER_SPEED, SET_PREFERRED_APPLICATIONS, SET_PROCESS_LIMIT, SET_TIME, SET_TIME_ZONE, SET_WALLPAPER, SET_WALLPAPER_HINTS, SIGNAL_PERSISTENT_PROCESSES, STATUS_BAR, SUBSCRIBED_FEEDS_READ, SUBSCRIBED_FEEDS_WRITE, SYSTEM_ALERT_WINDOW, UPDATE_DEVICE_STATS, USE_CREDENTIALS, USE_SIP, VIBRATE, WAKE_LOCK, WRITE_APN_SETTINGS, WRITE_CALENDAR, WRITE_CALL_LOG, WRITE_CONTACTS, WRITE_EXTERNAL_STORAGE, WRITE_GSERVICES, WRITE_HISTORY_BOOKMARKS, WRITE_PROFILE, WRITE_SECURE_SETTINGS, WRITE_SETTINGS, WRITE_SMS, WRITE_SOCIAL_STREAM, WRITE_SYNC_SETTINGS, WRITE_USER_DICTIONARY

I have seen that on old BlackBerry devices

[ Android. Permission Groups ]
But there are only 30 permission groups:
ACCOUNTS, AFFECTS_BATTERY, APP_INFO, AUDIO_SETTINGS, BLUETOOTH_NETWORK, BOOKMARKS, CALENDAR, CAMERA, COST_MONEY, DEVELOPMENT_TOOLS, DEVICE_ALARMS, DISPLAY, HARDWARE_CONTROLS, LOCATION, MESSAGES, MICROPHONE, NETWORK, PERSONAL_INFO, PHONE_CALLS, SCREENLOCK, SOCIAL_INFO, STATUS_BAR, STORAGE, SYNC_SETTINGS, SYSTEM_CLOCK, SYSTEM_TOOLS, USER_DICTIONARY, VOICEMAIL, WALLPAPER, WRITE_USER_DICTIONARY

I have seen that on old BlackBerry devices too
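An added example, not from the talk, for the ~150-permissions-versus-30-groups point: parse a constructed AndroidManifest.xml and count what the install prompt shows (groups) against what the app actually holds (individual permissions). The manifest is constructed for the demo, and the permission-to-group mapping is a small hand-picked subset assumed here for illustration (the complete mapping is the platform's own and has changed across releases); the group names are taken from the list above.

```python
"""Added example (not from the talk): what the user sees (permission groups)
versus what the app holds (permissions) for a constructed AndroidManifest.xml.
GROUP_OF is an assumed subset of the platform's permission -> group mapping."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest: a 'messaging' app that also reads contacts and location.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.WRITE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>
"""

# Assumed subset of the platform mapping (Android 4.x era); group names from the slide.
GROUP_OF = {
    "READ_SMS": "MESSAGES", "SEND_SMS": "MESSAGES",
    "RECEIVE_SMS": "MESSAGES", "WRITE_SMS": "MESSAGES",
    "READ_CONTACTS": "SOCIAL_INFO",
    "ACCESS_FINE_LOCATION": "LOCATION", "ACCESS_COARSE_LOCATION": "LOCATION",
    "INTERNET": "NETWORK",
    "READ_PHONE_STATE": "PHONE_CALLS",
}


def requested_permissions(manifest_xml):
    """Short names of every <uses-permission> in the manifest, in document order."""
    root = ET.fromstring(manifest_xml)
    names = []
    for el in root.iter("uses-permission"):
        full = el.get("{%s}name" % ANDROID_NS, "")
        names.append(full.rsplit(".", 1)[-1])
    return names


def groups_shown(perms):
    """Group -> permissions it hides; anything outside GROUP_OF lands in UNGROUPED."""
    groups = {}
    for p in perms:
        groups.setdefault(GROUP_OF.get(p, "UNGROUPED"), []).append(p)
    return groups


def granularity_loss(manifest_xml):
    """How many decisions the user is shown vs. how many capabilities the app holds."""
    perms = requested_permissions(manifest_xml)
    groups = groups_shown(perms)
    return {"permissions": len(perms), "groups": len(groups),
            "largest_group": max(groups, key=lambda g: len(groups[g]))}


if __name__ == "__main__":
    for g, ps in groups_shown(requested_permissions(SAMPLE_MANIFEST)).items():
        print(f"{g}: {', '.join(ps)}")
    print(granularity_loss(SAMPLE_MANIFEST))
```

For this manifest the prompt collapses nine permissions into five groups, and a single "MESSAGES" entry stands for reading, sending, receiving and rewriting SMS at once; that is the "general permissions instead of specific sub-permissions" problem the conclusion comes back to.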

[ A droid. Efficiency (%) ]


[chart: per-feature percentages; series: % m+a activity vs perm, % m+a derived activity vs perm; y-axis 0,00 to 50,00]

[ Average quantitative indicators ]


[chart: average quantitative indicators per platform (Android, Windows, iOS, BlackBerry); series: Q. APIs, Q. sign APIs, Q. of m.+a. activities, Q. of derived activities, Q. of m.+a. permissions, Q. of derived permissions, % m+a activities vs perm, % m+a derived vs perm, % m+a vs perm enhanced by MDM, % derived vs perm enhanced by MDM; y-axis 0% to 100%]

MDM . Extend your device security capabilities


Android
CONTROLLED FOUR GROUPS ONLY
CAMERA AND VIDEO: HIDE THE DEFAULT CAMERA APPLICATION
PASSWORD: DEFINE PASSWORD PROPERTIES; REQUIRE LETTERS (incl. case); REQUIRE NUMBERS; REQUIRE SPECIAL CHARACTERS; DELETE DATA AND APPLICATIONS FROM THE DEVICE AFTER INCORRECT PASSWORD ATTEMPTS; DEVICE PASSWORD; ENABLE AUTO-LOCK; LIMIT PASSWORD AGE; LIMIT PASSWORD HISTORY; RESTRICT PASSWORD LENGTH; MINIMUM LENGTH ALLOWED FOR THE DEVICE PASSWORD
ENCRYPTION: APPLY ENCRYPTION RULES; ENCRYPT INTERNAL DEVICE STORAGE
EMAIL PROFILES: TOUCHDOWN SUPPORT; MICROSOFT EXCHANGE SYNCHRONIZATION; ACTIVESYNC
MDM . Extend your device security capabilities


iOS
CONTROLLED 16 GROUPS ONLY
BROWSER: DEFAULT APP, AUTOFILL, COOKIES, JAVASCRIPT, POPUPS
OUTPUT: SCREEN CAPTURE, DEFAULT APP
MESSAGING (DEFAULT APP)
CLOUD SERVICES: BACKUP / DOCUMENT / PICTURE / SHARING
ONLINE STORES: PURCHASES, PASSWORD; DEFAULT STORE / BOOK / MUSIC APP
CAMERA, VIDEO, VIDEO CONF
CERTIFICATES (UNTRUSTED CERTs)
NETWORK, WIRELESS, ROAMING: DATA, VOICE WHEN ROAMING
CONTENT (incl. EXPLICIT): RATING FOR APPS / MOVIES / TV SHOWS / REGIONS
CONNECTIVITY
PASSWORD (THE SAME AS ANDROID, NEW BLACKBERRY DEVICES)
PHONE AND MESSAGING (VOICE DIALING)
PROFILE & CERTs (INTERACTIVE INSTALLATION)
SOCIAL (DEFAULT APP): SOCIAL APPS / GAMING / ADDING FRIENDS / MULTI-PLAYER; DEFAULT SOCIAL-GAMING / SOCIAL-VIDEO APPS
STORAGE AND BACKUP: DEVICE BACKUP AND ENCRYPTION
VOICE ASSISTANT (DEFAULT APP)
DIAGNOSTICS AND USAGE (SUBMISSION LOGS)

MDM . Extend your device security capabilities


BlackBerry (new, 10, QNX)
CONTROLLED 7 GROUPS ONLY
GENERAL: MOBILE HOTSPOT AND TETHERING PLANS; APP WORLD
PASSWORD (THE SAME AS ANDROID, iOS)
BES MANAGEMENT (SMARTPHONES, TABLETS): SOFTWARE
SECURITY: OPEN WORK EMAIL MESSAGE LINKS IN THE PERSONAL BROWSER; TRANSFER THROUGH THE WORK PERIMETER TO THE SAME/ANOTHER DEVICE; BBM VIDEO ACCESS TO THE WORK NETWORK; VIDEO CHAT APP USES THE ORGANIZATION'S WI-FI/VPN NETWORK; WIPE THE WORK SPACE WITHOUT NETWORK; RESTRICT DEV. MODE; VOICE CONTROL & DICTATION IN WORK & USER APPS; BACKUP AND RESTORE (WORK) & DESKTOP SOFTWARE; PC ACCESS TO WORK & PERSONAL SPACE (USB, BT); PERSONAL SPACE DATA ENCRYPTION; NETWORK ACCESS CONTROL FOR WORK APPS; PERSONAL APPS' ACCESS TO WORK CONTACTS; SHARE WORK DATA DURING BBM VIDEO SCREEN SHARING; WORK DOMAINS; WORK NETWORK USAGE FOR PERSONAL APPS
EMAIL PROFILES: CERTIFICATES & CIPHERS & S/MIME; HASH & ENCRYPTION ALGORITHMS AND KEY PARAMS; TASK/MEMO/CALENDAR/CONTACT/DAYS SYNC
WI-FI PROFILES: ACCESS POINT, DEFAULT GATEWAY, DHCP, IPv6, SSID, IP ADDRESS; PROXY PASSWORD/PORT/SERVER/SUBNET MASK
VPN PROFILES: PROXY, SCEP, AUTH PROFILE PARAMS; TOKENS, IKE, IPSEC, OTHER PARAMS; PROXY PORTS, USERNAME, OTHER PARAMS

MDM . Extend your device security capabilities


BlackBerry (old)
THERE ARE 55 GROUPS CONTROLLED IN ALL; EACH GROUP CONTAINS 10 TO 30 UNITS, WHICH ARE CONTROLLED TOO
EACH UNIT HAS A LOT OF FLEXIBLE PARAMETERS INSTEAD OF JUST DISABLE/ENABLE & HIDE/UNHIDE
EACH EVENT IS CONTROLLED BY A CERTAIN PERMISSION AND MAY ALSO BE CONTROLLED BY SIMILAR PERMISSIONS, FOR MORE FLEXIBILITY
DESCRIBED IN 360 PAGES IN ALL, FOUR TIMES MORE THAN THE OTHER VENDORS' DOCUMENTS

A huge number of permissions are MDM & device built-in

EACH UNIT CAN'T CONTROL THE ACTIVITY BENEATH IT: CREATE, READ, WRITE/SAVE, SEND, DELETE ACTIONS ON MESSAGES LEAD TO SPOOFING BY REQUESTING A MESSAGE PERMISSION ONLY
SOME PERMISSIONS AREN'T REQUIRED (TO DELETE ANY OTHER APP)
SOME PERMISSIONS ARE RELATED TO THE APP IN WHICH A 3RD-PARTY PLUGIN WAS EMBEDDED, INSTEAD OF TO THE PLUGIN

ISSUES : USELESS SOLUTIONS


USEFUL IDEAS AT FIRST GLANCE, BUT INSTEAD MAKE NO SENSE
MERGING PERMISSIONS INTO GROUPS, e.g. SCREEN CAPTURE, CAMERA, VIDEO PERMISSIONS SEPARATED (BlackBerry old) vs. SCREEN CAPTURE, CAMERA, VIDEO PERMISSIONS MERGED INTO ONE UNIT (BlackBerry new)
SCREEN CAPTURE IS ALLOWED VIA HARDWARE BUTTONS ONLY; NO EMULATION OF HARDWARE BUTTONS AS THERE WAS ON OLD BLACKBERRY DEVICES; LOCKED WHEN THE WORK PERIMETER IS ACTIVE, TO PREVENT SCREEN-CAPTURE LOGGERS
OFFICIALLY ANNOUNCED SANDBOX: MALWARE IS STILL A PERSONAL-APPLICATION SUBTYPE IN TERMS OF (IN-)SECURITY; THE SANDBOX PROTECTS ONLY APP DATA, WHILE USER DATA IS STORED IN SHARED FOLDERS; THE INABILITY TO BACK UP MAKES DEVELOPERS STORE DATA IN SHARED FOLDERS

ISSUES : USELESS SOLUTIONS


USEFUL IDEAS AT FIRST GLANCE, BUT INSTEAD MAKE NO SENSE
SECURE & INSECURE APP AT THE SAME TIME: HAS ENCRYPTED COMMUNICATION SESSIONS, AND MAY STORE THE CHAT CONVERSATION WITHOUT ENCRYPTION; STORES SENSITIVE DATA IN PLAINTEXT (PASSWORDS, PASSPORT DETAILS, CARD INFO) AND BELIEVES IN THE POWER OF THE SANDBOX
UPGRADE FEATURE AFFECTS EVERYTHING: MAY UPDATE/REMOVE ANY OTHER APP - SURPRISE
REPACKAGES STILL HAVE ACCESS TO THE SAME DATA AS THE ORIGINAL APP; DEBUG / NON-ORIGINAL SIGNATURE PROBLEM? THAT'S NOT A PROBLEM
CLIPBOARD (A SECURE CLIPBOARD HAS NEVER EXISTED ANYWHERE AND MIGHT NEVER): REVEALS THE DATA IN REAL TIME BY ONE API CALL; ACCESSIBLE BY APIs AS WELL AS FILE DATA (DEPENDS ON YOUR OS); NATIVE WALLETS PROTECT BY RETURNING NULL (ONLY OLD BLACKBERRY) WHILE ON TOP || JUST MINIMIZE OR CLOSE IT TO GET FULL ACCESS; EVERY USER MUST MINIMIZE THE APP TO PASTE A PASSWORD

ISSUES : USELESS SOLUTIONS


USEFUL IDEAS AT FIRST GLANCE, BUT INSTEAD MAKE NO SENSE
GUI EXPLOITATION HAPPENS (OLD BLACKBERRY, ANDROID REPACKAGES): REDRAWING THE SCREENS (OLD BB ONLY), GRABBING THE TEXT FROM ANY FIELD (INCL. PASSWORD FIELD), ADDING, REMOVING THE FIELD DATA; ORIGINAL DATA IS INACCESSIBLE BUT NOT AFFECTED
KASPERSKY MOBILE SECURITY PROVIDES INSECURITY: NO PROTECTION FROM REMOVING .CODs; UNDER A SIMULATOR (EXAMINING THE TRAFFIC, BEHAVIOUR) IT JUST CHECKS THE "IS SIMULATOR" API ONLY; SMS MANAGEMENT VIA A "QUITE SECRET" SMS (NOT ENCRYPTED, HASH ONLY); THE SAME SECRET AMONG OPERATING SYSTEMS (BB, ANDROID, WINDOWS); PASSWORD IS 4-16 DIGITS AND MODIFIED IN REAL TIME (OLD BLACKBERRY, OR ANDROID REPACKAGES)

SMS IS HALF OF A GOST R 34.11-94 HASH VALUE
HASH IMPLEMENTATION USES TEST CRYPTO VALUES AND NO SALT; TABLES (VALUE -> HASH) ARE EASILY BUILT
OUTGOING SMS CAN BE SPOOFED WITHOUT ANY NOTIFICATION, BECAUSE KMS DELETES THE SENT MESSAGES
OUTGOING SMS COULD BLOCK/WIPE THE SAME/ANOTHER DEVICE
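An added example, not part of the talk, for the "half a hash value, no salt, tables are easily built" point: precompute the truncated hash of every all-digit secret, recover the secret from one observed SMS command, then forge another. GOST R 34.11-94 is not in Python's standard library, so SHA-256 stands in for it; the SMS format "<command>:<half-hash>" and the 4-5 digit secret range are assumptions for the demo. The attack depends only on the missing salt and the tiny keyspace, not on which hash function is used or on how much of the digest is kept.

```python
"""Added example (not from the talk): a precomputation-table attack on an
unsalted, truncated hash of a short numeric secret used to authenticate SMS
commands. SHA-256 stands in for GOST R 34.11-94; the message format and
secret length are assumptions for the demo."""
import hashlib
import itertools


def half_hash(secret, hash_fn=hashlib.sha256):
    """Hex digest truncated to half its length, mirroring 'half a hash value'."""
    full = hash_fn(secret.encode()).hexdigest()
    return full[: len(full) // 2]


def build_table(min_len, max_len):
    """Precompute half-hash -> secret for every all-digit secret in the length range.
    No salt means one table serves every device that uses this scheme."""
    table = {}
    for n in range(min_len, max_len + 1):
        for digits in itertools.product("0123456789", repeat=n):
            secret = "".join(digits)
            table[half_hash(secret)] = secret
    return table


def parse_command_sms(body):
    """Constructed SMS format for the demo: '<command>:<half-hash>'."""
    command, _, tag = body.partition(":")
    return command.strip().lower(), tag.strip().lower()


def recover_secret(sms_body, table):
    """Look the observed tag up; returns (command, secret) or (command, None)."""
    command, tag = parse_command_sms(sms_body)
    return command, table.get(tag)


def forge_command(command, secret):
    """With the secret in hand, any command can be authenticated for that device."""
    return f"{command}:{half_hash(secret)}"


if __name__ == "__main__":
    table = build_table(4, 5)                     # 110,000 candidates, well under a second
    intercepted = forge_command("wipe", "4711")   # constructed: a legitimate owner's command
    print(recover_secret(intercepted, table))     # ('wipe', '4711')
    print(forge_command("block", "4711"))         # attacker's follow-up, accepted as genuine
```

A salted hash (or an HMAC keyed per device) would force the table to be rebuilt per device, and a secret that is not four to five digits would make even that infeasible; without either, "hash only" is an encoding, not a protection, and the silent deletion of sent messages described above means the owner never sees the forged command either.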

COMPLIANCE AND MDM


CSA Mobile Device Management: Key Components
Device diversity; Configuration management; Software distribution; Device policy compliance & enforcement; Enterprise activation; Logging; Security settings; Security wipe, lock; IAM
Makes sure you start managing security under uncertain terms, without AI

NIST SP 800-124
Refers to NIST SP 800-53 and others; sometimes misses requirements such as locking the device, although it is in NIST SP 800-53; a bit more detailed than CSA; no statements on permission management
Makes sure you start managing security under uncertain terms, without AI

CONCLUSION
PRIVILEGED / GENERAL PERMISSIONS
DENIAL OF SERVICE: REPLACING/REMOVING FILES, DoSing EVENTS, GUI INTERCEPT
INFORMATION DISCLOSURE: CLIPBOARD, SCREEN CAPTURE, GUI INTERCEPT, SHARED FOLDERS, DUMPING .COD/.BAR/APK FILES

OWN APPS, NATIVE & 3RD-PARTY APPS' FEATURES
MITM (INTERCEPTION / SPOOFING) OF MESSAGES; GUI INTERCEPT; THIRD-PARTY APPS' FAKE WINDOW / CLICKJACKING
GENERAL PERMISSIONS INSTEAD OF SPECIFIC SUB-PERMISSIONS; FEW NOTIFICATION/EVENT LOGS FOR THE USER, BUILT PER APPLICATION INSTEAD OF PER APP SCREEN

CONCLUSION
THE VENDOR SECURITY VISION HAS NOTHING TO DO WITH REALITY, AGGRAVATED BY SIMPLICITY
SIMPLIFICATION AND REDUCTION OF SECURITY CONTROLS
MANY GENERAL PERMISSIONS, COMBINED INTO EACH OTHER
NO ACTIVITY LOGS FOR SUB-PERMISSIONS TO PROVE TRANSPARENCY
ANY SECURITY VULNERABILITY IS ONLY FIXED BY AN ENTIRELY NEW AND DIFFERENT OS / KERNEL
FEW PERMISSIONS ARE CLOSE TO THE USER'S ACTIONS
THE SANDBOX PROTECTS ONLY APPLICATION DATA; USERS HAVE TO STORE THEIR DATA IN SHARED FOLDERS OR EXTERNAL STORAGE; APPLICATIONS CONTINUE TO STORE DATA IN PUBLIC FOLDERS BECAUSE THEY ARE GOVERNED BY THE CHANCE OF AVAILABILITY
MITM / INTERCEPTION ACTIONS ARE OFTEN SILENT: THE NATIVE SPOOFING AND INTERCEPTION FEATURES
COMPLIANCE DOES NOT EXTEND MDM CAPABILITIES, IT JUST REPEATS THEM
THE MOST GRANULAR SECURITY (PERMISSIONS) IS RULED BY AMAZON WEB SERVICES
PERMISSIONS SHOULD RELY ON A SET OF DIFFERENT USEFUL CASES INSTEAD OF A SPECIFIC PERMISSION LIST

Q&A