mobile security master class oct 2014 day 1 public version
TRANSCRIPT
Who am I
Passionate about:
• IT security and hacking
• Fast cars and champagne (not together)
IT Security advisor / Ethical hacker:
• Jan 2014 - now: Independent advisor @ Linq42
• 2006 – 2013 @ KPMG Information Protection Services
• Strong technical skills
• Testing mobile since 2009
The mobile landscape (cont.)
[Diagram: the mobile landscape. Devices connect over WIFI / UMTS / GPRS to the Internet (Internet services, web, cloud services) and to corporate Exchange services and Mobile Device Management (including a legacy ActiveSync connection); over WIFI / USB to local services on the corporate / private network; and over USB / Bluetooth to peripherals.]
The mobile landscape (cont.)
Corporate connecting:
• Exchange ActiveSync (EAS)
• Mobile Device Management
• Security policy
• Remote wipe
• GSM / GPRS / UMTS / HSDPA / GPS / WIFI
Platform specific - Apple:
• iCloud (MobileMe)
• iMessage
• iTunes
• AppleTV
• App Store
How about Android?
The mobile landscape - Android specific
[Diagram: the mobile landscape, Android specific. Android devices connect over WIFI / UMTS / GPRS to the Internet (Internet services, web, cloud, Google services) and to corporate Exchange services and Mobile Device Management (legacy ActiveSync connection); over WIFI / USB / Bluetooth / NFC to local network services on the corporate / private network. Additional elements: local storage, custom ROMs, vendor services, Android versions, alternative markets.]
The mobile landscape - Android specific (cont.)
Generic:
• NFC
• Local storage
What are these?
• Astro, Bender, Cupcake, Donut, Éclair, Froyo, Gingerbread, Honeycomb, Ice Cream Sandwich, Jelly Bean, Kit Kat
Android specific:
• Google Play/Market, and alternatives
• Custom ROMs
• Vendors and specific models
The mobile landscape - jailbreaking
Jailbreaking (iOS)
• Jailbreaking = removing the ‘jail’ Apple has put in
• Install Apps Apple did not approve
Rooting and custom roms (Android)
• Rooting = gaining root level access to device
• Custom rom = custom OS (faster, newer, better)
Is jailbreaking hard?
The mobile landscape - jailbreaking (cont.)
Jailbreaking is allowed by DMCA since 2010
Around 15 - 40% of users jailbreak
No real harm
• Restore from iTunes or Android device vendor
• Bricking highly unlikely
• Security risk?
The mobile landscape - Apps and daily usage
[Diagram: Apps and daily usage. Devices connect over WIFI / UMTS / GPRS to the Internet (Internet services, web, cloud) and to the developer network.]
Where connecting to?
The mobile landscape - Apps and daily usage
[Diagram: Apps and daily usage, where apps connect to. Devices connect over WIFI / UMTS / GPRS to Internet services (web, cloud services: the Store, push notification, known services e.g. updates, unknown services), to the developer network (developer machine, app related 3rd party, app framework), and to local services on the corporate / private network.]
The mobile landscape - Apps and daily usage
Apps
• App Store
• QA
• Permissions
Services
• Known services (e.g. updates from vendor)
• Unknown services (e.g. calling-home or app-creator specific)
The mobile landscape - Mobile Device Management
[Diagram: Mobile Device Management. Devices connect over WIFI / UMTS / GPRS to the Internet and to vendor services (Store), and to the Mobile Device Management system on the corporate network.]
The mobile landscape - Mobile Device Management
[Diagram: Mobile Device Management with an MDM provider. Devices connect over WIFI / UMTS / GPRS to the Internet and to vendor services (Store, push notification), and to Mobile Device Management hosted on the MDM provider network, which in turn connects to the corporate network.]
Similarities
Usability
• Very easy to use
• Hardware allows for always on and always connected
• Strong integration with online ID -> minimise logons
Eco-system
• Apps Apps Apps
• Store / Market for easy access to more Apps
• Integration with online services (e.g. Cloud)
Similarities (cont.)
Both are ‘new’ platforms based on existing platforms
• Android -> Linux
• iOS -> Mac OS X
Security built-in
• When comparing to desktops…
• Native disk encryption
• Only allow approved software to run
• App containers / sandboxes
Differences
Eco-system setup and usage
Hardware + software + Store/Market + services
• Android - “open”
• iOS - strictly controlled by Apple
iOS specifics - core security
iOS fundamentals
• Based on Mac OS X = UNIX
• Two users: root (pw = alpine) and mobile. Apps run as mobile, services as root
• Apps run in strict sandboxes: inter-app communication strictly guarded
iOS security features
OS support for:
• Exchange (2007), CalDAV, IMAP, LDAP
• Cisco VPN
• Hardware encryption (3Gs and up only)
• Remote wipe functionality
• Configuration profiles
iOS specifics - iOS Ecosystem
iOS ecosystem
• AppleIDs:
  • 1: regular free account for consumer services
  • 2: paid developer account
  • 3: paid corporate account
• iTunes
• iCloud(.com)
[Diagram: iOS ecosystem, the same landscape as above. Devices connect over WIFI / UMTS / GPRS to the Internet (Internet services, web, cloud services) and to corporate Exchange services and Mobile Device Management (legacy ActiveSync connection); over WIFI / USB to local services on the corporate / private network; and over USB / Bluetooth to peripherals.]
iOS specifics - Encryption
Disk encryption
• Since iPhone 3G
• Intended for fast wipe (1 key is used for encrypting data on disk)
• Decryption is done when device boots
Data Protection
• File level encryption
• Meta data remains visible
• Input = passcode + UID hardware key
• It is up to the developer to use
• mail.app and Keychain are the only Apps from Apple that use this (until iOS8)
iOS specifics - iTunes & iCloud
iTunes stores backups every time you sync
• Data is decoded (not encrypted)
• Decoding can be done with all data available to attacker
Backup contains all user data
• Photos/music/address book/etc and keychain data!
• App developer can control if data is included in backup
Backup can be encrypted
• Using separate password
• Security policy of iDevice can dictate if a password is used, not the length
• Encryption is strong (10000 rounds of PBKDF2)
Recent iOS developments
iOS8 (and some iOS7)
• NFC and Apple Pay
• TouchID for Apps
• Activation lock
• Data Protection for photos, messages, and some more
• “Trust this computer”
• Pair lock
• iCloud Keychain
• Health Kit
Jailbreaking becoming harder and harder
Android specifics - Ecosystem
[Diagram: Android ecosystem. Android devices connect over WIFI / UMTS / GPRS to the Internet (Internet services, web, cloud, Google services) and to corporate Exchange services and Mobile Device Management (legacy ActiveSync connection); over WIFI / USB / Bluetooth / NFC to local network services on the corporate / private network. Additional elements: local storage, custom ROMs, vendor services, Android versions, alternative markets. The corporate / private network is marked as within KPMG’s direct control.]
Android specifics - App permissions
• Each app has its own UID on the system -> sandboxing
• Apps are distributed as .apk files: Zipped file containing binary application data
• Install time check on permissions, user informed of permissions
• End user needs to make (hard) decision
Android specifics - Device admin API options
Policy option                                        Version
Password enabled                                     -
Minimum password length                              -
Alphanumeric password required                       -
Complex password required                            as of 3.0
Minimum letters required in password                 as of 3.0
Minimum lowercase letters required in password       as of 3.0
Minimum non-letter characters required in password   as of 3.0
Minimum numerical digits required in password        as of 3.0
Minimum symbols required in password                 as of 3.0
Minimum uppercase letters required in password       as of 3.0
Password expiration timeout                          as of 3.0
Password history restriction                         as of 3.0
Maximum failed password attempts                     -
Maximum inactivity time lock                         -
Require storage encryption                           as of 3.0
Disable camera                                       as of 4.0
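To make the table concrete, here is an added example (not from the slides and not any vendor's code) of an Android device admin receiver that applies several of the policies above through the DevicePolicyManager API and reports whether the device actually complies; the package and class names and the chosen values (8 characters, 10 attempts, 5 minutes) are assumptions.

```java
// Added example: a device admin that enforces policies from the table above.
// Package and class names, and the policy values, are assumptions.
package com.example.mdmdemo;

import android.app.admin.DeviceAdminReceiver;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;

public class PolicyEnforcer extends DeviceAdminReceiver {

    // Called once the user has granted this app device-admin rights.
    @Override
    public void onEnabled(Context ctx, Intent intent) {
        DevicePolicyManager dpm =
            (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        ComponentName admin = new ComponentName(ctx, PolicyEnforcer.class);

        // "Alphanumeric password required" and "Minimum password length"
        dpm.setPasswordQuality(admin, DevicePolicyManager.PASSWORD_QUALITY_ALPHANUMERIC);
        dpm.setPasswordMinimumLength(admin, 8);
        // "Maximum failed password attempts": wipe the device after 10 failures
        dpm.setMaximumFailedPasswordsForWipe(admin, 10);
        // "Maximum inactivity time lock": lock after 5 minutes (value in ms)
        dpm.setMaximumTimeToLock(admin, 5 * 60 * 1000L);
        // "Require storage encryption" (as of 3.0 / API 11)
        dpm.setStorageEncryption(admin, true);
        // "Disable camera" (as of 4.0 / API 14)
        dpm.setCameraDisabled(admin, true);
    }

    // Compliance check an MDM client would run: the password must satisfy the
    // requested quality and length, and encryption must be active on the
    // device, not merely requested (setStorageEncryption only expresses intent).
    public static boolean isCompliant(Context ctx) {
        DevicePolicyManager dpm =
            (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        boolean passwordOk = dpm.isActivePasswordSufficient();
        boolean encryptionOk = dpm.getStorageEncryptionStatus()
            == DevicePolicyManager.ENCRYPTION_STATUS_ACTIVE;
        return passwordOk && encryptionOk;
    }
}
```

The receiver must be declared in the manifest with the BIND_DEVICE_ADMIN permission and a device-admin metadata XML that lists each uses-policy (limit-password, wipe-data, force-lock, encrypted-storage, disable-camera); calling a setter without the matching uses-policy throws a SecurityException.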
Android specifics - Samsung’s attempt to secure
Android not adopted in business world
• *what* version of Android?
• Security checks for MDMs lagging
Samsung’s attempt
• Samsung SAFE (Samsung For Enterprise)
  • Specific range of devices
  • Extra security checks (EAS, MDM, Encryption)
  • Backported features from 3.+ -> 2.3+
  • Close contact with MDMs to integrate
• Samsung KNOX (Sept 2013)
  • Secure boot chain and signature checking
  • Switching between private and business part on mobile device
Recent Android developments
Android 4.4 - KitKat
• NFC Host card emulation
• Bluetooth messaging (cars)
• Android Device Manager
• SELinux enforced
• App Ops (since 4.3)
Rooting remains easy
Simple - Exchange Active Sync
Active sync:
• “Exchange ActiveSync is a Microsoft Exchange synchronization protocol that's optimized to work together with high-latency and low-bandwidth networks. The protocol, based on HTTP and XML [..] enables mobile phone users to access their e-mail, calendar, contacts, and tasks”
• De-facto standard, widely supported by devices.
ActiveSync can perform security checks:
• Require password
• Length of password
• Require encryption on device
• Etc.
Simple - Exchange Active Sync
• Active Sync not reliable
  • Active Sync not supporting all desired checks
  • No continuous management with Apple tool
  • If the device does not adhere to policy -> actions limited
• Life cycle and diversity
  • App permissions
  • Backups to personal computers
  • Technical vulnerabilities
  • Device and data management processes (enroll, decommission, wipe)
MDM - fine grained security checks
Functionality
• Additional security checks on device, for example:
  • Jailbreak detection
  • Application/malware checks
• Data processed using regular device software
Down side:
• No built-in security, limited to underlying platform
• Jailbreak detection?
MDM - Virtualization
Functionality
• Two operating systems:
  • Playground
  • Hardened environment under full control of a central management environment
Down side:
• Various risks not fully mitigated, e.g. remote wiping, malware, encryption risks
• Hypervisor specific attacks possible
• Low battery life
MDM - Secure container
Functionality
• All data encrypted on device
• Application includes functionality for rendering Word/Excel files, intranet
• Encryption between app and corporate network
Down side:
• Traffic is routed through Good’s NOC
• Vulnerable to attacks outside the secure container, such as key loggers and screen scrapers
• Vulnerable due to implementation flaws
• Non native UI
MDM - Remote desktop
Functionality
• Render view/desktop from remote system
• No data stored on device itself
Down side:
• Usability, e.g. App interface
• Availability, e.g. working in an airplane
• Attacks outside container, e.g. key loggers and screen scrapers
MDM - Different solution
• Custom Android releases oriented towards security
• Sectra
• Blackphone
• NSA implementation
MDM to MAM
[Diagram: MDM control for Apps - MobileIron. Enterprise back-end: ActiveSync / Exchange, Lotus, LDAP, Certificate Authority, SharePoint, enterprise mobile apps. VSP (mobile policy configuration engine) and Sentry (intelligent gateway) sit in between; the MobileIron client on the device enforces policies.]
MDM to MAM (cont.)
[Diagram: MobileIron AppTunnel. Secure, app-specific connections with enterprise resources; secure communication between enabled apps; AppTunnels for Copy & Paste and Open With.]
MobileIron test environment
On end user device:
• Walk through steps connecting a device as end user
Install and connect app:
• Username & pass as shown right
• <REMOVED>
iTunes account:
• <REMOVED>
• <REMOVED>
• <REMOVED>
Accounts for MobileIron:
• <REMOVED>
• ..
• <REMOVED>
MobileIron test environment
On online mngt environment:
• Log in as an administrator and see what options there are
• Create new policies and push to your device
New policy:
• Policy -> label -> device
Admin account MobileIron mngt environment:
• <REMOVED>
• <REMOVED>
Other functions like:
• Remote wipe / message / locate / etc
Updates on Hacks
• iCloud nude pics leak
• Recent example of high profile app
• Android anti-virus app
• Android PIN entry
• iOS MobileConfig
• Banking trojan
iCloud nude pics leak
Nude pictures of celebrities stored in iCloud
iCloud access not entirely secured - “Find my iPhone API”
Tool existed for some time
Who to blame?
Recent app hack
High profile app • SSL secures the connection • Partly web based content
Pictures removed
Android banking malware
Man-in-the-Browser attacks are real on the desktop -> Zeus & SpyEye
SMS is considered a decent out-of-band authentication mechanism
ZitMo / EuroGrabber
Summary
Enrolling mobile devices results in new risks
• Broader than expected, e.g. legal, technology, cloud integration, backup
• Broader eco-system, thankfully the proper tools are now here
How to continue
• Stay up-to-date with recent developments
• Know your weaknesses. Take a look at your organization from an attacker’s perspective.
• 100% security is not possible. And undesirable!
• No technical solution fixes it all; mitigate risks by people, processes and technology
• Prevention is insufficient. Invest in detection and response.