mobile security master class oct 2014 day 1 public version

Oct 2014 Mobile Device Security @ IIR Day 1 Marc Smeets

Upload: smeetsm1

Post on 18-Jul-2015


Oct 2014 Mobile Device Security @ IIR

Day 1, Marc Smeets

Who am I

IT Security advisor / Ethical hacker
• Jan 2014 - now: Independent advisor @ Linq42
• 2006 – 2013 @ KPMG Information Protection Services
• Strong technical skills
• Testing mobile since 2009

Passionate about
• IT security and hacking
• Fast cars and champagne (not together)

Agenda - day 1
• Background and landscape
• Platforms
• Management of Mobile devices

Background and landscape

Background - devices

Background - devices (cont.)

Mobile landscape

The mobile landscape

[Diagram: devices connect over WIFI / UMTS / GPRS to the Internet and to corporate Exchange services]

The mobile landscape (cont.)

[Diagram: devices connect over WIFI / UMTS / GPRS to the Internet (Internet services, web, cloud services), to corporate Exchange services and Mobile Device Management (including the legacy ActiveSync connection), over WIFI / USB to local services on the corporate / private network, and over USB / Bluetooth to peripherals]

The mobile landscape (cont.)

Corporate connecting:
• Exchange ActiveSync (EAS)
• Mobile Device Management
• Security policy
• Remote wipe
• GSM / GPRS / UMTS / HSDPA / GPS / WIFI

Platform specific - Apple:
• iCloud (MobileMe)
• iMessage
• iTunes
• AppleTV
• App Store

How about Android?

The mobile landscape - Android specific

[Diagram, Android specific: Android devices connect over WIFI / UMTS / GPRS to the Internet (Internet services, web, cloud, Google services, alternative markets, custom ROMs, vendor services, Android versions), to corporate Exchange services and Mobile Device Management (legacy ActiveSync connection), and over WIFI / USB / Bluetooth / NFC to local network services on the corporate / private network; local storage sits on the device itself]

The mobile landscape - Android specific (cont.)

Generic:
• NFC
• Local storage

What are these?
• Astro, Bender, Cupcake, Donut, Éclair, Froyo, Gingerbread, Honeycomb, Ice Cream Sandwich, Jelly Bean, Kit Kat

Android specific:
• Google Play/Market, and alternatives
• Custom ROMs
• Vendors and specific models

The mobile landscape - jailbreaking

Jailbreaking (iOS)
• Jailbreaking = removing the ‘jail’ Apple has put in
• Install Apps Apple did not approve

Rooting and custom roms (Android)
• Rooting = gaining root level access to device
• Custom rom = custom OS (faster, newer, better)

Is jailbreaking hard?

The mobile landscape - jailbreaking (cont.)


Jailbreaking is allowed by DMCA since 2010

Around 15 - 40% of users jailbreak

No real harm
• Restore from iTunes or Android device Vendor
• Bricking highly unlikely
• Security risk?

The mobile landscape - Apps and daily usage

[Diagram: devices connect over WIFI / UMTS / GPRS to the Internet: Internet services, web, cloud, developer network]

Where connecting to?

The mobile landscape - Apps and daily usage

[Diagram: devices connect over WIFI / UMTS / GPRS to the Internet (Internet services, web, cloud services, store, push notification, known services e.g. updates, unknown services, developer machine, app-related 3rd party, app framework) and to local services on the corporate / private network]

The mobile landscape - Apps and daily usage

Apps
• App Store
• QA
• Permissions

Services
• Known services (e.g. updates from vendor)
• Unknown services (e.g. calling-home or app-creator specific)

The mobile landscape - Mobile Device Management

[Diagram: devices connect over WIFI / UMTS / GPRS to the Internet, to vendor services (store) and to Mobile Device Management on the corporate network]

The mobile landscape - Mobile Device Management

[Diagram: as above, with push notification from the vendor services and an MDM provider network between the devices and the corporate Mobile Device Management]

Platforms iOS and Android
• Main similarities
• iOS specifics
• Android specifics

Similarities

Usability
• Very easy to use
• Hardware allows for always on and always connected
• Strong integration with online ID -> minimise logons

Eco-system
• Apps Apps Apps
• Store / Market for easy access to more Apps
• Integration with online services (e.g. Cloud)

Similarities (cont.)

Both are ‘new’ platforms based on existing platforms
• Android -> Linux
• iOS -> Mac OS X

Security built-in
• When comparing to desktops…
• native Disk Encryption
• Only allow approved software to run
• App containers / sandboxes

Differences

Eco-system setup and usage

Hardware + software + Store/Market + services
• Android - “open”
• iOS - strictly controlled by Apple

iOS specifics - core security

iOS fundamentals
• Based on Mac OS X = UNIX
• Two users: root (pw = alpine) and mobile. Apps run as mobile, services as root
• Apps run in strict sandboxes: inter-app communication strictly guarded.

iOS security features
OS support for:
• Exchange (2007), CalDAV, IMAP, LDAP
• Cisco VPN
• Hardware encryption (3Gs and up only)
• Remote wipe functionality
• Configuration profiles

iOS specifics - iOS Ecosystem

iOS ecosystem
• AppleIDs:
  • 1: regular free account for consumer services
  • 2: paid developer account
  • 3: paid corporate account
• iTunes
• iCloud(.com)

[Diagram: the mobile landscape overview shown earlier (Internet services, corporate Exchange services, Mobile Device Management, legacy ActiveSync connection, local services on the corporate / private network, peripherals over USB / Bluetooth)]

iOS specifics - Encryption

Disk encryption
• Since iPhone 3G
• Intended for fast wipe (1 key is used for encrypting data on disk)
• Decryption is done when device boots

Data Protection
• File level encryption
• meta data remains visible
• Input = passcode + UID hardware key
• It is up to developer to use
• mail.app and Keychain are only Apps from Apple that use this (until iOS8)

iOS specifics - iTunes & iCloud

iTunes stores backups every time you sync
• Data is decoded (not encrypted)
• Decoding can be done with all data available to attacker

Backup contains all user data
• Photos/music/address book/etc and keychain data!
• App developer can control if data is included in backup

Backup can be encrypted
• Using separate password
• Security policy of iDevice can dictate if a password is used, not the length
• Encryption is strong (10000 rounds of PBKDF2)
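An added example, not code from the slides, that puts the "10000 rounds of PBKDF2" figure next to the point that the policy can require a backup password but not its length: it times one derivation on the local machine and extrapolates how long exhausting a PIN-sized password space takes compared with a long alphanumeric one. HMAC-SHA1, the 256-bit output and the salt are assumptions; the real backup keybag layout is not reproduced.

```java
import java.nio.charset.StandardCharsets;
import java.security.spec.KeySpec;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/* Measures the per-guess cost of 10000 PBKDF2 rounds and extrapolates it to password
 * spaces of different sizes. Assumed: HMAC-SHA1 and a 32-byte key; the salt is a
 * constructed value, not the one iTunes stores with the backup. */
public final class BackupPasswordCost {
    static final int ROUNDS = 10000;            // figure stated on the slide
    static final byte[] SALT = "constructed-salt".getBytes(StandardCharsets.UTF_8);

    static byte[] deriveKey(char[] password) throws Exception {
        KeySpec spec = new PBEKeySpec(password, SALT, ROUNDS, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1")
                .generateSecret(spec).getEncoded();
    }

    /* Seconds one core needs for a single derivation, averaged over a few runs. */
    static double secondsPerGuess() throws Exception {
        char[] sample = "1234".toCharArray();
        int runs = 20;
        long start = System.nanoTime();
        for (int i = 0; i < runs; i++) deriveKey(sample);
        return (System.nanoTime() - start) / 1e9 / runs;
    }

    /* Expected time to find the password: half of alphabet^length guesses on one core. */
    static double expectedSeconds(double perGuess, int alphabet, int length) {
        return perGuess * Math.pow(alphabet, length) / 2;
    }

    public static void main(String[] args) throws Exception {
        double perGuess = secondsPerGuess();
        System.out.printf("per guess: %.4f s (%d rounds, one core)%n", perGuess, ROUNDS);
        System.out.printf("4-digit PIN:         %.0f s%n", expectedSeconds(perGuess, 10, 4));
        System.out.printf("6 lowercase letters: %.0f h%n",
                expectedSeconds(perGuess, 26, 6) / 3600);
        System.out.printf("8 mixed alphanumeric: %.0f years%n",
                expectedSeconds(perGuess, 62, 8) / (3600.0 * 24 * 365));
    }
}
```

The rounds make each guess expensive, but a four-digit backup password is still searched in minutes on one core, which is why the length the policy cannot enforce matters more than the iteration count.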

Recent iOS developments

iOS8 (and some iOS7)
• NFC and Apple Pay
• TouchID for Apps
• Activation lock
• Data Protection for photos, messages, and some more
• “Trust this computer”
• Pair lock
• iCloud Keychain
• Health Kit

Jailbreaking becoming harder and harder

Android specifics - Ecosystem

[Diagram: the Android-specific landscape shown earlier (Google services, alternative markets, custom ROMs, vendor services, Android versions, local storage, local network services on the corporate / private network)]

Within KPMG’s direct control

Android specifics - Google Services

Play / market

Google Backup

Google Contacts

No “Android iTunes”

Android specifics - App permissions

• Each app has its own UID on the system -> sandboxing

• Apps are distributed as .apk files: Zipped file containing binary application data

• Install time check on permissions, user informed of permissions

• End user needs to make (hard) decision

Android specifics - Device admin API options

Policy option                                      Version
Password enabled
Minimum password length
Alphanumeric password required
Complex password required                          as of 3.0
Minimum letters required in password               as of 3.0
Minimum lowercase letters required in password     as of 3.0
Minimum non-letter characters required in password as of 3.0
Minimum numerical digits required in password      as of 3.0
Minimum symbols required in password               as of 3.0
Minimum uppercase letters required in password     as of 3.0
Password expiration timeout                        as of 3.0
Password history restriction                       as of 3.0
Maximum failed password attempts
Maximum inactivity time lock
Require storage encryption                         as of 3.0
Disable camera                                     as of 4.0
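An added example, not code from the slides or from any MDM product, of how a device admin client applies the options in this table through Android's DevicePolicyManager, gating the "as of 3.0" and "as of 4.0" rows on the running version so the same client still works on 2.x devices. The `admin` ComponentName and the device_admin.xml policy declarations are assumed.

```java
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.os.Build;

/* Applies the policy table through DevicePolicyManager. Assumed: `admin` names this
 * app's DeviceAdminReceiver, already activated by the user, and its device_admin.xml
 * declares the matching <uses-policies> entries (limit-password, watch-login,
 * force-lock, wipe-data, expire-password, encrypted-storage, disable-camera). */
public final class PasscodePolicy {
    public static void apply(Context ctx, ComponentName admin) {
        DevicePolicyManager dpm =
                (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);

        // Rows with no version entry: available to every device admin
        dpm.setPasswordMinimumLength(admin, 6);              // Minimum password length
        dpm.setMaximumFailedPasswordsForWipe(admin, 10);     // Maximum failed attempts
        dpm.setMaximumTimeToLock(admin, 5L * 60 * 1000);     // Maximum inactivity, in ms

        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.HONEYCOMB) {   // "as of 3.0"
            dpm.setPasswordQuality(admin, DevicePolicyManager.PASSWORD_QUALITY_COMPLEX);
            dpm.setPasswordMinimumLetters(admin, 1);
            dpm.setPasswordMinimumNumeric(admin, 1);
            dpm.setPasswordMinimumSymbols(admin, 1);
            dpm.setPasswordHistoryLength(admin, 5);          // no reuse of the last 5
            dpm.setPasswordExpirationTimeout(admin, 90L * 24 * 3600 * 1000);
            dpm.setStorageEncryption(admin, true);           // Require storage encryption
        } else {
            // Best available on 2.x: alphanumeric, without composition rules
            dpm.setPasswordQuality(admin, DevicePolicyManager.PASSWORD_QUALITY_ALPHANUMERIC);
        }

        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.ICE_CREAM_SANDWICH) { // "as of 4.0"
            dpm.setCameraDisabled(admin, true);
        }

        // Setting a policy does not change the passcode already on the device: if the
        // current one is too weak, send the user to the system screen to set a new one.
        if (!dpm.isActivePasswordSufficient()) {
            Intent i = new Intent(DevicePolicyManager.ACTION_SET_NEW_PASSWORD);
            i.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
            ctx.startActivity(i);
        }
    }
}
```

The version gates are the practical consequence of the table: on a 2.x device the complex-password rows and storage encryption are simply unavailable, so an MDM that reports them as enforced on such a device is reporting more than the platform can deliver.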

Android specifics - Samsung’s attempt to secure

Android not adopted in business world
• *what* version of Android?
• Security checks for MDMs lagging

Samsung’s attempt
• Samsung SAFE (Samsung For Enterprise)
  • Specific range of devices
  • Extra security checks (EAS, MDM, Encryption)
  • Backported features from 3.+ -> 2.3+
  • Close contact with MDMs to integrate
• Samsung KNOX (Sept 2013)
  • Secure boot chain and signature checking
  • Switching between private and business part on mobile device

Recent Android developments

Android 4.4 - KitKat
• NFC Host card emulation
• Bluetooth messaging (cars)
• Android Device Manager
• SELinux enforced
• App Ops (since 4.3)

Rooting remains easy

Recent Android developments (cont.)

Mobile Device Management
• Simple options
• real MDM
• Hands-on

Simple - Apple IPCU

Simple - Exchange Active Sync

Active sync:
• “Exchange ActiveSync is a Microsoft Exchange synchronization protocol that's optimized to work together with high-latency and low-bandwidth networks. The protocol, based on HTTP and XML [..] enables mobile phone users to access their e-mail, calendar, contacts, and tasks“
• De-facto standard, widely supported by devices.

ActiveSync can perform security checks:
• Require password
• Length of password
• Require encryption on device
• Etc.

Simple - Exchange Active Sync

• Active Sync not reliable
  • Active Sync not supporting all desired checks
  • No continuous management with Apple tool
  • If the device does not adhere to policy -> actions limited
• Life cycle and diversity
  • App permissions
  • Backups to personal computers
  • Technical vulnerabilities
  • Device and data management processes (enroll, decommission, wipe)

MDM Major players

EMM = MDM + App and content mngt

MDM main architectures


MDM - fine grained security checks

Functionality
• Additional security checks on device, for example:
  • Jailbreak detection
  • Application/malware checks
• Data processed using regular device software

Down side:
• no built-in security, limited to underlying platform
• jailbreak detection?


MDM - Virtualization

Functionality
• Two operating systems:
  • playground
  • hardened environment under full control of a central management environment

Down side:
• Various risks not fully mitigated, e.g. remote wiping, malware, encryption risks
• Hypervisor specific attacks possible
• Low battery life

MDM - Secure container

Functionality
• All data encrypted on device
• Application includes functionality for rendering Word/Excel files, intranet
• Encryption between app and corporate network

Down side:
• Traffic is routed through Good’s NOC
• Vulnerable to attacks outside the secure container, such as key loggers and screen scrapers
• Vulnerable due to implementation flaws
• Non native UI


MDM - Remote desktop

Functionality
• Render view/desktop from remote system
• No data stored on device itself

Down side:
• Usability, e.g. App interface
• Availability, e.g. working in an airplane
• Attacks outside container, e.g. key loggers and screen scrapers

MDM - Different solution

• Custom Android releases oriented towards security

• Sectra

• Blackphone

• NSA implementation

MDM - Trends in Apps

Fun -> line-of-business apps

Technology

Frameworks are more available

MDM to MAM

MDM control for Apps - MobileIron

[Diagram: the MobileIron client on the device enforces policies; the Sentry intelligent gateway sits in front of ActiveSync Exchange, Lotus, LDAP, the Certificate Authority, Sharepoint and enterprise mobile apps; the VSP mobile policy configuration engine manages them]

MDM to MAM (cont.)

MobileIron AppConnect

[Diagram: AppConnect-enabled apps, made so through AppConnect wrapping or the AppConnect SDK]

MDM to MAM (cont.)

MobileIron AppTunnel

[Diagram: secure, app-specific connections with enterprise resources; secure communication between enabled apps; AppTunnels for Copy & Paste and Open With]

MDM to MAM (cont.)

Hands-on demo

MobileIron test environment

On end user device
• Walk through steps connecting a device as end user

Install and connect app:
• username & pass as shown right
• <REMOVED>

iTunes account:
• <REMOVED>
• <REMOVED>
• <REMOVED>

Accounts for MobileIron:
• <REMOVED>
• ..
• <REMOVED>

MobileIron test environment

On online mngt environment:
• Log in as an administrator and see what options there are
• Create new policies and push to your device

New policy:
• Policy -> label -> device

Admin account MobileIron mngt environment:
• <REMOVED>
• <REMOVED>

Other functions like:
• Remote wipe / message / locate / etc

Updates on Hacks
• iCloud nude pics leak
• Recent example of high profile app
• Android anti-virus app
• Android PIN entry
• iOS MobileConfig
• Banking trojan

iCloud nude pics leak

Nude pictures of celebrities stored in iCloud

iCloud access not entirely secured - “Find my iPhone API”

Tool existed for some time

Who to blame?

Recent app hack

High profile app
• SSL secures the connection
• Partly web based content

Pictures removed

Android anti virus

Android anti virus useful?

Android PIN entry

What happens after 5 incorrect tries?

iOS MobileConfig

Google searches everything

iOS Mobileconfig files contain what?

Android banking malware

Man-in-the-Browser attacks are real on the desktop -> Zeus & SpyEye

SMS is considered a decent Out Of Band authentication mechanism

ZitMo / EuroGrabber

Android banking malware (cont.)

Pictures removed

Summary

Enrolling mobile devices results in new risks
• Broader than expected, e.g. legal, technology, cloud integration, backup
• Broader eco-system, thankfully the proper tools are now here

How to continue
• Stay up-to-date with recent developments
• Know your weaknesses. Take a look at your organization from an attacker’s perspective.
• 100% security is not possible. And undesirable!
• No technical solution fixes it all, mitigate risks by people, processes and technology
• Prevention is insufficient. Invest in detection and response.

[email protected]

+31 6 5136 6680

@mramsmeets