learning ios security · table of contents learning ios security credits about the authors about...
TRANSCRIPT
![Page 4: Learning iOS Security · Table of Contents Learning iOS Security Credits About the Authors About the Reviewers Support files, eBooks, discount offers, and more](https://reader035.vdocuments.us/reader035/viewer/2022081613/5fba6052168d5e67cf1d1ce5/html5/thumbnails/4.jpg)
Table of Contents
Learning iOS Security
Credits
About the Authors
About the Reviewers
www.PacktPub.com
Support files, eBooks, discount offers, and more
Why subscribe?
Free access for Packt account holders
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Errata
Piracy
Questions
1. iOS Security Overview
Pairing
Backing up your device
iCloud backups
Taking backups using iTunes
Viewing iOS data in iTunes
Initial security checklist
Configuring a passcode
Configuring privacy settings
Safari and built-in App protections
Predictive search and spotlight
www.it-ebooks.info
Summary
2. Introducing App Security
Installing apps
Blocking access to the App Store
Single App mode, App Lock, and Guided Access
App communication
Handoff and Continuity
Keybags and keychains
Keyboards and extensions
Securing what extensions can access
User context
Sandboxing and App data storage
Introduction to in-house App development
Summary
3. Encrypting Devices
Secure boot and activating iOS
Passbook and Touch ID for Apple Pay
Introduction to iOS network communication
AirDrop
A bug or a feature?
VPN (Always-On, APN, Per-App, On-Demand)
Global HTTP Proxy, caching, and the web content filter
Privacy-related concerns
Lesser-known ways for Apple to gather diagnostics
Health app
Configuration profiles
Signing, encryption, and delivery
Summary
4. Organizational Controls
Apple Configurator
Intended workflows
The interaction modes: Prepare, Supervise, and Assign
The importance of supervision
Apps, VPP, and Apple Configurator
Mass restoring and naming of devices
Backup concerns
Configurator as chaperone
Activation Lock and Find My iPhone
Addressing the rough spots
DEP versus Apple Configurator
Guided Access versus App Lock versus Single App Mode
ActiveSync
Summary
5. Mobile Device Management
Introducing MDM
Configurator versus MDM
The Profile Manager
Preparing the Profile Manager Server
Preparing Profile Manager
Completing Post Configuration tasks
Using Profile Manager
Enrolling into Profile Manager
Device management
Passcode policies
Introducing Bushel
Setup
The enrollment process
Restrictions
Volume Purchasing Program and MDM
Summary
6. Debugging and Conclusion
Xcode
Dive deeper with libimobiledevice
Installing libimobiledevice using Homebrew
Using idevicesyslog and idevicepair
Using idevicedate and ideviceinstaller
App communications
Identifying devices
Listening to network communications
Apple IDs and Apps
Forensics
Application security
Viewing an App
Summary
Index
Learning iOS Security
Copyright © 2015 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
First published: February 2015
Production reference: 2240215
Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham B3 2PB, UK.
ISBN 978-1-78355-174-3
www.packtpub.com
Credits
Authors
Allister Banks
Charles S. Edge
Reviewers
Jeremy Agostino
William Smith
Commissioning Editor
Ashwin Nair
Acquisition Editor
Hemal Desai
Content Development Editor
Mamata Walkar
Technical Editor
Menza Mathew
Copy Editors
Jasmine Nadar
Wishva Shah
Project Coordinator
Shipra Chawhan
Proofreaders
Safis Editing
Paul Hindle
Indexer
Tejal Soni
Production Coordinator
Melwyn D'sa
Cover Work
Melwyn D'sa
About the Authors
Allister Banks is an enthusiast. He's very excited to be in the exceedingly limited, exclusive club of coauthors of Charles S. Edge. After working for a decade with IT consulting companies on both coasts of the U.S., he now works for a medical-focused institution with education and data center aspects. He has given talks at LOPSA-East, MacTech Conference, and the MacAdmins Conference at Penn State. He lives in New York. He contributes to various open source projects and speaks enough Japanese to order food.
Charles S. Edge has been working with Apple products since he was a child. Professionally, Charles started with the Mac OS and Apple server offerings in 1999 after working for years with various flavors of Unix. Charles began his consulting career with Support Technologies and Andersen Consulting. As the chief technology officer of 318, Inc., a consulting firm in Santa Monica, California, Charles built and nurtured a team of over 50 engineers, which was the largest Mac team in the world at that time. Charles is now a product manager at JAMF Software, with a focus on Bushel (http://www.bushel.com).
Charles has spoken at a variety of conferences including DefCon, BlackHat, LinuxWorld, MacWorld, MacSysAdmin, and the Apple Worldwide Developers Conference. Charles has also written 12 books, over 3,000 blog posts, and a number of printed articles on Apple products.
About the Reviewers
Jeremy Agostino is a longtime Mac and iOS developer with a professional focus on hardware support and device drivers. He has assisted in the design and implementation of custom technical solutions to manage some of the largest iOS deployments in the U.S. Jeremy is currently leading the engineering team at GroundControl Solutions, where he is developing a powerful deployment and management tool for iOS devices.
William Smith is a solutions architect for 318, Inc., which is an IT consultancy that is based in Santa Monica, California. He is a technology veteran with more than 20 years of experience. He lives in Saint Paul, Minnesota, where he has provided training and consulting services on behalf of customers such as Apple and JAMF Software.
William enjoys writing and presenting on technology topics and he has spoken at the JAMF Nation User Conference, MacIT, PSU MacAdmins, and other conferences. He has been a Microsoft MVP for more than 11 years and is co-owner of OfficeforMacHelp.com. Currently, he is a part of the steering committee for the new Twin Cities Mac Admins professionals group, a community that supports all things Apple, from education to enterprise.
Support files, eBooks, discount offers, and more
For support files and downloads related to your book, please visit www.PacktPub.com.
Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at <[email protected]> for more details.
At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters and receive exclusive discounts and offers on Packt books and eBooks.
https://www2.packtpub.com/books/subscription/packtlib
Do you need instant solutions to your IT questions? PacktLib is Packt's online digital book library. Here, you can search, access, and read Packt's entire library of books.
Why subscribe?
Fully searchable across every book published by Packt
Copy and paste, print, and bookmark content
On demand and accessible via a web browser
Free access for Packt account holders
If you have an account with Packt at www.PacktPub.com, you can use this to access PacktLib today and view 9 entirely free books. Simply use your login credentials for immediate access.
Preface
Nowadays, iOS is becoming more and more prevalent in companies and larger organizations. Whether this is a trend that is driven by Bring Your Own Device (BYOD) or something that is coming from within the IT department, our knowledge of platforms is being stretched more and more all the time. It's getting harder and harder to be an expert on every platform that is in use in our organizations!
You need to secure your iOS devices. Learning iOS Security gives you the knowledge to build security into large-scale iOS deployments. This book takes you through good security practices; these include configuring privacy options to keep personal data away from prying eyes, learning about encryption options to keep data safe at rest, securing apps to reduce the risks introduced by third-party apps, and then laying down practical steps and procedures for carrying out these steps, both on-screen on devices and at scale using Apple Configurator, profiles, and Mobile Device Management (MDM) solutions.
This book also includes a section on debugging and viewing data so that you can check out how to further secure items not covered in detail in the book. We teach you how to provide enterprise-class security to your iPhone, iPad, and iPod Touch deployments. This includes a quick run-down of basic security steps and mass deployment of these steps to aid in your large-scale deployment of iOS devices.
This book is meant to be an easy-to-digest guide that follows real-world examples to implement best security practices. Each topic is covered in a theoretical context and further resources are provided where they are needed or applicable.
What this book covers
Chapter 1, iOS Security Overview, is a quick-and-dirty overview of the many steps to take to initially secure an iPad, iPhone, and iPod Touch. The purpose of this chapter isn't to go into too much depth with any given technology, but to provide a cheat sheet of sorts to get you started with iOS security.
Chapter 2, Introducing App Security, is a more thorough review of how to choose apps and secure them during an iOS deployment. Here, we look at an overview of sandboxing techniques and how to use Single App Mode and keybags. We also look at in-house Apps.
Chapter 3, Encrypting Devices, explains the encryption types and techniques that are used in iOS. Here, we look at Touch ID, Apple Pay, network encryption, and privacy concerns.
Chapter 4, Organizational Controls, introduces Apple Configurator and profile management. Here, we also look at the Find My iPhone app as it pertains to Activation Lock, ActiveSync policies (EAS Policies), and device supervision.
Chapter 5, Mobile Device Management, looks at Apple's Profile Manager and a simple third-party MDM called Bushel. Here, we look at Over the Air (OTA) profile management.
Chapter 6, Debugging and Conclusion, covers ways to troubleshoot and debug devices in larger deployments. In this chapter, we'll look at how to find logs and interpret them, how to get more data than you can use from devices, and then we will wrap up the book.
What you need for this book
This book focuses on using a Mac to manage Apple iOS devices. Therefore, you should have a Mac that runs OS X 10.10 or a higher version and an iOS device that runs iOS 8 or a higher version. You can use a Windows or Linux computer instead of a Mac, but not all of the content covered in this book will be applicable if you do this.
Who this book is for
This book is intended for systems administrators and security professionals who want to learn how to implement good security practices on iOS devices. The readers should know something about the Information Technology industry, but they need not be veterans with more than 30 years of experience.
Conventions
In this book, you will find a number of styles of text that distinguish between different kinds of information. Here are some examples of these styles, and an explanation of their meaning.
Code words in text, database table names, folder names, filenames, file extensions, path names, dummy URLs, user input, and Twitter handles are shown as follows: "While not exactly simple, one could use openssl on various operating systems, in tandem with a root certificate from a trusted certificate authority, to apply signatures to configuration profiles, which devices will then see as trusted."
Any command-line input or output is written as follows:
codesign -d -vv /Users/abanks/Music/iTunes/iTunes\ Media/Mobile\ Applications/Dropbox\ 3.5.2/Payload/Dropbox.app
New terms and important words are shown in bold. Words that you see on the screen, in menus or dialog boxes for example, appear in the text like this: "This is exposed to end users with a Send All Traffic slider when optional."
Note: Warnings or important notes appear in a box like this.
Tip: Tips and tricks appear like this.
Reader feedback
Feedback from our readers is always welcome. Let us know what you think about this book, what you liked or may have disliked. Reader feedback is important for us to develop titles that you really get the most out of.
To send us general feedback, simply send an e-mail to <[email protected]>, and mention the book title via the subject of your message.
If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, see our author guide on www.packtpub.com/authors.
Customer support
Now that you are the proud owner of a Packt book, we have a number of things to help you to get the most from your purchase.
Errata
Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you find a mistake in one of our books, maybe a mistake in the text or the code, we would be grateful if you would report this to us. By doing so, you can save other readers from frustration and help us improve subsequent versions of this book. If you find any errata, please report them by visiting http://www.packtpub.com/submit-errata, selecting your book, clicking on the errata submission form link, and entering the details of your errata. Once your errata are verified, your submission will be accepted and the errata will be uploaded on our website, or added to any list of existing errata, under the Errata section of that title. Any existing errata can be viewed by selecting your title from http://www.packtpub.com/support.
Piracy
Piracy of copyright material on the Internet is an ongoing problem across all media. At Packt, we take the protection of our copyright and licenses very seriously. If you come across any illegal copies of our works, in any form, on the Internet, please provide us with the location address or website name immediately so that we can pursue a remedy.
Please contact us at <[email protected]> with a link to the suspected pirated material.
We appreciate your help in protecting our authors, and our ability to bring you valuable content.
Questions
You can contact us at <[email protected]> if you are having a problem with any aspect of the book, and we will do our best to address it.
Chapter 1. iOS Security Overview
Out of the box, iOS is one of the most secure operating systems available. There are a number of factors that contribute to the elevated security level. These include the fact that users cannot access the underlying operating system. Apps also keep their data in a silo (sandbox), so instead of reaching into the system's internals they can only access their own silo. App developers choose whether to store secrets such as passwords in the app's own storage or in the keychain, a protected store for such data on the device (which can optionally be synced between devices through iCloud Keychain). Finally, Apple has a number of controls in place on devices to help protect users while providing an elegant user experience.
However, devices can be made even more secure than they are out of the box. In this chapter, we're going to get some basic security tasks under our belt in order to establish some basic security best practices. Where we feel more explanation is needed about what we did on devices, we'll explore the technology itself either in this chapter, or in others.
This chapter will cover the following topics:
Pairing
Backing up your device
Initial security checklist
Safari and built-in app protection
Predictive search and spotlight
To kick off the overview of iOS security, we'll quickly secure our systems by initially providing a simple checklist of tasks, where we'll configure a few device protections that we feel everyone should use. Then, we'll look at how to take a backup of our devices and finally, at how to use the built-in web browser and the protections around it.
Pairing
When you connect a device to a computer that runs iTunes for the first time, you are prompted to trust that computer (and to unlock the device with its passcode, if one is set). Doing so allows you to synchronize the device to the computer. Applications that can communicate over this channel include iTunes, iPhoto, Xcode, and others.
To pair a device to a Mac, simply plug the device in (if you have a passcode, you'll need to enter that in order to pair the device). When the device is plugged in, you'll be prompted on both the device and the computer to establish a trust. Simply tap on Trust on the iOS device, as shown in the following screenshot:
Trusting a computer
For the computer to communicate with the iOS device, you'll also need to accept the pairing on your computer (although, when you pair with idevicepair from libimobiledevice, this step isn't needed, because you accept from the command line. This command is covered in Chapter 6, Debugging and Conclusion). When prompted, click on Continue to establish the pairing, as seen in the following screenshot (the screenshot is the same in Windows):
Trusting a device
When a device is paired, a file is created in /var/db/lockdown, named after the UDID of the device with a property list (plist) extension. A property list is an Apple XML file that stores a variety of attributes. On Windows, the equivalent pairing records are kept in the Apple Lockdown folder under ProgramData; the MobileSync folder under \Users\(username)\AppData\Roaming\Apple Computer\MobileSync holds backups rather than pairing records. The information in this file establishes the trust between the computer and the device and includes the following attributes:
DeviceCertificate: This certificate is unique to each device.
EscrowBag: This keybag contains the class keys that let a paired computer access protected data on the device while it is locked (for example, during a backup).
HostCertificate: This certificate is for the host that's paired with iOS devices (usually the same in all pairing records on a given computer).
HostID: This is a generated ID for the host.
HostPrivateKey: This is the private key for your Mac (should be the same in all files on a given computer).
RootCertificate: This is the certificate used to generate keys (should be the same in all files on a given computer).
RootPrivateKey: This is the private key of the computer that runs iTunes for that device.
SystemBUID: This refers to the ID of the computer that runs iTunes.
WiFiMACAddress: This is the MAC address of the Wi-Fi interface of the device that is paired to the computer. Even if the Wi-Fi interface isn't active, the MAC address is still recorded while pairing.
Why does this matter? It's important to know how a device interfaces with a computer. These files can be moved between computers and contain everything needed to act as the trusted host, including private keys and the escrow keybag: anyone who copies a pairing record to another computer can talk to the device over USB as the computer it trusts, so protect /var/db/lockdown as you would a credential store.
Having keys isn't all that is required for a computer to communicate with a device. When the device is interfacing with a computer over USB, if you have a passcode enabled on the device, you will be required to enter that passcode in order to unlock the device.
Once a computer is able to communicate with a device, you need to be careful: the backups of a device, apps that get synchronized to a device, and other data that gets exchanged with a device can be exposed while at rest on the paired computer.
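The attributes listed above are what make a pairing record portable trust. The following script is an added example (not code from the book) that parses a lockdown pairing record with plistlib, reports which of the listed attributes are present, flags the ones that let another computer impersonate the host, and checks the file's permissions. The sample record embedded below is constructed here with dummy bytes in place of real DER certificates and keys, so it runs without a device; pass the path of a real <UDID>.plist to audit your own host.

```python
"""Audit an iOS pairing record (the <UDID>.plist kept in /var/db/lockdown).

Added example, not code from the book. Attribute names are the ones the
chapter lists; the sample record is constructed with dummy bytes.
"""
import os
import plistlib
import stat
import sys

# Attributes the chapter lists, split by sensitivity. The private keys and the
# escrow keybag are what let a copied record act as the trusted host.
SECRET_KEYS = ("HostPrivateKey", "RootPrivateKey", "EscrowBag")
PUBLIC_KEYS = ("DeviceCertificate", "HostCertificate", "HostID",
               "RootCertificate", "SystemBUID", "WiFiMACAddress")

# Constructed sample record: dummy bytes stand in for DER certificates/keys,
# and the IDs and MAC address are made up.
SAMPLE_RECORD = {
    "DeviceCertificate": b"-----DUMMY DEVICE CERT-----",
    "EscrowBag": b"DUMMY-ESCROW-KEYBAG",
    "HostCertificate": b"-----DUMMY HOST CERT-----",
    "HostID": "9A1B2C3D-0000-4000-8000-000000000001",
    "HostPrivateKey": b"-----DUMMY HOST KEY-----",
    "RootCertificate": b"-----DUMMY ROOT CERT-----",
    "RootPrivateKey": b"-----DUMMY ROOT KEY-----",
    "SystemBUID": "F0E1D2C3-0000-4000-8000-000000000002",
    "WiFiMACAddress": "a4:b1:c2:d3:e4:f5",
}


def sample_record_bytes():
    """Serialise the constructed record the way iTunes would write it (plist)."""
    return plistlib.dumps(SAMPLE_RECORD)


def parse_pairing_record(data):
    """Parse plist bytes; plistlib autodetects XML and binary plists."""
    return plistlib.loads(data)


def audit_pairing_record(record):
    """Report which trust material is present in a parsed record."""
    present = set(record)
    return {
        "missing": [k for k in PUBLIC_KEYS + SECRET_KEYS if k not in present],
        "secrets_present": [k for k in SECRET_KEYS if k in present],
        # Host private key plus escrow bag is what a copied record hands an attacker.
        "portable_trust": "HostPrivateKey" in present and "EscrowBag" in present,
        "wifi_mac": record.get("WiFiMACAddress"),
    }


def check_permissions(path):
    """Flag records readable by group or others; they hold private keys."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    readable_by_others = bool(mode & (stat.S_IRGRP | stat.S_IROTH))
    return {"mode": oct(mode), "readable_by_others": readable_by_others}


def main(argv):
    if len(argv) > 1:
        with open(argv[1], "rb") as fh:
            record = parse_pairing_record(fh.read())
        print("permissions:", check_permissions(argv[1]))
    else:
        record = parse_pairing_record(sample_record_bytes())
    for key, value in audit_pairing_record(record).items():
        print(f"{key}: {value}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 audit_pairing.py /var/db/lockdown/<UDID>.plist` (root is needed to read that directory on OS X). A record that reports `portable_trust: True` and is readable by other users is a credential leak waiting to happen.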
Backing up your device
What do most people do to maximize the security of iOS devices? Before we do anything, we need to take a backup of our devices. This protects the device from us by providing a restore point. This also secures the data from the possibility of losing it through a silly mistake. There are two ways that are most commonly used to take backups: iCloud and iTunes. As the names imply, the first backs up the data to Apple's cloud service and the second to desktop computers.
We'll cover how to take a backup on iCloud first.
iCloud backups
An iCloud account comes with free storage to back up your Apple devices. An iOS device takes a backup to Apple's servers and can be restored from those same servers when a new device is set up (it's a screen that appears during the activation process of a new device. It also appears as an option in iTunes if you back up to iTunes over USB, covered later in this chapter).
Setting up and checking the status of iCloud backups is a straightforward process. From the Settings app, tap on iCloud and then Backup. As you can see from the Backup screen, you have two options: iCloud Backup, which enables automatic backups of the device to your iCloud account, and Back Up Now, which runs an immediate backup of the device.
iCloud backups
Allowing iCloud to take backups on devices is optional. As you'll see in Chapter 5, Mobile Device Management, and Chapter 6, Debugging and Conclusion, you can disable access to iCloud and iCloud backups. However, doing so is rarely a good idea, as you are limiting the functionality of the device and putting the data on your device at risk if that data isn't backed up another way, such as through iTunes. Many people have reservations about storing data on public clouds, especially data as private as phone data (texts, phone call history, and so on). For more information on Apple's security and privacy around iCloud, refer to http://support.apple.com/en-us/HT202303. If you do not trust Apple or its cloud, then you can also take a backup of your device using iTunes, described in the next section.
Taking backups using iTunes
Originally, iTunes was the way to take backups of iOS devices. You can still use iTunes, and it's likely you will want a second backup even if you are using iCloud, simply for a quick restore if nothing else.
Backups are usually pretty small. The reason is that the operating system is not part of backups, since users can't edit any of those files. Therefore, you can use an ipsw file (the operating system image) to restore a device.
These are accessed through Apple Configurator (which is covered further in Chapter 4, Organizational Controls), or through iTunes if you have a restore file waiting to be installed. They can be seen in ~/Library/iTunes, under the name of the device and its software updates, as can be seen in the following screenshot:
IPSW files
Backups are stored in the ~/Library/Application Support/MobileSync/Backup directory. Here, you'll see a number of directories named after the UDID of each device, and within those, you'll see a number of files that make up the modular incremental backups beyond the initial backup. It's a pretty smart system and allows you to restore a device at different points in time without taking too long to perform each backup.
Backups are stored in the \Documents and Settings\USERNAME\Application Data\Apple Computer\MobileSync\Backup\ directory on Windows XP and in the \Users\USERNAME\AppData\Roaming\Apple Computer\MobileSync\Backup\ directory on newer versions of Windows.
To enable an iTunes backup, plug a device into a computer, and then open iTunes. Click on the device for it to show the device details screen. The top section of the screen is for Backups (in the following screenshot, you can set a backup to This computer, which takes a backup on the computer you are on).
Tip: I would recommend that you always choose the Encrypt iPhone backup option. It encrypts the backup with a password of your choosing, without which the backup can be neither restored nor read, and an encrypted backup also captures items such as saved passwords (keychain items) that an unencrypted backup leaves out.
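A quick way to act on that tip across every backup on a Mac is to walk the MobileSync/Backup directory described above and report which backups were made without a password. The script below is an added example, not code from the book. It relies on two details of the backup format that the chapter does not spell out and that I state here as assumptions from my own knowledge of the format: each backup folder contains a Manifest.plist with an IsEncrypted boolean, and an Info.plist with Device Name and Product Version. The two backups it creates under a temporary directory are constructed fixtures with made-up UDIDs, so it runs without a device; pass a real Backup directory as the first argument to audit your own machine.

```python
"""List local MobileSync (iTunes) backups and flag those made without a password.

Added example, not code from the book. Assumed format details: Manifest.plist
carries an IsEncrypted boolean; Info.plist carries Device Name / Product Version.
"""
import os
import plistlib
import sys
import tempfile

DEFAULT_ROOT = os.path.expanduser("~/Library/Application Support/MobileSync/Backup")

# Constructed fixture: two made-up 40-hex-character UDIDs, one backup taken with
# the Encrypt iPhone backup option and one without.
SAMPLE_BACKUPS = {
    "0a1b2c3d4e5f60718293a4b5c6d7e8f901234567": ("Work iPhone", "8.1.3", True),
    "ffeeddccbbaa99887766554433221100aabbccdd": ("Kiosk iPad", "8.1.2", False),
}


def read_plist(path):
    with open(path, "rb") as fh:
        return plistlib.load(fh)  # handles XML and binary plists alike


def inspect_backup(folder):
    """Summarise one backup folder: device name, iOS version, encryption flag."""
    manifest = read_plist(os.path.join(folder, "Manifest.plist"))
    info_path = os.path.join(folder, "Info.plist")
    info = read_plist(info_path) if os.path.exists(info_path) else {}
    return {
        "udid": os.path.basename(folder),
        "device": info.get("Device Name", "?"),
        "ios": info.get("Product Version", "?"),
        "encrypted": bool(manifest.get("IsEncrypted", False)),
    }


def audit_backups(root=DEFAULT_ROOT):
    """Return one report per backup folder under root; non-backups are skipped."""
    results = []
    if not os.path.isdir(root):
        return results
    for name in sorted(os.listdir(root)):
        folder = os.path.join(root, name)
        if os.path.isfile(os.path.join(folder, "Manifest.plist")):
            results.append(inspect_backup(folder))
    return results


def unencrypted(report):
    """UDIDs whose backups anyone holding the files can read."""
    return [r["udid"] for r in report if not r["encrypted"]]


def build_sample_tree(root=None):
    """Write the constructed fixture backups under root (a temp dir by default)."""
    root = root or tempfile.mkdtemp(prefix="mobilesync-")
    for udid, (device, version, encrypted) in SAMPLE_BACKUPS.items():
        folder = os.path.join(root, udid)
        os.makedirs(folder, exist_ok=True)
        with open(os.path.join(folder, "Manifest.plist"), "wb") as fh:
            plistlib.dump({"IsEncrypted": encrypted}, fh)
        with open(os.path.join(folder, "Info.plist"), "wb") as fh:
            plistlib.dump({"Device Name": device, "Product Version": version}, fh)
    return root


def main(argv):
    root = argv[1] if len(argv) > 1 else build_sample_tree()
    report = audit_backups(root)
    for r in report:
        state = "encrypted" if r["encrypted"] else "PLAINTEXT"
        print(f"{r['udid']}  {r['device']} (iOS {r['ios']})  {state}")
    bad = unencrypted(report)
    if bad:
        print(f"{len(bad)} backup(s) readable by anyone who copies the files")
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The non-zero exit status makes it usable from a login script or a fleet-wide check: an unencrypted backup on a shared or stolen laptop is exactly the exposure the next section demonstrates.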
Additionally, you can use the Back Up Now button to kick off the first backup, as shown
Viewing iOS data in iTunes
To show why it's important to encrypt backups, let's look at what can be pulled out of those backups. There are a few tools that can extract backups, provided you have the password (or no password was ever set). Here, we'll look at iBackup Extractor to view the backup of your browsing history, calendars, call history, contacts, iMessages, notes, photos, and voicemails.
To get started, download iBackup Extractor from http://www.wideanglesoftware.com/ibackupextractor. When you open iBackup Extractor for the first time, simply choose the device backup you wish to extract. As you can see in the following screenshot, you will be prompted for a password in order to unlock the backup keybag. Enter the password to unlock the backup.
Unlock the backups
Note that the file tree in the following screenshot gives away some information on the structure of the iOS filesystem, or at least the data stored in the backups of the iOS device, which we'll cover in detail in Chapter 6, Debugging and Conclusion. For now, simply click on Browser to see a list of files that can be extracted from the backup, as you can see in the next screenshot:
View device contents using iBackup Extractor
Note the prevalence of SQL databases in the files. Most apps use these (SQLite) databases to store data on devices. Also, check out the other options such as extracting notes (many of which were possibly deleted), texts (some of which have been deleted from devices), and other types of data from devices.
Now that we've exhausted backups and proven that you should really put a password in place for your backups, let's finally get to some basic security tasks to be performed on these devices!
Initial security checklist
Apple has built iOS to be one of the most secure operating systems in the world. This has been made possible by restricting access to much of the operating system by end users, unless you jailbreak a device. In this book, we don't cover jailbreaking devices much, due to the fact that securing the devices then becomes a whole new topic. Instead, we have focused on what you need to do, how you can do those tasks, what the impacts are, and how to manage security settings based on a policy.
The basic steps required to secure an iOS device start with encrypting the device, which in practice means assigning a passcode: iOS storage is always encrypted with a hardware key, but only a passcode ties the keys for protected files to something an attacker holding the device does not have. We will then configure how much inactive time is allowed before a device requires a PIN and accordingly manage the privacy settings. These settings allow us to get some very basic security features under our belt, and set the stage to explain what some of the features actually do, and how we can set them via a policy in subsequent chapters of this book.
Configuring a passcode

The first thing most of us need to do on an iOS device is configure a passcode for the device. Several things happen when a passcode is enabled, as shown in the following steps:

1. The device is encrypted.
2. The device then requires a passcode to wake up.
3. An idle timeout is automatically set that puts the device to sleep after a few minutes of inactivity.

This means that three of the most important things you can do to secure a device are enabled when you set up a passcode.

Best of all, Apple recommends setting up a passcode during the initial setup of new devices. You can manage passcode settings using policies (or profiles, as Apple likes to call them in iOS), which we will cover in Chapter 4, Organizational Controls, and Chapter 5, Mobile Device Management.

Best of all, you can set a passcode and then use your fingerprint on the Home button instead of that passcode. We have found that by the time our phone is out of our pocket and if our finger is on the home button, the device is unlocked by the time we check it. With iPhone 6 and higher versions, you can now use that same fingerprint to secure payment information, which is covered in Chapter 2, Introducing App Security.

Check whether a passcode has been configured, and if needed, configure a passcode using the Settings app. The Settings app is by default on the Home screen, where many settings on the device, including Wi-Fi networks the device has been joined to, app preferences, mail accounts, and other settings are configured.

To set a passcode, open the Settings app and tap on Touch ID & Passcode.
If a passcode has been set, you will see the Turn Passcode Off option (as seen in the following screenshot).
If a passcode has not been set, then you can do so at this screen as well.
Additionally, you can change a passcode that has been set using the Change Passcode button and define a fingerprint or additional fingerprints that can be used with Touch ID.

There are two options in the USE TOUCH ID FOR section of the screen. You can choose whether, or not, you need to enter the passcode in order to unlock a phone, which you should use unless the device is also used by small children or as a kiosk. In these cases, you don't need to encrypt or take a backup of the device anyway. The second option is to force the entering of a passcode while using the App Store and iTunes. This can cost you money if someone else is using your device, so let the default value remain, which requires you to enter a passcode to unlock the options.
Configure a Passcode

The passcode settings are very easy to configure; so, they should be configured when possible. Scroll down on this screen and you'll see several other features, as shown in the next screenshot. The first option on the screen is Simple Passcode. Most users want to use a simple PIN with an iOS device. Trying to use alphanumeric and long passcodes simply causes most users to try to circumvent the requirement. To add a fingerprint as a passcode, simply tap on Add a Fingerprint…, which you can see in the preceding screenshot, and follow the onscreen instructions.

Additionally, the following can be accessed when the device is locked, and you can choose to turn them off:

Today: This shows an overview of upcoming calendar items
Notifications View: This shows you the recent push notifications (apps that have updates on the device)
Siri: This represents the voice control of the device
Passbook: This tool is used to make payments and display tickets for concert venues and meetups
Reply with Message: This tool allows you to send a text reply to an incoming call (useful if you're on the treadmill)

Each organization can decide whether it considers these options to be a security risk and direct users how to deal with them, or they can implement a policy around these options.

Passcode Settings

There aren't a lot of security options around passcodes and encryption because, by and large, Apple secures the device by giving you fewer options than you'll actually use. Under the hood (for example, through Apple Configurator and Mobile Device Management, covered in Chapter 4, Organizational Controls, and Chapter 5, Mobile Device Management, respectively) there are a lot of other options, but these aren't exposed to end users of devices. For the most part, a simple four-character passcode will suffice for most environments. When you complicate passcodes, devices become much more difficult to unlock, and users tend to look for ways around passcode enforcement policies. The passcode is only used on the device, so complicating the passcode will only reduce the likelihood that a passcode would be guessed before swiping open a device, which typically occurs within 10 tries.

Finally, to disable a passcode and therefore encryption, simply go to the Touch ID & Passcode option in the Settings app and tap on Turn Passcode Off.
Configuring privacy settings

Once a passcode is set and the device is encrypted, it's time to configure the privacy settings. Third-party apps cannot communicate with one another by default in iOS. Therefore, you must enable communication between them (also between third-party apps and built-in iOS apps that have APIs). This is a fundamental concept when it comes to securing iOS devices.

To configure privacy options, open the Settings app and tap on the entry for Privacy. On the Privacy screen, you'll see a list of each app that can be communicated with by other apps, as shown in the following screenshot:

Privacy Options
As an example, tap on the Location Services entry, as shown in the next screenshot. Here, you can set which apps can communicate with Location Services and when. If an app is set to While Using, the app can communicate with Location Services when the app is open. If an app is set to Always, then the app can only communicate with Location Services when the app is open and not when it runs in the background.

Configure Location Services

On the Privacy screen, tap on Photos. Here, you have fewer options because, unlike the location of a device, you can't access photos when the app is running in the background. Here, you can enable or disable an app's ability to communicate with the photo library on a device, as seen in the next screenshot:
Configure what Apps can access your Camera Roll

Each app should be configured in such a way that it can communicate only with the features of iOS or other apps that are absolutely necessary.

Other privacy options which you can consider disabling include Siri and Handoff. Siri provides the voice controls of iOS. Because Siri can be used even when your phone is locked, consider disabling it by opening the Settings app, tapping on General and then on Siri, where you will be able to disable the voice controls. To disable Handoff, you should use the General System Preferences pane on any OS X computer paired to an iOS device. There, uncheck the Allow Handoff between this Mac and your iCloud devices option.
Safari and built-in App protections

Web browsers have access to a lot of data. One of the most popular targets on other platforms has been web browsers. The default browser on an iOS device is Safari.

Open the Settings app and then tap on Safari. The Safari preferences to secure iOS devices include the following:

Passwords & AutoFill: This is a screen that includes contact information, a list of saved passwords, and credit cards used in web browsers. This data is stored in an iCloud Keychain if iCloud Keychain has been enabled on your phone.
Favorites: This performs the function of bookmark management. This shows bookmarks in iOS.
Open Links: This configures how links are managed.
Block Pop-ups: This enables a pop-up blocker.

Scroll down and you'll see the Privacy & Security options (as seen in the next screenshot). Here, you can do the following:

Do Not Track: By this, you can block the tracking of browsing activity by websites.
Block Cookies: A cookie is a small piece of data sent from a website to a visitor's browser. Many sites will send cookies to third-party sites, so the management of cookies becomes an obstacle to the privacy of many. By default, Safari only allows cookies from websites that you visit (Allow from Websites I Visit). Set the Cookies option to Always Block in order to disable its ability to accept any cookies; set the option to Always Allow to accept cookies from any source; and set the option to Allow from Current Website Only to only allow cookies from certain websites.
Fraudulent Website Warning: This blocks phishing attacks (sites that only exist to steal personal information).
Clear History and Website Data: This clears any cached history, web files, and passwords from the Safari browser.
Use Cellular Data: When this option is turned off, it disables web traffic over cellular connections (so web traffic will only work when the phone is connected to a Wi-Fi network).
Configure Privacy Settings for Safari

There are also a number of advanced options that can be accessed by clicking on the Advanced button, as shown in the following screenshot:
Configure the Advanced Safari Options

These advanced options include the following:

Website Data: This option (as you can see in the next screenshot) shows the amount of data stored from each site that caches files on the device, and allows you to swipe left on these entries to access any files saved for the site. Tap on Remove All Website Data to remove data for all the sites at once.
JavaScript: This allows you to disable any JavaScript from running on sites the device browses.
Web Inspector: This shows the device in the Develop menu on a computer connected to the device. If the Web Inspector option has been disabled, use Advanced Preferences in the Safari Preferences option of Safari.
View website data on devices

Browser security is an important aspect of any operating system.
Predictive search and spotlight

The final aspect of securing the settings on an iOS device that we'll cover in this chapter includes predictive search and spotlight. When you use the spotlight feature in iOS, usage data is sent to Apple along with the information from Location Services. Additionally, you can search for anything on a device, including items previously blocked from being accessed. The ability to search for blocked content warrants its inclusion in locking down a device.

That data is then used to generate future searches. This feature can be disabled by opening the Settings app, tapping on Privacy, then Location Services, and then System Services. Simply slide Spotlight Suggestions to Off to stop the location data from going over that connection. To limit the type of data that spotlight sends, open the Settings app, tap on General, and then on Spotlight Search. Uncheck each item you don't want indexed in the Spotlight database. The following screenshot shows the mentioned options:
Configure What Spotlight Indexes

Now that we've looked at some basic tactical tasks that secure devices, it's time to turn our attention to the theory behind some of these and to make sure your apps are secure, in the next chapter.
Summary

This chapter was a whirlwind of quick changes that secure a device. Here, we paired devices, took a backup, set a passcode, and secured app data and Safari. This is by far the simplest chapter of this book, but it also lays the groundwork to cover some of the more esoteric content. In this chapter, we showed how to manually do some tasks that we will set via policies later in the book.

In the next chapter, we will move on to securing apps and learn how apps communicate with one another.
Chapter 2. Introducing App Security

In this chapter, we will look at one of the most important things to secure on iOS: apps. This includes data within apps, the context in which apps are allowed to run, how apps communicate via extensions, and how newer features in the OS continue to put the focus on an Apple ID as the most important account to control on your device. However, the reason why most people sign up for an Apple ID is to install apps.

Many of the concepts discussed in this chapter will be an addition to or a reinforcement of our knowledge about the OS X architecture upon which iOS is based, which will be especially helpful if you are coming from the Windows or Blackberry platforms. Even Linux, with its process model echoing Unix, still has enough notable differences with the appliance-style computing experience showcased on iOS that it will be helpful to cover these more fundamental points. We will also briefly touch on in-house app development, which can be augmented by the management systems that we will be discussing in Chapter 4, Organizational Controls, and Chapter 5, Mobile Device Management.

The topics that we will cover in this chapter, which underpin app security, include:

How apps are distributed, installed, and restricted
Single app mode (also known as Lock to App) and Guided Access
Traditional and current inter-app (and device) communication
Clarification of when keybags are utilized by iOS
Keyboards, sandboxing, and extensions
Introduction to securely distributing custom in-house apps
Installing apps

How to install an app is considered a trivial exercise at this point, with common advertisements doing nothing more than showing the icons of the platform to suggest that they want you to get their app from the corresponding store. That being said, there are other ways to download and install an app than simply opening an app store on a device and tapping on Get. An app can be pushed over the air with management systems, put on the device with tools such as Apple Configurator (discussed in Chapter 4, Organizational Controls), and installed once it is compiled from the source code with Xcode (Apple's Integrated Development Environment (IDE), which is discussed with other tools that can perform installations in Chapter 6, Debugging and Conclusion).

There is no concept of sideloading apps on iOS in comparison to other platforms where you may be able to place a device into developer mode. Likewise, you will likely never have implicit or otherwise stated encouragement to gain root access to the device. We'll discover the lengths to which Apple goes to ensure this in the next chapter, but suffice it to say that you simply cannot transfer a binary to an iOS device and bring about a system-wide change in any but the endorsed ways while playing within Apple's so-called walled garden.

Apps themselves can only be distributed by Apple via the App Store that's available on the device, and in iTunes on a Mac or PC, through a special Business-to-Business store with the Volume Purchase Program, or when explicitly associated with an Apple Developer Program. These limited options decrease the routes through which applications can be acquired, but if you have a developer account, you can compile applications released as open source and install them on devices at will. Similarly, the compressed .ipa archive that contains an iOS application can be transferred like any data, but getting the installer process in the OS to pick up on it is another matter.

Security around app installation manifests itself in the fact that the kernel performs verification at installation time and every subsequent launch to ensure that the executable bundle and frameworks inside the archive have been signed with an approved developer's certificate that Apple trusts. There is no installer binary for IPA files on iOS, so verification like the one that is done with the pkg encapsulation format on the Mac is not a part of the process. As long as the code delivered by an archive checks out as signed, it is allowed to be installed and run. One can speculate that this allows more caching possibilities since there is less likelihood of corruption, as all you need to change is the Digital Rights Management (DRM) software upon delivery to a new device.

You can see the app signature verification process on a Mac using the following steps:

1. First, download an app from iTunes and navigate to it in the Finder. Normally, it can be found by navigating to /Users/yourusername/Music/iTunes/Mobile Applications. Duplicate the file (if you'd like to keep a fresh, unaltered version) and highlight the copy. Then, from the File menu, choose Open With | Archive Utility to expand it.
2. You will then see a folder of the same name with several things inside it, one of which is a folder labeled Payload.
3. Launch the Terminal application that you will find in the Other folder in Launchpad. You would first type codesign -d -vv and then drag and drop the application you find inside the Payload folder, and then hit return. On executing the command, you will see something like the following:
    codesign -d -vv /Users/abanks/Music/iTunes/iTunes\ Media/Mobile\ Applications/Dropbox\ 3.5.2/Payload/Dropbox.app
    Executable=/Users/abanks/Music/iTunes/iTunes Media/Mobile Applications/Dropbox 3.5.2/Payload/Dropbox.app/Dropbox
    Identifier=com.getdropbox.Dropbox
    Format=bundle with Mach-O universal (armv7 arm64)
    CodeDirectory v=20200 size=54086 flags=0x0(none) hashes=2695+5 location=embedded
    Signature size=3487
    Authority=Apple iPhone OS Application Signing
    Authority=Apple iPhone Certification Authority
    Authority=Apple Root CA
An output such as the preceding one will appear, which will show the chain of trust in action. Apple's Root Certificate Authority (CA) is present as a trusted authority to verify that the application inside the .ipa file that we acquired has not been tampered with.
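As an added example (not code from the book or from Apple), the following Python script parses a codesign -d -vv listing like the one above and checks that the Authority chain is anchored at Apple Root CA. The sample listing is constructed to mirror the Dropbox output; inspect_bundle() is a hypothetical helper that only works on a Mac where the codesign tool exists.

```python
"""Parse and check a `codesign -d -vv` listing for an unpacked .ipa payload.

Added example for this chapter; it is not code from the book or from Apple.
The sample listing below is constructed to mirror the Dropbox output shown
in the text, and inspect_bundle() only works on a Mac where codesign exists.
"""
import re
import shutil
import subprocess
from dataclasses import dataclass, field

# Constructed sample: the lines codesign -d -vv prints (on stderr) for an
# App Store-signed bundle, mirroring the listing in the text.
SAMPLE_OUTPUT = """\
Executable=/Users/abanks/Music/iTunes/iTunes Media/Mobile Applications/Dropbox 3.5.2/Payload/Dropbox.app/Dropbox
Identifier=com.getdropbox.Dropbox
Format=bundle with Mach-O universal (armv7 arm64)
CodeDirectory v=20200 size=54086 flags=0x0(none) hashes=2695+5 location=embedded
Signature size=3487
Authority=Apple iPhone OS Application Signing
Authority=Apple iPhone Certification Authority
Authority=Apple Root CA
"""

# The chain of trust the text shows for an App Store-distributed app:
# leaf signer first, Apple's Root CA last.
APP_STORE_CHAIN = (
    "Apple iPhone OS Application Signing",
    "Apple iPhone Certification Authority",
    "Apple Root CA",
)


@dataclass
class CodesignInfo:
    executable: str = ""
    identifier: str = ""
    architectures: tuple = ()
    flags: str = ""
    signature: str = ""          # "adhoc" when there is no certificate chain
    authorities: list = field(default_factory=list)


def parse_codesign(listing: str) -> CodesignInfo:
    """Turn the key=value lines of a codesign -d -vv listing into CodesignInfo."""
    info = CodesignInfo()
    for raw in listing.splitlines():
        line = raw.strip()
        if line.startswith("Executable="):
            info.executable = line[len("Executable="):]
        elif line.startswith("Identifier="):
            info.identifier = line[len("Identifier="):]
        elif line.startswith("Format="):
            # Architectures are listed in parentheses, e.g. "(armv7 arm64)".
            m = re.search(r"\(([^)]*)\)", line)
            info.architectures = tuple(m.group(1).split()) if m else ()
        elif line.startswith("CodeDirectory "):
            m = re.search(r"\bflags=(\S+)", line)
            info.flags = m.group(1) if m else ""
        elif line.startswith("Signature="):
            info.signature = line[len("Signature="):]
        elif line.startswith("Authority="):
            # Authority lines appear leaf first, root last.
            info.authorities.append(line[len("Authority="):])
    return info


def check_chain(info: CodesignInfo):
    """Return (trusted, reason): trusted only if the chain ends at Apple Root CA."""
    if info.signature == "adhoc" or not info.authorities:
        return False, "no certificate chain: unsigned or ad hoc signature"
    root = info.authorities[-1]
    if root != "Apple Root CA":
        return False, f"chain is not anchored at Apple Root CA (root is {root!r})"
    if tuple(info.authorities) == APP_STORE_CHAIN:
        return True, "App Store signing chain anchored at Apple Root CA"
    # Any other Apple-issued chain (e.g. a developer certificate) is still
    # trusted by iOS per the text, but it is not the App Store signer.
    return True, f"Apple-anchored chain, leaf signer {info.authorities[0]!r}"


def inspect_bundle(app_path: str):
    """Hypothetical helper: run codesign on an unpacked Payload/<name>.app.

    Returns None where the codesign tool is not available (non-Mac hosts).
    """
    if shutil.which("codesign") is None:
        return None
    # codesign -d writes its listing to stderr, not stdout.
    proc = subprocess.run(["codesign", "-d", "-vv", app_path],
                          capture_output=True, text=True)
    return parse_codesign(proc.stderr)


if __name__ == "__main__":
    parsed = parse_codesign(SAMPLE_OUTPUT)
    print(parsed.identifier, parsed.architectures, check_chain(parsed))
```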
Blocking access to the App Store

One can potentially hide the App Store application on the device, but if the device can still connect to an end user's computer that is running iTunes, you will not be able to effectively cut off the installation of apps.

Note: There have been additional, undocumented ways to hide features and apps that are actually present on a device in certain jurisdictions, most of which rely in some part on configuration profiles, but that is beyond the scope of this book.

As demonstrated by the access granted to data on the device by backing it up to a computer in the last chapter, allowing end users to directly interact with the backup process should be thoroughly examined and accounted for in a written policy.

The most simplistic form of applying management to an iOS device is to navigate to Settings | General | Restrictions, tap on Enable Restrictions, and then set a new password that is distinct from the one used to unlock the device. Then, you can granularly disable Installing Apps, Deleting Apps, and In-App Purchases and essentially shut off all interactions with the apps on a device, as shown in the following figure:
Restricting App Store Functionality

Management tools such as Apple Configurator and iTunes will also not be able to install or remove apps once these settings are enabled, which makes controlling access to Restrictions of particular importance to educational environments.
Single App mode, App Lock, and Guided Access

When devices are made to work in a shared-usage model, for example, many nurses using the same iPad during shifts at a hospital, one method to restrict access and standardize the experience would be to lock the device to a single app. This is referred to by different names based on how it is initiated, and it can be achieved with the tools that we will discuss in future chapters. The device shows only the designated app and never goes to the home screen (also referred to internally as the Springboard). The Home button is essentially disabled and Control Center (which is accessed by swiping up from the bottom edge of an iOS device) is also not accessible. This can also enable a kiosk-type experience, where the device is protected from misuse by dictating that only a single app can run.

In recent releases of iOS, developers have been granted APIs to enable app lock when they enter a certain state within the app or until a specific requirement is met; however, this is applicable only for apps distributed via Mobile Device Management (MDM). This meets the criteria for educational use where you do not want students to look up answers. It can also prevent exfiltration of data within the apps on a device if you can coordinate with a developer to enable this feature. Financial processing, secure document viewing, and other sensitive app interaction may benefit from this as well.

You can simulate how a locked device will perform at any time by enabling a feature called Guided Access. You can initiate this mode by pressing the Home button three times from within an app. You will then be presented with options to control motion (the ability to rotate the screen's orientation) and the use of the keyboard. It detects screen elements, so you can designate specific regions of the screen to be off-limits, for example, the in-app purchase button or ads. Exiting Guided Access requires yet another distinct four-digit password, but it can be disabled with the fingerprint unlock feature on devices that are equipped with Touch ID.

You can find more information about this at http://support.apple.com/HT202612. The following screenshot shows the Guided Access configuration screen on an iPhone:
Enabling Guided Access

Now, the following screenshot shows how the controls of an app can be selectively disabled:
Disabling Controls in an App

One of the things that people utilizing this functionality discover as a support concern is that you cannot turn off the device nor put the screen in sleep mode. This makes powering the device of critical importance, as does ensuring a consistent Wi-Fi connection; there is no way to re-enter credentials or switch networks. The preceding screenshots show how you can enable Guided Access and what you would see when you configure it, whereas no configuration is presented when using MDM or in-app functionality to Lock to App; further restrictions may be necessary if you would like to disable in-app purchases or unnecessary web views.

Tip: Documenting an obscure feature like Guided Access is actually quite a challenge, as the normal, simple-to-use screenshot controls on the device are effectively disabled. Instead of messing about with video capture via a physical adapter or cable, Apple's AirPlay feature can be paired with an app like Reflector by Squirrels (http://www.airsquirrels.com/reflector/) to mirror the screen to a Mac, PC, or an Android device, from which you can then take screenshots.
App communication

Historically, very few affordances were made when one developer wanted to communicate with the application data of another developer. URL schemes were manipulated for this purpose and they allowed a developer's app to be summoned by an identifier that was usually based on the bundle ID. In the last few major releases of iOS, there was at least the affordance for shared credentials to be accessed between apps by the same developer. This sharing of a keychain by an app group now also includes the sharing of file storage and preference data, which was previously accomplished by separate accounts with third-party sync services like Dropbox. iCloud Drive has been introduced to perform similar ad hoc file storage and sharing tasks. If this sounds somewhat limiting, it's because historically it has been, but we will touch upon the new ways in which app functionality and data can leak out from the one-app-at-a-time silo after we discuss how app data can now pass more easily between devices. The following screenshot shows a web page in Safari on an iOS 8 device that is being offered to a Mac running OS X 10.10:

A web page in Safari on an iOS 8 device that is being offered to a Mac running OS X 10.10
Handoff and Continuity

Let's start by signing into the same Apple ID on a Mac running OS X 10.10 (Yosemite) and an iPhone or iPad running iOS 8. Open a web page in Safari on the iOS device and you will see an icon in your Dock (analogous to the taskbar on Windows) to continue viewing the web page on the Mac. This is Handoff in action. It's also referred to under the Continuity heading in Apple's marketing material. Many Apple apps are shipping with this functionality in iOS 8, and the developers of popular apps like Google's Chrome web browser are rapidly adopting it as well.

iCloud and the newest operating systems are the glue that holds all this together, and these features work between iOS devices. For other Continuity features such as phone/text message relay, you may need to explicitly set up the relationship between devices when prompted, as shown in the following figure:
Authorizing an iPad to receive text messages (SMS and MMS)

Tip: As a troubleshooting step, make sure that any device that will piggyback on an iPhone's service is using the phone number of the iPhone and the e-mail address of the Apple ID to identify itself to iCloud-based services. You can find more details about this at http://support.apple.com/HT6337.

Some people have criticized this duplication of possibly redundant or sensitive application states across devices, which you would be automatically opted in to use if you have an iPhone, and which uses the same Apple ID and phone number as the primary identifier of iCloud-based services such as iMessage and FaceTime. This increases the moving parts that need to be secured and the importance of the device wipe feature that is present in ActiveSync, Find My iPhone, and the MDM-based enterprise wipe.
Keybags and keychains

As discussed in the previous chapter, the keychain is known as a way to centrally store and manage credentials and other secret data that are in use by applications on behalf of the user, carried over from OS X. There is also the concept of a keybag, which in practice is a grouping of secrets (or more practically, keys) that allows the system to manage the moving parts around specific interactions. Besides being used by the system itself to manage the encryption of data on the device, keybags come into play primarily when a backup will run, either over Wi-Fi to iTunes, when tethered by USB to iTunes, or while the device is plugged into a power source and locked, which is a requirement to send to iCloud Backup.

Explaining keybags as a concept is a minor point, but there has been terminology confusion regarding things such as the securing of apps with digital rights management and the use of the keychain, neither of which are directly related. To summarize, keybags are an abstraction for secrets like keychain items, so they can be secured independent of the data within. This allows for more flexible security by adding an interaction-specific layer to events such as the rotation of credentials, among other common interactions.

Note: Some keychain items can be marked as tied to a specific device when they are created by an application, disallowing them from being restored to another device. Google appears to be using this in their popular two-step authentication app Google Authenticator, whereas other services do not impose this limitation.
KeyboardsandextensionsOneofthegreatlyanticipatedfeaturesofiOS8wastheconceptofExtensions.Whileshuttlingaroundthestateofanapplicationisallwellandgood,extensionsallowappstohavetheirfunctionalityappearinnewplaces.
Thisisimplementedthroughtheadditionofspecificabilitiespresentedtodevelopersthatarereferredtoasextensionpoints,withthemostanticipatedbeingthird-partykeyboards.AmorepopularkeyboardthatisavailableforotherplatformsisSwype(thoughIampersonallywaitingforthereturnofPalm’sGraffiti),whichallowsmorefluid,one-handedtextentry.
ApplegroupedotherpossibleextensioncategoriesunderTodaywidgets(TodaybeinganewlyexpandedviewinNotificationCenteroniOSandMac),photoeditingenhancements(forexample,filtersfrompopularappslikeVSCOCam),documentprovidersforimportingfilesfrompopularsyncserviceslikeDropbox,andshareproviderslikethepre-existingbutsystemprovidedFacebooksharingfunctionality.Morebroadly,thevaguelynamedcustomactionsallowappstobeinteractiveevenwhenthescreenislocked,andfromwithinasmalldrop-downinterfacewhentheyreceivenotificationswhilethescreenisunlocked.
The security and privacy concerns that Apple has addressed for keyboards in particular are how inputs for password fields and network communication are handled, so that a keyboard app cannot send keystrokes over the network and become the least imposing-looking keylogger. Extensions are distributed in regular app bundles and follow common privacy and security controls. In addition, a third-party keyboard runs without any network access until the user explicitly grants it Allow Full Access in Settings, and even Apple's own Predictive Text add-on cannot enter text in a designated (properly coded) secure text field: when a password field has focus, iOS falls back to the system keyboard, so a third-party keyboard never sees those keystrokes.
Tip: Note that much of the Apple Watch's preliminary app functionality is enabled via extensions and all the processing happens on the iPhone. The results are then sent to the watch over Bluetooth Low Energy. Very little is stored about an app on the watch itself (UI storyboards that can contain dynamically updating content like watch faces), so securing the iPhone will be sufficient.
Securing what extensions can access
The ability to enforce these expanded privacy and network access controls was prepared by having interapplication communication (under the protocol name XPC) added as part of iOS 5 (and OS X 10.7). The specific APIs for this type of communication ensure that apps will not share the same file or memory space with an extension.
Essentially, both parties stay in their own sandbox but XPC arbitrates and acts as a proxy between them. In terms of privacy, an extension inherits whatever rights (Photos, Contacts, and so on) have been granted to the app that contains it, but the host app that invokes another developer's extension does not share its own privacy grants with that extension.
While we will discuss MDM in depth later, its use adds the potential to apply more on-the-fly controls, which include limiting the mail accounts through which data can be sent, or the sharing and document providers enabled on a device that data can be moved to. A lot of this also depends on the MDM actually supplying the applications, but this becomes very powerful when paired with an in-house app.
User context
The old Unix security model, from when the only way for the average person to use a computer was by sharing time on a mainframe, stated that nobody was trusted except the system administrator. When one was given a standard user account to log in, there was only a limited range of things that one could do to introduce instability to the system. iOS and its precursor OS X are descendants of NeXT, and BSD before that. This puts the concept of system processes running under user accounts with their associated privileges into focus.
iOS runs third-party apps on behalf of a standard user account named mobile, and unlike OS X, it exposes no awareness of multiple users on the system. When using an iOS device, we do not think about traditional user accounts (there is no interface to add more users), as the design assumption is that there is only one owner of this highly personalized device and therefore only one actual user. System daemons still run as root or as mobile, but role accounts that would run daemons on behalf of third-party application processes are absent, as what is allowed to run is strictly limited on iOS (as it is on a Mac now, with the many restrictions that have been imposed on the apps that are allowed in its corresponding App Store).
Sandboxing and App data storage
As we mentioned in the beginning of the chapter, a code signature is placed on the app bundle itself with additional protection, so that the signature is verified not only when the app is installed, but also at runtime: the kernel enforces mandatory code signing on every executable page as it is loaded, so code that has been modified in the meantime fails to run rather than running unverified. This is for stability as much as it is for security, since code that has been modified or allowed to run roughshod on the system can cause the device, which we might just want to be able to use to call 911 in an emergency, to crash.
We spoke about a mobile user which would have a home folder. Unlike the common consumer computer OS, the data storage location of an app is a randomly named (UUID) container kept separate from the user's home (besides the containerization of specific preferences that helps sharing among a developer's apps through app groups, so those settings persist even if an app is deleted). There are frameworks, which are shipped by Apple in its SDK, that encourage storing app data in an encrypted format (the Data Protection classes). However, some exploits have used an impersonation of an app's bundle identifier to make a rogue app trustworthy to other applications that will then exchange data with it. To date, forensic deconstruction of these attempts has found that users must explicitly enable non-standard behavior through several extenuating circumstances (such as installing an app from outside the App Store and trusting the profile that came with it) for the exploits to work. The potential for data leakage has not been substantial on non-jailbroken devices, but security professionals should be aware of this shortcoming where end users are involved in the installation of apps.
Plain file storage is not the only way in which data is segregated and treated discriminately on the system; other privacy or device usage-related capabilities must be requested by an app through entitlements. The previously introduced extensions can be contrasted with Android intents, as they are both initiated by the end user and are focused from that perspective (although Android apps tend to broadcast their capabilities to receive data without strict or clear oversight, which some would argue is actually beneficial due to perceived increases in productivity and functionality). Entitlements are only slightly different from Windows Phone contracts, and Apple's stated model is that apps should ask for as few rights as possible; the runtime privacy prompts (Contacts, Photos, Location) are a separate, user-controlled layer that end users should be asked for (as unobtrusively as possible) only when it is absolutely necessary for the full usage of an app's capabilities. Entitlements are baked into the code signature of the application bundle and can be investigated with the codesign binary on a Mac (codesign -d --entitlements :- Example.app).
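As an added worked example (not code from the book), the following Python script reviews the entitlements that codesign prints for a bundle against the least-privilege model just described. The app, team and group identifiers in the embedded sample are made up, and the review rules are this example's own, not Apple's; it runs offline on the sample and accepts real codesign output on standard input.

```python
"""Review the entitlements an iOS app bundle carries for least privilege.

On a Mac, feed this the XML that codesign prints:
    codesign -d --entitlements :- Example.app | python3 review_entitlements.py
With nothing on stdin it reviews the constructed sample below. Example code for
this chapter, not Apple's; the app, team and group identifiers are made up.
"""
import plistlib
import sys

# Magic that prefixes the raw entitlements blob (CSMAGIC_EMBEDDED_ENTITLEMENTS) when
# codesign is asked for the entitlements without the ":-" form: 4 bytes of magic
# plus a 4-byte big-endian length precede the XML.
ENTITLEMENTS_BLOB_MAGIC = b"\xfa\xde\x71\x71"

# Constructed sample: a build that still carries debug and sharing entitlements.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>application-identifier</key>
  <string>ABCDE12345.com.example.notes</string>
  <key>com.apple.developer.team-identifier</key>
  <string>ABCDE12345</string>
  <key>get-task-allow</key>
  <true/>
  <key>keychain-access-groups</key>
  <array>
    <string>ABCDE12345.com.example.notes</string>
    <string>ABCDE12345.com.example.shared</string>
  </array>
  <key>com.apple.security.application-groups</key>
  <array>
    <string>group.com.example.shared</string>
  </array>
  <key>com.apple.developer.default-data-protection</key>
  <string>NSFileProtectionCompleteUntilFirstUserAuthentication</string>
</dict>
</plist>
"""

# Entitlements whose mere presence widens what the app (and every extension it
# bundles) can reach; the app should be able to justify each one.
BROAD_ENTITLEMENTS = {
    "com.apple.security.application-groups":
        "shared container: files and defaults are readable by every app and extension in the group",
    "com.apple.developer.associated-domains":
        "universal links and shared web credentials for the listed domains",
    "com.apple.developer.networking.vpn.api":
        "may act as a VPN provider and see other apps' traffic",
}


def parse_entitlements(data: bytes) -> dict:
    """Parse codesign's entitlements output, with or without the blob header."""
    if data.startswith(ENTITLEMENTS_BLOB_MAGIC):
        data = data[8:]
    return plistlib.loads(data)


def review_entitlements(ents: dict) -> list:
    """Return (entitlement, reason) pairs worth a second look before release."""
    findings = []
    app_id = ents.get("application-identifier", "")
    team = ents.get("com.apple.developer.team-identifier", "")
    if team and not app_id.startswith(team + "."):
        findings.append(("application-identifier", "team prefix does not match the team identifier"))
    if ents.get("get-task-allow"):
        findings.append(("get-task-allow", "a debugger may attach and read memory; must be false in a release build"))
    # The app's own identifier is the default keychain group; anything else is shared.
    shared = [g for g in ents.get("keychain-access-groups", []) if g != app_id]
    if shared:
        findings.append(("keychain-access-groups", "keychain items are readable by sibling apps in: " + ", ".join(shared)))
    protection = ents.get("com.apple.developer.default-data-protection")
    if protection is not None and protection != "NSFileProtectionComplete":
        findings.append(("com.apple.developer.default-data-protection", f"default file protection lowered to {protection}"))
    for key, reason in BROAD_ENTITLEMENTS.items():
        if key in ents:
            findings.append((key, reason))
    return findings


if __name__ == "__main__":
    raw = sys.stdin.buffer.read() if not sys.stdin.isatty() else b""
    for key, reason in review_entitlements(parse_entitlements(raw or SAMPLE_ENTITLEMENTS)):
        print(f"{key}: {reason}")
```

The `:-` form of codesign writes the embedded entitlements plist to standard output without the 8-byte blob header; the script strips that header anyway in case an older codesign emits it. Note what the script cannot tell you: runtime privacy grants (Contacts, Photos, Location) are not entitlements and do not appear in this output, so they have to be reviewed in the app's Info.plist usage strings and on the device.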
Introduction to in-house App development
So, you have found a need to deploy a custom app to the devices in your organization and have received the go-ahead to build one. Apple encourages organizations and their developers to sign up with its Enterprise Developer Program so that they can be granted the capability to build and distribute custom-built apps outside the App Store. Many IT departments have already signed up individuals to not only test a release of the operating system, but the tinkerers amongst us can also build open source apps for personal use, which can also be achieved with a standard, standalone developer account. You can find more information about this at https://developer.apple.com/enterprise/.
The process of tying the required certificates and identifiers for an app to the desired devices for testing is referred to as provisioning. Creating and managing provisioning profiles will not always be necessary; however, it depends on how close to in-house your actual development may be. When you use Apple's approval process to clear an in-house developed app for internal use, you will most often use the Business Volume Purchase Program and leverage Apple's infrastructure to distribute it. This is by far the easiest way from a procurement and ongoing support perspective, and this is often the case for white-labeled apps that are made by professional app development companies. Apps in the Business-to-Business Volume Purchase app store are not visible to the general public, which may also be beneficial depending on the situation.
Ad hoc distribution allows limited beta testing on registered devices. This requires all the same steps that an individual will perform to get an app on the App Store, including registering as a developer, applying to have their app ID considered as unique, acquiring the correct certificates so that devices trust the app when it is installed, and preparing the built application for deployment once all the mentioned requirements are complete. You will additionally need to go through the process of building a team entity to identify the developers working on your behalf and grant them access to your account when they build the applications. When it comes to wider testing with many devices, Apple has recently acquired an outside service called TestFlight that makes this process easier for a large number of testers, although a number of other solutions still exist outside of Apple that optimize different parts of the testing process. You can find more information at https://developer.apple.com/testflight/.
Enterprise distribution does not require every device to be registered with Apple, but the app has to be delivered either through MDM or through an over-the-air manifest (an itms-services:// link) hosted by the organization. Therefore, it is required to have direct access or some communication with the folks who manage the device, whether company-owned or otherwise. One point to keep in mind is that different MDM providers need different levels of involvement when they are asked to distribute apps on your behalf. They can let you shoot yourself in the foot, so to speak, by allowing a mismatch of the provisioning profile you would upload and the associated app bundle, resulting in an app with a pretty icon that won't launch. Other MDMs insist on direct interaction with your development team to reduce the possibility of issues. Keep in mind that certificates are an integral part of the process as well; therefore, they need to be renewed so that apps
Summary
In this chapter, we went over how apps are distributed and how they prove their integrity to the system once they are installed. We demonstrated the concept of locking a device into an app with Guided Access. Inter-app (and device) communication via extensions and Continuity was also discussed along with the new complementary privacy controls for things like keyboards. As this chapter was about the customization and controls you'd want to place on apps, we gave a brief introduction to securely distributing your own in-house apps.
Since the time the iPhone first came along, the way many people interact with apps has changed significantly. Limited methods of installation, silos for categories of data and the capabilities of apps, and the keychain concept from OS X have all come to bear on iOS' overall security. You should now have enough background on how apps function to begin to understand why the limitations are the way they are, and what to keep in mind when you are tasked with securing app data.
In the next chapter, we will cover how iOS takes advantage of its hardware to create a secure environment even before we get to run any apps, starting from the moment the device is turned on.
Chapter 3. Encrypting Devices
In this chapter, we will be looking at iOS device encryption. You might think this would be the shortest chapter, as the file system itself has been fully encrypted for many revisions of the OS. This makes wiping the device when giving it away or selling it a very quick process, as all you're doing in essence is forgetting the master encryption key (the file system key kept in a small, dedicated region of flash that Apple calls Effaceable Storage is securely erased), which renders the already scrambled data irretrievable. Wear leveling in the flash storage used in mobile devices nowadays makes this practical for another reason, as scrubbing every block (or page) on the storage device is neither reliable nor necessary to ensure that the data is unrecoverable. We'll look into more topics than just the data bits at rest though, including network traffic and VPN.
While it may seem consumer-focused, we can now use these devices along with NFC (short for Near Field Communication) for payments, and concerns over employer liability for identity theft on a company-owned device can raise serious concerns. Security professionals must be even more in touch with what their company's policies are on protecting the company's best interests, while still allowing end users to be productive and enjoy full use of the "perk" that an iOS device might provide. Luckily, many aspects of the iOS security model allow us to let the device roam untethered, and we can inform the end user how much data their device exposes when it is used normally and for everything a policy doesn't cover. Privacy also comes into play, so we'll touch on that as well.
To break it down, we'll discuss the following topics in this chapter:
Revisiting OS initialization
Passbook and Touch ID for Apple Pay
Introduction to iOS network communication
Privacy concerns with the Health App, HIPAA, and diagnostics
Configuration Profile Encryption
Secure boot and activating iOS
In a concept not unlike that of how Chrome OS ensures both the integrity of its firmware and that its kernel hasn't been tampered with (a feature Google calls verified boot), iOS verifies every stage of its startup and can apply field upgrades in the same secured fashion. When an iOS device starts up, it verifies the kernel and the rest of the read-only OS partition to confirm that it matches a particular signature. If the main OS partition is found to be nonfunctional, the process halts and the device drops into recovery mode (accompanied by the 'Connect to iTunes' screen); a device can also be forced into the lower-level Device Firmware Upgrade (DFU) mode, which shows nothing on screen, so that the firmware can be reflashed from a computer. This can also happen if a wipe and reinstall is interrupted when initiated by iTunes, Apple Configurator, or the user themselves by going into the General section of Settings and navigating to Reset | Erase All Content and Settings.
The process from the time you power on the device to when you land in user space is referred to as the secure boot chain. The Boot ROM, immutable code laid down at manufacture, holds the Apple Root CA public key and verifies the Low-Level Bootloader (LLB); the LLB verifies iBoot, and iBoot in turn verifies and starts the OS kernel, so every stage has been signed by Apple before it is allowed to run and one tampered stage breaks the chain. The device-specific UID key and the group GID key are also fused into the processor at the factory, but those anchor cryptographic operations on data (file and keychain protection) rather than the verification of the boot chain itself.
On devices that include the A7 or later ARM-based processor (in use since the iPhone 5s), there is a coprocessor within the SoC that is responsible for cryptographic operations and key management, referred to in marketing as the Secure Enclave. It shares the silicon with the application processor rather than being a separate chip, but it runs its own secure boot with its own software, and its memory is encrypted, so the highest importance is placed on keeping its functionality walled off from the processor's main function. It is not what starts the cellular baseband: the baseband runs a separate but similar secure boot sequence of its own, with signed firmware verified by the baseband processor, and its updates are also subject to the system software authorization described next.
Specifically, upon reactivation that is initiated by a manual erase or an OS restore, a validation process referred to as System Software Authorization is performed, which requires Internet access. A computer running iTunes or Apple Configurator can provide that conduit, or since iOS 5 and its PC Free features came along, you can connect to a Wi-Fi or cellular network to activate the device. As documented by Apple for some time in its iOS Security White Paper, there is a specific, cryptographically secured process through which an individual device identifies itself to Apple while requesting that the install continue: the device sends the measurements of each component to be installed along with its ECID and a nonce, and Apple returns a signature that is valid only for that device and that exact firmware, so a captured response cannot be replayed on another device or for another version. Activation itself is a further exchange with Apple's activation servers. Since Apple is the clearinghouse through which devices are allowed to run a specific OS version, older releases with known security flaws stop being signed and cannot be reapplied to an upgraded device, even though the device is capable of running them.
As we'll discuss in the next chapter, restoring a backup can skip this activation step on supervised devices, but that is a concern separate from the OS itself. A device running an older iOS version can therefore be erased without upgrading it, assuming that it has not been tampered with to fail verification.
Tip: Note that when an activation is required after an iOS installation on a cellular-capable device, a SIM card must be present. The activation request identifies the device by its ECID (a chip identifier burned in at manufacture, not something derived from the SIM) together with the SIM's own identifiers, so a device prepared with iTunes or Apple Configurator but with no SIM card inserted will hit an error and activation will fail.
One may ask, of the many devices still being sold by Apple with the older processor architecture, how do they perform the cryptographic operations that are necessary to function? Every model since the iPhone 3GS has had a hardware AES engine sitting between flash storage and main memory, so bulk encryption was never the problem; the randomness needed to generate keys is the more interesting question. A common technique on mobile devices is to gather entropy (unpredictable input) from the many sensors such as the gyroscope, accelerometer, or compass, and Apple's white paper describes seeding the system's random number generator from timing variations during boot and from interrupt timing once the device is running. The need for random numbers is obvious to anyone who is trying to build a secure system, since many key generation processes start by getting something distinct and sufficiently random to base a key's identity on.
Passbook and Touch ID for Apple Pay
We briefly touched on Touch ID in Chapter 1, iOS Security Overview, but more implementation details around timeouts and other key-related interactions are better described in Apple's own iOS Security White Paper (as they go to great lengths to make things as understandable as possible). At the time of writing, the most recent PDF was from October 2014 and it can be found at https://www.apple.com/privacy/docs/iOS_Security_Guide_Oct_2014.pdf.
As Touch ID should still just be considered an added convenience, sufficiently complex passcodes are, as always, recommended in all things that are security-related. The passcode remains the root of trust: iOS demands it instead of a fingerprint after a restart, after 48 hours without an unlock, or after five failed fingerprint matches, so a weak passcode is still a weak device.
Tip: If your customers or users are like ours, they will forget their devices' passcodes after getting used to using Touch ID. Therefore, make sure that you do not leave your customers in a situation without MDM management (or backups, if your organization encourages them), especially if the ActiveSync-based "failed password attempt" limit is configured. Once the threshold is reached, it will cause their device to be wiped. This happens without adequate time to get assistance more often than we would like.
In the White Paper mentioned earlier, the importance and utility of the Secure Enclave is detailed. It may have come into existence in part to make the Touch ID fingerprint functionality as quick and seamless as possible, so that there would be no bottleneck for the required computation. One may think from Apple's marketing of the Secure Enclave that it is a separate chip; it is in fact a coprocessor fabricated into the A7 and later SoCs, but with its own boot process and its own encrypted memory, so its software runs wholly apart from the application processor and the two never share memory or processor state while it carries out its functions. Fingerprint data, for instance, travels from the Touch ID sensor to the Secure Enclave encrypted with a key negotiated between the two, and the application processor never sees it.
How does this relate to Passbook? And how does a feature that most folks use for plane tickets (if ever) come into a discussion about security? Well, as we discussed previously, identity theft on a company-owned device could affect the company that provides the device to the employee, as evidenced by network equipment and mail systems that detect dangerous behavior like social security numbers being sent in plain-text e-mail correspondence. With its early popularity and probable success, Apple Pay, which is Apple's solution for NFC-based payments akin to Google Wallet, became an attractive target. Since Passbook is where Apple Pay presents its credit and debit cards, securing it is important; note that the real card number is never stored on the device, which instead holds a device-specific account number issued by the bank in the Secure Element. Luckily, there are only a few allowed vectors to get into Passbook, including the much-maligned QR code, and even then, there is limited functionality once a pass is installed.
Tip: The Passbook application has a built-in scanner that you can access by tapping on Scan Code from its splash screen, or by tapping the plus button in the top-right corner (if there's only one pass; otherwise, you'll see the plus button at the top, and it can be scrolled to when in the list view). This is the same process through which you would add payment cards.
For security reasons, neither addition stores the image to the Camera Roll on the device.
Figure: A Passbook pass, and one process by which passes or cards can be added
Among other restrictions, you cannot, for instance, have an active hyperlink on the front of a pass. You can, however, send a notification to a device with the pass installed, and push updates to the pass so that it will dynamically change its content. Passbook passes with an active state (such as the lead-up to boarding a plane) can be accessed when the device is locked, but updates to a pass can optionally be disabled in the pass itself, or both access to and notifications for Passbook can be disabled in the Touch ID & Passcode section of the Settings app or via a management system, along the lines of the restrictions that we'll demonstrate in Chapter 5, Mobile Device Management.
The attack vectors for Apple Pay haven't been exercised to the point that any working proofs of concept have been disclosed, but another quirk is that a pass can respond to location information. A pass can surface on the lock screen when the device is in the proximity of an iBeacon, Apple's branding for Bluetooth Low Energy transmitters, which achieves something along the lines of a supplemental technology to GPS. While iBeacons themselves don't collect any information, Passbook will continue to evolve as an area of the phone to remain interested in. Neither NFC-based Apple Pay nor Passbook is yet available on the iPad; however, in-app Apple Pay purchases work with the newest iPad hardware that has Touch ID.
Finally, one other note about purchases on the device is that when checking out from a web store, Safari may (when the site is a valid HTTPS one and certain fields are detected within the form) offer a prompt to use the camera to take a picture of the card that you'd like to make the purchase with and fill in the detected information.
Card payment systems and fraud in general in the U.S. have always been a sore spot when compared to other countries, in particular things like ATM transactions that are the poorest version of two-factor authentication: something you have (the physical card) and something you know (the PIN). While it's not particularly relevant to us, as we are not as concerned from a payment processing perspective, this seems to require the same amount of vigilance. Theoretically, one could take a photo of someone else's card, and through a coordinated attack involving social engineering, use it to authorize purchases. Apple can police this process, but as many concerns as there are about identity theft in general, there will always be that tradeoff between ease of use and protecting the system from abuse.
Introduction to iOS network communication
We discussed Safari and the predictive search features that are enabled by default as the most obvious network traffic, besides e-mail and applications like Twitter and Facebook that can be accessed from more places on the device due to having account information built into the OS. Weather, Stocks, and Siri's data providers are also allowed to use the network by default, although you can disable just cellular access granularly, per app, under Settings | Cellular. Speaking of which, depending on the carrier, swapping SIM cards (if that particular cellular-capable iOS model is carrier-unlocked) can be used to supplant international roaming plans by providing a number that is local to that place, or even just the data service as desired.
Besides this grab bag of overarching, networking-related concerns, we'll zoom in on AirDrop, using wired connections on iOS, VPN, proxying, and filtering.
AirDrop
A peer-to-peer way to share files on demand over an ad hoc Wi-Fi link with little or no setup has been present in the Mac OS for some time and it was added to iOS 7. AirDrop is this feature's branding, and it now does the initial detection of nearby devices over Bluetooth Low Energy: each device advertises short hashes of the e-mail addresses and phone numbers tied to its Apple ID, with Apple acting as the backend clearinghouse through which those identities were established at sign-in. This adds a degree of anonymity to the process of checking whether we know the person to whom we are sending the file (in Contacts Only mode, a receiver shows up only to senders whose hashed identifiers are already in its contacts), and it can populate the round icon representing the other device with the contact's locally assigned image. The file itself then crosses a direct, TLS-protected peer-to-peer Wi-Fi connection rather than the local network.
As of iOS 8 and OS X 10.10, Yosemite, computers can also perform this handshake and transfer of data with iOS devices. Due to its ease of use and lack of authentication before allowing the sending end to transmit (among other reasons), many IT departments disabled the early implementations of AirDrop on the Mac; on iOS, the equivalent is the allowAirDrop restriction, which is only available on supervised devices. Multicast traffic is less of a network-related concern when it is peer-to-peer and restricted to Wi-Fi, but identity verification with its associated metadata, among many other cryptographic processes that do hit the network, requires a significant amount of trust in Apple.
Tip: Note that this is one of the bigger issues that people with privacy and security concerns express about vendors who have made choices similar to Apple. This is also commonly discussed in relation to their iMessage service; part of the condition of using the service is that you must implicitly trust that Apple is properly securing and restricting access to the keys that the participants use, since Apple's directory is what hands a sender the public keys of the recipient's devices, and a dishonest or compromised directory could add a key that the recipient never registered.
Depending on the type of file that is being transferred, compatible applications are displayed on the receiving end to then take action. The following screenshot shows a device that has received a file over AirDrop:
A bug or a feature?
We long ago made the assertion that Apple cheats by being able to synchronize its software with its own hardware. Another maxim of Apple IT is that in general, Apple doesn't care about the developer community; Apple doesn't care about us. Their priorities could reasonably be arranged as follows:
The customers
Themselves, and their side of the overlap between partners and their platforms
Lastly, anybody else who would wish them well along the way to improve the experience of the first two
This is not new, nor should anyone expect them to change in the light of their success. However, they sometimes make it easier for all the parties involved by having an extensively shared code base between iOS devices. This includes another product, the Apple TV, which is often overlooked or discarded as not a serious endeavor, but from which we in IT get a surprise benefit: it includes Ethernet drivers to support its hardware, which in turn are present across all iOS installations ever since its smaller, hockey-puck form factor was introduced.
An unintentional bit of functionality that we gain from this is through a technique that involves the following things:
A powered USB hub
The Lightning to USB Camera Adapter (intended to connect a camera with an iOS device to import photos into iPhoto or other iOS applications)
An Apple USB Ethernet Adapter
By connecting the Lightning to USB Camera Adapter to the upstream port of the USB hub and the Ethernet Adapter to any downstream port, a device should be able to use this configuration to get on the wired network. While this part of the networking stack doesn't seem particularly optimized, forensic capture through more traditional means (mirroring ports, and so on) is possible without the involvement of any computer. (We will, however, cover Apple's supported processes to accomplish iOS packet tracing in Chapter 6, Debugging and Conclusion.) An illustration of this setup is documented in terms of passcode removal via MDM at https://www.afp548.com/2014/05/07/mdm-passcode-removal-from-an-offline-ios-device/.
Tip: Common human input devices such as barcode scanners or keyboards can be used with the Lightning to USB Camera Adapter for ease of input, and they are a great way to prevent folks from having to use their thumbs for data entry en masse. While the iOS device may bark that the accessory is not supported, you may add hidden functionality and significantly streamline interactions if all the hardware is compliant and it all goes well.
VPN (Always-On, APN, Per-App, On-Demand)
Since very early on, you have been able to configure and initiate a VPN connection in the Settings of an iOS device, which started with the more prevalent gateways in use (including flavors of Cisco IPSec, and the racoon-based L2TP/IPSec and PPTP services that OS X Server relies on). Now, there are more ways to tunnel traffic than you can figuratively shake a metaphorical stick at, with IKEv2 added in iOS 8. As the demand to enable more functionality on iOS is ever increasing, Apple has added support for RSA SecurID two-factor tokens in the built-in configuration settings as well.
As with other complex settings, you could also use a configuration profile to simplify the setup for end users, which we will touch on in Chapter 5, Mobile Device Management.
A newer feature, also available for use when configured with a profile or manually, is the ability to lock the device into tunneling all its traffic through a VPN tunnel with an Always On configuration. For an ordinary VPN, this is exposed to end users as an optional Send All Traffic slider, which the user can turn off again. For it to be managed so that it is locked in the ON position, a configuration profile with the Always On VPN payload (which, as of iOS 8, requires an IKEv2 gateway) needs to be in place and the device needs to be in a state called Supervision, which we will describe in detail in the next chapter; the device then sends no traffic at all on Wi-Fi or cellular until the tunnel is up.
The following screenshot shows a VPN connection, with options for RSA SecurID, Send All Traffic, and so on:
Figure: A VPN connection with options for RSA SecurID tokens and Send All Traffic
An older, more obscure method of securing data service access with the cooperation of your cellular provider is via an Access Point Name (APN) configuration, but it's not something that the authors of this book come across very often anymore in the real world. You may forgive the comparison of an APN to an extension of the corporate LAN, although with the popularity and tool set around VPNs becoming so commonplace, it's understandable that this cellular-only technique would fall by the wayside.
When paired with proper certificates and a configuration profile to define the domains that require a VPN connection, VPN On Demand enables on-the-fly connections to be made when a device tries to reach a given domain. The profile carries an ordered list of rules, each with match criteria (interface type, SSID, DNS server addresses, DNS domains, or a probe URL that must answer) and an Action of Connect, Disconnect, EvaluateConnection (connect only for the listed domains), or Ignore; rules are evaluated on every network state change and the first one that matches wins. This is how On Demand can be turned off when the device is 'on-network', and it is especially useful in split-domain DNS configurations. One caveat: an SSID alone is trivially spoofed, so a rule that drops the VPN on the corporate SSID should also require a probe URL that only answers from inside the network.
Per-App VPN is by far the most attractive option, as when an organization has provided an app they commonly also want to secure all the traffic that the app will generate. As always, however, the devil is in the details. A few VPN gateways and fewer apps are set up to enable this behavior. Organizations may find any of the more advanced implementations tricky, as you need a more sophisticated gateway setup with compatible hardware and software, which can also require significant preparation from a certificate infrastructure perspective.
The most simple and possibly hardest to manage are the specific apps on the App Store from VPN gateway vendors, some of which merely embed a web browser that allows you to connect to sites on a remote network once the connection is established.
Otherwise, you can just build all your workflows into an app such as Good, or wrap them into a container app that does all the network traffic and business interactions for you. Even more attractive is securing the transport and data at rest when interacting with your organization's applications and sidestepping all of this tomfoolery. Conjure to mind the meme of the character Boromir from The Lord of the Rings saying that one does not simply walk into Mordor, the twist being that one does not simply trust any client accessing your data to be properly secured even if it has provided valid credentials. But we can only go so crazy until it becomes prohibitive to restrict access that folks need to do their jobs.
Global HTTP Proxy, caching, and the web content filter
Due to concerns over and regulation of the network traffic of iOS devices in school environments, Apple started with a Global HTTP Proxy feature to enable the caching and proxying of traffic, with the additional benefit of working off-campus and on cellular devices. Vendors that specialize in ensuring the uptime of the service's gateway are important to partner with, and commonly network security appliances have taken on this role among their other services. As the proxy sees HTTPS connections only as opaque CONNECT tunnels (unless you also deploy a trusted certificate for inspection) and sees nothing of non-web protocols, it doesn't address many mandated regulations for protecting students in certain jurisdictions, but it was a start at alleviating some network inspection and caching needs.
Apple included a Caching Service in the 2.2 release of its Server application, which is distributed as an add-on to regular OS X. You can set this up and cache content for a NAT's local network in order to improve performance during OS updates or when other frequently accessed data is requested by many devices. We do not get many features with this solution though, as you cannot poison the cache to ensure that certain applications or content are made unavailable on your network. Some have resorted to hijacking DNS requests on port 80 to mesu.apple.com, for example, so that OS updates cannot take place while on-network. Other content that is enabled by default with this service is iTunes, iOS App Store, Mac App Store, and iBooks Store purchases along with Mac and iOS updates.
This is all, of course, only HTTP and it is more about relieving network load than limiting the type of content that is accessible on the devices. Only recently did Apple add the ability to subscribe to content filter updates for HTTPS sites, or granularly whitelist or blacklist sites. As discussed earlier, a reliable partner who understands your organization's policies is critical to implement a filter that doesn't become a hindrance or a block to your customers' productivity.
As discussed with the locking of Always On VPN settings, devices must be in the supervised state to use either Global HTTP Proxy or the web content filter. (This makes sense as a supervised device can have settings locked that end users cannot disable at will.)
Privacy-related concerns
Just as earlier when we discussed Apple Pay, you may find it odd to see a section on privacy, but as we said, these days with identity theft and other ways customers can leak data through social engineering, the concerns for organizations are more pressing. Practically speaking, it's just a lot of overhead when directory harvest attacks catch the less-astute employees who fall for tricks that cause them to hand over their credentials, and then administrators need to go through the process of locking them out and fixing their mailboxes.
Tip: Administrative overhead is the least of the concerns for larger, well-known internet companies that would be very embarrassed, at the very least, if their employees were phished or were clumsy with their credentials. It became public that one company in particular had deployed a plug-in to the web browser that they developed whose purpose was to detect when network credentials were being entered in an insecure or bogus form, thereby effectively preventing that method of exposure. The Mac admin community gets a lot of their ideas and best practices from this company, which rhymes with "froogle".
Just as there are regulations around processing credit cards (the most commonly known is the PCI, short for Payment Card Industry, Security Standards Council), there are healthcare industry standards around privacy which are included as part of HIPAA (or the Health Insurance Portability and Accountability Act). Part of this statute classifies certain pieces of health-related information to be protected, which includes a surprisingly broad range of data; even something as simple as names, when attached to data in a particular context, becomes sensitive and important to control access to.
We'll cover two examples of new ways the data is collected on iOS devices (and the iPhone in particular) to demonstrate how this is a constantly evolving topic that requires appropriate attention based on your dealings with the healthcare industry. Even colleges are trying to reduce the risk of lawsuits due to information in student records getting into the wrong hands, so hopefully you can work with the policy makers at your institution to craft appropriate policies.
Lesser-known ways for Apple to gather diagnostics
First, you may not realize how easy it is for Apple to be invited into the goings-on of their devices. Just recently we came across an iOS device that needed to be serviced. If you go to Apple's site and say that you would like to set up a Genius Bar, in-store technical support appointment, they can prompt you to send in identification and diagnostic data right there on the spot (presumably to deliver a better, more efficient experience). Further, to prove ownership over the phone, Apple can send a push notification with a PIN to a device logged into the iCloud account if you provide other identification information about the device.
Now, in the scenario that we just described for collecting identification and diagnostic data, you may think that there would be a high bar to have access to the mechanism that collects this data. However, there are self-servicing organization statuses that can be granted to large companies and institutions that do not want to get service through third-party service providers or the Apple Store's Genius Bar. While improving the repair experience for the customers of an organization, the devices that diagnostics can be run on are not, to our knowledge, limited to the ones purchased by the organization.
One would think the binding agreements placed on those with access to self-service organization status through a service provided by Apple called Global Service Exchange would prevent foul play. Through conversations with those who do have access to these diagnostics, we can report that there are few differences in what can be seen in diagnostic logs on the device. This service has a bit more hardware repair-related information that would be helpful for participating in recall or warranty upgrade programs that Apple is forced to do from time to time. For example, in the case of certain models of iPhone 5, there was a known issue where the home button lost functionality after being in use for a certain period of time, which was therefore made eligible for exchange.
As we will drive home in Chapter 6, Debugging and Conclusion, regarding the attack vectors a device is exposed to once pairing to a computer is allowed, one may consider this an acceptable trade-off for a better experience when the average consumer needs their device fixed. The data gathered and collectable is limited, but Apple will continue to dance this line between things like not showing their third-party developers much in the way of feedback from customers, to preventing too much exposure like the well-publicized deletion of the devices of a prominent journalist for Wired whose iCloud account was hacked into.
Health app
Another class of data that many would consider private is their activity. iOS 8 introduced frameworks to help the various healthcare companies that develop hardware accessories to interact with health data.
Note: Glaringly missing at launch, however, was a class of period tracking data for women. As third-party iOS apps have been built to track this from the beginning of the existence of the App Store, with recent standouts covering narrowly-targeted tasks relating to breastfeeding, this is rather odd. Developers couldn't even submit apps leveraging the framework until several revisions of iOS 8, and still, Nike Fuel is a notable third party that is able to leverage its data with a named inclusion in the Health app.
As of the launch of the iPhone 5s, a sensor which functions as a pedometer is included in all iPhones. Apple's marketing team branded the hardware that manages the caching and processing of health sensor-specific data the M7 motion coprocessor, with version numbering in sync with its in-house ARM line of processors, which is currently A8. This removes the need for as many external sensors on devices, like those left out of the design of the Apple Watch (that was proposed at the time of writing). Additionally, as of the Health app bundled with iOS 8, step and running data is tracked and displayed by default, whether you explicitly enable it or not.
You can see this combination of GPS and accelerometer sensors in action for yourself by noticing the step data logged in the Health app without any opt-in on your part. There are, in fact, no settings for the app whatsoever. Only privacy settings can be managed to disallow apps that have requested access to the warehouse of data stored within, whether the phone's own sensors logged it or an accessory was the original source. In the following screenshot, you will get to see automatically logged step and distance data:
Automatically logged step and distance data
One other thing that you can interact with could be a potential source of information leakage, but is implemented as an opt-in feature: an "in case of emergency" function.
Note: A story from a popular site by Dave Pell titled 'My Head is in the Cloud' recounts how his babysitter doesn't have her boyfriend's cell phone number memorized, and when she was injured and her cell phone was wrecked, they had no way to contact him. It's as if this feature was designed with this scenario (minus the destroyed phone) in mind.
You can add your information separately to what is then accessible by apps that tie into the Health app (and the HealthKit framework therein) so that from the lock screen's emergency call function (which has been there since the first iPhone, as federally mandated in the US) there will be a new text label in the lower left-hand corner: Medical ID. The following screenshot shows the screen that shows the information to aid first responders in case of emergencies:
Information to aid first responders in case of emergencies
This tells some vital statistics, and most importantly, in case the phone's owner is unable to communicate, whom to contact (or to be completely maudlin, the next of kin) with a handy call button next to it so that they are more likely to pick up the call.
Configuration profiles
If you have any familiarity with how OS X stores its configuration files, it would not be too much of a surprise to hear that a profile that was implemented for iOS management is also a specific flavor of XML. Instead of a central registry like you have on Windows, there are different, often granularly set files or (often sqlite3) databases with which an application or the operating environment itself is customized. However, this is not as important as the framework with which changes are enforced on the system, and so, a trip back to OS X would actually be useful, as that was what inspired much of the architecture of iOS.
Without management, changes can still be applied by touching key-value pairs in these XML files in what are called preference domains. The files themselves are referred to as property lists and carry the .plist file extension. A common binary used to interact with these .plist files at the command line is the defaults command, although system frameworks are exposed to scripting languages to directly interact with the underlying API.
As with a traditional directory service, however, settings can be inherited from a network-based central database, the payload for which on Windows is commonly group policy objects or GPOs. Macs have a framework that is referred to as Managed Client for OS X or MCX. By applying MCX settings to a computer or computer group, they would all have the same settings enforced no matter who used the device, but user or group-level settings would depend upon who's logged in. Just as with non-network aware preference domains, MCX-enforced property list files are stored near the local user and group database on the filesystem, where it is cached to maintain the settings off network. Admin users could optionally override any settings when logging in, for quick troubleshooting of configurations.
Instead of MCX as the delivery method, profiles came to the Mac as an additional way to manage settings in OS X 10.7 and became more powerful; now, a configuration profile can effect changes that MCX had not previously been able to, such as networking-related settings among others. The idea was to go back to the Mac and allow management systems to use the same format, XML files with the mobileconfig extension, in many cases applying the same settings. So, to recap, configurations can be set on the Mac through the following ways:
- Simple .plist files residing at the same location where they'd be found in a default installation, which can be interacted with via the defaults command
- The .plist files with specific MCX stanzas, which was the previous way in which you could implement management from a central user/group/computer database like LDAP
- Configuration profiles, which is the newer, cross-platform (between iOS and Mac) method of applying management settings
With configuration profiles, just like MCX, you can group computers and users or manage them individually. As we will demonstrate in Chapter 5, Mobile Device Management, the terminology used with the Server application's Profile Manager service is to use a device to refer to an iOS device or a Mac, and you can even inherit users and groups from Active Directory. The device level of management within a profile is called the System scope, whereas anything that would apply granularly to a User is called just that. The following screenshot shows an example of an Apple-flavored XML file, with the System PayloadScope, which means that it will take effect device-wide, instead of being scoped to a particular user:
An example of an Apple-flavored XML file, with the System PayloadScope, meaning it is to take effect device-wide instead of being scoped to a particular user
Notice that the DOCTYPE in the preceding screenshot specifically calls out Apple, and settings are structured with no particular ordering since it has a hash or dict (short for dictionary) as the base type. The following screenshot has more details on this 802.1x-specific configuration:
A Wi-Fi configuration profile, which would tell the RADIUS controller that Active Directory credentials will be used for 802.1x authentication
There is, however, no concept of binding an iOS device to a directory service, nor of different users having customized settings, whereas Macs can take both into account. Products even exist to manage settings for Macs within the same interface as GPO for PCs. For iOS though, the MDM service itself needs to be aware of the groupings and management settings which it can then act upon to hand down configurations to devices. This is in contrast to Macs, which can even be told to provide authentication to RADIUS controllers over Wi-Fi with Active Directory credentials at the login window, as shown in the preceding screenshot. If you deployed the profile pictured previously to an iOS device, it may very well ignore the unused options or fail altogether.
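As an added example that is not from the book, the following Python builds the kind of device-wide Wi-Fi/802.1X profile the screenshots describe and then lints the resulting .mobileconfig for the structural rules just discussed (dict base type, PayloadScope, per-payload identifiers). The organization identifiers, SSID and user name are constructed placeholders; the payload key names follow Apple's Configuration Profile Reference, and the documented default of a missing PayloadScope being User is relied on.

```python
import plistlib
import uuid

# Added example (not from the book): build a System-scoped Wi-Fi payload that
# uses 802.1X/EAP with a directory account, then lint the .mobileconfig.
# Reverse-DNS identifiers under com.example are placeholders.

REQUIRED_KEYS = ("PayloadType", "PayloadVersion", "PayloadIdentifier", "PayloadUUID")


def build_wifi_profile(ssid, username, scope="System"):
    """Return a profile dict; dict is the base type, so key order is irrelevant."""
    wifi_payload = {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.wifi.corp",  # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Corporate Wi-Fi",
        "SSID_STR": ssid,
        "AutoJoin": True,
        "EncryptionType": "WPA2",
        # Enterprise (802.1X) settings: EAP type 25 is PEAP; the user name is the
        # directory account that the RADIUS server will validate.
        "EAPClientConfiguration": {"AcceptEAPTypes": [25], "UserName": username},
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.profile.wifi",  # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Corporate Wi-Fi (802.1X)",
        "PayloadScope": scope,  # "System" = device-wide, "User" = per-user (Mac only)
        "PayloadContent": [wifi_payload],
    }


def to_mobileconfig(profile):
    """Serialize to the Apple-flavored XML plist form (Apple's DOCTYPE included)."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def effective_scope(data):
    """Report whether a profile applies device-wide or per user."""
    # Apple documents the default as User, so an absent key means user scope.
    return plistlib.loads(data).get("PayloadScope", "User")


def lint_profile(data):
    """Return a list of problems found in a .mobileconfig; an empty list is clean."""
    problems = []
    profile = plistlib.loads(data)
    if not isinstance(profile, dict):
        return ["top level must be a dict"]
    for key in REQUIRED_KEYS:
        if key not in profile:
            problems.append("top level missing " + key)
    if profile.get("PayloadType") != "Configuration":
        problems.append("top-level PayloadType must be 'Configuration'")
    scope = effective_scope(data)
    if scope not in ("System", "User"):
        problems.append("invalid PayloadScope %r" % scope)
    seen = set()
    for i, payload in enumerate(profile.get("PayloadContent", [])):
        for key in REQUIRED_KEYS:
            if key not in payload:
                problems.append("payload %d missing %s" % (i, key))
        payload_uuid = payload.get("PayloadUUID")
        if payload_uuid in seen:
            problems.append("payload %d reuses PayloadUUID %s" % (i, payload_uuid))
        seen.add(payload_uuid)
    return problems


if __name__ == "__main__":
    blob = to_mobileconfig(build_wifi_profile("CorpNet", "jdoe"))
    print(blob.decode()[:220])
    print("scope:", effective_scope(blob), "problems:", lint_profile(blob))
```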
Now that we have seen more about the format and how it's scoped to devices, let's look into the history of this management format. Apple's canonical reference of an interface with which to construct the settings available for managing iOS devices first appeared in a tool for Windows and Mac called iPhone Configuration Utility (or iPCU for short, which makes it sound like one of those places you can get an associate's degree on the internet). It was originally released back when the OS was called iPhone OS 2. (Really, it was OS/2 Warp. Now that was an OS!) When constructing a configuration profile, you would see management options grouped into sections in a sidebar on the left, and you would interact with various fields on the right. The following screenshot shows the configuration profile creation/editing in the iPCU interface:
Configuration profile creation/editing in the iPCU interface
You could even view logs (unlike the mere diagnostic reports we did earlier), which came in handy while you applied a profile to see where things went off the track when a configuration wasn't valid. The following screenshot shows the logged output (essentially syslog output in a console running on the device) displayed while applying a profile:
Logged output (essentially syslog output in a console running on the device) displayed while applying a profile
iPCU has been discontinued. It can no longer view logs on iOS 8 devices and it is no longer available to download for Windows or Mac. This is probably a good thing as it hadn't been updated since iOS 6. It launched the interface paradigm for many configuration profile interfaces and no Apple tool has yet replaced the ease-of-use of its console feature. See Chapter 6, Debugging and Conclusion, for details on libimobiledevice, which may have a similar functionality.
Tip: For essentially opening a console on an iOS device and viewing logs (as long as the device has been paired), one of our excellent technical reviewers, Jeremy Agostino, recommends iOS Console, which is available at http://lemonjar.com/iosconsole.
Signing, encryption, and delivery
When a properly configured and secure MDM pushes a configuration profile to a device, it will be signed as any piece of code should be that wants to prove its identity and be trusted by devices. It should also encrypt its payload to protect any sensitive data contained within. However, the usual delivery method, pulled over-the-air by the device once told to check in by Apple's Push Notification Service, is not the only transport mechanism.
When iPCU was the only way to construct a profile, you could either apply it locally over USB, or you could use one of the following options:
- E-mail it to each applicable device by way of the associated end user
- Put it on a properly configured web server (which would treat the mime type accordingly for access from mobile Safari on devices)
- Send it by a text message (remember, this predated iMessage)
Now, there are a few other tools that can apply a profile to a device, but otherwise, the non-MDM delivery mechanisms are unchanged.
To break down the format of configuration profiles that are available, you can leave the profile in plain text with no signature and edit it at will. This may be rejected or just not applied if folks refuse to continue after being presented with warning prompts when asked to install it.
You could sign but not encrypt the profile, leaving the payload and other contents able to be inspected in plain text. A barely recognizable text blob would precede and close the profile's main text, which is its signature, ensuring that it was not tampered with. If it was altered after signing, any subsequent installations would be refused.
Finally, the entire profile could be encrypted, making it rely on a working, compatible PKI relationship that is normally based on a Remote Management profile being installed on the device, which an MDM service would put on at enrollment time.
Note: Configuration profile signatures use the Cryptographic Message Syntax (CMS) standard. While not exactly simple, one could use openssl on various operating systems in tandem with a root certificate from a trusted certificate authority to apply signatures to configuration profiles, which devices will then see as trusted.
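The three states just described (plaintext, signed but not encrypted, encrypted) can be told apart by inspecting the blob, as in this added Python example that is not from the book: it spots the CMS signedData wrapper, pulls the embedded plist out of it, checks for the EncryptedPayloadContent key, and lists any secrets that remain readable without a decryption key. The sample profiles are constructed, and the "signed" one is only a stand-in wrapper carrying the DER markers a detector looks for, not a real signature.

```python
import plistlib

# Added example (not from the book): classify a .mobileconfig as plaintext,
# signed, or encrypted, and flag secrets that would travel in the clear.
# A CMS signedData blob is a DER SEQUENCE whose first element is the content
# type OID 1.2.840.113549.1.7.2; with openssl's -nodetach option the XML
# profile is embedded inside that wrapper rather than shipped alongside it.
SIGNED_DATA_OID = bytes.fromhex("06092a864886f70d010702")
SENSITIVE_SUFFIXES = ("Password", "Passphrase", "SharedSecret")


def is_cms_signed(blob):
    """True for DER or PEM-armored CMS; a plaintext profile starts with '<?xml'."""
    if blob.startswith(b"-----BEGIN"):
        return True
    return blob[:1] == b"\x30" and SIGNED_DATA_OID in blob[:64]


def embedded_plist(blob):
    """Extract the XML plist from a signed wrapper (heuristic: definite-length
    DER keeps the content contiguous between '<?xml' and '</plist>')."""
    start = blob.find(b"<?xml")
    end = blob.rfind(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no XML plist found in profile")
    return blob[start:end + len(b"</plist>")]


def load_profile(blob):
    """Parse the profile dict whether or not it is wrapped in a signature."""
    return plistlib.loads(embedded_plist(blob) if is_cms_signed(blob) else blob)


def classify_profile(blob):
    """Return (signed, encrypted); an encrypted profile replaces its payload
    array with enveloped CMS data under the EncryptedPayloadContent key."""
    return is_cms_signed(blob), "EncryptedPayloadContent" in load_profile(blob)


def _walk(obj, path, found):
    """Collect key paths whose string values look like credentials."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            if isinstance(value, str) and value and key.endswith(SENSITIVE_SUFFIXES):
                found.append(path + key)
            _walk(value, path + key + "/", found)
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            _walk(value, path + str(i) + "/", found)


def cleartext_secrets(blob):
    """Secrets readable without a decryption key; signing alone hides nothing."""
    found = []
    if not classify_profile(blob)[1]:
        _walk(load_profile(blob), "", found)
    return found


# Constructed sample: a plaintext Wi-Fi profile carrying a WPA2 pre-shared key.
PLAIN = plistlib.dumps({
    "PayloadType": "Configuration", "PayloadVersion": 1,
    "PayloadIdentifier": "com.example.wifi",  # placeholder identifier
    "PayloadUUID": "A1B2C3D4-0000-0000-0000-000000000001",
    "PayloadContent": [{
        "PayloadType": "com.apple.wifi.managed", "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.wifi.psk",
        "PayloadUUID": "A1B2C3D4-0000-0000-0000-000000000002",
        "SSID_STR": "CorpNet", "EncryptionType": "WPA2",
        "Password": "hunter2",  # constructed secret
    }],
})
# Constructed stand-in for a CMS wrapper: only the outer DER markers around the
# same XML, not a real signature (openssl smime -sign produces the real thing).
SIGNED = b"\x30\x80" + SIGNED_DATA_OID + b"\xa0\x80" + PLAIN + b"\x00" * 4
# Constructed encrypted form: the payload array is replaced by opaque data.
ENCRYPTED = plistlib.dumps({
    "PayloadType": "Configuration", "PayloadVersion": 1,
    "PayloadIdentifier": "com.example.wifi",
    "PayloadUUID": "A1B2C3D4-0000-0000-0000-000000000003",
    "EncryptedPayloadContent": b"\x30\x82\x01\x00" + b"\x00" * 16,
})

if __name__ == "__main__":
    for name, blob in (("plain", PLAIN), ("signed", SIGNED), ("encrypted", ENCRYPTED)):
        print(name, classify_profile(blob), cleartext_secrets(blob))
```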
Summary
This chapter was a bit of a grab bag of the more fundamental concepts of how the device handles encryption. Instead of being a complete derivative of Apple's iOS Security White Paper, we presented the newer quirks and real-world application of some of the topics around encrypting the main functions of the device. We discussed how the system is prepared at the factory with security in mind through its secure boot process. The addition of NFC payments via Apple Pay led us to investigate Passbook and its integration with Touch ID. Networking-related concerns like VPN, AirDrop, Proxies, and Filters were also discussed along with a way of utilizing a wired network connection. The Health app and Medical ID were toured briefly. Finally, we prepared for applying management by detailing what the actual files and formats are that manage settings on both iOS and Mac.
Bring Your Own Device (BYOD) programs often overlap with how regular consumers want to use what is, in fact, their device. While keeping that in mind, as professionals we need to balance control over our data with taking full advantage of the utility of the device. Hopefully, this also gets you thinking about privacy as a topic that goes hand-in-hand with security, and lays the groundwork for the application of management settings to bring about productivity in employees, which we'll be covering over the next two chapters.
Chapter 4. Organizational Controls
Now, we'll move on to explore the concepts involved in managing iOS devices from a central location on-premises. This includes device supervision, Activation Lock, Single App Mode, and more basic options presented by the old stalwart, ActiveSync. For most of the time, we will be looking at a tool called Apple Configurator that is developed by Apple. We consider it to be one of the easiest tools to recommend for environments that need more hands-on control when officially supporting iOS, either when migrating to a BYOD (short form for bring your own device) environment or in conjunction with an MDM. It fits a couple of specific workflows very well and has some features that are vital for hardening devices.
Besides Apple Configurator, which at the very least can provide a good reference for showing Apple's acknowledged use cases for starting with device management, we will also introduce Apple's Device Enrollment Program or DEP. Activation Lock is a thornier topic now, so we'll touch on this as well. Just to transition from Guided Access, which was covered in Chapter 2, Introducing App Security, we'll also discuss App Lock when we explain the difference between it interacting with Guided Access and Single App Mode. And, before we get into full-blown MDM in the following chapter, we will discuss ActiveSync as one of the original over-the-air management frameworks.
In brief, this chapter's topics are as follows:
- Apple Configurator
- Preparation, supervision, and assignment of iOS devices
- The distribution of apps with Apple Configurator and the Volume Purchase Program
- Activation Lock and Find My iPhone
- The Device Enrollment Program versus Apple Configurator
- App Lock and Single App Mode in contrast to Guided Access
- Refresher on what ActiveSync provides on iOS
Apple Configurator
Before the release of Apple Configurator on the Mac App Store, there were three other sanctioned applications for interaction with iOS devices: iTunes, Xcode, and iPhone Configuration Utility (iPCU). Xcode had the capability to connect multiple devices simultaneously, but even that functionality was limited for running tests on devices or for restoring a version of iOS. Still, we were without any concept of efficient, directly connected management tools, nor even the hint of integration with a directory service.
When the iPad was released, it did not come with a manual like a lawnmower, which shows you what its intended usage is and how to sharpen the blades. Apple just about said the same thing to its customers that it says to its developers, something to the effect of "we can't wait to see what YOU do with it", as if it was still an open question as to what its most popular use would be. Apple products have, however, historically been used extensively in education and the price was commonly a half to a third of the least expensive laptop Mac. This led to an influx of iPads in environments that might not have been particularly prepared to have so many computing devices on Wi-Fi. This leads us back to the lack of applications that allow tethered preparation and maintenance of many devices at once.
Perhaps, if customers that used Apple products for educational purposes in particular were asked what they wanted, as the paraphrased saying attributed to Henry Ford goes, they would have said a faster horse; instead they got Apple Configurator. We do not want to be repetitive, but we must recall that Apple's priorities are its customers first and foremost, and they sell an astounding amount of products to regular consumers. One may be inclined to cut them, and companies like Amazon who are selling to the general public with success, some slack, which is hard. Amazon's not trying to be CDW and Apple can't be everything to everyone (although that has never stopped the sprawl of iTunes, of which the Apple TV Assistant built into Apple Configurator has a faint whiff).
Back in Chapter 2, Introducing App Security, we mentioned the Volume Purchase Program (VPP) that Apple offers. This was an integral part of what was considered going into designing Apple Configurator, along with the Supervision concept that we've been hinting at throughout the book so far. However, before we get into that, let's discuss workflows.
Intended workflows
Of all the iOS form factors, at 9.6", the original and canonical iPad screen is comparably sized to 8.5" x 11" or an A4 sheet of paper, if you lose the margins and enjoyed staring at a light bulb all the time. (What? You don't prefer emissive screens?) If a telecom field worker has visited your home or business recently, you might have noticed that they now almost exclusively use tablets. Similarly, airlines have been giving their staff handheld devices for some time. When taking this rapid adoption of mobile devices into account, and recalling who Apple usually cares about when designing solutions, it may make more sense as to how Apple Configurator came into being.
An iPad can conceivably replace a utility worker's clipboard or a student's three-ring binders and streamline processes along the way. Airline pilots began demanding iPads to replace their ungainly and heavy binders of airport and route maps, which actually saved fuel due to the drop in weight. We can start to see that devices will be used in a multitude of ways, but a particularly apt case is high-service and quick-turnaround environments, loaded with the apps and data people need to get their work done.
Apple Configurator's release was groundbreaking in that it was a series of firsts:
- Applications could be handed out in bulk without MDM, and these apps could then be reclaimed
- Backups could be created and restored without iTunes, and restored or refreshed en masse
- New, more locked-down restrictions could be enabled
Educational institutions segment time into classes and they often gather devices in labs or carts. Hospitals and utility workers have shifts and can make a station around a time clock or a gathering place for devices, from where they can be checked in and out. It is widely reported that Apple does not have a colossal R&D footprint, so when they make a tool they have to please as many end users as possible. They don't have the resources to quality assure and develop features that can serve every market. Please keep all of this in mind as we discuss what Apple Configurator can do, with at least an understanding of why it doesn't make French fries four different ways.
The following screenshot shows the splash screen on starting Apple Configurator for the first time, which graphically introduces its three modes:
The splash screen on starting Apple Configurator for the first time graphically introduces its three modes
The interaction modes – Prepare, Supervise, and Assign
After acquiring Apple Configurator from the Mac App Store (it is free, but requires a Mac at this time), you're greeted with an image that breaks down its three cumulative modes of operation. First, there are the capabilities of the Prepare mode, which are as follows:
- Naming the device (this includes the option of sequential, numeric naming if you are preparing multiple devices at once, as it can handle up to 30 devices concurrently)
- Creating an (unsupervised) backup
- Applying a software update (which caches that version) and optionally, wiping the device in the process
- Importing, creating, exporting and/or applying configuration profiles
Finally, flipping a switch to move the device to the next mode, Supervision.
Flipping this switch to make the device become supervised changes the behavior of Apple Configurator's options. Therefore, you must then wipe the device and apply the most recent iOS update.
One might say that these distinctions help to prove that the device is indeed owned and under the control of the institution managing these devices, as it is assumed that regular people wouldn't let IT seize their property and remove all personalization or customization. (If they are like our customers at least.) However, Apple Configurator can easily be used in Prepare mode to lightly run an OS update, install a configuration profile, or even perform a backup and restoration.
Note: Our technical editor points out that the device must trust the computer running Apple Configurator first to even do these light tasks, as we'll exploit in Chapter 6, Debugging and Conclusion.
This helps us to clearly define the distinction between preparation and supervision, as the second layer's powerful functionality rests on top of the first. The last mode, Assign, has just two additions:
- First, you can leverage a local or network-based directory service
- Second, the data created by a user from the directory can be stored on the computer running Apple Configurator
This allows the user to check in or check out of data as well as sets of apps, and it can also aid in the distribution of documents to devices that have compatible apps installed on them. It may seem like we're jumping ahead to discuss the Assign mode, but that's really the only additional feature.
Other than that, as whiz-bang features go, if users from the directory service have images associated with their LDAP records, there is a preference to show these images on the lock screen when assigning devices. You will access it from the Apple Configurator menu in the top left-hand corner of the screen, under Preferences. However, the stars have never aligned to the point that we've seen that in use in the real world. The following screenshot shows, in Preferences, where an assigned device can be configured to use an image from LDAP:
In Preferences, where an assigned device can be configured to use an image from LDAP
The importance of supervision
Once the device has been wiped and updated by being tethered to a computer running Apple Configurator, you can take advantage of several options. These include:
- Customizing the lock screen image, as shown in the preceding image, optionally with the device's name or some other static text
- Enabling various network-related features including Always-On VPN, Content filters, Global HTTP proxy (as discussed in the previous chapter), and cellular data modifications
- Restricting various features such as the manual installation of configuration profiles, AirDrop, account modifications including Find My Friends, enabling other on-device restrictions, education-specific concerns like Siri's profanity filter, and whitelisting destinations or presetting passcodes for AirPlay
- Hiding (by which we mean disabling, to bring about the effect that the app is not shown) built-in applications like Game Center, iTunes Store, iMessage, Podcasts, or store components like In-App Purchase or the iBooks Store
- Stopping the removal of any other apps, including the ones that Apple Configurator may have installed, or preventing the addition of any so-called Internet accounts (such as Facebook, Twitter, and so on) or e-mail accounts
NoteRestrictingSafaridoesnotrequiresupervision,butitisacommonerrortobelievethatyou’llallowallthewebfunctionalityyouwantbyusingaWebClippayloadinaconfigurationprofile.Forexample,foraccessingyourintranetonly.IfyourestrictSafari,theappwillberemovedandWebClipswillnotevenlaunchifpresent.
Abiggerpointthaneventhesesettings,whichwereadvocatedbysomanyofApple’scustomersinlargeinstitutions,istheabilitytoinstallprofileswithzerotaps.IfthedeviceisstillinPreparemode,you’llneedtorespondtothepromptsonthescreentoacceptcertificatenotifications,learnaboutwhattheprofilewilldotothedevice,andeventually,install,andthentapondone,perprofile.Loadingaprofileontoasuperviseddeviceissilent.Infact,whenrestoringthebackuptosuperviseddevices,youdon’tevenneedtogothroughanysetuporactivationsteps.(MorerecentversionsofAppleConfiguratorcanallowsimilarbehaviorwithoutrestoringabackup,byselectingwhichpromptstoskip.)
Ifthiswasn’tasecuritybook,wecouldprobablystophere.However,byfarthebiggestpointfromasecurityperspectiveisthefactthat,bydefault,asuperviseddevicecanbedisabledfromconnectingtoanyothercomputerrunningAppleConfigurator.AnattackercannotpiggybackoniTunestotargetanotherdevicetoo.Thismitigatesmanyofthepairing-basedcomplicationsthatwe’llbediscussinginChapter6,DebuggingandConclusion.Infact,ifitwasdesirabletoallowmovinganycontenttothedevicefromanothercomputer,thedevicemustbedesignatedattimeofsupervisiontoAllowdevicestoconnecttootherMacs(bywhichtheyimplyPCsaswell).
Further,ifaspecificconfigurationprofilewitharestrictionpayloadisapplied,Allow
www.it-ebooks.info
![Page 138: Learning iOS Security · Table of Contents Learning iOS Security Credits About the Authors About the Reviewers Support files, eBooks, discount offers, and more](https://reader035.vdocuments.us/reader035/viewer/2022081613/5fba6052168d5e67cf1d1ce5/html5/thumbnails/138.jpg)
pairingwithnon-Configuratorhostsmustalsobeselected.Ifyouwantto,thiscanallowyoutooptionallydisablepairinglaterviaMDM,incaseitisnotclearwhetheryourenduserswillneeditatthetimeofsupervision,butifyouareusingAppleConfiguratortosupervisethedevice,thenitmustbeconnectedtothecomputeragain.Youcanseeeachofthesesettingsinthefollowingscreenshot:
Thetwosettingsthatmustalignfordevicestobeallowedtopairwithanycomputer
When discussing workflows, we said Apple Configurator is a good fit for high-service, fast-turnaround use cases, which leads to another big feature of supervision: the ability to refresh the device to a stored state upon reconnection. If this includes the restoration of a larger backup with many apps, this can be a more lengthy process, but in any case, all of the ingredients are cached locally in Apple Configurator's support directories. (Apps such as iMovie and Keynote run into hundreds of MBs and flash storage in general is optimized for reading and not writing, so it's good to measure if the cycle time meets your expectations.) This can essentially reimage the iOS device if Apple Configurator is open on the computer to which the device is attached.

Optionally, in the event you are not restoring a backup, you can also have apps and profiles that may have been added to the device deleted, so user training regarding supervised devices is very important. If this behavior is not desired for any reason, you must at least temporarily turn off these settings in Apple Configurator's Preferences, as shown in the following screenshot:

In Preferences, where supervised devices are configured to automatically refresh when they are connected
Apps, VPP, and Apple Configurator

When the usage model is one customer for one device, an MDM can prompt an end user for their Apple ID. Apple Configurator doesn't require a user that receives a device prepared by it to plug anything in, allowing shared usage models that just weren't possible before.

If an Apple ID is authorized for use on the computer running Apple Configurator, even if it is not associated with VPP, you can go ahead and import and distribute free applications. The recommended way to go about obtaining the .ipa files (the archived bundles that are iOS applications, as discussed in Chapter 2, Introducing App Security) is to download them from the App Store section in iTunes. However, no matter what ID the app was downloaded with (for example, if an iOS device already synched with the computer and backed up its purchases with iTunes), the DRM can be removed from the app bundle and imported with whatever Apple ID Apple Configurator wants to use. However, if you forget to authorize the computer in iTunes, you'd see the following error:

When an app to be installed on a device is imported without the associated Apple ID authorized in iTunes

Note: Keep in mind that the updates for any application installed with Apple Configurator are tied to the Apple ID it was imported with, which may have unintended consequences when it prompts for updates on every device.

This is especially true when the Apple ID has an e-mail address for the username that is not associated with your institution, because end users see it when prompted. We're not saying that this has happened to any of our customers.

If you have different groups that are sharing the same set of supervised devices, apps can go out and come back in if another setup is required where these apps shouldn't be present. Apple Configurator can group devices arbitrarily as you choose and apply settings as needed, and apps are one of the things that can come along for the ride.

These processes are just the same for paid apps that have been purchased under the VPP. It becomes very important, however, to follow Apple's guidance as to what version of VPP purchases should be chosen based on your use case. Also, you should be careful to not apply an app to a device if it has not been first put into the Supervise mode, as this will not allow you to reclaim the app code if you're relying on this method of app distribution.

While this is not necessarily pertinent for a security discussion, the online VPP portal from Apple provides an interface to download redemption codes for use with Apple Configurator, and it inquires internally how many of these have ever been applied to devices. The Apple Configurator interface helpfully provides feedback about how many have been redeemed per product and it provides a spreadsheet of codes as well. It may seem obvious, but do not use the same spreadsheet of codes with an MDM or other distribution methods.
Mass restoring and naming of devices

From a branding or support standpoint, having the icons consistently arranged with a standard home screen background is desirable. Although MDMs are supposedly gaining this functionality, the original way to do these customizations, whether in the Prepare or Supervise modes, is to create a backup. (Backups made from a device in one mode cannot be restored to another with Apple Configurator.) This often requires manual interaction and if you have an MDM, it would make sense to allow it to perform any applicable configurations. It's very straightforward in the interface where you would initiate the creation of a backup when you are in either mode, and you can even access the stored backups.

Apple Configurator also protects the throughput of the USB bus by limiting concurrent operations to somewhere in the range of three at a time.

Note: Note that the application is limited to 30 concurrent USB connections over a powered hub, which is obviously not the maximum for the protocol.

Also, keep in mind that except with very recent, specialized hardware, USB hubs can practically be considered addressless except for physical identification. The most reliable way to be confident that devices on a large hub are being named or otherwise prepared in a particular order is to attach each cable to the device in the sequence that you like.

Note that if you supervised a device and it is lost, stolen, or broken to the point that it cannot reconnect to Apple Configurator, you will lose any applicable app codes if you are using VPP. (Which is to say the original "redemption codes" version in comparison to the licenses model referred to in the VPP portal as "managed distribution", for use with MDM.) To reclaim the previously supervised device's name to keep your inventory neat, you can select it from the list in Apple Configurator and under the Devices menu, hold down the Option key. Unsupervise will change to Remove and you can prepare a new device to take that slot in the sequence. The same goes when a device is repaired and replaced with a device that has a different serial number, if you were not able to unsupervise the previous device before it left your possession.
Backup concerns

When there is a supervision relationship between many of your devices and you realize that only small workgroups or sets of devices fit in the Apple Configurator usage model, backups become crucial, and alternatives to prevent over-reliance or an abundance of hacky workarounds become attractive. Taking backups as the first topic, Apple ships built-in backup software called Time Machine that can be used to protect the computer that runs Apple Configurator, but it is limited in its capabilities. You can either directly connect a hard drive (which can be encrypted), or send the backup over the local network to a machine running a compatible endpoint. It is not optimized for over-the-WAN offsite backup, among other shortcomings.

To separately understand the files in use, first we'll reprise our talk about sandboxing. In a rare reversal of the "do as I say, not as I do" maxim, Apple is following its own rules with Apple Configurator by using the container model for its data storage, which puts the files it operates with away from the view of the user. It is literally deep within a hidden folder. You can reach it by navigating to Users | Current User (the current user's name) | Library | Containers | com.apple.configurator | Data | Library. Yes, the repetition is intentional.

Similar to Time Machine, Apple Configurator leverages links to refer to files outside of its sandbox for which it doesn't need write access. (Time Machine uses hard links to stub unchanged files from previous backups, which lets it present a complete set when you browse the most current folder structure in its storage destination.)

Another repeated pattern is the use of SQLite as the storage mechanism for the database of supervised devices and other inventory-related information. This is located in a subdirectory of the path listed earlier and you can go to it by navigating to Application Support | com.apple.configurator | AppleConfigurator.storedata. iOS software updates that are often full OS installations get cached within Firmware under Caches and apps imported into the program get stored in Resources, which you can reach by navigating to Application Support | com.apple.configurator.
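Because the container holds the supervision inventory, the cached firmware and the imported apps, a backup of the Configurator host is only useful if you can prove it restored completely. The following script is an added example, not code from the book or from Apple: it builds a hashed manifest of the container (recording symlinks without following them, and hard-link counts, for the reasons the chapter gives), groups entries by the subtrees named above, and diffs a manifest taken before backup against one taken from the restored copy. The default container path and the three subtree paths are taken from the chapter; the miniature container built by make_sample_container() is constructed test data.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Container location from the chapter; pass a different root to inspect a restored copy.
DEFAULT_CONTAINER = Path.home() / "Library/Containers/com.apple.configurator/Data/Library"

# Subtrees the chapter names, relative to the container's Library folder.
INVENTORY_DB = "Application Support/com.apple.configurator/AppleConfigurator.storedata"
FIRMWARE_CACHE = "Caches/Firmware"
APP_RESOURCES = "Application Support/com.apple.configurator/Resources"


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every path under root to its kind, size, hard-link count and SHA-256.

    Symlinks are recorded with their target and never followed: Configurator uses
    links to point at files outside its sandbox, so a backup that follows them copies
    data that lives elsewhere, and one that drops them silently loses the reference.
    """
    root = Path(root)
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):  # does not descend into symlinked dirs
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            if p.is_symlink():
                manifest[rel] = {"kind": "symlink", "target": os.readlink(p)}
            elif p.is_file():
                st = p.stat()
                manifest[rel] = {"kind": "file", "size": st.st_size,
                                 "nlink": st.st_nlink, "sha256": sha256_file(p)}
    return manifest


def classify(manifest):
    """Bucket manifest entries by the Configurator subtrees the chapter describes."""
    buckets = {"inventory_db": [], "firmware_cache": [], "app_resources": [], "other": []}
    for rel in sorted(manifest):
        if rel == INVENTORY_DB or rel.startswith(INVENTORY_DB + "/"):
            buckets["inventory_db"].append(rel)
        elif rel.startswith(FIRMWARE_CACHE + "/"):
            buckets["firmware_cache"].append(rel)
        elif rel.startswith(APP_RESOURCES + "/"):
            buckets["app_resources"].append(rel)
        else:
            buckets["other"].append(rel)
    return buckets


def diff_manifests(before, after):
    """Return (missing, added, changed) between a pre-backup and a post-restore manifest.

    'changed' covers a differing hash, symlink target or kind. Hard-link counts are
    ignored on purpose, since most backup tools rewrite them on restore.
    """
    missing = sorted(set(before) - set(after))
    added = sorted(set(after) - set(before))
    changed = []
    for rel in sorted(set(before) & set(after)):
        b, a = before[rel], after[rel]
        key = "target" if b["kind"] == "symlink" else "sha256"
        if b["kind"] != a["kind"] or b.get(key) != a.get(key):
            changed.append(rel)
    return missing, added, changed


def make_sample_container():
    """Build a constructed miniature of the container layout in a temp dir (test data only)."""
    root = Path(tempfile.mkdtemp(prefix="configurator-demo-"))
    (root / APP_RESOURCES).mkdir(parents=True)
    (root / FIRMWARE_CACHE).mkdir(parents=True)
    (root / INVENTORY_DB).write_bytes(b"SQLite format 3\x00" + b"\x00" * 16)  # fake header
    ipa = root / APP_RESOURCES / "Demo.ipa"
    ipa.write_bytes(b"PK\x03\x04 constructed ipa placeholder")
    (root / FIRMWARE_CACHE / "demo.ipsw").write_bytes(b"constructed firmware placeholder")
    os.link(ipa, root / APP_RESOURCES / "Demo-copy.ipa")            # hard link inside the tree
    os.symlink("/Users/Shared/outside.ipa", root / APP_RESOURCES / "outside.ipa")  # link outside sandbox
    return root


if __name__ == "__main__":
    root = make_sample_container()
    before = build_manifest(root)
    for bucket, paths in classify(before).items():
        print(bucket, paths)
    print("restore check:", diff_manifests(before, build_manifest(root)))
```

Run it against the real container by calling build_manifest(DEFAULT_CONTAINER) before the backup, storing the result, and diffing it against build_manifest() of the restored location; a non-empty "changed" list on the .storedata file is the case to worry about, since that is the supervision inventory.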
Configurator as chaperone

It is a common troubleshooting tip to turn up the verbosity of a process, look through the logs, and check any settings or configuration files. Mac folks have long gathered commands that enable hidden settings in preference files that are Apple-flavored XML files, just as we said was the case for configuration profiles. If you run defaults write com.apple.configurator LogLevel ALL (with the preference domain mapping to the path of com.apple.configurator.plist at Preferences by navigating to Users | Current User (the current user's name) | Library | Containers | com.apple.configurator | Data | Library), you will cause informational text built into the debug output of the application to be written to logs. You can then sift through this information by viewing system.log in the Console application inside the Utilities folder in Applications, if you're running as an admin user on Mac. (Otherwise, you can tail the system.log file by navigating to var | log if you can elevate yourself to an admin user from a shell.)

Sometimes, old code names for apps, devices, or features stick around in the inner workings of applications, and if you run defaults read on the preceding file (or open it in a binary plist compatible text editor such as Xcode), you'll notice the ChaperoneCertificateIssuer and ChaperoneCertificateSerial key/value pairs. Supervision may very well have used this Chaperone naming internally at Apple during development. Similarly, the name of the profile that Apple Configurator installs when supervising the device is referred to as com.apple.configurator.chaperoneprofile. The following screenshot shows the settings on a supervised device; this is an example of Apple Configurator's installed profile:

In Settings on a supervised device, this is an example of what Apple Configurator's installed profile looks like

In past versions of Apple Configurator, you would see that the console output also mentions the Boolean (true/false) value for the "chaperoned" property of a device that is being interacted with. This concept of a host having a responsibility relationship with the device helps further stress the importance of guarding the computer that is running Apple Configurator. If this machine is ever compromised (or perhaps even worse, experiences data loss), you would be in quite a pickle indeed.
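The preference file is a binary plist, so a script can audit it without defaults or Xcode, and the same script can sift system.log for the chaperone lines described above. This is an added example, not code from the book or from Apple; the plist path, the LogLevel key and the two Chaperone keys come from the chapter, while the preference values written by make_sample_prefs() and the log lines in SAMPLE_LOG are constructed, as is the "chaperoned: true" wording the regular expression looks for.

```python
import plistlib
import re
import tempfile
from pathlib import Path

# Location from the chapter; the file is a binary plist, which plistlib reads directly.
PREFS_PLIST = (Path.home() / "Library/Containers/com.apple.configurator/Data/Library"
               / "Preferences/com.apple.configurator.plist")
CHAPERONE_KEYS = ("ChaperoneCertificateIssuer", "ChaperoneCertificateSerial")

# Constructed system.log excerpt; only the format of the first column is realistic.
SAMPLE_LOG = """\
Mar  3 09:12:01 imac Apple Configurator[412]: Device connected: constructed-udid-0001
Mar  3 09:12:02 imac Apple Configurator[412]: chaperoned: true for constructed-udid-0001
Mar  3 09:12:05 imac kernel[0]: USB hub port 3 reset
Mar  3 09:12:07 imac Apple Configurator[412]: chaperoned: false for constructed-udid-0002
""".splitlines()

# Constructed pattern: "chaperoned: true", "chaperoned = false" and similar fragments.
CHAPERONED_RE = re.compile(r"chaperoned\W{0,3}(true|false|yes|no|1|0)\b", re.IGNORECASE)


def read_prefs(path):
    """Load the preference domain; plistlib handles both binary and XML plists."""
    with open(path, "rb") as f:
        return plistlib.load(f)


def audit_prefs(prefs):
    """Report whether verbose logging is on and whether the supervision identity is present."""
    return {
        "verbose_logging": prefs.get("LogLevel") == "ALL",
        "chaperone_identity_present": all(k in prefs for k in CHAPERONE_KEYS),
        "chaperone_issuer": prefs.get("ChaperoneCertificateIssuer"),
    }


def sift_log(lines, process="Apple Configurator"):
    """Keep the given process's lines and pull out any chaperoned true/false values."""
    hits = []
    for line in lines:
        if process not in line:
            continue
        m = CHAPERONED_RE.search(line)
        hits.append((line.strip(), m.group(1).lower() if m else None))
    return hits


def make_sample_prefs():
    """Write a constructed binary plist shaped like the chapter's preference file."""
    path = Path(tempfile.mkdtemp(prefix="configurator-prefs-")) / "com.apple.configurator.plist"
    data = {
        "LogLevel": "ALL",
        "ChaperoneCertificateIssuer": "constructed-issuer",
        "ChaperoneCertificateSerial": "constructed-serial",
    }
    with open(path, "wb") as f:
        plistlib.dump(data, f, fmt=plistlib.FMT_BINARY)
    return path


if __name__ == "__main__":
    target = PREFS_PLIST if PREFS_PLIST.exists() else make_sample_prefs()
    print(audit_prefs(read_prefs(target)))
    for line, value in sift_log(SAMPLE_LOG):
        print(value, "|", line)
```

On a real host, replace SAMPLE_LOG with the lines of /var/log/system.log; the audit's chaperone_identity_present flag is a quick way to confirm that a machine you are about to retire or rebuild is still holding a supervision identity that needs to be backed up first.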
Activation Lock and Find My iPhone

A boon for theft prevention (or a bust for the iOS device resale market) is the implementation of a new feature, as of iOS 7, by Apple called Activation Lock, which is an extension of iCloud's previous Find My iPhone feature. If you had an iCloud account configured with the setting on an iOS 7 device and it needed to be reactivated from scratch after a restore, the process would not have been able to proceed until that account's password was entered. This was felt to be a burden and a management headache for those who lent out devices regularly, but by some municipality's statistics, this alone reduced theft of iOS devices as they became practically useless.

Note: A few links to note:

- The citation for the claim that thefts (and the iPhone resale market) are impacted by this feature can be found at http://arstechnica.com/apple/2014/06/ios-7-activation-lock-cutting-iphone-theft-damages-resale-market/.
- Apple's Check Activation Lock Status page at https://www.icloud.com/activationlock/ for use before you buy or receive a phone.
- Look at Apple's guidance on how to deal with a device that is still locked (http://support.apple.com/en-us/HT201441) or preparing your own device for sale (http://support.apple.com/en-us/HT201351).

Apple, as the central clearinghouse of devices that must come onto the network and check in before being allowed to be activated, can theoretically ensure that devices can only be activated by their rightful owners.

To address the problem of institutions that want control over whether customers can enable this feature and do not find it desirable when they'd like to reprovision the device to another user, two techniques exist. The first one is that an MDM can block Activation Lock until a bypass code can be generated for the device and sent to the service for a certain window of time after an enrollment that is akin to a full disk encryption key escrow, which provides a distinct, non-identifying "get out of jail free" card so that you can reactivate the device without the presence of the previous iCloud-identified user. You can find more details at http://support.apple.com/en-us/HT202804 in Apple's documentation about how they recommend folks mix tools such as an MDM or Apple Configurator into their support procedures around Activation Lock.

The reference implementation of MDM for Apple, the Profile Manager service in their OS X Server app, has specific documentation on the Activation Lock bypass code at: http://help.apple.com/profilemanager/mac/4.0/#/apd94BD5B2E-6448-450D-B76F-605AEEEEC9D7.

The other technique to deal with Activation Lock is that by default supervision does not allow this feature to be enabled in the first place. Are you getting the idea that Apple really wants you to supervise your devices? Only if you then use an MDM that enables the feature (via escrowing a bypass code or otherwise) can devices use the feature. Even if the end user enables Activation Lock on a supervised device, putting the device into Recovery mode will allow you to wipe (or prepare or refresh) it as you see fit. If you're given a device that was not supervised before Activation Lock was enabled, you will get an error message that says that it is "Unable to check iOS".

Recovery mode is a state where the device has booted to its firmware and has been told that it needs a fresh OS installation. It previously showed a Connect to iTunes message with a USB connector, but now it shows an arrow from a lightning connector to the new red iTunes icon (http://support.apple.com/en-us/HT1212). You can also use a utility like RecBoot or others if you often find yourself recovering a forgotten password, but be sure to carefully evaluate and inspect applications that purport to do cool things to iOS devices, as they are not officially sanctioned by Apple and may be from compromised sources (http://jaxov.com/2010/05/recboot-iphone-recovery-mode/). The following screenshot shows a prompt that displays the error encountered when you try to prepare a device with Activation Lock enabled:

The error presented when you try to prepare a device with Activation Lock enabled
Addressing the rough spots

For years, Apple said you could try a stick-and-carrot approach, using HR policy and enticements to stop end users from removing MDM or supervision profiles, with the ultimate caveat being that end users could always wipe the device. iOS 8 finally delivered a more comprehensive way to ensure that the devices are managed after being given to end users. Now, there is a restriction on access to the setting that erases all data and settings if the device is supervised, but only DEP, which we'll discuss later, truly keeps the device locked to your MDM. You can also restrict the removal of profiles by setting passwords as needed for removal in an ad hoc manner.

Between the small (intended) workgroup scale, inflexibility regarding interaction with things like backups, and the singular, fat client-based point of failure, many have hoped that there were other options. GroundControl is a new product that can provide some of the powerful features and functionality of Configurator without its limitations. (Disclaimer: one of our technical editors is the lead developer on this project.) This cloud-based solution aims to put tight control of the deployment process in the hands of the stakeholders. You can learn more about this at https://www.groundctl.com.
DEP versus Apple Configurator

The Device Enrollment Program (DEP) is provided by Apple to alter the setup assistant so that devices can be unboxed by end users, but they are then forced to enroll into the MDM. DEP can also enable supervision without Apple Configurator. In fact, Apple recommends that you are not supposed to use devices that have DEP with Apple Configurator, at least while they are assigned to an MDM. Just as Activation Lock would cause trouble with Apple Configurator, DEP would like to kick in when the device is being activated, and this is not currently engineered into the product. Apple's documentation regarding the example use cases where DEP can be used with Apple Configurator is found at http://support.apple.com/en-us/HT201092.

To get going with DEP, a significant amount of paperwork is required such as associating Apple IDs, tracking down purchases, getting a D-U-N-S number if you don't already have one for your Apple Enterprise Developer account, and then connecting the DEP portal to your MDM. And even before all that, it may not be available in your country. The complete list of countries that have DEP can be found at https://deploy.apple.com.

The actual moving parts for setting up DEP with your MDM are mostly concerned with what you want to see as part of the setup assistant. There is also the option to lock the MDM profile and enable supervision.

Keep in mind that things such as supervision and locking down devices shouldn't be a concern when you're only supporting a BYOD program. However, there are certainly many important considerations to keep in mind when you transition from previously deployed and supervised devices to DEP. Just like supervision, you must wipe the device so that it always points to your MDM during setup. This brings us to a bit of a show-stopper for many, and that is the fact that you are not supposed to restore the backup taken from the same device that is now being associated with DEP.

This makes it sound like there isn't a real migration path for pre-existing managed devices. We are not making this up. For more information, you can refer to http://support.apple.com/en-us/HT202977. You are even expected to MDM-wipe or Apple Configurator-unsupervise devices before they can be considered active within DEP. For moving data, the following choice quote is included under Apple Configurator: Transitioning to Apple Deployment Programs:

When an iCloud backup is restored to the same device, all supervision and profiles come from the backup regardless of how it was configured in the Device Enrollment Program. For this reason, when restoring backups each user should transition to a new or different device to ensure Device Enrollment Program supervision and MDM enrollment are enforced.

When we filed a radar (bug report) on this behavior, the response received was "works as intended".
Guided Access versus App Lock versus Single App Mode

The previous section on Guided Access in Chapter 2, Introducing App Security, introduced us to the concept of putting the device into a mode where very little can go wrong with it, but this also limits it to a single purpose: locking the device to run only one app. Note that this would only be applicable for supervised devices. Apple Configurator can be told which app to run and the device will bypass the home screen after the device is woken from sleep. The previous guidance applies for making sure that you can get access to the Apple Configurator station in case it needs maintenance, or to make sure that the network access is reliable if using Single App Mode with MDM. In addition, ensure that the power settings are applied, as end users would need to put the screen to sleep manually since they don't have access to settings.

As Single App Mode allows ad hoc, over-the-air application of the profile to make the device enter this locked-to-app mode, you can first allow end users to set a passcode on the device before the home screen becomes inaccessible. While this allows it to remain locked when unattended, make sure you consider apps that prompt for authentication and allow you to log out if sensitive data or systems are to be used.
ActiveSync

You may get along very well without any of these tools that we've discussed so far. In addition, MDM is not particularly necessary if the ActiveSync protocol delivers the restrictions and security features that you need. The protocol was also adopted by paid versions of the Google Apps product and it is natively supported when you configure an Exchange e-mail account on iOS.

Many aspects of the server and Outlook Web Access interface work in exactly the same manner with iOS as they would with Blackberry, Symbian, Windows Mobile, Windows Phone, or an Android device. However, while the 14.0 version of the specification should be supported, the actual applicable settings have remained somewhat unchanged for years. Recently, Microsoft has been promoting various new products to manage mobile devices, which support the native management frameworks of each of the popular platforms.

As a refresher, management settings enforceable via the ActiveSync protocol are as follows:

- Wiping the device (if the device is lost or stolen)
- Enforcing a device passcode, with complexity, expiration, history, timeout before prompt, and failed attempt thresholds
- Allowing use of the camera (which was originally focused around courts or government-related buildings and contractors)
- Disabling sync while the device is roaming to help with data usage while you are outside normal cellular coverage

Further, via a configuration profile, you can limit how far in the past your mail is synced, along with other account-specific settings like certificates.
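The controls in the list above are delivered to the device as an EASProvisionDoc inside the server's Provision response, so reviewing what a mail server actually pushes means reading that document. The following is an added example, not from the book, Microsoft or Apple: it renders a policy as the XML form of the document (the wire format is WBXML, which is left aside here), parses one back, and checks the passcode, camera and roaming settings against a strict baseline. The element names follow the public MS-ASPROV schema as I know it and should be verified against the specification; the policy values, the PolicyKey and the wipe comment are constructed.

```python
import xml.etree.ElementTree as ET

NS = "Provision"  # MS-ASPROV namespace; element names assumed from the public spec

# Constructed strict baseline: 1/0 flags, seconds for the lock timeout, days for expiration.
DEFAULT_POLICY = {
    "DevicePasswordEnabled": 1,
    "AlphanumericDevicePasswordRequired": 1,
    "AllowSimpleDevicePassword": 0,
    "MinDevicePasswordLength": 6,
    "MaxInactivityTimeDeviceLock": 300,     # prompt for the passcode after 5 minutes idle
    "MaxDevicePasswordFailedAttempts": 10,  # device wipes itself after this many failures
    "DevicePasswordExpiration": 90,
    "DevicePasswordHistory": 5,
    "AllowCamera": 0,
    "RequireManualSyncWhenRoaming": 1,
}


def build_provision_doc(policy=DEFAULT_POLICY):
    """Render a policy dict as the XML form of a Provision response carrying an EASProvisionDoc."""
    root = ET.Element("Provision", xmlns=NS)
    pol = ET.SubElement(ET.SubElement(root, "Policies"), "Policy")
    ET.SubElement(pol, "PolicyType").text = "MS-EAS-Provisioning-WBXML"
    ET.SubElement(pol, "Status").text = "1"
    ET.SubElement(pol, "PolicyKey").text = "CONSTRUCTED-POLICY-KEY"
    doc = ET.SubElement(ET.SubElement(pol, "Data"), "EASProvisionDoc")
    for name, value in policy.items():
        ET.SubElement(doc, name).text = str(value)
    # A remote wipe is not a policy element; the server answers a later Provision
    # request with a <RemoteWipe/> element instead, so it is not modelled here.
    return ET.tostring(root, encoding="unicode")


def parse_provision_doc(xml_text):
    """Return {element: text} for the EASProvisionDoc, ignoring the namespace prefix."""
    root = ET.fromstring(xml_text)
    doc = root.find(".//{*}EASProvisionDoc")
    if doc is None:
        raise ValueError("no EASProvisionDoc in Provision response")
    return {child.tag.split("}")[-1]: child.text for child in doc}


def _int(settings, key, default=0):
    try:
        return int(settings.get(key, default))
    except (TypeError, ValueError):
        return default


def audit_policy(settings):
    """List deviations from the strict baseline for the four controls the chapter names.

    An absent element is treated the way a device treats it: no restriction applied.
    """
    findings = []
    if _int(settings, "DevicePasswordEnabled") != 1:
        findings.append("no device passcode required")
    else:
        if _int(settings, "AllowSimpleDevicePassword", 1) == 1:
            findings.append("simple passcodes (e.g. 1234) allowed")
        if not 0 < _int(settings, "MaxInactivityTimeDeviceLock") <= 900:
            findings.append("lock timeout missing or longer than 15 minutes")
        if _int(settings, "MaxDevicePasswordFailedAttempts") == 0:
            findings.append("no wipe after repeated failed passcode attempts")
        if _int(settings, "DevicePasswordExpiration") == 0:
            findings.append("passcode never expires")
        if _int(settings, "DevicePasswordHistory") == 0:
            findings.append("passcode reuse not prevented")
    if _int(settings, "AllowCamera", 1) == 1:
        findings.append("camera allowed")
    if _int(settings, "RequireManualSyncWhenRoaming") != 1:
        findings.append("automatic sync while roaming allowed")
    return findings


if __name__ == "__main__":
    xml_text = build_provision_doc()
    print(xml_text)
    print("baseline findings:", audit_policy(parse_provision_doc(xml_text)))
    weak = dict(DEFAULT_POLICY, DevicePasswordEnabled=0, AllowCamera=1)
    print("weak policy findings:", audit_policy(parse_provision_doc(build_provision_doc(weak))))
```

Whether "camera allowed" is a finding depends on the institution, which is why the function reports deviations rather than pass/fail; the point of the baseline is to make an explicit decision about each of the list's items visible in the audit output.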
Summary

Over the course of this chapter, we spent a lot of time investigating Apple Configurator. We discussed the Prepare mode, which can make lightweight, one-off changes as per your need. Supervision and user checkout or assignment sets up long-term management "chaperone" relationships with iOS devices. We went over how Apple Configurator distributes the older version of VPP app codes and how it can lock the device into an app. As Activation Lock helped to make a device's theft become less effective, supervision also provided a safety net for institutions by allowing them to reclaim devices via the Recovery mode. We also reminded you that before evaluating an MDM, many restriction-related features are actually available to ActiveSync as an alternative.

For security professionals, it may seem like Apple is clueless about the needs of large enterprises, and Apple Configurator may not help with that impression. But by providing best practices we're left with the most supportable management, which works with the platform instead of against it. Apple has pushed the idea of "tier zero" or "the new IT" as a hands-off, infinitely scalable solution where IT lets end users perform maintenance tasks and it doesn't need to build walls between work and personal data in everyone's devices. We can do our best work when we are protecting devices by concentrating on how little of the device needs to be managed, even if they are owned by institutions. Even when it seems that the controls that are available aren't of industrial strength, practical concerns are going to trump a tightly locked-down experience. Apple, its customers, and its developers still need room to experiment and bring real innovation and productivity to mobile devices.
Chapter 5. Mobile Device Management

Mobile Device Management (MDM) refers to the technology that allows the centralized management of mobile devices, including those that run Apple's iOS. Centrally controlling iOS devices is an absolute requirement for many large organizations. Centralized management is also becoming a necessity in smaller environments. There are a lot of products that can be used to manage devices. These range from tools such as the inexpensive Profile Manager built into the Mac OS X Server application to third-party tools such as AirWatch, MaaS360 (by IBM), MobileIron, JAMF's Casper Suite, and Bushel.

Note: In the interest of full disclosure, Bushel is being developed by one of the authors of this book. Bushel is represented here because of the depth of knowledge that the authors have of the product.

In this chapter, we will cover the following topics:

- Introducing MDM
- Using Configurator versus mobile device management
- Profile Manager
- Introducing Bushel

These are meant to showcase the technology and are not an endorsement of any single solution. The reason that it's hard to endorse any single solution is that each has specific strengths and weaknesses, and each should be considered independently according to the environment.
Introducing MDM

As mentioned, MDM is a technology that empowers you to centrally manage mobile devices. MDM's framework is developed by Apple and works using the Apple Push Notification service (APNs) to send messages from Apple. The notifications by the APNs do not actually contain commands or settings, but instead notify the device to look back at an MDM server, to pull commands that are waiting on the server.

MDM commands can wipe, lock, and perform other tasks on devices. MDM commands can also leverage profiles to configure settings on devices, similar to how we configured settings using Apple Configurator in this chapter. However, when configuring settings via an MDM solution, the profiles are installed over the air. This allows you to change settings daily or based on a device meeting a specific requirement. For example, with some third-party tools, you can wipe a device based on the geographic location of the device. MDM refers to the myriad of technologies that go into facilitating these transactions.
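The push-then-pull split matters for security: the message that crosses APNs carries only a wake-up token, so neither Apple nor anyone watching the push channel sees the lock or wipe command, and a forged push cannot make the device do anything its own MDM server has not queued. The following model of that exchange is an added example, not code from the book, from Apple or from any MDM product. It keeps the shape of the MDM protocol's plist messages (Status, UDID, CommandUUID, RequestType) but collapses HTTPS, TLS client certificates and the real APNs service into in-process calls; the UDID, push token and command parameters are constructed.

```python
import plistlib
import uuid
from collections import deque


class MDMServer:
    """Model of an MDM server: a per-device command queue plus an APNs wake-up."""

    def __init__(self):
        self.queues = {}       # udid -> deque of queued command dicts
        self.results = []      # (udid, CommandUUID, Status) acknowledgements received
        self.pushes_sent = []  # what actually leaves through APNs

    def enqueue(self, udid, request_type, **params):
        cmd = {"CommandUUID": str(uuid.uuid4()),
               "Command": {"RequestType": request_type, **params}}
        self.queues.setdefault(udid, deque()).append(cmd)
        return cmd["CommandUUID"]

    def push(self, udid, push_magic):
        """Send the APNs notification. Its payload is only the device's PushMagic token."""
        payload = {"mdm": push_magic}
        self.pushes_sent.append((udid, payload))
        return payload

    def handle_checkin(self, body):
        """Serve one device-to-server message on the MDM connect endpoint (plist body)."""
        msg = plistlib.loads(body)
        udid = msg["UDID"]
        if msg["Status"] != "Idle":  # result of the previous command
            self.results.append((udid, msg.get("CommandUUID"), msg["Status"]))
        queue = self.queues.get(udid)
        if queue:
            return plistlib.dumps(queue.popleft())
        return b""  # empty 200 OK: nothing queued, device stops polling


class Device:
    """Model of the iOS MDM client: wakes on push, then polls until the queue is empty."""

    def __init__(self, udid, push_magic, server):
        self.udid, self.push_magic, self.server = udid, push_magic, server
        self.locked = False
        self.wiped = False
        self.executed = []

    def on_push(self, payload):
        if payload.get("mdm") != self.push_magic:
            return  # stale or forged token: no check-in happens
        self.poll()

    def poll(self):
        reply = {"UDID": self.udid, "Status": "Idle"}
        while True:
            response = self.server.handle_checkin(plistlib.dumps(reply))
            if not response:
                break
            cmd = plistlib.loads(response)
            status = self.execute(cmd["Command"])
            reply = {"UDID": self.udid, "Status": status, "CommandUUID": cmd["CommandUUID"]}

    def execute(self, command):
        rt = command["RequestType"]
        self.executed.append(rt)
        if rt == "DeviceLock":
            self.locked = True
        elif rt == "EraseDevice":
            self.wiped = True
        else:
            return "CommandFormatError"  # unknown RequestType is reported, not executed
        return "Acknowledged"


def run_demo():
    """Queue a lock and a wipe, send one push, and let the device drain its queue."""
    server = MDMServer()
    dev = Device("CONSTRUCTED-UDID-0001", "constructed-push-magic", server)
    server.enqueue(dev.udid, "DeviceLock", Message="Property of Example School")
    server.enqueue(dev.udid, "EraseDevice")
    dev.on_push(server.push(dev.udid, dev.push_magic))
    return server, dev


if __name__ == "__main__":
    server, dev = run_demo()
    print("pushed over APNs:", server.pushes_sent)
    print("executed by device:", dev.executed)
    print("acknowledged at server:", server.results)
```

The two things to take from the trace are that pushes_sent never contains a command, and that the device only acts on what it fetched itself over its authenticated connection to the server it enrolled with.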
Configurator versus MDM

In Chapter 4, Organizational Controls, we looked at managing devices locally using the Apple Configurator. The Apple Configurator works by installing profiles on devices using the USB connection from the computer to the devices. This works great in certain environments, such as when you just want to load settings onto a device prior to giving it out to a user. However, for a number of scenarios, you will want to update devices over the air. And, for a number of other scenarios, you need to use Apple Configurator or a combination of Apple Configurator and an MDM solution.

As mentioned, there are a number of tasks that cannot be managed using an MDM solution. These include the following:

- Restoring data to devices
- Setting the background image of devices
- Upgrading devices
- Enabling supervision, with the exception of Device Enrollment Program (DEP) devices (DEP allows Apple devices to be tied to an MDM solution)

Apple Configurator, on the other hand, can be used for all of the preceding points, as well as enrolling into an MDM solution. It can also be used to supervise devices without an MDM, the benefits of which we discussed in the previous chapter. This makes using Apple Configurator a viable use case for the tasks it can perform; it also helps to automate the setup of a lot of devices.
The Profile Manager

There are a lot of providers with MDM solutions, such as Symantec, IBM, Sophos, JAMF Software, and others. We're going to use Profile Manager in this chapter, not because it's the best of them, but because it's an Apple product. The features of each MDM solution can be quickly and easily compared at http://www.enterpriseios.com/wiki/Comparison_MDM_Providers.

In this chapter, we will look at two solutions. The first is Apple's Profile Manager. This is a service included as part of the Server application, which runs on Mac OS X and is built by Apple. The Server app can be purchased from the Mac App Store for around 20 dollars (USD). However, the Profile Manager is not a complete solution for many; it lacks some scalability and ease of use that other vendors have built into their products. The second is a newcomer called Bushel. The Profile Manager requires an OS X Server, whereas Bushel is a SaaS solution.
Preparing the Profile Manager Server
As mentioned, Profile Manager requires a Mac running OS X Server. In many cases, this server is a simple Mac mini server. Before we get started with installing the Server application and showing how to use Profile Manager, prepare the computer that will be used as the server.
Tip: For testing, the server can be a virtual machine when running on Apple hardware.
Setting up Profile Manager involves preparing the server by configuring a static IP address on the OS X Server. Once you have installed the Server app from the Mac App Store, configure a static IP address using the Network System Preferences pane. Once done, you will need to properly configure a hostname.
The hostname in this example will be Yosemiteserver.krypted.com. When initially set up, a self-signed certificate is installed. It's simple to generate a CSR and install a certificate from a Certificate Authority (CA); however, doing so is beyond the scope of this example. Perform the following steps:
1. First, elevate your privileges by invoking bash with sudo:
sudo bash
2. Next, configure the hostname using the scutil command:
sudo scutil --set HostName Yosemiteserver.krypted.com
3. Then, configure the computer name using the ComputerName option with the scutil command:
sudo scutil --set ComputerName Yosemiteserver
4. Finally, configure the local hostname using the LocalHostName option with scutil:
sudo scutil --set LocalHostName Yosemiteserver
Note: The preceding ComputerName and LocalHostName operations can be performed using the Sharing System Preferences pane; however, we are doing it here since we are already in the command line and it's one less screenshot to take up half a page.
Once the names are properly configured, check whether they function properly using the changeip command:
sudo changeip -checkhostname
The output of the changeip command should appear similar to the following example:
Primary address = 192.168.210.201
Current HostName = Yosemiteserver.krypted.com
DNS HostName = Yosemiteserver.krypted.com
The names match. There is nothing to change.
dirserv:success = "success"
If the check is unsuccessful and you don't see success, you may need to do some work on the DNS resolution of the names:
1. When hosting your own DNS from within the Server app on the Profile Manager server, verify that the DNS server is set to the IP address used on the server.
2. When hosting DNS on an Active Directory-based DNS server or another non-local DNS server, verify that you have properly working forward and reverse records for the hostname and IP address combination in use on the OS X Server or the Active Directory integrated server.
3. From the Server app on the Profile Manager server or another Mac, click on the Websites service and then on the ON button (which would say OFF to start with). Don't configure anything else for the web server.
4. When the service starts, you will see the path to the default websites (/Library/Server/Web/Data/Sites/Default), and a View Server Website link will be displayed on the screen, as shown in the following figure:
The setup of the web service
Click on the View Server Website link at the bottom of the Server app. Then verify that the Welcome to OS X Server page loads. Doing so verifies that the web service (Apache) starts properly and is accessible.
Preparing Profile Manager
Once you see the Welcome to OS X Server page, click on Profile Manager in the Server app sidebar. Then, click on the Configure button, shown in the following screenshot:
The Profile Manager Service
The Configure Device Management assistant appears. Click on the Next button.
Many environments will have an existing directory service that the Profile Manager server connects to. If you connect to Active Directory, then Profile Manager will require an Open Directory master or replica to be accessible. If there is none, then click on Create a New Open Directory domain in the Configure Network Users and Groups screen (or go on to create the Directory Administrator account if prompted to do so instead). This directory service will be used for Profile Manager. If you have an existing directory service, then the existing service will be used for usernames and passwords, and the one you just created will only be used for Profile Manager.
If you're creating an Open Directory domain, click on the Next button. Then, provide an administrative username and password for Open Directory. The default username is diradmin. Click on the Next button.
When prompted on the Organization Information screen, provide the name of your organization and an administrator's e-mail address (the e-mail address to put on certificates), as in the following screenshot, and then click on the Next button.
Providing an organization's information
The settings you used are then displayed on the Confirm Settings screen.
Click on the Set Up button. If prompted to do so, choose a certificate (see the next screenshot) and then click on Next.
Configuring an SSL Certificate
For this example, we will use the self-signed certificate created by Open Directory and click on Next.
The APNs certificate establishes a trust relationship between Apple and your Profile Manager server so that push notifications can be sent to devices. You should use an institutional Apple ID for your organization (for example, <[email protected]>) rather than a private one (for example, <[email protected]>). Once you have entered the credentials for a valid Apple ID, click on the Next button.
Provided the Apple ID authenticates and everything works as intended, click on the Finish button to complete and exit the configuration assistant. The Configure button should then be gone. Once back at the Profile Manager settings in Server, select Sign Configuration Profiles, displayed in the following screenshot:
Signing your configuration profiles
From the Code Signing Certificate sheet, choose the appropriate certificate and click on the OK button:
Choosing a code signing certificate
Note: You can also import a certificate here if you have purchased a code-signing certificate.
Completing Post Configuration tasks
Enable the Include configuration for services option to automatically build your configuration profile settings for services hosted on the server (Mail, Calendars, VPN, and so on). If you use the Profile Manager server for other services, leave this option enabled; otherwise, disable it, as seen in the following screenshot.
Enabling configuration for services running on the server
Apple's Volume Purchase Program (VPP) allows you to buy apps on the Mac App Store or iOS App Store in bulk and distribute them to users. You can also revoke apps when employees leave your organization. VPP also allows you to manage iBooks. Profile Manager can help you distribute these apps and iBooks.
To enable the VPP features of Profile Manager, you will first need a VPP account, which can be obtained from deploy.apple.com. Once you have created this account, download your unique token file. Then, back in Profile Manager, enable the checkbox for Distribute apps and books from the Volume Purchase Program. Click on the Choose button and select the token file you downloaded earlier from Apple.
Once these apps are added, click on the ON slider (which would say OFF until clicked). Doing so starts the Profile Manager service. Once you see the URL to access your web interface, you can start managing devices using Profile Manager:
Accessing the Profile Manager service
Once the Profile Manager service is started, click on Open Profile Manager at the bottom of the Profile Manager settings screen. Authenticate yourself on the login page to manage your iOS and OS X devices.
Using Profile Manager
Once you log in, there are a ton of options. You can configure policies for devices and placeholders and get lost pretty quickly. Hence, we're going to provide a primer on configuring profiles and managing devices. The easiest way to get started is to use the Everyone profile. This profile allows you to configure profiles for services running on the server to deploy settings to all users enrolled on the server.
The Everyone group has a Restrictions section, which allows administrators to restrict access to various Profile Manager options. These include restricting access to the My Devices portal (we'll cover using My Devices for enrollment later in this chapter), locking of devices (an option within My Devices), and the ability for users to wipe their own Apple device.
Tip: DEP is a system that automatically configures Apple devices to join an MDM upon setup, which begins a process that users can complete. You can allow your users to automatically enroll via DEP here.
Activation Lock is a feature in iOS that prevents a device from being erased and reactivated without the Apple ID that was used to originally set up the Activation Lock feature. This can be challenging if users do not actually own their devices. When running supervised devices, you can disable Activation Lock or generate a bypass code to unlock a device that has been locked through Activation Lock, as shown in the following screenshot:
Logging into Profile Manager for the first time
Enrolling into Profile Manager
To manage a device, you must first enroll the device in Profile Manager. Enrollment is an opt-in procedure, unless the device is assigned to an MDM server via DEP. Use the URL of the server followed by MyDevices to access the My Devices portal, which is how users can enroll their own devices into Profile Manager. This brings up a list of profiles that can be installed manually.
Enrolling devices in Profile Manager
Tap on the Enroll button to enroll a device. When prompted, tap on Continue:
Installing profiles
You will receive an error if you are installing a certificate that hasn't been issued by a trusted third-party Certificate Authority (CA), which is the case with the self-signed certificate used in this example. As can be seen in the following screenshot, click on the Install button:
Accepting unverified profiles
Once you're enrolled, click on Profile in the Profiles section of the Settings app to see what settings are deployed and, optionally, to unenroll the device. Users can wipe or lock their own devices from the My Devices portal, or administrators can manage devices from the administrative portal.
Device management
As mentioned, you can then manage iOS devices from Profile Manager. The first task we'll cover here is enforcing a passcode policy for a group of devices. To do so, click on Device Groups in Profile Manager and select a group of devices.
A critical aspect of any management solution is being able to see the inventory information. The information shown includes certificates installed by the MDM solution, UDID, Last Checkin Time, Wi-Fi MAC and Ethernet MAC addresses, Device Model, and whether the personal hotspot is enabled. You can also see the apps that the MDM solution has installed and the restrictions that have been enforced by the MDM solution.
Passcode policies
Real-time management of devices is done using the Devices screen. Here, we can access machine-specific information and settings using the Settings (cog) button, as well as wipe and lock devices. Try to always use groups to deploy policies, as we do here. From Device Groups, select your group and then click on the Settings tab. Click on the Edit button shown in the next screenshot:
Device Groups
Since we're configuring a passcode policy, click on Passcode. The items in the left column are known as payloads. Click on Configure to set up the passcode payload. Check the box and enable Allow simple value, as shown in the following screenshot. Then, set the Minimum passcode length option to a number. We really like using four characters. Then, click on the OK button to save your changes.
Configuring passcode requirements
Okay! That didn't save your changes to the profile, only to that payload within the profile. Click on the Save button on the Save Changes? screen to finish the process. You'll know everything worked when the device prompts you for a new passcode if one is already configured.
Wiping a device is another common administrative task. Make sure you're using a device where you don't mind losing everything before you follow along with this example. To wipe a device, select the device from Profile Manager and then click on the Settings (cog) button, as you did earlier. This time, click on Wipe:
Wiping a device
When the Wipe screen comes up, click on Wipe. Because this is destructive to the data on the device, you'll be prompted to click on Wipe a second time. If you look at your device, note that it should instantly go black and then reboot.
Tip: If the device is DEP-enabled, it will automatically begin the enrollment process again once it joins a Wi-Fi network for the first time.
Introducing Bushel
In the interest of full disclosure, one of the authors of this book works at JAMF Software, the company that makes Bushel. It is a very simple, easy-to-use MDM that allows us to showcase, using a third-party solution, how to make changes on devices with the fewest number of screenshots, so we can fit them into this book.
Setup
You can set up a Bushel account from signup.bushel.com. When prompted for your company name, also provide a subdomain name, as shown in the following screenshot:
Configuring your organization in Bushel
When the form is filled out, click on Next.
On the initial screen, provide your name, e-mail address, and a password, as shown in the next screenshot. The administrative username for the account will then be this e-mail address. Click on the Create Account button:
Configuring your Bushel account settings
You will receive an e-mail from Bushel. Click on the Activate button in the e-mail. Click on Get Started and then provide the mail settings for your domain, or click on the Skip button to provide the APNs certificate so that you can enroll iOS devices into your Bushel account, as shown in the following screenshot:
The enrollment process
The enrollment process is similar to Profile Manager and other third-party MDM tools. Log in to your Bushel account, click on Enrollment, and when prompted to Enroll This Device, click on the Enroll button. When prompted with Who will this device belong to?, enter the username (most likely the part of the user's e-mail address in front of the @ sign, or the username for your e-mail system).
Provide the e-mail address as well, and then click on Enroll This Device. To enroll the device, use the default settings at each screen. You can also save the downloaded mobileconfig file (if using a Mac) and e-mail or text it to allow a user to enroll without visiting a website. You will need to leave the username field blank if you're distributing a profile to multiple people.
Restrictions
Apple built a feature called open in management in iOS. This feature protects company data in mail accounts, apps, and even Safari links distributed by an MDM.
One example of open in management: if you download Numbers and Box using Bushel and then purchase Dropbox using your personal Apple ID on the same device, you can then open a document that came in through Numbers using Box. However, you can't open that same document using Dropbox, because it was not supplied via the MDM service.
Bushel enables open in management by default on all accounts. The button says Protect corporate data on iOS devices. To verify that open in management is enabled, click on the Setup tab. Then, click on Security in the sidebar and look for Protect corporate data on iOS devices, as seen in the following screenshot:
Configure corporate data protection
Make sure you are using VPP to deploy your apps and verify that the iOS device is using the mail account deployed via your MDM, rather than a manually configured account. To check the mail account, open Settings, tap on Mail, and verify that the settings found there cannot be changed. We will cover the Volume Purchasing Program in the next section.
Volume Purchasing Program and MDM
VPP is a service provided by Apple that allows organizations to purchase apps in volume. Apps purchased in VPP and deployed through an MDM solution can also containerize data so that they only exchange data with apps deployed by that MDM solution. To deploy an app, simply click on Apps in the sidebar. If you have a .vpptoken file (a file you get from the Apple VPP portal), then you will see the apps purchased using the Apple VPP portal in your Library, as shown here:
Installation of Apps using VPP
Click on an app and then click on the Install button to deploy the app to all devices enrolled in your Bushel account. Then try to copy data out of that app into one manually installed from the App Store. Provided the copy fails, you have successfully built a walled garden for your app-based data.
Summary
We did a lot in this chapter, which is great. In Chapter 1, iOS Security Overview, we looked at configuring passcodes, and in Chapter 2, Introducing App Security, we looked at app data. Here, we managed both with very basic policies, deployed by inexpensive and easy-to-use MDMs. You can get a lot of complicated functionality from your MDM, if you choose. You can also do much more with the tools we covered in this chapter, so we hope you will explore everything these tools (and the other third-party MDM suites) have to offer.
In the next chapter, we'll conclude the book by turning our attention to the insides of the device, diving into debugging tools so you can dive even deeper into the abyss, that is, reverse engineering how these things work.
Chapter 6. Debugging and Conclusion
Every environment is different. Understanding the internal workings of an iOS device enables you to isolate items that you might consider to be a security threat for your particular environment that we haven't identified in this book. In addition, learning more about these devices is just plain cool! In this chapter, we're going to look at debugging and forensic data collection. These both showcase what kind of data can be pulled off devices and teach you more about the devices that you're securing.
As we've showcased throughout this book, Apple does a good job of protecting sensitive data on devices. In addition, application vendors have a lot of tools to keep your data secure as well. However, computers being what they are, some data can be obtained from them. In this chapter, we're going to cover the following topics:
Xcode
Diving deeper into libimobiledevice
App communications, such as identifying devices and network communications
Apple IDs and Apps
We'll be going through the common tools for debugging iOS, reverse engineering to see how things run under the hood, and leveraging that data for various use cases. This process starts with the tool that Apple provides for writing apps, which is called Xcode.
Xcode
Xcode is written and distributed for OS X by Apple. Xcode is used to write apps for both OS X and iOS, and it can be used to write scripts in various languages. Xcode also comes with a suite of tools that can be used to debug the apps that you're writing. These tools can also be used to view logs and watch what happens on devices when you're using them.
Xcode is available on the Mac App Store at https://itunes.apple.com/us/app/xcode/id497799835?mt=12, as you can see in the following screenshot:
Install Xcode from the Mac App Store
In order to install Xcode from the Mac App Store, perform the following steps:
1. Click on Install and wait for the installation to complete to get Xcode installed on your computer.
2. Once installed, open Xcode from the /Applications directory.
3. Choose Devices from the Window menu to see a list of devices that the computer can connect to.
4. Plug in the device.
5. Click on your device to see basic information about the device and then click on the View Device Logs button to view the device logs, as shown in the following screenshot.
The Xcode DEVICES screen
Note: At the bottom left of the Device Information pane is a Show/Hide button. Clicking on this displays the console of the connected device in real time.
6. The logs are then displayed. When reviewed, these logs provide a wealth of information about devices, as you can see in the next screenshot.
7. Right-click on a log and you can delete it from the device within Xcode. When you unplug the device, the log window closes.
Tip: You can also obtain Xcode from Apple's Developer portal if you would rather not use the Mac App Store to do so.
iOS Device Logs
Many of the same logs can be viewed on the Apple devices themselves by opening the Settings app from the home screen, tapping on Privacy, tapping on Diagnostics & Usage, and then tapping on Diagnostics & Usage Data. From here, you can tap on entries to see the same debugging information that is available in Xcode, as shown in the following screenshot:
Dive deeper with libimobiledevice
Xcode and other tools can be used to view logs on iOS devices. Another tool that is used to debug devices is called libimobiledevice. This is an open source project that is meant to help security researchers, developers, and administrators track the goings-on of iOS devices. The libimobiledevice library is available at http://www.libimobiledevice.org.
Installing libimobiledevice using Homebrew
I usually install libimobiledevice using Homebrew, as there are a few dependencies that can be a little annoying to install otherwise.
To install Homebrew if you haven't already done so, perform the following steps:
1. Elevate your privileges by running sudo and invoking a bash shell:
sudo bash
2. Run the following command:
ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
3. Once the command is executed, follow the prompts to complete the installation. Once Homebrew is installed, run the following brew command to download the required components and then libimobiledevice:
brew install -v --fresh automake autoconf libtool wget libimobiledevice
4. Then, install ideviceinstaller:
brew install -v --HEAD --fresh --build-from-source ideviceinstaller
Using idevicesyslog and idevicepair
Once this pair of tools is installed, you can plug in a paired device, unlock it, and use the following command to view the logs on the screen:
idevicesyslog
This is akin to running a tail against the device. Again, the device must be paired. You can use the command line (for example, if you're running this on Linux) to view the logs, but if you're not paired, you'll need to use idevicepair to pair your device, followed by the pair verb (which is very different from the pear verb):
idevicepair pair
You can also unpair a device using the unpair command:
idevicepair unpair
When pairing and unpairing, you should see the appropriate entries in /var/db/lockdown.
Using idevicedate and ideviceinstaller
The next option is date (very useful when scripting unit tests using this suite). To obtain this, use the idevicedate command; you do not need any operators or verbs:
idevicedate
Next, let's check the apps installed on a device. We can do this with the ideviceinstaller command (which is also part of the libimobiledevice suite of tools). Here, we'll use the -l option to just list what's installed:
/usr/local/bin/ideviceinstaller -l
The output shows each app along with the version of the app currently installed on the device:
com.apple.Pages - Pages 1716
To uninstall one of the listed apps, use the --uninstall option:
ideviceinstaller --uninstall com.protogeo.Moves
You can also install apps, provided you've cached the IPA file (for example, via iTunes):
ideviceinstaller --install /Users/charlesedge/Music/iTunes/iTunes\ Media/Mobile\ Applications/Box\ 3.3.0.ipa
Note: The preceding folder may differ depending on the version of the operating system your iTunes library was created with.
The preceding command returns the following output:
Copying '/Users/charlesedge/Music/iTunes/iTunes Media/Mobile Applications/Box 3.3.0.ipa' to device… DONE.
Installing 'net.box.BoxNet'
Install - CreatingStagingDirectory (5%)
Install - ExtractingPackage (15%)
Install - InspectingPackage (20%)
Install - TakingInstallLock (20%)
Install - PreflightingApplication (30%)
Install - VerifyingApplication (40%)
Install - CreatingContainer (50%)
Install - InstallingApplication (60%)
Install - PostflightingApplication (70%)
Install - SandboxingApplication (80%)
Install - GeneratingApplicationMap (90%)
Install - Complete
When it is run against a device, the app can then be opened like other apps, provided the user's Apple ID owns the app.
A provisioning profile is a profile that is used to install apps. These apps are usually located on a mail server that supports the ipa MIME type, and the profile defines the location from which to obtain the app. This forms the basis of the Wirelurker attack, where attackers replace an app by spoofing the domain of the app. There's also a command, ideviceprovision, that can be used to view installed provisioning profiles when it is run with the list verb:
/usr/local/bin/ideviceprovision list
As mentioned earlier, the ideviceprovision command can also install a provisioning profile; therefore, it can actually make the device install an app. This is done using the ideviceprovision command followed by the install verb and the name (and path, if the .mobileprovision file isn't in the working directory from where you're running the command) of the file that is being installed:
/usr/local/bin/ideviceprovision install angrybirds.mobileprovision
You can also remove a provisioning profile by feeding in its UUID, which is obtained using the list verb; replace MYUUID in the following command:
/usr/local/bin/ideviceprovision remove MYUUID
You can also put a device in recovery mode, so that it would need to be plugged into a computer that is running iTunes and get a new ipsw file installed, which is as simple as feeding the UDID into ideviceenterrecovery:
/usr/local/bin/ideviceenterrecovery af36e5d7065d4ad666bf047b6e4de26dd144578c
This brings up an interesting question: how would you get the UDID? You can use ideviceinfo to get this:
ideviceinfo
The ideviceinfo output shows more information about a device than I previously knew you could actually get. You can grep for UniqueDeviceID as follows:
ideviceinfo | grep UniqueDeviceID | awk '{print $2}'
This would just return the UDID. Since this is blank when no device is connected to the system, you can run a loop that waits for a few seconds while the UDID is empty and then uses that UDID as $1 in some scripts. Of course, it's much easier to use a command that was built for this, which is called idevice_id:
idevice_id -l
Next, you can use idevicediagnostics to obtain some information about the current state of the device:
idevicediagnostics diagnostics All -u af36e5d7065d4ad666bf047b6e4de26dd1445789
The idevicediagnostics command produces XML output with information about the device, such as how much battery life is left. You can also query the ioreg of the device, which shows what's plugged into the device:
idevicediagnostics ioreg IODeviceTree -u af36e5d7065d4ad666bf047b6e4de26dd1445789
The idevicediagnostics command can also do some basic tasks (where each task is sent as a verb without the required UDID), such as restart, sleep, and shutdown:
idevicediagnostics restart
The crash reports on a device (which include reports of uninstalled apps that forensically provide a glimpse into what apps were removed from a device and when they were removed) can be extracted from a paired device as well, using idevicecrashreport:
idevicecrashreport -e /test
Note: The preceding directory must exist prior to executing the command, and the current user must have permission to write to it.
You can then view the logs or grep through them for specific pieces of information:
cat /Test/Baseband/log-bb-2014-08-06-stats.plist
The last command that we're going to cover in this section is idevicebackup2, which is used to back up devices. Here, we're going to feed the UDID to it. I'm lazily using the idevice_id command from earlier, in backticks, to grab the UDID and back the device up into that /test directory when the device is unlocked.
idevicebackup2 -u `idevice_id -l` backup /test
Here, we've backed up whatever device is plugged in to the /test directory. The subsequent backups will be incremental.
As you can see, there are a number of tasks that can be performed on a device once it has been paired to a computer. This further emphasizes the fact that you should never pair your device to an untrusted computer.
You can also use the information obtained from these commands to troubleshoot and research a wide variety of things with regard to iOS-based devices. Having a backup, crash reports, and real-time logs, and making changes such as installing apps on devices, allows you to do regression testing, vulnerability research, and a lot more in general that you wouldn't be able to do otherwise.
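As an added example (not from the book), the following script strings the commands in this section together: it runs the polling loop the text mentions until a device shows up, checks the UDID it gets back, and collects diagnostics, ioreg, crash reports and an incremental backup into one directory per device. It assumes the libimobiledevice tools are on PATH; OUT_DIR and the function names are our own choices.

```shell
#!/bin/sh
# Added example, not from the book: wait for a paired device to appear, grab its UDID, then
# collect the read-only artifacts the chapter walks through (diagnostics, ioreg, crash
# reports, incremental backup) into one directory per device. Assumes idevice_id,
# idevicediagnostics, idevicecrashreport and idevicebackup2 from libimobiledevice are on
# PATH; OUT_DIR and the function names are our own choices.
set -u

OUT_DIR="${OUT_DIR:-/tmp/ios-collect}"   # the chapter uses /test; this default is constructed

# extract_udid: read "Key: Value" lines as printed by ideviceinfo on stdin and print the
# UniqueDeviceID value (nothing if the key is absent, e.g. no device attached).
extract_udid() {
  awk -F': ' '$1 == "UniqueDeviceID" { print $2; exit }'
}

# is_udid: accept only the 40-hex-character UDID form shown in the chapter.
# Assumption: newer devices print a longer dashed form, which this check would reject.
is_udid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-f]{40}$'
}

# wait_for_udid: poll idevice_id -l every $2 seconds for up to $1 attempts (the loop the
# chapter suggests); print the first UDID seen, or return 1 on timeout.
wait_for_udid() {
  attempts=$1; delay=$2; n=0
  while [ "$n" -lt "$attempts" ]; do
    udid=$(idevice_id -l 2>/dev/null | head -n 1)
    if [ -n "$udid" ]; then printf '%s\n' "$udid"; return 0; fi
    n=$((n + 1)); sleep "$delay"
  done
  return 1
}

# collect: run the chapter's commands for one UDID; every output lands under $OUT_DIR/<udid>
collect() {
  udid=$1; dir="$OUT_DIR/$udid"
  mkdir -p "$dir/crash" || return 1       # idevicecrashreport needs an existing, writable dir
  idevicediagnostics diagnostics All -u "$udid" > "$dir/diagnostics.plist"
  idevicediagnostics ioreg IODeviceTree -u "$udid" > "$dir/ioreg.plist"
  idevicecrashreport -u "$udid" -e "$dir/crash"
  idevicebackup2 -u "$udid" backup "$dir"  # first run is full, later runs are incremental
}

main() {
  udid=$(wait_for_udid 10 3) || { echo "no device appeared; is it plugged in and trusted?" >&2; return 1; }
  is_udid "$udid" || { echo "unexpected UDID format: $udid" >&2; return 1; }
  collect "$udid"
}

# Run only when asked, so the functions can also be sourced into other scripts.
case "${1:-}" in --run) main ;; esac
```

Invoke it as `sh collect.sh --run` with the device plugged in; the backup step prompts on the device if it is locked.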
App communications
Up until now, this chapter focused on viewing data on devices, obtaining logs, and making changes to devices themselves. Since listening to network traffic is the basis of most of the reconnaissance that is done on devices, we'll look at how to obtain more information about devices based on what goes over the network medium. This is done by first identifying the iOS devices on a network and then listening to raw network traffic using common tools such as Wireshark.
Identifying devices
For starters, you can identify all iOS devices easily as they listen on port 62078, which is a unique port. To verify that an iOS device is occupying an IP on a network, scan the IP address for that port. For example, here we use the built-in port scanner in OS X to scan an IP address on the network with an iPhone:
/System/Library/CoreServices/Applications/Network\ Utility.app/Contents/Resources/stroke 192.168.0.126 62078 62078
Listening to network communications
OS X has a command called rvictl that can be used to proxy network communications from iOS devices through a computer over what's known as a Remote Virtual Interface (RVI). To set up an RVI, you'll need the UDID of a device, and the device will need to be plugged into a Mac and paired to it. This may seem like a lot, but if you've followed what we have been doing until now, this should be pretty simple.
To set up an RVI, we'll perform the following steps:
1. First, we'll pair a device using the following command:
idevicepair pair
2. Then, we'll tap on Trust on the device itself. Then, we'll grab that UDID with idevice_id:
idevice_id -l
3. Next, we'll set up an RVI with rvictl and the -s option (here I'm just going to grab the UDID since I only have one device plugged into my computer):
rvictl -s `idevice_id -l`
4. Then, we can list the connections using rvictl with the -l option:
rvictl -l
5. Next, we'll run a tcpdump command using this newly constructed rvi0:
tcpdump -n -i rvi0
6. Next, we'll get a lot of logs. Let's fire up the Nike FuelBand app and refresh our status. While watching the resultant traffic, we'll see a line like this:
22:42:29.485691 IP 192.168.0.12.57850 > 54.241.32.20.443: Flags [S], seq 3936380112, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 706439445 ecr 0,sackOK,eol], length 0
There's an IP in this line: 54.241.32.20. We can look this up and we'll be able to see that the servers are sitting on Amazon Web Services, and on verifying it, we come to know that it's Nike. By watching the traffic with tcpdump, we can obtain GET, POST, and other information that is sent and received. Using Wireshark, we can get even more detailed data.
Overall, this book is meant to focus on the iOS side of information security and not on debugging and refining the approach to using tcpdump/Wireshark. The rvictl tool is a great tool in the iOS development cycle and for security researchers who are looking into the number of apps on iOS devices that exchange data.
Tip: While I've found that rvictl is able to show me pretty much anything I need access to, if you find any issues with it, go to https://github.com/libimobiledevice/usbmuxd. This is an open source project that is being developed more aggressively and can be used to do similar tasks.
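As an added example (not from the book), this script wraps steps 3 to 6 above: it brings up the RVI, captures for a fixed window, tears the RVI down again, and then summarizes which remote hosts the device opened new TCP connections to, parsing the tcpdump -n line format shown in step 6. It assumes macOS rvictl and tcpdump and a UDID argument; the function names and pcap file name are ours.

```shell
#!/bin/sh
# Added example, not from the book: capture an iOS device's traffic through an RVI for a
# fixed window, then summarize the destinations it opened new TCP connections to, using the
# "tcpdump -n" line format shown in the chapter. Assumes macOS rvictl and tcpdump are
# installed and that tcpdump is run with enough privilege to capture; names are our own.
set -u

# capture_rvi: start an RVI for UDID $1, capture tcp traffic for $2 seconds into pcap $3,
# and always remove the RVI again with rvictl -x so it does not linger after the session.
capture_rvi() {
  udid=$1; seconds=$2; pcap=$3
  rvictl -s "$udid" >/dev/null || return 1
  # rvictl names the first device's interface rvi0 (step 3 of the chapter)
  tcpdump -n -i rvi0 -w "$pcap" tcp 2>/dev/null &
  pid=$!
  sleep "$seconds"
  kill "$pid" 2>/dev/null; wait "$pid" 2>/dev/null
  rvictl -x "$udid" >/dev/null
}

# summarize_syns: read "tcpdump -n" text lines on stdin and print "dst_ip dst_port count"
# for every new outbound TCP connection, i.e. a pure SYN shown as "Flags [S],", most
# frequent destination first. Replies ("[S.]") and non-SYN packets are ignored, so the
# list is the set of servers the device reached out to, the lookup the chapter does by hand.
summarize_syns() {
  awk '$2 == "IP" && $4 == ">" && $6 == "Flags" && $7 == "[S]," {
         dst = $5; sub(/:$/, "", dst)            # "54.241.32.20.443:" -> "54.241.32.20.443"
         i = match(dst, /\.[0-9]+$/)             # the last dot separates port from address
         key = substr(dst, 1, i - 1) " " substr(dst, i + 1)
         count[key]++
       }
       END { for (k in count) print k, count[k] }' | sort -k3,3nr -k1,1
}

# report: replay a saved capture as text and summarize it
report() {
  tcpdump -n -r "$1" 2>/dev/null | summarize_syns
}

# Usage: sh rvi-summary.sh --run <UDID> [seconds]
case "${1:-}" in
  --run) capture_rvi "$2" "${3:-60}" rvi-capture.pcap && report rvi-capture.pcap ;;
esac
```

The same summarize_syns function works on a live `tcpdump -n -i rvi0` pipe, so you can watch an app's server list build up while you drive it.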
Apple IDs and Apps
One item that is not often covered when considering iOS security is the Apple ID that is used to manage a device. The Apple ID can potentially be used to wipe a device (for example, via the Find My iPhone app), restore a device's backup, or even view the purchased media (songs, movies, iBooks, and apps) that may not be available on a device.
When you uninstall an app, the app is still in your purchase history. As you can see in the following screenshot, you can get a fair amount of information about what someone uses a device for:
Apple IDs and Purchased History
The only way to prevent someone from looking at such information is to secure the Apple ID. Use strong passwords for these and change them from time to time. When an employee leaves an organization, you might also be able to reset their password using an e-mail address if the Apple ID uses a corporate e-mail address.
Forensics
So far, we've discussed looking at data on devices. When you use a device, unless you made a forensic image of the device prior to using it, you are tainting evidence. This is not a book on forensics, but we can let you know about some tools that will allow you to acquire a forensically sound image of a device without much fanfare.
Note: Many of these tools are only available to law enforcement professionals. Apple has recently gone to great lengths to make their devices "leak" less data, even to law enforcement. Since iOS 7, it's been practically impossible to brute force passcodes, and after Apple fixed the boot ROM exploits of the iPhone 4/iPad 2, it's no longer possible to obtain an image of the device's flash storage for offline analysis.
The following links are available to help you properly acquire evidence from iOS devices and computers that access iOS devices:
iOS Forensic Toolkit: http://www.elcomsoft.com/eift.html
Mobilyze: https://www.blackbagtech.com/mobilyze.html
AccessData Forensic Toolkit: http://www.elcomsoft.com/ios-forensic-toolkit.html
Lantern: https://katanaforensics.com/products/
Blacklight: https://www.blackbagtech.com/forensics/blacklight/blacklight.html
iPhone Backup Analyzer: http://ipbackupanalyzer.com/
Oxygen: http://www.oxygen-forensic.com/en/
Forensic Hardware: http://www.cellebrite.com/
iXAM: http://www.ixam-forensics.com/devices.asp
SecureView: http://mobileforensics.susteen.com/
Tip: Many of these tools can also brute force passwords that are used on devices. However, this might be a lengthy process.
A basic tool that doesn't need to be purchased through law enforcement but can interact directly with a device is iExplorer from Macroplant. This tool does not expose items that are in secure enclaves on the device, but it allows you to have a lot more access than what you would otherwise have. iExplorer allows you to view Contacts, Messages, Notes, Safari's history, backups, and some app data. As you can see in the following screenshot, once it is installed, you can view Safari's browsing history:
Macroplant's iExplorer
As you can see in the following screenshot, you can also view books and other forms of media in the folders in which these items are stored on the device. A user can access these folders without jailbreaking a device.
Viewing iBooks Data
To go further into a device and view preferences, operating system files, and so on, you will need to jailbreak it and use a tool such as iFunBox or iFile via Cydia, which is an app store for jail-broken devices. iFunBox is a Mac/Windows tool for examining the device's filesystem and iFile is an app that you can install on jail-broken devices. Since iOS 7, you'll need to install a hacked Apple File Conduit (AFC2) from Cydia on a jail-broken device to access anything outside the normal sandboxed AFC areas of the device. (See https://cydia.saurik.com/info/com.saurik.afc2d/ for more information on this.)
Tip: For more information on jailbreaking devices, search for the term Jailbreak together with the model of device you have on Google. A lot of sites on jailbreaking come and go, so we're not going to include a link here, but it's worth checking out how people go about such things and the limitations on devices once they're jail-broken.
Application security
Earlier in this chapter, we covered how to obtain more information about how applications communicate with servers. Here, we're going to take a brief look at how you can obtain more information about the data and/or binaries within an app. In apps, these are usually compiled, so you will not typically see raw source code. Most application vendors will not provide you with access to their source code either.
IPA files are zipped application bundles. You can unzip them before attempting to disassemble the binary. To do so, you can right-click on an IPA file and open it with Archive Utility to quickly unzip an app bundle. Inside the resulting folder, you'll see a Payload folder that contains the app itself. Once you can see the app, you can view the package contents of the app bundle and locate the binary file within. Unfortunately, in many cases, although you can view the strings, attempting to disassemble an iOS app binary with a tool like Hopper can be fruitless because apps from the App Store are usually encrypted.
Ad hoc and enterprise distribution apps can be examined with these tools; however, many enterprise app developers use obfuscation techniques or wrappers to reduce the usefulness of disassembly on their production binaries.
In summary, these disassembly techniques probably aren't useful to the reader in any meaningful way. Unless you are an experienced developer with some assembly language knowledge, disassembly of even a simple unencrypted binary of any sort isn't likely to help you learn anything.
Viewing an App
There are a number of tools that can help you to obtain more information about an app. You can use the command line to view the contents of a file, and even though it is compiled, there's still a fair amount of information that can be derived from an iOS application file (an IPA file). To do this, simply use the cat command on a file from your app library:
cat /Users/charlesedge/Music/iTunes/iTunes\ Media/Mobile\ Applications/Amex\ 4.6.0.ipa
You can also view data in the file without all the special characters using the strings command:
strings /Users/charlesedge/Music/iTunes/iTunes\ Media/Mobile\ Applications/Amex\ 4.6.0.ipa
There are also disassemblers that have different levels of luck in obtaining information about a file. For example, Hopper Disassembler can be purchased from the Mac App Store at https://itunes.apple.com/us/app/hopper-disassembler/id422856039?mt=12. The following screenshot shows the Hopper Disassembler:
Hopper Disassembler
There's also a tool called Clutch, which is available on GitHub at https://github.com/KJCracks/Clutch. Clutch must be run from a jail-broken device, so it requires a somewhat thought-out method to decompile code; however, it is able to obtain more data than any other tool that we've seen.
There are many books available online that can help you to understand native programming languages if you aren't already familiar with them.
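As an added example (not from the book) covering both the Application security and Viewing an App sections, this script unpacks an IPA the way the text describes (a zip with a Payload folder), finds the app's main binary, checks the LC_ENCRYPTION_INFO load command to tell whether the binary is App Store encrypted before you spend time in a disassembler, and dumps its strings to a file for grepping. It assumes macOS unzip, PlistBuddy, otool and strings; the function names are ours.

```shell
#!/bin/sh
# Added example, not from the book: unpack an IPA (zip with Payload/<name>.app), locate the
# main executable, decide from otool's LC_ENCRYPTION_INFO output whether it is FairPlay
# encrypted (cryptid 1) and therefore not usefully disassemblable, and write its strings
# to a file. Assumes macOS unzip, /usr/libexec/PlistBuddy, otool and strings; names are ours.
set -u

# is_encrypted_from_otool: read "otool -l" output on stdin; succeed if an
# LC_ENCRYPTION_INFO(_64) command carries "cryptid 1", fail if it is 0 or absent.
is_encrypted_from_otool() {
  awk '/LC_ENCRYPTION_INFO/ { in_enc = 1; next }
       in_enc && /cryptid/ { if ($2 == 1) found = 1; in_enc = 0 }
       END { exit found ? 0 : 1 }'
}

# app_binary: print the path of the main executable inside an extracted IPA directory,
# reading CFBundleExecutable from the bundle's Info.plist (binary plists are fine here).
app_binary() {
  app=$(find "$1/Payload" -maxdepth 1 -name '*.app' | head -n 1)
  [ -n "$app" ] || return 1
  exe=$(/usr/libexec/PlistBuddy -c 'Print :CFBundleExecutable' "$app/Info.plist") || return 1
  printf '%s\n' "$app/$exe"
}

# inspect_ipa: unzip IPA $1 into a temp dir, report the encryption state of its binary, and
# dump printable strings of the binary (not of the compressed zip) to $2.
inspect_ipa() {
  ipa=$1; out=$2
  tmp=$(mktemp -d) || return 1
  unzip -q "$ipa" -d "$tmp" || return 1
  bin=$(app_binary "$tmp") || { echo "no app bundle found in $ipa" >&2; rm -rf "$tmp"; return 1; }
  if otool -l "$bin" | is_encrypted_from_otool; then
    echo "$bin: encrypted (cryptid 1); a disassembler will only see the encrypted image"
  else
    echo "$bin: not encrypted (ad hoc/enterprise build, or already decrypted)"
  fi
  strings "$bin" > "$out"
  echo "strings written to $out"
  rm -rf "$tmp"
}

# Usage: sh inspect-ipa.sh --run <file.ipa> [strings-output-file]
case "${1:-}" in
  --run) inspect_ipa "$2" "${3:-app-strings.txt}" ;;
esac
```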
Summary
There are a number of places where we stopped ourselves from writing more in this chapter. This chapter does not provide in-depth information about packet capturing, forensic acquisition, application development, or iOS system internals. Instead, similar to the rest of the book, we are pointing you towards the necessary content to do more if you choose.
The authors of this book are strong proponents of the hacker mentality. There really isn't much more security information about devices that is available without jailbreaking devices or accessing Apple's Developer portal at http://developer.apple.com. We do hope that you will do them both at some point. We don't believe that you can fully secure a jailbroken device, so you should, therefore, refrain from putting them into production. However, we also believe in learning as much as we can, which means eventually jailbreaking a device and seeing what really makes those little Speak-and-Spell apps tick.
Index
A
AccessData Forensic Toolkit: URL / Forensics
Activation Lock: about / Activation Lock and Find My iPhone; references / Activation Lock and Find My iPhone
ActiveSync: about / ActiveSync; management settings / ActiveSync
advanced options, Safari: Website Data / Safari and built-in App protections; JavaScript / Safari and built-in App protections; Web Inspector / Safari and built-in App protections
AirDrop: about / AirDrop
Always-On: about / VPN (Always-On, APN, Per-App, On-Demand)
app: signature verification process / Installing apps; communication / App communication; Handoff and Continuity / Handoff and Continuity; data storage / Sandboxing and App data storage; viewing / Viewing an App
app communications: about / App communications; devices, identifying / Identifying devices; network communications / Listening to network communications
Apple: URL, for documentation / Activation Lock and Find My iPhone
Apple Configurator: about / Apple Configurator, Apps, VPP, and Apple Configurator, Introducing MDM; intended workflows / Intended workflows; interaction modes / The interaction modes – Prepare, Supervise, and Assign; supervision, significance / The importance of supervision; mass restoring / Mass restoring and naming of devices; devices, naming / Mass restoring and naming of devices; backup concerns / Backup concerns; as chaperone / Configurator as chaperone; versus DEP / DEP versus Apple Configurator; versus MDM / Configurator versus MDM
Apple File Conduit (AFC2): about / Forensics
Apple IDs: about / Apple IDs and Apps
Apple Push Notification service (APNs): about / Introducing MDM
Apple TV: about / A bug or a feature?
application security: about / Application security
AppLock: about / Single App mode, AppLock, and Guided Access; versus Single App Mode / Guided Access versus AppLock versus Single App Mode; versus Guided Access / Guided Access versus AppLock versus Single App Mode
apps: installing / Installing apps; store access, blocking / Blocking access to the App Store; about / Apps, VPP, and Apple Configurator, Apple IDs and Apps
B
Backup keybag / Viewing iOS data in iTunes
backups: taking, iTunes used / Taking backups using iTunes
Blacklight: URL / Forensics
built-in App protections: and Safari / Safari and built-in App protections
Bushel: about / Introducing Bushel; account, setting up / Setup; enrollment process / The enrollment process; restrictions / Restrictions
C
caching: about / Global HTTP Proxy, caching, and the web content filter
Certificate Authority (CA) / Preparing the Profile Manager Server, Enrolling into Profile Manager
Certification Authority (CA) / Installing apps
Chaperone Certificate Issuer / Configurator as chaperone
Chaperone Certificate Serial / Configurator as chaperone
Clutch: about / Viewing an App
configuration files: about / Configuration profiles
Continuity: and Handoff / Handoff and Continuity
Cryptographic Message Syntax (CMS) standard / Signing, encryption, and delivery
D
delivery: about / Signing, encryption, and delivery
DEP: about / DEP versus Apple Configurator; versus Apple Configurator / DEP versus Apple Configurator; references / DEP versus Apple Configurator
DEP use cases, Apple Configurator: URL / DEP versus Apple Configurator
device: backing up / Backing up your device
Device Certificate: about / Pairing
diagnostics: gathering / Lesser-known ways for Apple to gather diagnostics
Digital Rights Management (DRM) / Installing apps
E
encryption: about / Signing, encryption, and delivery
Escrow Bag: about / Pairing
extensions: and keyboards / Keyboards and extensions; access, securing / Securing what extensions can access
F
Find My iPhone feature / Activation Lock and Find My iPhone
Forensic Hardware: URL / Forensics
forensics: about / Forensics
G
Global HTTP Proxy: about / Global HTTP Proxy, caching, and the web content filter
Global Service Exchange / Lesser-known ways for Apple to gather diagnostics
GroundControl: about / Addressing the rough spots; URL / Addressing the rough spots
Guided Access: about / Single App mode, AppLock, and Guided Access; URL / Single App mode, AppLock, and Guided Access; versus AppLock / Guided Access versus AppLock versus Single App Mode; versus Single App Mode / Guided Access versus AppLock versus Single App Mode
H
Handoff: and Continuity / Handoff and Continuity
Health app / Health app
Homebrew: used, for installing libimobiledevice / Installing libimobiledevice using Homebrew
Homebrew, for installing libimobiledevice: idevicesyslog, used for / Using idevicesyslog and idevicepair; idevicepair, used for / Using idevicesyslog and idevicepair; idevicedate, used for / Using idevicedate and ideviceinstaller; ideviceinstaller, used for / Using idevicedate and ideviceinstaller
Host Certificate: about / Pairing
HostID: about / Pairing
Host Private Key: about / Pairing
I
iBackup Extractor / Viewing iOS data in iTunes
iCloud backups: about / iCloud backups
idevicediagnostics command / Using idevicedate and ideviceinstaller
in-house app development: about / Introduction to in-house App development
initial security checklist: about / Initial security checklist; passcode, configuring / Configuring a passcode; privacy settings, configuring / Configuring privacy settings
Integrated Development Environment (IDE) / Installing apps
interaction modes, Apple Configurator: Prepare / The interaction modes – Prepare, Supervise, and Assign; Supervise / The interaction modes – Prepare, Supervise, and Assign; Assign / The interaction modes – Prepare, Supervise, and Assign
iOS: activating / Secure boot and activating iOS
iOS Console: URL / Configuration profiles
iOS data: viewing, in iTunes / Viewing iOS data in iTunes
iOS Forensic Toolkit: URL / Forensics
iOS network communication: about / Introduction to iOS network communication
iPhone Backup Analyzer: URL / Forensics
iPhone Configuration Utility (iPCU): about / Configuration profiles, Apple Configurator
iTunes: used, for taking backups / Taking backups using iTunes; iOS data, viewing in / Viewing iOS data in iTunes
iXAM: URL / Forensics
K
keybag: about / Keybags and keychains
keyboards: and extensions / Keyboards and extensions
keychains: about / App communication, Keybags and keychains
L
Lantern: URL / Forensics
libimobiledevice: about / Dive deeper with libimobiledevice; URL / Dive deeper with libimobiledevice; installing, Homebrew used / Installing libimobiledevice using Homebrew
M
MDM: URL / A bug or a feature?; about / Introducing MDM; versus Apple Configurator / Configurator versus MDM; and VPP / Volume Purchasing Program and MDM
MDM Providers, comparison: reference link / The Profile Manager
Mobile Device Management (MDM) / Single App mode, AppLock, and Guided Access
Mobilyze: URL / Forensics
O
On Demand: about / VPN (Always-On, APN, Per-App, On-Demand)
open in management feature, iOS / Restrictions
Oxygen: URL / Forensics
P
pairing: about / Pairing
Passbook: about / Passbook and Touch ID for Apple Pay
passcode: configuring / Configuring a passcode; Today option / Configuring a passcode; Notifications View option / Configuring a passcode; Siri option / Configuring a passcode; Passbook tool / Configuring a passcode; Reply with Message tool / Configuring a passcode
passcode policies: about / Passcode policies
Payment Card Industry (PCI): about / Privacy-related concerns
Per-App: about / VPN (Always-On, APN, Per-App, On-Demand)
PIN: about / Passbook and Touch ID for Apple Pay
predictive search / Predictive search and spotlight
preference domains: about / Configuration profiles
Privacy & Security options, Safari: Do Not Track / Safari and built-in App protections; Block Cookies / Safari and built-in App protections; Fraudulent Website Warning / Safari and built-in App protections; Clear History and Website Data / Safari and built-in App protections; Use Cellular Data / Safari and built-in App protections
privacy-related concerns: about / Privacy-related concerns
Profile Manager: about / The Profile Manager; preparing / Preparing Profile Manager; Post Configuration tasks, completing / Completing Post Configuration tasks; using / Using Profile Manager; enrolling into / Enrolling into Profile Manager; device management / Device management; passcode policies / Passcode policies
Profile Manager Server: preparing / Preparing the Profile Manager Server
R
RecBoot / Activation Lock and Find My iPhone
recovery mode / Activation Lock and Find My iPhone
reflector: URL / Single App mode, AppLock, and Guided Access
Remote Virtual Interface (RVI): about / Listening to network communications; setting up / Listening to network communications
Root Certificate: about / Pairing
Root Private Key: about / Pairing
S
Safari: and built-in App protections / Safari and built-in App protections
Safari preferences, for securing iOS devices: Passwords & AutoFill / Safari and built-in App protections; Favorites / Safari and built-in App protections; Open Links / Safari and built-in App protections; Block Pop-ups / Safari and built-in App protections
sandboxing: about / Sandboxing and App data storage
secure boot chain: about / Secure boot and activating iOS
Secure Enclave: about / Secure boot and activating iOS
SecureView: URL / Forensics
signing: about / Signing, encryption, and delivery
Single App Mode: versus Guided Access / Guided Access versus AppLock versus Single App Mode; versus AppLock / Guided Access versus AppLock versus Single App Mode
Single App mode: about / Single App mode, AppLock, and Guided Access
spotlight / Predictive search and spotlight
Supervision: about / VPN (Always-On, APN, Per-App, On-Demand)
SystemBUID: about / Pairing
system scope / Configuration profiles
System Software Authorization: about / Secure boot and activating iOS
V
verified boot: about / Secure boot and activating iOS
VPN On Demand: about / VPN (Always-On, APN, Per-App, On-Demand)
VPP: about / Apple Configurator, Apps, VPP, and Apple Configurator, Completing Post Configuration tasks, Volume Purchasing Program and MDM; and MDM / Volume Purchasing Program and MDM
W
web content filter: about / Global HTTP Proxy, caching, and the web content filter
WiFi MAC Address: about / Pairing
X
Xcode: about / Xcode; URL / Xcode; installing / Xcode
XPC / Securing what extensions can access