
Learning iOS Security


Table of Contents

Learning iOS Security
Credits
About the Authors
About the Reviewers
www.PacktPub.com
Support files, eBooks, discount offers, and more
Why subscribe?
Free access for Packt account holders
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Errata
Piracy
Questions
1. iOS Security Overview
Pairing
Backing up your device
iCloud backups
Taking backups using iTunes
Viewing iOS data in iTunes
Initial security checklist
Configuring a passcode
Configuring privacy settings
Safari and built-in App protections
Predictive search and spotlight
Summary
2. Introducing App Security
Installing apps
Blocking access to the App Store
Single App mode, App Lock, and Guided Access
App communication
Handoff and Continuity
Keybags and keychains
Keyboards and extensions
Securing what extensions can access
User context
Sandboxing and App data storage
Introduction to in-house App development
Summary
3. Encrypting Devices
Secure boot and activating iOS
Passbook and Touch ID for Apple Pay
Introduction to iOS network communication
AirDrop
A bug or a feature?
VPN (Always-On, APN, Per-App, On-Demand)
Global HTTP Proxy, caching, and the web content filter
Privacy-related concerns
Lesser-known ways for Apple to gather diagnostics
Health app
Configuration profiles
Signing, encryption, and delivery
Summary
4. Organizational Controls
Apple Configurator
Intended workflows
The interaction modes – Prepare, Supervise, and Assign
The importance of supervision
Apps, VPP, and Apple Configurator
Mass restoring and naming of devices
Backup concerns
Configurator as chaperone
Activation Lock and Find My iPhone
Addressing the rough spots
DEP versus Apple Configurator
Guided Access versus App Lock versus Single App Mode
ActiveSync
Summary
5. Mobile Device Management
Introducing MDM
Configurator versus MDM
The Profile Manager
Preparing the Profile Manager Server
Preparing Profile Manager
Completing Post Configuration tasks
Using Profile Manager
Enrolling into Profile Manager
Device management
Passcode policies
Introducing Bushel
Setup
The enrollment process
Restrictions
Volume Purchasing Program and MDM
Summary
6. Debugging and Conclusion
Xcode
Dive deeper with libimobiledevice
Installing libimobiledevice using Homebrew
Using idevicesyslog and idevicepair
Using idevicedate and ideviceinstaller
App communications
Identifying devices
Listening to network communications
Apple IDs and Apps
Forensics
Application security
Viewing an App
Summary
Index


Learning iOS Security

Copyright © 2015 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

First published: February 2015

Production reference: 2240215

Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham B3 2PB, UK.

ISBN 978-1-78355-174-3

www.packtpub.com


Credits

Authors
Allister Banks
Charles S. Edge

Reviewers
Jeremy Agostino
William Smith

Commissioning Editor
Ashwin Nair

Acquisition Editor
Hemal Desai

Content Development Editor
Mamata Walkar

Technical Editor
Menza Mathew

Copy Editors
Jasmine Nadar
Wishva Shah

Project Coordinator
Shipra Chawhan

Proofreaders
Safis Editing
Paul Hindle

Indexer
Tejal Soni

Production Coordinator
Melwyn D'sa

Cover Work
Melwyn D'sa


About the Authors

Allister Banks is an enthusiast. He's very excited to be in the exceedingly limited, exclusive club of coauthors of Charles S. Edge. After working for a decade with IT consulting companies on both the coasts of the U.S., he now works for a medical-focused institution with education and data center aspects. He has given speeches at LOPSA-East, MacTech Conference, and MacAdmins Conference at Penn State. He lives in New York. He contributes to various open source projects and speaks enough Japanese to order food.

Charles S. Edge has been working with Apple products since he was a child. Professionally, Charles started with the Mac OS and Apple server offerings in 1999 after years of working with various flavors of Unix. Charles began his consulting career with Support Technologies and Andersen Consulting. As the chief technology officer of 318, Inc., a consulting firm in Santa Monica, California, Charles built and nurtured a team of over 50 engineers, which was the largest Mac team in the world at that time. Charles is now a product manager at JAMF Software, with a focus on Bushel (http://www.bushel.com).

Charles has spoken at a variety of conferences including DefCon, BlackHat, LinuxWorld, MacWorld, MacSysAdmin, and Apple Worldwide Developers Conference. Charles has also written 12 books, over 3,000 blog posts, and a number of printed articles on Apple products.


About the Reviewers

Jeremy Agostino is a longtime Mac and iOS developer with a professional focus on hardware support and device drivers. He has assisted in the design and implementation of custom technical solutions to manage some of the largest iOS deployments in the U.S. Jeremy is currently leading the engineering team at GroundControl Solutions, where he is developing a powerful deployment and management tool for iOS devices.

William Smith is a solutions architect for 318, Inc., which is an IT consultancy that is based in Santa Monica, California. He is a technology veteran with more than 20 years of experience. He lives in Saint Paul, Minnesota, where he has provided training and consulting services on behalf of customers such as Apple and JAMF Software.

William enjoys writing and presenting on technology topics and he has spoken at JAMF Nation User Conference, MacIT, PSU MacAdmins, and other conferences. He has been a Microsoft MVP for more than 11 years and is co-owner of OfficeforMacHelp.com. Currently, he is a part of the steering committee for the new Twin Cities Mac Admins professionals group, a community that supports all things Apple, from education to enterprise.


www.PacktPub.com


Support files, eBooks, discount offers, and more

For support files and downloads related to your book, please visit www.PacktPub.com.

Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at <service@packtpub.com> for more details.

At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters and receive exclusive discounts and offers on Packt books and eBooks.

https://www2.packtpub.com/books/subscription/packtlib

Do you need instant solutions to your IT questions? PacktLib is Packt's online digital book library. Here, you can search, access, and read Packt's entire library of books.


Why subscribe?

Fully searchable across every book published by Packt
Copy and paste, print, and bookmark content
On demand and accessible via a web browser


Free access for Packt account holders

If you have an account with Packt at www.PacktPub.com, you can use this to access PacktLib today and view 9 entirely free books. Simply use your login credentials for immediate access.


Preface

Nowadays, iOS is becoming more and more prevalent in companies and larger organizations. Whether this is a trend that is driven by Bring Your Own Device (BYOD) or something that is coming from within the IT department, our knowledge of platforms is being stretched more and more all the time. It's getting harder and harder to be an expert on every platform that is in use in our organizations!

You need to secure your iOS devices. Learning iOS Security gives you the knowledge to build security into large-scale iOS deployments. This book takes you through good security practices; these include configuring privacy options to keep personal data away from prying eyes, learning about encryption options to keep data safe at rest, securing apps to reduce the risks introduced by third-party apps, and then laying down practical steps and procedures for carrying out these steps, both on-screen on devices and at scale using Apple Configurator, profiles, and Mobile Device Management (MDM) solutions.

This book also includes a section on debugging and viewing data so that you can check out how to further secure items not covered in detail in the book. We teach you how to provide enterprise-class security to your iPhone, iPad, and iPod Touch deployments. This includes a quick run-down of basic security steps and mass deployment of these steps to aid in your large-scale deployment of iOS devices.

This book is meant to be an easy-to-digest guide that follows real-world examples to implement best security practices. Each topic is covered in a theoretical context and further resources are provided where they are needed/applicable.


What this book covers

Chapter 1, iOS Security Overview, is a quick-and-dirty overview of the many steps to take to initially secure an iPad, iPhone, and iPod Touch. The purpose of this chapter isn't to go into too much depth with any given technology, but to provide a cheat sheet of sorts to get you started with iOS security.

Chapter 2, Introducing App Security, is a more thorough review of how to choose apps and secure them during an iOS deployment. Here, we look at an overview of sandboxing techniques and how to use Single App Mode and keybags. We also look at in-house Apps.

Chapter 3, Encrypting Devices, explains the encryption types and techniques that are used in iOS. Here, we look at Touch ID, Apple Pay, network encryption, and privacy concerns.

Chapter 4, Organizational Controls, introduces Apple Configurator and profile management. Here, we also look at the Find My iPhone app as it pertains to Activation Lock, ActiveSync policies (EAS Policies), and device supervision.

Chapter 5, Mobile Device Management, looks at Apple's Profile Manager and a simple third-party MDM called Bushel. Here, we look at Over the Air (OTA) profile management.

Chapter 6, Debugging and Conclusion, covers ways to troubleshoot and debug devices in larger deployments. In this chapter, we'll look at how to find logs and interpret them, how to get more data than you can use from devices, and then we will wrap up the book.


What you need for this book

This book focuses on using a Mac to manage Apple iOS devices. Therefore, you should have a Mac that runs OS X 10.10 or a higher version and an iOS device that runs iOS 8 or a higher version. You can use a Windows or Linux computer instead of a Mac, but not all of the content covered in this book will be applicable if you do this.


Who this book is for

This book is intended for systems administrators and security professionals who want to learn how to implement good security practices on iOS devices. The readers should know something about the Information Technology industry, but they need not be veterans with more than 30 years of experience.


Conventions

In this book, you will find a number of styles of text that distinguish between different kinds of information. Here are some examples of these styles, and an explanation of their meaning.

Code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles are shown as follows: "While not exactly simple, one could use openssl on various operating systems, in tandem with a root certificate from a trusted certificate authority, to apply signatures to configuration profiles, which devices will then see as trusted."

Any command-line input or output is written as follows:

codesign -d -vv /Users/abanks/Music/iTunes/iTunes\ Media/Mobile\ Applications/Dropbox\ 3.5.2/Payload/Dropbox.app

New terms and important words are shown in bold. Words that you see on the screen, in menus or dialog boxes for example, appear in the text like this: "This is exposed to end users with a Send All Traffic slider when optional."

Note: Warnings or important notes appear in a box like this.

Tip: Tips and tricks appear like this.


Reader feedback

Feedback from our readers is always welcome. Let us know what you think about this book, what you liked or may have disliked. Reader feedback is important for us to develop titles that you really get the most out of.

To send us general feedback, simply send an e-mail to <feedback@packtpub.com>, and mention the book title via the subject of your message.

If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, see our author guide on www.packtpub.com/authors.


Customer support

Now that you are the proud owner of a Packt book, we have a number of things to help you to get the most from your purchase.


Errata

Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you find a mistake in one of our books, maybe a mistake in the text or the code, we would be grateful if you would report this to us. By doing so, you can save other readers from frustration and help us improve subsequent versions of this book. If you find any errata, please report them by visiting http://www.packtpub.com/submit-errata, selecting your book, clicking on the errata submission form link, and entering the details of your errata. Once your errata are verified, your submission will be accepted and the errata will be uploaded on our website, or added to any list of existing errata, under the Errata section of that title. Any existing errata can be viewed by selecting your title from http://www.packtpub.com/support.


Piracy

Piracy of copyright material on the Internet is an ongoing problem across all media. At Packt, we take the protection of our copyright and licenses very seriously. If you come across any illegal copies of our works, in any form, on the Internet, please provide us with the location address or website name immediately so that we can pursue a remedy.

Please contact us at <copyright@packtpub.com> with a link to the suspected pirated material.

We appreciate your help in protecting our authors, and our ability to bring you valuable content.


Questions

You can contact us at <questions@packtpub.com> if you are having a problem with any aspect of the book, and we will do our best to address it.


Chapter 1. iOS Security Overview

Out of the box, iOS is one of the most secure operating systems available. There are a number of factors that contribute to the elevated security level. These include the fact that users cannot access the underlying operating system. Apps also have data in a silo (sandbox), so instead of accessing the system's internals they can access the silo. App developers choose whether to store settings such as passwords in the app or on iCloud Keychain, which is a secure location for such data on a device. Finally, Apple has a number of controls in place on devices to help protect users while providing an elegant user experience.

However, devices can be made even more secure than they are now. In this chapter, we're going to get some basic security tasks under our belt in order to get some basic best practices of security. Where we feel more explanation is needed about what we did on devices, we'll explore the technology itself either in this chapter, or others.

This chapter will cover the following topics:

Pairing
Backing up your device
Initial security checklist
Safari and built-in app protection
Predictive search and spotlight

To kick off the overview of iOS security, we'll quickly secure our systems by initially providing a simple checklist of tasks, where we'll configure a few device protections that we feel everyone should use. Then, we'll look at how to take a backup of our devices and finally, at how to use a built-in web browser and protections around a browser.


Pairing

When you connect a device to a computer that runs iTunes for the first time, you are prompted to enter a password. Doing so allows you to synchronize the device to a computer. Applications that can communicate over this channel include iTunes, iPhoto, Xcode, and others.

To pair a device to a Mac, simply plug the device in (if you have a passcode, you'll need to enter that in order to pair the device). When the device is plugged in, you'll be prompted on both the device and the computer to establish a trust. Simply tap on Trust on the iOS device, as shown in the following screenshot:

Trusting a computer


For the computer to communicate with the iOS device, you'll also need to accept the pairing on your computer (although, when you use libimobiledevice, which provides the command to pair, this is not required, because you accept from the command line. This command is covered in Chapter 6, Debugging and Conclusion). When prompted, click on Continue to establish the pairing, as seen in the following screenshot (the screenshot is the same in Windows):

Trusting a device

When a device is paired, a file is created in /var/db/lockdown, which is the UDID of the device with a property list (plist) extension. A property list is an Apple XML file that stores a variety of attributes. In Windows, iOS data is stored in the MobileSync folder, which you can access by navigating to \Users\(username)\AppData\Roaming\Apple Computer\MobileSync. The information in this file sets up a trust between the computers and includes the following attributes:

DeviceCertificate: This certificate is unique to each device.
EscrowBag: The keybag of EscrowBag contains class keys used to decrypt the device.
HostCertificate: This certificate is for the host who's paired with iOS devices (usually, the same for all files that you've paired devices with, on your computer).
HostID: This is a generated ID for the host.
HostPrivateKey: This is the private key for your Mac (should be the same in all files on a given computer).
RootCertificate: This is the certificate used to generate keys (should be the same in all files on a given computer).
RootPrivateKey: This is the private key of the computer that runs iTunes for that device.
SystemBUID: This refers to the ID of the computer that runs iTunes.
WiFiMACAddress: This is the MAC address of the Wi-Fi interface of the device that is paired to the computer. If you do not have an active Wi-Fi interface, MAC is still used while pairing.

Why does this matter? It's important to know how a device interfaces with a computer. These files can be moved between computers and contain a variety of information about a device, including private keys.
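An added example (not code from the book) that parses such a pairing record with Python's plistlib and reports which of the attributes listed above are present, flagging the ones that are private material, so an administrator can see at a glance why a copied lockdown plist needs protecting. The sample record embedded in it is constructed, with placeholder blobs in place of real certificates and keys.

```python
"""Audit a lockdown pairing record (the <UDID>.plist written under
/var/db/lockdown when a computer is trusted).

Added example, not from the book. It reports which of the keys the
chapter lists are present and flags the ones that are private material,
so an administrator can see why a copied pairing record is sensitive.
The sample record below is constructed; its certificate and key blobs
are placeholders, not real PEM data.
"""
import plistlib
from typing import Dict, List

# Keys the chapter lists in a pairing record, mapped to whether each one
# is private material (whoever holds the file holds the key).
PAIRING_KEYS: Dict[str, bool] = {
    "DeviceCertificate": False,
    "EscrowBag": True,
    "HostCertificate": False,
    "HostID": False,
    "HostPrivateKey": True,
    "RootCertificate": False,
    "RootPrivateKey": True,
    "SystemBUID": False,
    "WiFiMACAddress": False,
}

_FAKE_CERT = b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
_FAKE_KEY = b"-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n"

# Constructed sample record in XML plist form (bytes become <data> elements).
SAMPLE_RECORD = plistlib.dumps({
    "DeviceCertificate": _FAKE_CERT,
    "EscrowBag": b"PLACEHOLDER-KEYBAG",
    "HostCertificate": _FAKE_CERT,
    "HostID": "6F1A2B3C-0000-4000-8000-000000000000",   # constructed
    "HostPrivateKey": _FAKE_KEY,
    "RootCertificate": _FAKE_CERT,
    "RootPrivateKey": _FAKE_KEY,
    "SystemBUID": "0A1B2C3D-0000-4000-8000-000000000001",  # constructed
    "WiFiMACAddress": "aa:bb:cc:dd:ee:ff",               # constructed
})


def audit_pairing_record(data: bytes) -> Dict[str, List[str]]:
    """Parse a pairing record and classify its keys.

    Returns three sorted lists: 'present' (expected keys found),
    'missing' (expected keys absent) and 'sensitive' (private material
    found, i.e. the keys that make the file worth protecting).
    """
    record = plistlib.loads(data)
    if not isinstance(record, dict):
        raise ValueError("pairing record is not a plist dictionary")
    present = sorted(k for k in PAIRING_KEYS if k in record)
    missing = sorted(k for k in PAIRING_KEYS if k not in record)
    sensitive = sorted(k for k in present if PAIRING_KEYS[k])
    return {"present": present, "missing": missing, "sensitive": sensitive}


def audit_file(path: str) -> Dict[str, List[str]]:
    """Audit a pairing record on disk, e.g. /var/db/lockdown/<UDID>.plist."""
    with open(path, "rb") as fh:
        return audit_pairing_record(fh.read())


if __name__ == "__main__":
    import sys
    # With a path argument, audit that file; otherwise use the sample.
    result = audit_file(sys.argv[1]) if len(sys.argv) > 1 else audit_pairing_record(SAMPLE_RECORD)
    for label, keys in result.items():
        print(f"{label:>9}: {', '.join(keys) or '(none)'}")
```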

Having keys isn't all that is required for a computer to communicate with a device. When the devices are interfacing with a computer over USB, if you have a passcode enabled on the device, you will be required to enter that passcode in order to unlock the device.

Once a computer is able to communicate with a device, you need to be careful as the backups of a device, apps that get synchronized to a device, and other data that gets exchanged with a device can be exposed while at rest on devices.


Backing up your device

What do most people do to maximize the security of iOS devices? Before we do anything, we need to take a backup of our devices. This protects the device from us by providing a restore point. This also secures the data from the possibility of losing it through a silly mistake. There are two ways, which are most commonly used to take backups: iCloud and iTunes. As the names imply, the first makes backups for the data on Apple's cloud service and the second on desktop computers.

We'll cover how to take a backup on iCloud first.


iCloud backups

An iCloud account comes with free storage, to back up your Apple devices. An iOS device takes a backup to Apple servers and can be restored when a new device is set up from those same servers (it's a screen that appears during the activation process of a new device. Also, it appears as an option in iTunes if you back up to iTunes over USB, covered later in this chapter).

Setting up and checking the status of iCloud backups is a straightforward process. From the Settings app, tap on iCloud and then Backup. As you can see from the Backup screen, you have two options, iCloud Backup, which enables automatic backups of the device to your iCloud account, and Back Up Now, which runs an immediate backup of the device.

iCloud backups

Allowing iCloud to take backups on devices is optional. As you'll see in Chapter 5, Mobile Device Management, and Chapter 6, Debugging and Conclusion, you can disable access to iCloud and iCloud backups. However, doing so is rarely a good idea as you are limiting the functionality of the device and putting the data on your device at risk, if that data isn't backed up another way such as through iTunes. Many people have reservations about storing data on public clouds; especially, data as private as phone data (texts, phone call history, and so on). For more information on Apple's security and privacy around iCloud, refer to http://support.apple.com/en-us/HT202303. If you do not trust Apple or its cloud, then you can also take a backup of your device using iTunes, described in the next section.


Taking backups using iTunes

Originally, iTunes was used to take backups for iOS devices. You can still use iTunes and it's likely you will have a second backup even if you are using iCloud, simply for a quick restore if nothing else.

Backups are usually pretty small. The reason is that the operating system is not part of backups, since users can't edit any of those files. Therefore, you can use an ipsw file (the operating system) to restore a device.

These are accessed through Apple Configurator (which is covered further in Chapter 4, Organizational Controls), or through iTunes if you have a restore file waiting to be installed. These can be seen in ~/Library/iTunes, and the name of the device and its software updates, as can be seen in the following screenshot:

IPSW files

Backups are stored in the ~/Library/Application Support/MobileSync/Backup directory. Here, you'll see a number of directories that are associated with the UDID of the devices, and within those, you'll see a number of files that make up the modular incremental backups beyond the initial backup. It's a pretty smart system and allows you to restore a device at different points in time without taking too long to perform each backup.

Backups are stored in the \Documents and Settings\USERNAME\Application Data\Apple Computer\MobileSync\Backup\ directory on Windows XP and in the \Users\USERNAME\AppData\Roaming\Apple Computer\MobileSync\Backup\ directory for newer operating systems.

To enable an iTunes backup, plug a device into a computer, and then open iTunes. Click on the device for it to show the device details screen. The top section of the screen is for Backups (in the following screenshot, you can set a backup to This computer, which takes a backup on the computer you are on).

Tip: I would recommend you to always choose the Encrypt iPhone backup option as it forces you to save a password in order to restore the backup.

Additionally, you can use the Back Up Now button to kick off the first backup, as shown in the following screenshot:

iTunes


Viewing iOS data in iTunes

To show why it's important to encrypt backups, let's look at what can be pulled out of those backups. There are a few tools that can extract backups, provided you have a password. Here, we'll look at iBackup Extractor to view the backup of your browsing history, calendars, call history, contacts, iMessages, notes, photos, and voicemails.

To get started, download iBackup Extractor from http://www.wideanglesoftware.com/ibackupextractor. When you open iBackup Extractor for the first time, simply choose the device backup you wish to extract in iBackup Extractor. As you can see in the following screenshot, you will be prompted for a password in order to unlock the Backup keybag. Enter the password to unlock the system.

Unlock the backups

Note that the file tree in the following screenshot gives away some information on the structure of the iOS filesystem, or at least, the data stored in the backups of the iOS device, which we'll cover in detail in Chapter 6, Debugging and Conclusion. For now, simply click on Browser to see a list of files that can be extracted from the backup, as you can see in the next screenshot:


View device contents using iBackup Extractor

Note the prevalence of SQL databases in the files. Most apps use these types of databases to store data on devices. Also, check out the other options such as extracting notes (many that were possibly deleted), texts (some that have been deleted from devices), and other types of data from devices.

Now that we've exhausted backups and proven that you should really put a password in place for your backups, let's finally get to some basic security tasks to be performed on these devices!
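As an added example (not code from the book), the following Python script walks the MobileSync backup directory described in this section and reports which device backups are encrypted, so the "Encrypt iPhone backup" advice can be verified across every device that has ever been backed up to a Mac. It assumes each backup directory carries a Manifest.plist with a boolean IsEncrypted key, which the chapter does not mention, and it writes constructed sample backups with fake UDIDs when run somewhere the real folder does not exist.

```python
"""Check which local iTunes backups are encrypted.

Added example, not code from the book. It assumes the layout the chapter
describes (one directory per device UDID under
~/Library/Application Support/MobileSync/Backup) and that each backup
directory carries a Manifest.plist whose boolean IsEncrypted key records
whether "Encrypt iPhone backup" was on (an assumption about the backup
format, not something the chapter states). The backups written by
make_sample_backups() are constructed test data with fake UDIDs.
"""
import os
import plistlib
import tempfile
from typing import Dict, List, Optional

DEFAULT_BACKUP_DIR = os.path.expanduser(
    "~/Library/Application Support/MobileSync/Backup")


def backup_is_encrypted(backup_dir: str) -> Optional[bool]:
    """Read <backup_dir>/Manifest.plist and return its IsEncrypted flag.

    Returns None when the manifest is missing, unreadable or lacks the
    key; callers should treat None as "unknown, inspect by hand".
    """
    manifest = os.path.join(backup_dir, "Manifest.plist")
    try:
        with open(manifest, "rb") as fh:
            data = plistlib.load(fh)
    except Exception:  # missing file, permissions, or malformed plist
        return None
    if not isinstance(data, dict):
        return None
    flag = data.get("IsEncrypted")
    return flag if isinstance(flag, bool) else None


def audit_backups(root: str = DEFAULT_BACKUP_DIR) -> Dict[str, Optional[bool]]:
    """Map each backup directory name (the device UDID) to its state."""
    results: Dict[str, Optional[bool]] = {}
    if not os.path.isdir(root):
        return results
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        if os.path.isdir(path):
            results[name] = backup_is_encrypted(path)
    return results


def unencrypted_backups(root: str = DEFAULT_BACKUP_DIR) -> List[str]:
    """UDIDs whose backup is not confirmed encrypted (False or unknown)."""
    return [udid for udid, enc in audit_backups(root).items() if enc is not True]


def make_sample_backups(root: Optional[str] = None) -> str:
    """Write three constructed backups (fake UDIDs) and return their root."""
    root = root or tempfile.mkdtemp(prefix="mobilesync-demo-")
    samples = {
        "0000aaaa-encrypted": {"IsEncrypted": True},
        "1111bbbb-plaintext": {"IsEncrypted": False},
        "2222cccc-nomanifest": None,   # no Manifest.plist at all
    }
    for udid, manifest in samples.items():
        os.makedirs(os.path.join(root, udid), exist_ok=True)
        if manifest is not None:
            with open(os.path.join(root, udid, "Manifest.plist"), "wb") as fh:
                plistlib.dump(manifest, fh)
    return root


if __name__ == "__main__":
    # Use the real backup folder when present, otherwise the constructed sample.
    root = DEFAULT_BACKUP_DIR if os.path.isdir(DEFAULT_BACKUP_DIR) else make_sample_backups()
    labels = {True: "encrypted", False: "NOT encrypted", None: "unknown (no readable manifest)"}
    for udid, enc in audit_backups(root).items():
        print(f"{udid}: {labels[enc]}")
```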


Initial security checklist

Apple has built iOS to be one of the most secure operating systems in the world. This has been made possible by restricting access to much of the operating system by end users, unless you jailbreak a device. In this book, we don't cover jail-breaking devices much due to the fact that securing the devices then becomes a whole new topic. Instead, we have focused on what you need to do, how you can do those tasks, what the impacts are, and how to manage security settings based on a policy.

The basic steps required to secure an iOS device start with encrypting devices, which is done by assigning a passcode to a device. We will then configure how much inactive time before a device requires a PIN and accordingly manage the privacy settings. These settings allow us to get some very basic security features under our belt, and set the stage to explain what some of the features actually do, and how we can set them via a policy in subsequent chapters of this book.


Configuring a passcode

The first thing most of us need to do on an iOS device is configure a passcode for the device. Several things happen when a passcode is enabled, as shown in the following steps:

1. The device is encrypted.
2. The device then requires a passcode to wake up.
3. An idle timeout is automatically set that puts the device to sleep after a few minutes of inactivity.

This means that three of the most important things you can do to secure a device are enabled when you set up a passcode.

Best of all, Apple recommends setting up a passcode during the initial setup of new devices. You can manage passcode settings using policies (or profiles as Apple likes to call them in iOS), which we will cover in Chapter 4, Organizational Controls, and Chapter 5, Mobile Device Management.

Better still, you can set a passcode and then use your fingerprint on the Home button instead of that passcode. We have found that by the time our phone is out of our pocket and if our finger is on the home button, the device is unlocked by the time we check it. With iPhone 6 and higher versions, you can now use that same fingerprint to secure payment information, which is covered in Chapter 2, Introducing App Security.

Check whether a passcode has been configured, and if needed, configure a passcode using the Settings app. The Settings app is by default on the Home screen where many settings on the device, including Wi-Fi networks the device has been joined to, app preferences, mail accounts, and other settings are configured.

To set a passcode, open the Settings app and tap on Touch ID & Passcode. If a passcode has been set, you will see the Turn Passcode Off option (as seen in the following screenshot). If a passcode has not been set, then you can do so at this screen as well. Additionally, you can change a passcode that has been set using the Change Passcode button and define a fingerprint or additional fingerprints that can be used with Touch ID.

There are two options in the USE TOUCH ID FOR section of the screen. You can choose whether, or not, you need to enter the passcode in order to unlock a phone, which you should use unless the device is also used by small children or as a kiosk. In these cases, you don't need to encrypt or take a backup of the device anyway. The second option is to force the entering of a passcode while using the App Store and iTunes. This can cost you money if someone else is using your device, so let the default value remain, which requires you to enter a passcode to unlock the options.


Configure a Passcode

The passcode settings are very easy to configure; so, they should be configured when possible. Scroll down on this screen and you'll see several other features, as shown in the next screenshot. The first option on the screen is Simple Passcode. Most users want to use a simple PIN with an iOS device. Trying to use alphanumeric and long passcodes simply causes most users to try to circumvent the requirement. To add a fingerprint as a passcode, simply tap on Add a Fingerprint…, which you can see in the preceding screenshot, and follow the onscreen instructions.

Additionally, the following can be accessed when the device is locked, and you can choose to turn them off:

Today: This shows an overview of upcoming calendar items
Notifications View: This shows you the recent push notifications (apps that have updates on the device)
Siri: This represents the voice control of the device
Passbook: This tool is used to make payments and display tickets for concert venues and meetups
Reply with Message: This tool allows you to send a text reply to an incoming call (useful if you're on the treadmill)

Each organization can decide whether it considers these options to be a security risk and direct users how to deal with them, or they can implement a policy around these options.

Passcode Settings

There aren't a lot of security options around passcodes and encryption because by and large, Apple secures the device by giving you fewer options than you'll actually use. Under the hood (for example through Apple Configurator and Mobile Device Management, covered in Chapter 4, Organizational Controls and Chapter 5, Mobile Device Management, respectively) there are a lot of other options, but these aren't exposed to end users of devices. For the most part, a simple four-character passcode will suffice for most environments. When you complicate passcodes, devices become much more difficult to unlock, and users tend to look for ways around passcode enforcement policies. The passcode is only used on the device, so complicating the passcode will only reduce the likelihood that a passcode would be guessed before swiping open a device, which typically occurs within 10 tries.

Finally, to disable a passcode and therefore encryption, simply go to the Touch ID & Passcode option in the Settings app and tap on Turn Passcode Off.


Configuring privacy settings

Once a passcode is set and the device is encrypted, it's time to configure the privacy settings. Third-party apps cannot communicate with one another by default in iOS. Therefore, you must enable communication between them (also between third-party apps and built-in iOS apps that have APIs). This is a fundamental concept when it comes to securing iOS devices.

To configure privacy options, open the Settings app and tap on the entry for Privacy. On the Privacy screen, you'll see a list of each app that can be communicated with by other apps, as shown in the following screenshot:

Privacy Options


As an example, tap on the Location Services entry, as shown in the next screenshot. Here, you can set which apps can communicate with Location Services and when. If an app is set to While Using, the app can communicate with Location Services when the app is open. If an app is set to Always, then the app can only communicate with Location Services when the app is open and not when it runs in the background.

Configure Location Services

On the Privacy screen, tap on Photos. Here, you have fewer options because unlike the location of a device, you can't access photos when the app is running in the background. Here, you can enable or disable an app from communicating with the photo library on a device, as seen in the next screenshot:


Configure what Apps can access your Camera Roll

Each app should be configured in such a way that it can communicate only with the features of iOS or other apps that are absolutely necessary.

Other privacy options which you can consider disabling include Siri and Handoff. Siri is the voice control of iOS. Because Siri can be used even when your phone is locked, consider disabling it by opening the Settings app, tapping on General and then on Siri, where you will be able to disable the voice controls. To disable Handoff, you should use the General System Preference pane in any OS X computer paired to an iOS device. There, uncheck the Allow Handoff between this Mac and your iCloud devices option.


Safari and built-in App protections

Web browsers have access to a lot of data. One of the most popular targets on other platforms has been web browsers. The default browser on an iOS device is Safari.

Open the Settings app and then tap on Safari. The Safari preferences to secure iOS devices include the following:

Passwords & AutoFill: This is a screen that includes contact information, a list of saved passwords and credit cards used in web browsers. This data is stored in an iCloud Keychain if iCloud Keychain has been enabled in your phone.
Favorites: This performs the function of bookmark management. This shows bookmarks in iOS.
Open Links: This configures how links are managed.
Block Pop-ups: This enables a pop-up blocker.

Scroll down and you'll see the Privacy & Security options (as seen in the next screenshot). Here, you can do the following:

Do Not Track: By this, you can block the tracking of browsing activity by websites.
Block Cookies: A cookie is a small piece of data sent from a website to a visitor's browser. Many sites will send cookies to third-party sites, so the management of cookies becomes an obstacle to the privacy of many. By default, Safari only allows cookies from websites that you visit (Allow from Websites I Visit). Set the Cookies option to Always Block in order to disable its ability to accept any cookies; set the option to Always Allow to accept cookies from any source; and set the option to Allow from Current Website Only to only allow cookies from certain websites.
Fraudulent Website Warning: This blocks phishing attacks (sites that only exist to steal personal information).
Clear History and Website Data: This clears any cached history, web files, and passwords from the Safari browser.
Use Cellular Data: When this option is turned off, it disables web traffic over cellular connections (so web traffic will only work when the phone is connected to a Wi-Fi network).


Configure Privacy Settings for Safari

There are also a number of advanced options that can be accessed by clicking on the Advanced button, as shown in the following screenshot:


Configure the Advanced Safari Options

These advanced options include the following:

Website Data: This option (as you can see in the next screenshot) shows the amount of data stored from each site that caches files on the device, and allows you to swipe left on these entries to access any files saved for the site. Tap on Remove All Website Data to remove data for all the sites at once.
JavaScript: This allows you to disable any JavaScripts from running on sites the device browses.
Web Inspector: This shows the device in the Develop menu on a computer connected to the device. If the Web Inspector option has been disabled, use Advanced Preferences in the Safari Preferences option of Safari.

www.it-ebooks.info

Viewwebsitedataondevices

Browsersecurityisanimportantaspectofanyoperatingsystem.

Predictive search and spotlight

The final aspect of securing the settings on an iOS device that we'll cover in this chapter is predictive search and Spotlight. When you use the Spotlight feature in iOS, usage data is sent to Apple along with information from Location Services. Additionally, you can search for anything on a device, including items previously blocked from being accessed. The ability to search for blocked content warrants its inclusion when locking down a device.

That data is then used to generate future search suggestions. This feature can be disabled by opening the Settings app, tapping on Privacy, then Location Services, and then System Services. Simply slide Spotlight Suggestions to Off to stop location data from going over that connection. To limit the type of data that Spotlight sends, open the Settings app, tap on General, and then on Spotlight Search. Uncheck each item you don't want indexed in the Spotlight database. The following screenshot shows the mentioned options:

Configure What Spotlight Indexes

Now that we've looked at some basic tactical tasks that secure devices, it's time to turn our attention to the theory behind some of these and to making sure your apps are secure, in the next chapter.

Summary

This chapter was a whirlwind of quick changes that secure a device. Here, we paired devices, took a backup, set a passcode, and secured app data and Safari. This is by far the simplest chapter of this book, but it also lays the groundwork to cover some of the more esoteric content. In this chapter, we showed how to manually do some tasks that we will set via policies later in the book.

In the next chapter, we will move on to securing apps and learn how apps communicate with one another.

Chapter 2. Introducing App Security

In this chapter, we will look at one of the most important things to secure on iOS: apps. This includes data within apps, the context in which apps are allowed to run, how apps communicate via extensions, and how newer features in the OS continue to put the focus on an Apple ID as the most important account to control on your device. However, the reason why most people sign up for an Apple ID is to install apps.

Many of the concepts discussed in this chapter will be an addition to, or a reinforcement of, our knowledge about the OS X architecture upon which iOS is based, which will be especially helpful if you are coming from the Windows or BlackBerry platforms. Even Linux, with its process model echoing Unix, still has enough notable differences from the appliance-style computing experience showcased on iOS that it will be helpful to cover these more fundamental points. We will also briefly touch on in-house app development, which can be augmented by the management systems that we will be discussing in Chapter 4, Organizational Controls, and Chapter 5, Mobile Device Management.

The topics that we will cover in this chapter, which underpin app security, include:

How apps are distributed, installed, and restricted
Single app mode (also known as Lock to App) and Guided Access
Traditional and current inter-app (and device) communication
Clarification of when keybags are utilized by iOS
Keyboards, sandboxing, and extensions
Introduction to securely distributing custom in-house apps

Installing apps

How to install an app is considered a trivial exercise at this point, with common advertisements doing nothing more than showing the icons of the platform to suggest that they want you to get their app from the corresponding store. That being said, there are other ways to download and install an app than simply opening an app store on a device and tapping on Get. An app can be pushed over the air with management systems, put on the device with tools such as Apple Configurator (discussed in Chapter 4, Organizational Controls), and installed once it is compiled from the source code with Xcode (Apple's Integrated Development Environment (IDE), which is discussed with other tools that can perform installations in Chapter 6, Debugging and Conclusion).

There is no concept of sideloading apps on iOS in comparison to other platforms where you may be able to place a device into developer mode. Likewise, you will likely never have implicit or otherwise stated encouragement to gain root access to the device. We'll discover the lengths to which Apple goes to ensure this in the next chapter, but suffice it to say that you simply cannot transfer a binary to an iOS device and bring about a system-wide change in any but the endorsed ways while playing within Apple's so-called walled garden.

Apps themselves can only be distributed by Apple via the App Store that's available on the device and in iTunes on a Mac or PC, through a special Business-to-Business store with the Volume Purchase Program, or when explicitly associated with an Apple Developer Program. These limited options decrease the routes through which applications can be acquired, but if you have a developer account, you can compile applications released as open source and install them on devices at will. Similarly, the compressed .ipa archive that contains an iOS application can be transferred like any data, but getting the installer process in the OS to pick up on it is another matter.

Security around app installation manifests itself in the fact that the kernel performs verification at installation time and at every subsequent launch to ensure that the executable bundle and the frameworks inside the archive have been signed with an approved developer's certificate that Apple trusts. There is no installer binary for IPA files on iOS, so verification like the one that is done with the pkg encapsulation format on the Mac is not a part of the process. As long as the code delivered by an archive checks out as signed, it is allowed to be installed and run. One can speculate that this allows more caching possibilities since there is less likelihood of corruption, as all you need to change is the Digital Rights Management (DRM) wrapper upon delivery to a new device.

You can see the app signature verification process on a Mac using the following steps:

1. First, download an app from iTunes and navigate to it in the Finder. Normally, it can be found by navigating to /Users/yourusername/Music/iTunes/Mobile Applications. Duplicate the file (if you'd like to keep a fresh, unaltered version) and highlight the copy. Then, from the File menu, choose Open With | Archive Utility to expand it.

2. You will then see a folder of the same name with several things inside it, one of which is a folder labeled Payload.

3. Launch the Terminal application that you will find in the Other folder in Launchpad. First type codesign -d -vv (followed by a space), then drag and drop the application you find inside the Payload folder onto the Terminal window, and then hit return. On executing the command, you will see something like the following:

codesign -d -vv /Users/abanks/Music/iTunes/iTunes\ Media/Mobile\ Applications/Dropbox\ 3.5.2/Payload/Dropbox.app
Executable=/Users/abanks/Music/iTunes/iTunes Media/Mobile Applications/Dropbox 3.5.2/Payload/Dropbox.app/Dropbox
Identifier=com.getdropbox.Dropbox
Format=bundle with Mach-O universal (armv7 arm64)
CodeDirectory v=20200 size=54086 flags=0x0(none) hashes=2695+5 location=embedded
Signature size=3487
Authority=Apple iPhone OS Application Signing
Authority=Apple iPhone Certification Authority
Authority=Apple Root CA

An output such as the preceding one will appear, which shows the chain of trust in action. Apple's Root Certificate Authority (CA) is present as the trusted anchor that lets us verify that the application inside the .ipa file we acquired has been signed by Apple and has not been tampered with.
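The chain printed above can be checked mechanically rather than by eye. The following Python script is an added example and not code from the book: it parses text captured from codesign -d -vv on a Mac and classifies the signing chain it finds. Both sample outputs embedded in it are constructed; the first mirrors the Dropbox output above, and the second is the shape an enterprise-signed in-house app prints, with a made-up company name and bundle identifier.

```python
"""Classify an iOS app bundle's signing chain from `codesign -d -vv` output.

Added example (not the book's code). Capture the text on a Mac with:
    codesign -d -vv Payload/Some.app 2> codesign.txt
and feed the file's contents to parse_codesign(). The samples below are constructed.
"""
from dataclasses import dataclass, field
from typing import List

# Leaf-to-root chain codesign prints for an App Store build on a 2014-era Mac.
APP_STORE_CHAIN = (
    "Apple iPhone OS Application Signing",
    "Apple iPhone Certification Authority",
    "Apple Root CA",
)
WWDR_CA = "Apple Worldwide Developer Relations Certification Authority"
ROOT_CA = "Apple Root CA"

# Constructed sample: same fields as the Dropbox output shown in the text.
APP_STORE_SAMPLE = """\
Executable=/Users/abanks/Music/iTunes/iTunes Media/Mobile Applications/Dropbox 3.5.2/Payload/Dropbox.app/Dropbox
Identifier=com.getdropbox.Dropbox
Format=bundle with Mach-O universal (armv7 arm64)
CodeDirectory v=20200 size=54086 flags=0x0(none) hashes=2695+5 location=embedded
Signature size=3487
Authority=Apple iPhone OS Application Signing
Authority=Apple iPhone Certification Authority
Authority=Apple Root CA
"""

# Constructed sample: what an in-house (enterprise) signed bundle looks like.
ENTERPRISE_SAMPLE = """\
Executable=/tmp/Payload/Expenses.app/Expenses
Identifier=com.example.expenses
Format=bundle with Mach-O thin (arm64)
CodeDirectory v=20200 size=1234 flags=0x0(none) hashes=30+5 location=embedded
Signature size=4000
Authority=iPhone Distribution: Example Corp
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
"""


@dataclass
class SigningInfo:
    executable: str = ""
    identifier: str = ""
    format: str = ""
    authorities: List[str] = field(default_factory=list)  # leaf certificate first


def parse_codesign(output: str) -> SigningInfo:
    """Pull the key=value lines we care about out of codesign's output."""
    info = SigningInfo()
    for raw in output.splitlines():
        key, sep, value = raw.strip().partition("=")
        if not sep:
            continue  # the echoed command and blank lines carry no '='
        key, value = key.strip(), value.strip()
        if key == "Executable":
            info.executable = value
        elif key == "Identifier":
            info.identifier = value
        elif key == "Format":
            info.format = value
        elif key == "Authority":
            info.authorities.append(value)
    return info


def classify_chain(info: SigningInfo) -> str:
    """Name the distribution channel implied by the certificate chain."""
    auth = info.authorities
    if not auth:
        return "unsigned-or-adhoc"       # no Authority lines at all
    if auth[-1] != ROOT_CA:
        return "untrusted-root"          # chain does not end at Apple's root
    if tuple(auth) == APP_STORE_CHAIN:
        return "app-store"
    leaf = auth[0]
    if len(auth) == 3 and auth[1] == WWDR_CA:
        if leaf.startswith("iPhone Distribution:"):
            return "enterprise-or-adhoc"  # in-house or ad hoc provisioning
        if leaf.startswith("iPhone Developer:"):
            return "development"
    return "unknown"


def audit(output: str, allow=("app-store",)) -> List[str]:
    """Return human-readable findings; an empty list means the bundle passes."""
    info = parse_codesign(output)
    findings = []
    if not info.identifier:
        findings.append("no Identifier line: is this really a code-signed bundle?")
    kind = classify_chain(info)
    if kind not in allow:
        findings.append(f"signing chain is {kind!r}, not one of {allow}; leaf={info.authorities[:1]}")
    if "arm64" not in info.format and "armv7" not in info.format:
        findings.append(f"unexpected Format line: {info.format!r}")
    return findings


if __name__ == "__main__":
    for label, sample in (("App Store", APP_STORE_SAMPLE), ("enterprise", ENTERPRISE_SAMPLE)):
        print(label, classify_chain(parse_codesign(sample)), audit(sample))
```

Run it against a saved codesign transcript and a non-empty findings list tells you the bundle did not come through the channel you expected; pass allow=("enterprise-or-adhoc",) when auditing in-house builds.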

Blocking access to the App Store

One can potentially hide the App Store application on the device, but if the device can still connect to an end user's computer that is running iTunes, you will not be able to effectively cut off the installation of apps.

Note

There have been additional, undocumented ways to hide features and apps that are actually present on a device in certain jurisdictions, most of which rely in some part on configuration profiles, but that is beyond the scope of this book.

As demonstrated by the access granted to data on the device by backing it up to a computer in the last chapter, allowing end users to directly interact with the backup process should be thoroughly examined and accounted for in a written policy.

The most simplistic form of applying management to an iOS device is to navigate to Settings | General | Restrictions, tap on Enable Restrictions, and then set a new passcode that is distinct from the one used to unlock the device. Then, you can granularly disable Installing Apps, Deleting Apps, and In-App Purchases and essentially shut off all interactions with the apps on a device, as shown in the following figure:

Restricting App Store Functionality

Management tools such as Apple Configurator and iTunes will also not be able to install or remove apps once these settings are enabled, which makes controlling access to Restrictions of particular importance in educational environments.

Single App mode, App Lock, and Guided Access

When devices are made to work in a shared-usage model, for example, many nurses using the same iPad during shifts at a hospital, one method to restrict access and standardize the experience would be to lock the device to a single app. This is referred to by different names based on how it is initiated, and it can be achieved with the tools that we will discuss in future chapters. The device shows only the designated app and never goes to the home screen (also referred to internally as the SpringBoard). The Home button is essentially disabled, and Control Center (which is accessed by swiping up from the bottom edge of an iOS device) is also not accessible. This can also enable a kiosk-type experience, where the device is protected from misuse by dictating that only a single app can run.

In recent releases of iOS, developers have been granted APIs to enter app lock when the app reaches a certain state and to leave it once a specific requirement is met; however, this works only on supervised devices where an MDM restriction explicitly permits that app to enter single app mode on its own. This meets the criteria for educational use where you do not want students to look up answers. It can also prevent exfiltration of data from the apps on a device if you can coordinate with a developer to enable this feature. Financial processing, secure document viewing, and other sensitive app interactions may benefit from this as well.

You can simulate how a locked device will perform at any time by enabling a feature called Guided Access. You can initiate this mode by pressing the Home button three times from within an app. You will then be presented with options to control motion (the ability to rotate the screen's orientation) and the use of the keyboard. It detects screen elements, so you can designate specific regions of the screen to be off-limits, for example, the in-app purchase button or ads. Exiting Guided Access requires yet another distinct four-digit passcode, but it can also be exited with the fingerprint unlock feature on devices that are equipped with Touch ID.

You can find more information about this at http://support.apple.com/HT202612. The following screenshot shows the Guided Access configuration screen on an iPhone:

Enabling Guided Access

Now, the following screenshot shows how the controls of an app can be selectively disabled:

Disabling Controls in an App

One of the things that people utilizing this functionality discover as a support concern is that you cannot turn off the device nor put the screen in sleep mode. This makes powering the device of critical importance, as does ensuring a consistent Wi-Fi connection; there is no way to re-enter credentials or switch networks. The preceding screenshots show how you can enable Guided Access and what you would see when you configure it, whereas no configuration is presented when using MDM or in-app functionality to Lock to App; further restrictions may be necessary if you would like to disable in-app purchases or unnecessary web views.

Tip

Documenting an obscure feature like Guided Access is actually quite a challenge, as the normal, simple-to-use screenshot controls on the device are effectively disabled. Instead of messing about with video capture via a physical adapter or cable, Apple's AirPlay feature can be paired with an app like Reflector by Squirrels (http://www.airsquirrels.com/reflector/) to mirror the screen to a Mac, PC, or an Android device, from which you can then take screenshots.

App communication

Historically, very few affordances were made when one developer wanted to communicate with the application data of another developer. URL schemes were manipulated for this purpose, and they allowed a developer's app to be summoned by an identifier that was usually based on the bundle ID. In the last few major releases of iOS, there was at least the affordance for shared credentials to be accessed between apps by the same developer. This sharing of a keychain by an app group now also includes the sharing of file storage and preference data, which was previously accomplished by separate accounts with third-party sync services like Dropbox. iCloud Drive has been introduced to perform similar ad hoc file storage and sharing tasks. If this sounds somewhat limiting, it's because historically it has been, but we will touch upon the new ways in which app functionality and data can leak out from the one-app-at-a-time silo after we discuss how app data can now pass more easily between devices. The following screenshot shows a web page in Safari on an iOS 8 device that is being offered to a Mac running OS X 10.10:

A web page in Safari on an iOS 8 device that is being offered to a Mac running OS X 10.10

Handoff and Continuity

Let's start by signing into the same Apple ID on a Mac running OS X 10.10 (Yosemite) and an iPhone or iPad running iOS 8. Open a web page in Safari on the iOS device and you will see an icon in your Dock (analogous to the taskbar on Windows) to continue viewing the web page on the Mac. This is Handoff in action. It's also referred to under the Continuity heading in Apple's marketing material. Many Apple apps are shipping with this functionality in iOS 8, and the developers of popular apps like Google's Chrome web browser are rapidly adopting it as well.

iCloud and the newest operating systems are the glue that holds all this together, and these features work between iOS devices as well. For other Continuity features such as phone/text message relay, you may need to explicitly set up the relationship between devices when prompted, as shown in the following figure:

Authorizing an iPad to receive text messages (SMS and MMS)

Tip

As a troubleshooting step, make sure that any device that will piggyback on an iPhone's service is using the phone number of the iPhone and the e-mail address of the Apple ID to identify itself to iCloud-based services. You can find more details about this at http://support.apple.com/HT6337.

Some people have criticized this duplication of possibly redundant or sensitive application states across devices, which you would be automatically opted into if you have an iPhone and which uses the same Apple ID and phone number as the primary identifier for iCloud-based services such as iMessage and FaceTime. This increases the moving parts that need to be secured, and the importance of the device wipe feature that is present in ActiveSync, Find My iPhone, and the MDM-based enterprise wipe.

Keybags and keychains

As discussed in the previous chapter, the keychain is known as a way to centrally store and manage credentials and other secret data that are in use by applications on behalf of the user, carried over from OS X. There is also the concept of a keybag, which in practice is a grouping of secrets (or more practically, keys) that allows the system to manage the moving parts around specific interactions. Besides the system keybag that the OS itself uses to manage the encryption of data on the device, separate keybags come into play primarily when a backup runs, either over Wi-Fi to iTunes, when tethered by USB to iTunes, or while the device is plugged into a power source and locked, which is a requirement for sending a backup to iCloud.

Explaining keybags as a concept is a minor point, but there has been terminology confusion regarding things such as the securing of apps with digital rights management and the use of the keychain, neither of which is directly related. To summarize, keybags hold the class keys that wrap the per-file and per-keychain-item keys, so those keys can be secured (and re-wrapped, for example when the passcode changes) independently of the data they protect. This allows for more flexible security by adding an interaction-specific layer to events such as the rotation of credentials, among other common interactions.

Note

Some keychain items can be marked as tied to a specific device when they are created by an application (the accessibility classes whose names end in ThisDeviceOnly), disallowing them from being restored to another device. Google appears to be using this in its popular two-step authentication app, Google Authenticator, whereas other services do not impose this limitation.

Keyboards and extensions

One of the greatly anticipated features of iOS 8 was the concept of Extensions. While shuttling around the state of an application is all well and good, extensions allow apps to have their functionality appear in new places.

This is implemented through the addition of specific abilities presented to developers that are referred to as extension points, with the most anticipated being third-party keyboards. A more popular keyboard that is available for other platforms is Swype (though I am personally waiting for the return of Palm's Graffiti), which allows more fluid, one-handed text entry.

Apple grouped other possible extension categories under Today widgets (Today being a newly expanded view in Notification Center on iOS and Mac), photo editing enhancements (for example, filters from popular apps like VSCO Cam), document providers for importing files from popular sync services like Dropbox, and share providers like the pre-existing but system-provided Facebook sharing functionality. More broadly, the vaguely named custom actions allow apps to be interactive even when the screen is locked, and from within a small drop-down interface when they receive notifications while the screen is unlocked.

The security and privacy concerns that Apple has addressed for keyboards in particular are how inputs for password fields and network communication are handled, so that a keyboard app cannot send keystrokes over the network and become the least imposing-looking keylogger. Extensions are distributed in regular app bundles and follow common privacy and security controls. In addition, one must explicitly allow network traffic for a keyboard (the Allow Full Access switch) in Settings, and even Apple's own predictive text keyboard add-on cannot enter text in a designated (properly coded) password field.

Tip

Note that much of the Apple Watch's preliminary app functionality is enabled via extensions, and all the processing happens on the iPhone. The results are then sent to the watch over Bluetooth Low Energy. Very little is stored about an app on the watch itself (UI storyboards that can contain dynamically updating content like watch faces), so securing the iPhone will be sufficient.

Securing what extensions can access

The ability to enforce these expanded privacy and network access controls was prepared by having interapplication communication (under the protocol name XPC) added as part of iOS 5 (and OS X 10.7). The specific APIs for this type of communication ensure that apps will not share the same file or memory space with an extension.

Essentially, both parties stay in their own sandbox, but XPC arbitrates and acts as a proxy between them. In terms of privacy, while any right granted to the extension's container app will be inherited by it, a new app will not share its privacy settings with another developer's extension that is accessible within it.

While we will discuss MDM in depth later, its use adds the potential to apply more on-the-fly controls, which include limiting the mail accounts through which data can be sent, or the sharing and document providers enabled on a device that data can be moved to. A lot of this also depends on the MDM actually supplying the applications, but this becomes very powerful when paired with an in-house app.

User context

The old Unix security model, from when the only way for the average person to use a computer was by sharing time on a mainframe, stated that nobody was trusted except the system administrator. When one was given a standard user account to log in, there was only a limited range of things that one could do to introduce instability to the system. iOS and its precursor OS X are descendants of NeXT, and BSD before that. This puts the concept of system processes running under user accounts with their associated privileges into focus.

iOS runs apps on behalf of a standard user account named mobile, and unlike OS X, it does nothing to expose an awareness of multiple users on the system. When using an iOS device, we do not think about traditional user accounts (there is no interface to add more users), as the design assumption is that there is only one owner of this highly personalized device and therefore, there is only one actual user. Role accounts that would run daemons on behalf of third-party application processes are absent, as what is allowed to run is strictly limited on iOS (as it is on a Mac now, with the many restrictions that have been imposed on the apps that are allowed in its corresponding App Store).

Sandboxing and App data storage

As we mentioned in the beginning of the chapter, a code signature is placed on the app bundle itself with additional protection, so that the signature is verified not only when the app is installed, but also at runtime when the app is launched, to make sure that it has not been modified in the meantime. This is for stability as much as it is for security, since code that has been modified or allowed to run roughshod on the system can cause the device, which we might just want to be able to use to call 911 in an emergency, to crash.

We spoke about a mobile user, which would have a home folder. Unlike the common consumer computer OS, the data storage location of an app is a container directory with a randomly generated UUID for a name, separate from every other app's container rather than a shared home folder that all apps can read (besides the containerization of specific preferences that helps sharing among a developer's apps, so those settings persist even if an app is deleted). There are frameworks, which are shipped by Apple in its SDK, that encourage storing app data in an encrypted format. However, some exploits have used an impersonation of an app's bundle identifier to make it trustworthy to other applications that will then exchange data with it. To date, forensic deconstruction of these attempts has found that users must explicitly enable non-standard behavior through several extenuating circumstances for the exploits to work. The potential for data leakage has not been substantial on non-jailbroken devices, but security professionals should be aware of this shortcoming where end users are involved in the installation of apps.

Plain file storage is not the only way in which data is segregated and treated discriminately on the system; other privacy or device usage-related permissions must be requested by an app through entitlements. The previously introduced extensions can be contrasted with Android intents, as they are both initiated by the end user and are focused from that perspective (although Android apps tend to broadcast their capabilities to receive data without strict or clear oversight, which some would argue is actually beneficial due to a perceived increase in productivity and functionality). Entitlements are only slightly different from Windows Phone contracts, and Apple's stated model mentions that apps should ask for as few rights as possible, which end users should be (as unobtrusively as possible) prompted to explicitly grant access for, and even then, only when it is absolutely necessary for the full usage of an app's capabilities. These are specified in the application bundle and can be investigated with the codesign binary on a Mac.
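What codesign -d --entitlements :- Payload/Some.app prints on a Mac is an XML property list, so the least-privilege review described above can be scripted. The following Python is an added example rather than code from the book: it parses such an entitlements plist and flags the grants an in-house reviewer would question before signing off on a release build. The embedded plist is constructed for a hypothetical app with team ID ABCDE12345 and bundle identifier com.example.expenses; the keys it uses (application-identifier, keychain-access-groups, get-task-allow, aps-environment, com.apple.security.application-groups) are real entitlement keys.

```python
"""Review an iOS app's entitlements for least-privilege problems.

Added example (not the book's code). On a Mac, dump a bundle's entitlements with
    codesign -d --entitlements :- Payload/Some.app > entitlements.plist
and pass the file's bytes to load_entitlements(). The plist below is constructed
for a hypothetical app (team ID ABCDE12345, bundle com.example.expenses).
"""
import plistlib
from typing import Dict, List

CONSTRUCTED_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>application-identifier</key>
    <string>ABCDE12345.com.example.expenses</string>
    <key>com.apple.developer.team-identifier</key>
    <string>ABCDE12345</string>
    <key>get-task-allow</key>
    <true/>
    <key>aps-environment</key>
    <string>development</string>
    <key>keychain-access-groups</key>
    <array>
        <string>ABCDE12345.com.example.expenses</string>
        <string>ZZZZZ99999.com.partner.shared</string>
    </array>
    <key>com.apple.security.application-groups</key>
    <array>
        <string>group.com.example.expenses</string>
    </array>
</dict>
</plist>
"""


def load_entitlements(xml: bytes) -> Dict:
    """Parse the XML plist codesign emits into a plain dict."""
    return plistlib.loads(xml)


def review_entitlements(ents: Dict, for_release: bool = True) -> List[str]:
    """Return findings; an empty list means nothing to object to.

    for_release=True applies the stricter checks a shipping build must pass
    (no debugger attachment, production push environment).
    """
    findings: List[str] = []
    team = ents.get("com.apple.developer.team-identifier", "")
    app_id = ents.get("application-identifier", "")

    # The app ID must be prefixed by the team that signed it; anything else
    # means the provisioning profile and bundle do not belong together.
    if not team or not app_id.startswith(team + "."):
        findings.append(f"application-identifier {app_id!r} is not prefixed by team {team!r}")

    # get-task-allow lets a debugger attach; it belongs only in development builds.
    if for_release and ents.get("get-task-allow", False):
        findings.append("get-task-allow is true: a debugger can attach to the release build")

    if for_release and ents.get("aps-environment") == "development":
        findings.append("aps-environment is 'development' in a release build")

    # Keychain groups are the sharing boundary for credentials; every group
    # should be owned by the signing team, or another team's app can read them.
    for group in ents.get("keychain-access-groups", []):
        if team and not group.startswith(team + "."):
            findings.append(f"keychain-access-group {group!r} belongs to another team")

    for group in ents.get("com.apple.security.application-groups", []):
        if not group.startswith("group."):
            findings.append(f"malformed application group {group!r}")

    return findings


if __name__ == "__main__":
    for finding in review_entitlements(load_entitlements(CONSTRUCTED_ENTITLEMENTS)):
        print("-", finding)
```

Against the constructed plist the review raises three findings (debugger attachment, a development push environment, and a keychain group owned by a foreign team); with for_release=False only the keychain group remains, which is the one that matters even during testing.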

Introduction to in-house App development

So, you have found a need to deploy a custom app to the devices in your organization and have received the go-ahead to build one. Apple encourages organizations and their developers to sign up with its Enterprise Developer Program so that they can be granted the capability to build and distribute custom-built apps outside the App Store. Many IT departments have already signed up individuals to not only test a release of the operating system, but the tinkerers amongst us can also build open source apps for personal use, which can also be achieved with a standard, standalone developer account. You can find more information about this at https://developer.apple.com/enterprise/.

The process of tying the required certificates and identifiers for an app to the desired devices for testing is referred to as provisioning. Creating and managing provisioning profiles will not always be necessary; however, it depends on how close to in-house your actual development may be. When you use Apple's approval process to clear an in-house developed app for internal use, you will most often use the Business Volume Purchase program and leverage Apple's infrastructure to distribute it. This is by far the easiest way from a procurement and ongoing support perspective, and this is often the case for white-labeled apps that are made by professional app development companies. Apps in the Business-to-Business Volume Purchase app store are not visible to the general public, which may also be beneficial depending on the situation.

Ad hoc distribution allows limited beta testing on registered devices. This requires all the same steps that an individual will perform to get an app on the App Store, including registering as a developer, applying to have their app ID considered as unique, acquiring the correct certificates so that devices trust the app when it is installed, and preparing the built application for deployment once all the mentioned requirements are complete. You will additionally need to go through the process of building a team entity to identify the developers working on your behalf and grant them access to your account when they build the applications. When it comes to wider testing with many devices, Apple has recently acquired an outside service called TestFlight that makes this process easier for a large number of testers, although a number of other solutions still exist outside of Apple that optimize different parts of the testing process. You can find more information at https://developer.apple.com/testflight/.

Enterprise distribution does not require every device to be registered with Apple; the signed app and its provisioning profile can be delivered with MDM, with Apple Configurator, or through an over-the-air manifest link, so in practice you need direct access to, or some communication with, the folks who manage the device, whether company-owned or otherwise. One point to keep in mind is that different MDM providers need different levels of involvement when they are asked to distribute apps on your behalf. They can make you shoot yourself in the foot, so to speak, by allowing a mismatch of the provisioning profile you would upload and the associated app bundle, resulting in an app with a pretty icon that won't launch. Other MDMs insist on direct interaction with your development team to reduce the possibility of issues. Keep in mind that certificates are an integral part of the process as well; therefore, they need to be renewed so that apps continue to function.

Summary

In this chapter, we went over how apps are distributed and how they prove their integrity to the system once they are installed. We demonstrated the concept of locking a device into an app with Guided Access. Inter-app (and device) communication via extensions and Continuity was also discussed, along with the new complementary privacy controls for things like keyboards. As this chapter was about the customization and controls you'd want to place on apps, we gave a brief introduction to securely distributing your own in-house apps.

Since the time the iPhone first came along, the way many people interact with apps has changed significantly. Limited methods of installation, silos for categories of data and the capabilities of apps, and the keychain concept from OS X have all come to bear on iOS' overall security. You should now have enough background on how apps function to begin to understand why the limitations are the way they are, and what to keep in mind when you are tasked with securing app data.

In the next chapter, we will cover how iOS takes advantage of its hardware to create a secure environment even before we get to run any apps, starting from the moment the device is turned on.

Chapter 3. Encrypting Devices

In this chapter, we will be looking at iOS device encryption. You might think this would be the shortest chapter, as the filesystem itself has been fully encrypted for many revisions of the OS. This makes wiping the device when giving it away or selling it a very quick process, as all you're doing in essence is forgetting the master encryption key that unlocks the already scrambled data, rendering it irretrievable. Wear-leveling concerns for flash storage like that used in mobile devices nowadays make this practical for another reason, as scrubbing all blocks (or pages) on the storage device is not necessary to ensure that the data is unrecoverable. We'll look into more topics than just the data bits at rest though, including network traffic and VPN.

While it may seem consumer-focused, we can now use these devices along with NFC (short for Near Field Communication) for payments, and concerns over employer liability for identity theft on a company-owned device can raise serious concerns. Security professionals must be even more in touch with what their company's policies are on protecting the company's best interests, while still allowing end users to be productive and enjoy full use of the "perk" that an iOS device might provide. Luckily, many aspects of the iOS security model allow us to let the device roam untethered, and we can inform the end user how much data their device exposes when it is used normally and for everything a policy doesn't cover. Privacy also comes into play, so we'll touch on that as well.

To break it down, we'll discuss the following topics in this chapter:

Revisiting OS initialization
Passbook and Touch ID for Apple Pay
Introduction to iOS network communication
Privacy concerns with the Health App, HIPAA, and diagnostics
Configuration Profile Encryption

Secure boot and activating iOS

In a concept not unlike that of how Chrome OS ensures both the integrity of its firmware and that its kernel hasn't been tampered with, field upgrades can similarly proceed in a secured fashion with a feature called verified boot. When an iOS device starts up, it verifies the kernel and the rest of the read-only OS partition to confirm that they match a particular signature. The process would be halted and the device would go back to Device Firmware Upgrade mode, or DFU (which would also be accompanied by the 'Connect to iTunes' screen), if the main OS partition is found to be nonfunctional. This can also be initiated if a wipe and reinstall is interrupted when initiated by iTunes, Apple Configurator, or the user themselves by going into the General section of Settings and navigating to Reset | Erase All Content and Settings.

The process from the time you power on the device to when you land in userspace is referred to as the secure boot chain. Code in the read-only Boot ROM verifies the Low-Level Bootloader (LLB) before running it; LLB in turn verifies iBoot, and iBoot verifies and starts the OS kernel. Each step confirms that the next stage has not been tampered with and, as a whole, that it has been signed by Apple. The chain relies on keys placed on the device at the time of manufacture: the Apple Root CA public key in the Boot ROM, which anchors the chain of trust for signature checks, along with a device-specific UID key and a shared group GID key fused into the processor for cryptographic operations.
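To make the chain described above concrete, here is a small Python model of it. It is an added example, not code from the book or from Apple: Apple's Boot ROM checks RSA signatures against a public key burned into the chip, and here an HMAC keyed with a constant standing in for that burned-in key plays the role of the signature so that the script runs offline. Each stage verifies the next before handing over control, and any failure halts the chain, which is the behaviour that lands a real device in DFU mode. The stage images are constructed.

```python
"""Model of the iOS secure boot chain: Boot ROM -> LLB -> iBoot -> kernel.

Added example, not Apple's code. The real chain verifies Apple-signed images
against a public key fused into the Boot ROM; this model replaces the signature
with an HMAC under ROOT_KEY (a stand-in for that burned-in trust anchor) so it
runs offline. Images are dicts of {"name", "code", "sig"}; "code" is constructed.
"""
import hashlib
import hmac
from typing import Dict, List, Tuple

ROOT_KEY = b"stand-in-for-apple-root-ca-public-key"  # immutable, lives in "silicon"
STAGES = ("LLB", "iBoot", "kernel")                  # order the Boot ROM expects


def sign_image(name: str, code: bytes, key: bytes = ROOT_KEY) -> Dict:
    """Build a 'signed' image. The stage name is bound into the tag so that a
    validly signed LLB blob cannot simply be replayed in the kernel slot."""
    tag = hmac.new(key, name.encode() + b"\0" + code, hashlib.sha256).digest()
    return {"name": name, "code": code, "sig": tag}


def verify_image(image: Dict, expected_name: str, key: bytes = ROOT_KEY) -> bool:
    """The check the previous stage performs before transferring control."""
    if image.get("name") != expected_name:
        return False
    tag = hmac.new(key, expected_name.encode() + b"\0" + image["code"], hashlib.sha256).digest()
    return hmac.compare_digest(tag, image.get("sig", b""))


def boot(images: List[Dict]) -> Tuple[str, List[str]]:
    """Walk the chain. Returns ("booted", verified) or ("DFU", verified):
    every stage is checked by the one before it, and a failed check halts."""
    verified: List[str] = []
    by_name = {img["name"]: img for img in images}
    for stage in STAGES:
        img = by_name.get(stage)
        if img is None or not verify_image(img, stage):
            return "DFU", verified  # halt; a real device shows 'Connect to iTunes'
        verified.append(stage)
    return "booted", verified


def build_chain() -> List[Dict]:
    """Constructed stand-in images for a genuine, Apple-signed OS."""
    return [sign_image(n, f"{n} code v1".encode()) for n in STAGES]


def tamper(images: List[Dict], stage: str) -> List[Dict]:
    """Return a copy with one stage's code modified but its old tag kept,
    which is what a persistent implant written to flash would look like."""
    out = []
    for img in images:
        if img["name"] == stage:
            out.append({**img, "code": img["code"] + b" + implant"})
        else:
            out.append(dict(img))
    return out


if __name__ == "__main__":
    print(boot(build_chain()))                   # ('booted', ['LLB', 'iBoot', 'kernel'])
    print(boot(tamper(build_chain(), "iBoot")))  # ('DFU', ['LLB'])
```

The point the model makes is that trust flows one way: a modified iBoot is caught by LLB, a modified kernel is caught by iBoot, and nothing later in the chain can repair the verdict of an earlier stage.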

On devices that include the A7 or later ARM-based processor (which is in use in devices since the iPhone 5s), there is a region of the system on a chip that is responsible for cryptographic operations, and this is referred to in marketing as the Secure Enclave. It is a coprocessor fabricated into the same chip rather than a separate package, and the highest importance is placed on walling its functionality off from the main processor: it runs its own secure boot and its own software update process, and its memory is encrypted so that the application processor cannot read it. On cellular devices, the baseband processor has a separate but similar secure boot sequence of its own, with software signed by Apple, and it is covered by the same system software authorization described next.

Specifically, upon reactivation that is initiated by a manual erase or an OS restore, a validation process referred to as System Software Authorization is performed, which requires Internet access. A computer running iTunes or Apple Configurator can provide that conduit, or, since iOS 5 and its PC Free features came along, you can connect to a Wi-Fi or cellular network to activate the device. As documented by Apple for some time in its iOS Security White Paper, there is a specific, cryptographically secured process through which an individual device identifies itself to Apple while requesting authorization to continue: it sends its unique chip identifier (ECID), a random anti-replay nonce, and measurements of each component to be installed, and Apple returns a signature that is only valid for that device and that exact set of components. Since Apple is the clearinghouse through which devices are allowed to run a specific OS version, previous OSes with any known security flaws are disallowed from being reapplied to an upgraded device that is capable of running a newer one.

As we'll discuss in the next chapter, restoring a backup can skip this activation step on supervised devices, but that is a concern separate from the OS itself. A device running an older iOS version can therefore be erased without upgrading it, assuming that it has not been tampered with to fail verification.

Tip

Note that when an activation is required after an iOS installation on a cellular-capable device, a SIM card must be present. Apple uses the SIM's identifiers alongside the device's own fixed identifiers (such as the ECID and IMEI) to identify the device to its activation servers, so even when the device is prepared with iTunes or Apple Configurator but has no SIM card, activation will result in an error and fail.

One may ask, of the many devices still being sold by Apple with the older processor architecture, how does it perform the cryptographic operations that are necessary to function? While this was not previously outlined by Apple, a common technique that is used is to gather entropy (or unpredictable results) from the many sensors on the device such as its gyroscope, accelerometer, or compass. The need for random numbers is obvious to anyone who is trying to make a secure system, since many implementations of a key generation process start by getting something distinct and sufficiently random to base its identity on.

Passbook and Touch ID for Apple Pay

We briefly touched on Touch ID in Chapter 1, iOS Security Overview, but more implementation details around timeouts and other key-related interactions are better described in Apple's own iOS Security White Paper (as they go to great lengths to make things as understandable as possible). At the time of writing, the most recent PDF was from October 2014, and it can be found at https://www.apple.com/privacy/docs/iOS_Security_Guide_Oct_2014.pdf.

As Touch ID should still just be considered an added convenience, sufficiently complex passcodes are, as always, recommended in all things that are security-related.

Tip

If your customers or users are like ours, they will forget their devices' passcodes after getting used to using Touch ID. Therefore, make sure that you do not leave your customers in a situation without MDM management (or backups, if your organization encourages it), especially if the ActiveSync-based "failed password attempt" limit is configured. Once the threshold is reached, it will cause their device to be wiped. This happens without adequate time to get assistance more often than we would like.

In the White Paper mentioned earlier, the importance and utility of the Secure Enclave is detailed. It may have come into existence in part to make the Touch ID fingerprint functionality as quick and seamless as possible, so that there would be no bottleneck for the required computation. One may think from Apple's marketing of the Secure Enclave that it is a separate chip, but it is a coprocessor fabricated into the A7 system on a chip. What matters for security is that it runs its own software, keeps the fingerprint data and its key material in memory that the application processor cannot read, and so never shares memory or processor space with the main OS when carrying out its functions.

HowdoesthisrelatetoPassbook?Andhowdoesafeaturethatmostfolksuseforplanetickets(ifever)comeintoadiscussionaboutsecurity?Well,aswediscussedpreviously,identitytheftonacompany-owneddevicecouldaffectthecompanythatprovidesthedevicetotheemployee,asevidencedbynetworkequipmentandmailsystemsthatdetectdangerousbehaviorlikesocialsecuritynumbersbeingsentinplaintexte-mailcorrespondence.Withitsearlypopularityandprobablesuccessof,ApplePay,whichisApple’ssolutionforNFC-basedpaymentsakintoGoogleWallet,becameanattractivetarget.SincePassbookiswhereApplePaystoresthedetailsofitscreditanddebitcards,securingitisimportant.Luckily,thereareafewallowedvectorstogetintoPassbook,includingthemuch-malignedQRcode,andeventhen,thereislimitedfunctionalityonceapassisinstalled.

Tip: The Passbook application has a built-in scanner that you can access by tapping on Scan Code from its splash screen, or by tapping the plus button in the top-right corner (if there's only one pass; otherwise, you'll see the plus button at the top, and it can be scrolled when in the list view). This is the same process through which you would add payment cards.

www.it-ebooks.info

For security reasons, neither addition stores the image to the Camera Roll on the device.

A Passbook pass and one process by which passes or cards can be added

Among other restrictions, you cannot, for instance, have an active hyperlink on the front of a pass. You can, however, send a notification to a device with the pass installed, and push updates to the pass so that it will dynamically change its content. Passbook passes with an active state (such as the lead up to boarding a plane) can be accessed when the device is locked, but updates to it can optionally be disabled in the pass itself, or both access to and notifications for Passbook can be disabled in the Touch ID and Passcode section of the Settings app or via a management system, along the lines of the restrictions that we'll demonstrate in Chapter 5, Mobile Device Management.

The attack vectors for Apple Pay haven't been exercised to the point that any working proof-of-concepts have been disclosed, but another quirk is that a pass can respond to location information. This could trigger a push notification when it is in the proximity of an iBeacon, Apple's branding for Bluetooth low energy transmitters, which can achieve something along the lines of a supplemental technology to GPS. While iBeacons themselves don't collect any information, Passbook will continue to evolve as an area of the phone to remain interested in. Neither NFC-based Apple Pay nor Passbook is yet available on the iPad; however, in-app or browser-based Apple Pay purchases work with the newest iPad hardware that has Touch ID.

Finally, one other note about purchases on the device is that when checking out from a web store, it may (when the site is a valid HTTPS one and certain fields are detected within the form) trigger a prompt to use the camera to take a picture of the card that you'd like to make the purchase with and fill in the detected information.

Card payment systems and fraud in general in the U.S. have always been a sore spot when compared to other countries, in particular things like ATM transactions that are the poorest version of two-factor authentication: something you have (the physical card) and something you know (PIN). While it's not particularly relevant to us, as we are not as concerned from a payment processing perspective, this seems to require the same amount of vigilance. Theoretically, one could take a photo of someone else's card, and through a coordinated attack involving social engineering, use it to authorize purchases. Apple can police this process, but as many concerns as there are about identity theft in general, there will always be that tradeoff between ease of use and protecting the system from abuse.


Introduction to iOS network communication

We discussed Safari and the predictive search features that are enabled by default as the most obvious network traffic, besides e-mail and applications like Twitter and Facebook that can be accessed from more places on the device due to having account information built into the OS. Weather, Stocks, and Siri's data providers are also allowed to use the network by default, although you can disable just cellular access granularly. Speaking of which, depending on the carrier, swapping SIM cards (if the slot is unlocked on that particular cellular-capable iOS model) can be used to supplant international roaming plans by providing a number that is local to that place, or even just the data service as desired.

Besides this grab bag of overarching, networking-related concerns, we'll zoom in on AirDrop, using wired connections on iOS, VPN, proxying, and filtering.


AirDrop

A peer-to-peer way to share files on demand over an ad hoc Wi-Fi network with little or no setup has been present in the Mac OS for some time and it was added to iOS 7. AirDrop is this feature's branding and it now does the initial detection of nearby devices based on Bluetooth proximity and identifies information with Apple, again as the backend clearinghouse through which Apple ID identities are processed. This adds anonymity to the process of checking whether we know the person to whom we are sending the file, and can populate the round icon representing the other device with the contact's locally assigned image.

As of iOS 8 and OS X 10.10, Yosemite, computers can also perform this handshake and transfer of data. Due to its ease of use and lack of authentication before allowing the sending end to transmit (among other reasons), many IT departments disabled the early implementations of AirDrop on the Mac. Multicast traffic is less of a network-related concern when it is peer-to-peer and restricted to Wi-Fi, but identity verification with its associated metadata, among many other cryptographic processes that do hit the network, requires a significant amount of trust in Apple.

Tip: Note that this is one of the bigger issues that people with privacy and security concerns express about vendors who have made choices similar to Apple. This is also commonly discussed in relation to their iMessage service; part of the condition of using the service is that you must implicitly trust that Apple is properly securing and restricting access to the keys that the participants use.

Depending on the type of file that is being transferred, compatible applications are displayed on the receiving end to then take action. The following screenshot shows a device that has received a file over AirDrop:


Options presented when a ringtone is received over AirDrop


A bug or a feature?

We long ago made the assertion that Apple cheats by being able to synchronize its software with its own hardware. Another maxim of Apple IT is that in general, Apple doesn't care about the developer community, Apple doesn't care about us. Their priorities could reasonably be arranged as follows:

- The customers
- Themselves and their side of the overlap between partners and their platforms
- Lastly, anybody else who would wish them well along the way to improve the experience of the first two

This is not new, nor should anyone expect them to change in the light of their success. However, they sometimes make it easier for all the parties involved by having an extensively shared code base between iOS devices. This includes another product, the Apple TV, which is often overlooked or discarded as not a serious endeavor, but from which we in IT get a surprise benefit: it includes Ethernet drivers to support its hardware, which in turn are present across all iOS installations ever since its smaller, hockey puck form factor was introduced.

An unintentional bit of functionality that we gain from this is through a technique that involves the following things:

- A powered USB hub
- The Lightning to USB Camera Adapter (intended to connect a camera with an iOS device to import photos into iPhoto or other iOS applications)
- An Apple USB Ethernet Adapter

By connecting the Lightning to USB Camera Adapter to the upstream port of the USB hub and the Ethernet Adapter in any downstream port, a device should be able to use this configuration to get on the wired network. While this part of the networking stack doesn't seem particularly optimized, forensic capture through more traditional means (mirroring ports, and so on) is possible without the involvement of any computer. (We will, however, cover Apple's supported processes to accomplish iOS packet tracing in Chapter 6, Debugging and Conclusion.) An illustration of this setup is documented in terms of passcode removal via MDM at https://www.afp548.com/2014/05/07/mdm-passcode-removal-from-an-offline-ios-device/.

Tip: Common human input devices such as barcode scanners or keyboards can be used with the Lightning to USB Camera Adapter for ease of input and they are a great way to prevent folks from having to use their thumbs for data entry en masse. While the iOS device may bark that the accessory is not supported, you may add a hidden functionality and significantly streamline interactions if all the hardware is compliant and it all goes well.


VPN (Always-On, APN, Per-App, On-Demand)

Since very early on, you have been able to configure and initiate a VPN connection in the Settings of an iOS device, which started with the more prevalent gateways in use (including flavors of Cisco IPSec, and the racoon-based L2TP or PPTP projects which OS X Server relies on). Now, there are more ways to tunnel traffic than you can figuratively shake a metaphorical stick at. As the demand to enable more functionality on iOS is ever increasing, Apple has added support for RSA SecurID two-factor tokens in the built-in configuration settings as well.

As with other complex settings, you could also use a configuration profile to simplify the setup for end users, which we will touch on in Chapter 5, Mobile Device Management.

A newer feature, also available for use when configured with a profile or manually, is the ability to lock the device into tunneling all its traffic through a VPN tunnel with an Always On configuration. This is exposed to end users with a Send All Traffic slider when optional. For it to be managed so that it is locked into the ON position, the appropriate configuration profile needs to be in place and the device needs to be in a state called Supervision, which we will describe in detail in the next chapter.

The following screenshot shows a VPN connection, with options for RSA SecurID, Send All Traffic, and so on:


A VPN connection with options for RSA SecurID tokens and Send All Traffic

An older, more obscure method of securing data service access with the cooperation of your cellular provider is via an Access Point Name configuration, but it's not something that the authors of this book come across very often anymore in the real world. You may forgive the comparison of APN to an extension of the corporate LAN, although with the popularity and toolset around VPNs becoming so commonplace, it's understandable that this cellular-only technique would fall by the wayside.

When paired with proper certificates and a configuration profile to define the domains that require a VPN connection, VPN On Demand enables on-the-fly connections to be made when a device tries to connect to a given domain. Many elaborate checks are also possible on a network state change, including SSID, reachable server detection, and DNS server settings, so that On Demand can be turned off when it's 'on-network'. This is especially useful in split-domain DNS configurations.


Per-App VPN is by far the most attractive option, as when an organization has provided an app they commonly also want to secure all the traffic that the app will generate. As always, however, the devil is in the details. A few VPN gateways and fewer apps are set to enable this behavior. Organizations may find any of the more advanced implementations tricky, as you need a more sophisticated gateway setup with compatible hardware and software, which can also require significant preparation from a certificate infrastructure perspective.

The most simple and possibly hardest to manage are the specific apps on the App Store from VPN gateway vendors, some of which merely embed a web browser that allows you to connect to sites on a remote network once the connection is established.

Otherwise, you can just build all your workflows into an app such as Good enables, or wrap them into a container app that does all the network traffic and business interactions for you. Even more attractive is securing the transport and data at rest when interacting with your organization's applications and sidestepping all of this tomfoolery. Conjure to mind the meme of the character Boromir from The Lord of the Rings saying that one does not simply walk into Mordor, the twist being that one does not simply trust any client accessing your data to be properly secured even if they have provided valid credentials. But we can only go so crazy until it becomes prohibitive to restrict access that folks need to do their jobs.

Global HTTP Proxy, caching, and the web content filter

Due to concerns over and regulation of the network traffic of iOS devices in school environments, Apple started with a Global HTTP Proxy feature to enable the caching and proxying of traffic, with the additional benefit of working off-campus and on cellular devices. Vendors that specialize in ensuring the uptime of the service's gateway are important to partner with, and commonly network security appliances have taken on this role among their other services. As this is only HTTP, it doesn't address many mandated regulations for protecting students in certain jurisdictions, but it was a start at alleviating some network inspection and caching needs.

Apple included a Caching Service in the 2.2 release of its Server application, which is distributed as an add-on to regular OS X. You can set this up and cache content for a NAT's local network in order to improve performance during OS updates or when other frequently accessed data is requested by many devices. We do not get many features with this solution though, as you cannot poison the cache to ensure that certain applications or content are made unavailable on your network. Some have resorted to hijacking DNS requests for mesu.apple.com (the update server, reached over port 80), for example, so that OS updates cannot take place while on-network. Other content that is enabled by default with this service is iTunes, iOS App Store, Mac App Store, and iBooks Store purchases along with Mac and iOS Updates.

This is all, of course, only HTTP and it is more about relieving network load than limiting the type of content that is accessible on the devices. Only recently did Apple add the ability to subscribe to content filter updates for HTTPS sites, or granularly whitelist or blacklist sites. As discussed earlier, a reliable partner who understands your organization's policies is critical to implement a filter that doesn't become a hindrance or a block to your customers' productivity.


As discussed with the locking of Always On VPN settings, devices must be in the supervised state to use either Global HTTP Proxy or the web content filter. (This makes sense, as a supervised device can have settings locked that end users cannot disable at will.)


Privacy-related concerns

Just as earlier when we discussed Apple Pay, you may find it odd to see a section on privacy, but as we said, these days with identity theft and other ways customers can leak data through social engineering, the concerns for organizations are more pressing. Practically speaking, it's just a lot of overhead when directory harvest attacks catch the less-astute employees who fall for tricks that cause them to hand over their credentials, and then administrators need to go through the process of locking them out and fixing their mailboxes.

Tip: Administrative overhead is the least of the concerns for larger, well-known internet companies that would be very embarrassed, at the very least, if their employees were phished or were clumsy with their credentials. It became public that one company in particular had deployed a plug-in to the web browser that they developed whose purpose was to detect when network credentials were being entered in an insecure or bogus form, thereby effectively preventing that method of exposure. The Mac admin community gets a lot of their ideas and best practices from this company, which rhymes with "froogle".

Just as there are regulations around processing credit cards—the most commonly known is PCI (short for the Payment Card Industry) Security Standards Council—there are healthcare industry standards around privacy which are included as part of HIPAA (or the Health Insurance Portability and Accountability Act). Part of this statute classifies certain pieces of health-related information to be protected, which includes a surprisingly broad range of data—even something as simple as names, when attached to data in a particular context, becomes sensitive and important to control access to.

We'll cover two examples of new ways the data is collected on iOS devices (and the iPhone in particular) to demonstrate how this is a constantly evolving topic that requires appropriate attention based on your dealings with the healthcare industry. Even colleges are trying to reduce the risk of lawsuits due to information in student records getting into the wrong hands, so hopefully you can work with the policy makers at your institution to craft appropriate policies.


Lesser-known ways for Apple to gather diagnostics

First, you may not realize how easy it is for Apple to be invited into the goings-on of their devices. Just recently we came across an iOS device that needed to be serviced. If you go to Apple's site and say that you would like to set up a Genius Bar, in-store technical support appointment, they can prompt you to send in identification and diagnostic data right there on the spot (presumably to deliver a better, more efficient experience). Further, to prove ownership over the phone, Apple can send a push notification with a PIN to a device logged into the iCloud account if you provide other identification information about the device.

Now, in the scenario that we just described for collecting identification and diagnostic data, you may think that there would be a high bar to have access to the mechanism that collects this data. However, there are self-servicing organization statuses that can be granted to large companies and institutions that do not want to get service through third-party service providers or the Apple Store's Genius Bar. While improving the repair experience for the customers of an organization, the devices that diagnostics can be run on are not, to our knowledge, limited to the ones purchased by the organization.

One would think the binding agreements placed on those with access to self-service organization status through a service provided by Apple called Global Service Exchange would prevent foul play. Through conversations with those who do have access to these diagnostics, we can report that there are little differences in what can be seen in diagnostic logs on the device. This service has a bit more hardware repair-related information that would be helpful for participating in recall or warranty upgrade programs that Apple is forced to do from time to time. For example, in the case of certain models of iPhone 5, there was a known issue where the home button lost functionality after being in use for a certain period of time, which was therefore made eligible for exchange.

As we will drive home in Chapter 6, Debugging and Conclusion, regarding the attack vectors a device is exposed to once pairing to a computer is allowed, one may consider this an acceptable trade-off for a better experience when the average consumer needs their device fixed. The data gathered and collectable is limited, but Apple will continue to dance this line between things like not showing their third-party developers much in the way of feedback from customers, to preventing too much exposure like the well-publicized deletion of the devices of a prominent journalist for Wired whose iCloud account was hacked into.


Health app

Another class of data that many would consider private is their activity. iOS 8 introduced frameworks to help the various healthcare companies that develop hardware accessories to interact with health data.

Note: Glaringly missing at launch, however, was a class of period tracking data for women. As third-party iOS apps have been built to track this from the beginning of the existence of the App Store, with recent standouts covering narrowly-targeted tasks relating to breastfeeding, this is rather odd. Developers couldn't even submit apps leveraging the framework until several revisions of iOS 8, and still, Nike Fuel is a notable third-party that is able to leverage its data with a named inclusion in the Health app.

As of the launch of the iPhone 5s, a sensor which functions as a pedometer is included in all iPhones. Apple's marketing team branded the hardware that manages the caching and processing of health sensor-specific data the M7 motion coprocessor, with version numbering in sync with its in-house ARM line of processors, which is currently A8. This removes the need for as many external sensors on devices, like those left out of the design of the Apple Watch (that was proposed at the time of writing). Additionally, as of the Health app bundled with iOS 8, step and running data is tracked and displayed by default, whether you explicitly enable it or not.

You can see this combination of GPS and accelerometer sensors in action for yourself by noticing the step data logged in the Health app without any opt-in on your part. There are, in fact, no settings for the app whatsoever. Only privacy settings can be managed to disallow apps that have requested access to the warehouse of data stored within, whether the phone's own sensors logged it or an accessory was the original source. In the following screenshot, you will get to see automatically logged step and distance data:


Automatically logged step and distance data

One other thing that you can interact with could be a potential source of information leakage, but is implemented as an opt-in feature: an "in case of emergency" function.

Note: A story from a popular site by Dave Pell titled 'My Head is in the Cloud' recounts how his babysitter doesn't have her boyfriend's cell phone number memorized, and when she was injured and her cell phone was wrecked, they had no way to contact him. It's as if this feature was designed with this scenario (minus the destroyed phone) in mind.

You can add your information separately to what is then accessible by apps that tie into the Health app (and the HealthKit framework therein) so that from the lock screen's emergency call function (which has been there since the first iPhone, as federally mandated in the US) there will be a new text label in the lower left-hand corner: Medical ID. The following screenshot shows the screen that shows the information to aid first responders in case of emergencies:

Information to aid first responders in case of emergencies

This tells some vital statistics, and most importantly, in case the phone's owner is unable to communicate, whom to contact (or to be completely maudlin, the next of kin) with a handy call button next to it so that they are more likely to pick up the call.


Configuration profiles

If you have any familiarity with how OS X stores its configuration files, it would not be too much of a surprise to hear that a profile that was implemented for iOS management is also a specific flavor of XML. Instead of a central registry like you have on Windows, there are different, often granularly set files or (often sqlite3) databases with which an application or the operating environment itself is customized. However, this is not as important as the framework with which changes are enforced on the system, and so, a trip back to OS X would actually be useful, as that was what inspired much of the architecture of iOS.

Without management, changes can still be applied by touching key-value pairs in these XML files in what are called preference domains. The files themselves are referred to as property lists and carry the .plist file extension. A common binary used to interact with these .plist files at the command line is the defaults command, although system frameworks are exposed to scripting languages to directly interact with the underlying API.

As with a traditional directory service, however, settings can be inherited from a network-based central database, the payload for which on Windows is commonly group policy objects or GPOs. Macs have a framework that is referred to as Managed Client for OS X or MCX. By applying MCX settings to a computer or computer group, they would all have the same settings enforced no matter who used the device, but user or group-level settings would depend upon who's logged in. Just as with non-network aware preference domains, MCX-enforced property list files are stored near the local user and group database on the filesystem, where it is cached to maintain the settings off network. Admin users could optionally override any settings when logging in, for quick troubleshooting of configurations.

Instead of MCX as the delivery method, profiles came to the Mac as an additional way to manage settings in OS X 10.7 and became more powerful; now, a configuration profile can effect changes that MCX had not previously been able to, such as networking-related settings among others. The idea was to go back to the Mac and allow management systems to use the same format, XML files with the mobileconfig extension, in many cases applying the same settings. So, to recap, configurations can be set on the Mac through the following ways:

- Simple .plist files residing at the same location where they'd be found in a default installation, which can be interacted with via the defaults command
- The .plist files with specific MCX stanzas, which was the previous way in which you could implement management from a central user/group/computer database like LDAP
- Configuration profiles, which is the newer, cross-platform (between iOS and Mac) method of applying management settings

With configuration profiles, just like MCX, you can group computers and users or manage them individually. As we will demonstrate in Chapter 5, Mobile Device Management, the terminology used with the Server application's Profile Manager service is to use a device to refer to an iOS device or a Mac, and you can even inherit users and groups from Active Directory. The device level of management within a profile is called the System scope, whereas anything that would apply granularly to a User is called just that. The following screenshot shows an example of an Apple-flavored XML file, with the System PayloadScope, which means that it will take effect device-wide, instead of being scoped to a particular user:

An example of an Apple-flavored XML file, with the System PayloadScope, meaning it is to take effect device-wide instead of being scoped to a particular user

Notice that the DOCTYPE in the preceding screenshot specifically calls out Apple, and settings are structured with no particular ordering since it has a hash or dict (short for dictionary) as the base type. The following screenshot has more details on this 802.1x-specific configuration:


A Wi-Fi configuration profile, which would tell the RADIUS controller that Active Directory credentials will be used for 802.1x authentication

There is, however, no concept of binding an iOS device to a directory service, nor of different users having customized settings, whereas Macs can take both into account. Products even exist to manage settings for Macs within the same interface as GPO for PCs. For iOS though, the MDM service itself needs to be aware of the groupings and management settings, which it can then act upon to hand down configurations to devices. This is in contrast to Macs, which can even be told to provide authentication to RADIUS controllers over Wi-Fi with Active Directory credentials at the login window, as shown in the preceding screenshot. If you deployed the profile pictured previously to an iOS device, it may very well ignore the unused options or fail altogether.

Now that we have seen more about the format and how it's scoped to devices, let's look into the history of this management format. Apple's canonical reference of an interface with which to construct the settings available for managing iOS devices first appeared in a tool for Windows and Mac called iPhone Configuration Utility (or iPCU for short, which makes it sound like one of those places you can get an associate's degree on the internet). It was originally released back when the OS was called iPhone OS 2. (Really, it was OS/2 Warp. Now that was an OS!) When constructing a configuration profile, you would see management options grouped into sections in a sidebar on the left, and you would interact with various fields on the right. The following screenshot shows the configuration profile creation/editing in the iPCU interface:


Configuration profile creation/editing in the iPCU interface

You could even view logs (unlike the mere diagnostic reports we did earlier), which came in handy while you applied a profile to see where things went off the track when a configuration wasn't valid. The following screenshot shows the logged output (essentially syslog output in a console running on the device) displayed while applying a profile:


Logged output (essentially syslog output in a console running on the device) displayed while applying a profile

iPCU has been discontinued. It can no longer view logs on iOS 8 devices and it is no longer available to download for Windows or Mac. This is probably a good thing as it hadn't been updated since iOS 6. It launched the interface paradigm for many configuration profile interfaces and no Apple tool has yet replaced the ease-of-use of its console feature. See Chapter 6, Debugging and Conclusion, for details on libimobiledevice, which may have a similar functionality.

Tip: For essentially opening a console on an iOS device and viewing logs (as long as the device has been paired), one of our excellent technical reviewers, Jeremy Agostino, recommends iOS Console, which is available at http://lemonjar.com/iosconsole.


Signing, encryption, and delivery

When a properly configured and secure MDM pushes a configuration profile to a device, it will be signed, as any piece of code should be that wants to prove its identity and be trusted by devices. It should also encrypt its payload to protect any sensitive data contained within. However, the usual delivery method, pulled over-the-air by the device once told to check in by Apple's Push Notification Service, is not the only transport mechanism.

When iPCU was the only way to construct a profile, you could either apply it locally over USB, or you could use one of the following options:

- E-mail it to each applicable device by way of the associated end user
- Put it on a properly configured web server (which would treat the mime type accordingly for access from mobile Safari on devices)
- Send it by a text message (remember, this predated iMessage)

Now, there are a few other tools that can apply a profile to a device, but otherwise, the non-MDM delivery mechanisms are unchanged.

To break down the formats of configuration profiles that are available, you can leave the profile in plain text with no signature and edit it at will. This may be rejected or just not applied if folks refuse to continue after being presented with warning prompts when asked to install it.

You could sign but not encrypt the profile, leaving the payload and other contents able to be inspected in plain text. A barely recognizable text blob would precede and close the profile's main text, which is its signature, ensuring that it was not tampered with. If it was altered after signing, any subsequent installations would be refused.

Finally, the entire profile could be encrypted, making it rely on a working, compatible PKI relationship that is normally based on a Remote Management profile being installed on the device, which an MDM service would put on at enrollment time.

Note: Configuration profile signatures use the Cryptographic Message Syntax (CMS) standard. While not exactly simple, one could use openssl on various operating systems in tandem with a root certificate from a trusted certificate authority to apply signatures to configuration profiles, which devices will then see as trusted.
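The three forms just described (plain text, signed but readable, and encrypted) and the plist structure discussed earlier in this section can be checked before a profile is handed to a device. The following Python script is an added example for this chapter, not code from the book or from Apple: it uses only the standard library, classifies a .mobileconfig file by its container (a bare plist, or a DER CMS SignedData wrapper), parses the plist, verifies the top-level keys Apple requires, reports the PayloadScope, and lists credentials that sit in plain text in a profile that has not been encrypted. The sample profile it builds, its identifiers and UUIDs, and the list of credential-bearing keys are all constructed for the example. It deliberately does not verify a signature; that needs a CMS implementation such as openssl's smime/cms commands, as the note above says.

```python
"""Inspect an iOS configuration profile (.mobileconfig) before deploying it.

Added example (not the book's or Apple's code). Standard library only, so it
runs on any OS. Classification of the container is by byte inspection and is
not signature verification.
"""
import plistlib

# DER encoding of the CMS ContentType OID id-signedData (1.2.840.113549.1.7.2);
# it appears near the start of every CMS-signed profile.
OID_SIGNED_DATA = bytes.fromhex("06092a864886f70d010702")

# Top-level keys Apple's Configuration Profile Reference requires.
REQUIRED_TOP_LEVEL = ("PayloadType", "PayloadIdentifier", "PayloadUUID", "PayloadVersion")

# Payload keys that carry credentials in Wi-Fi, EAP and VPN payloads.
# This set is an assumption of the example; extend it for other payload types.
SECRET_KEYS = {"Password", "UserPassword", "SharedSecret", "PrivateKey"}


def classify_container(blob: bytes) -> str:
    """Return 'plaintext' for a bare plist, 'signed' for a CMS SignedData wrapper."""
    if blob.startswith(b"<?xml") or blob.startswith(b"bplist"):
        return "plaintext"
    # A DER SEQUENCE (tag 0x30) whose first content is the signedData OID.
    if blob[:1] == b"\x30" and OID_SIGNED_DATA in blob[:64]:
        return "signed"
    return "unknown"


def extract_plist(blob: bytes) -> bytes:
    """Slice the plist out of a plain or signed profile (no signature check).

    A signed profile embeds the XML verbatim inside the DER structure, so the
    text can be recovered for inspection without a CMS parser.
    """
    if blob.startswith(b"bplist"):
        return blob
    start = blob.find(b"<?xml")
    end = blob.rfind(b"</plist>")
    if start == -1 or end == -1:
        raise ValueError("no XML plist found in profile")
    return blob[start:end + len(b"</plist>")]


def _secret_paths(node, path):
    """Recursively collect paths of non-empty credential keys inside a payload."""
    found = []
    if isinstance(node, dict):
        for key, value in node.items():
            if key in SECRET_KEYS and value:
                found.append(f"{path}/{key}")
            found.extend(_secret_paths(value, f"{path}/{key}"))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            found.extend(_secret_paths(item, f"{path}[{i}]"))
    return found


def inspect_profile(blob: bytes) -> dict:
    """Build a report on one profile file's structure and exposure."""
    profile = plistlib.loads(extract_plist(blob))
    report = {
        "container": classify_container(blob),
        # An MDM-encrypted profile replaces PayloadContent with this key.
        "encrypted": "EncryptedPayloadContent" in profile,
        "scope": profile.get("PayloadScope", "User"),  # Apple's default scope is User
        "missing_keys": [k for k in REQUIRED_TOP_LEVEL if k not in profile],
        "payload_types": [],
        "plaintext_secrets": [],
    }
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "<missing PayloadType>")
        report["payload_types"].append(ptype)
        report["plaintext_secrets"].extend(_secret_paths(payload, ptype))
    return report


def findings(report: dict) -> list:
    """Translate a report into the points a deployer should review."""
    out = []
    if report["container"] == "plaintext":
        out.append("unsigned: users see a warning and the file can be edited before install")
    if report["missing_keys"]:
        out.append("missing required keys: " + ", ".join(report["missing_keys"]))
    if report["plaintext_secrets"] and not report["encrypted"]:
        out.append("credentials readable in the file: " + ", ".join(report["plaintext_secrets"]))
    if report["scope"] == "System":
        out.append("System scope: takes effect device-wide rather than per user")
    return out


def build_sample_profile() -> bytes:
    """Constructed sample: a device-wide Wi-Fi/802.1X profile with an embedded password."""
    wifi_payload = {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.wifi.corpnet",        # constructed
        "PayloadUUID": "8D7A1F6E-0000-4000-8000-000000000001",  # constructed
        "PayloadDisplayName": "Corporate Wi-Fi",
        "SSID_STR": "CorpNet",
        "AutoJoin": True,
        "EncryptionType": "WPA2",
        "EAPClientConfiguration": {
            "AcceptEAPTypes": [25],          # 25 = PEAP
            "UserName": "svc-wifi",
            "UserPassword": "example-only",  # the plaintext credential the check flags
        },
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.profile.wifi",        # constructed
        "PayloadUUID": "8D7A1F6E-0000-4000-8000-000000000002",  # constructed
        "PayloadDisplayName": "CorpNet Wi-Fi",
        "PayloadScope": "System",
        "PayloadContent": [wifi_payload],
    }
    return plistlib.dumps(profile)


if __name__ == "__main__":
    for line in findings(inspect_profile(build_sample_profile())):
        print("-", line)
```

Run against a real file with `inspect_profile(open("profile.mobileconfig", "rb").read())`. On the constructed sample it reports an unsigned, device-wide profile whose EAP password is readable, which is exactly the case the text warns about: signing alone would stop tampering but leave that password inspectable, and only the encrypted form protects it.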


Summary

This chapter was a bit of a grab bag of the more fundamental concepts of how the device handles encryption. Instead of being a complete derivative of Apple's iOS Security White Paper, we presented the newer quirks and real-world application of some of the topics around encrypting the main functions of the device. We discussed how the system is prepared at the factory with security in mind through its secure boot process. The addition of NFC payments via Apple Pay led us to investigate Passbook and its integration with Touch ID. Networking-related concerns like VPN, AirDrop, Proxies, and Filters were also discussed along with a way of utilizing a wired network connection. The Health app and Medical ID were toured briefly. Finally, we prepared for applying management by detailing what the actual files and formats are that manage settings on both iOS and Mac.

Bring Your Own Device (BYOD) programs often overlap with how regular consumers want to use what is, in fact, their device. While keeping that in mind, as professionals we need to balance control over our data with taking full advantage of the utility of the device. Hopefully, this also gets you thinking about privacy as a topic that goes hand-in-hand with security, and lays the groundwork for the application of management settings to bring about productivity in employees, which we'll be covering over the next two chapters.


Chapter 4. Organizational Controls

Now, we'll move on to explore the concepts involved in managing iOS devices from a central location on-premises. This includes device supervision, Activation Lock, Single App Mode, and more basic options presented by the old stalwart, ActiveSync. For most of the time, we will be looking at a tool called Apple Configurator that is developed by Apple. We consider it to be one of the easiest tools to recommend for environments that need more hands-on control when officially supporting iOS, either when migrating to a BYOD (short form for bring your own device) environment or in conjunction with an MDM. It fits a couple of specific workflows very well and has some features that are vital for hardening devices.

Besides Apple Configurator, which at the very least can provide a good reference for showing Apple's acknowledged use cases for starting with device management, we will also introduce Apple's Device Enrollment Program or DEP. Activation Lock is a thornier topic now, so we'll touch on this as well. Just to transition from Guided Access, which was covered in Chapter 2, Introducing App Security, we'll also discuss App Lock when we explain the difference between it interacting with Guided Access and Single App Mode. And, before we get into full-blown MDM in the following chapter, we will discuss ActiveSync as one of the original over-the-air management frameworks.

In brief, this chapter's topics are as follows:

- Apple Configurator
- Preparation, supervision, and assignment of iOS devices
- The distribution of apps with Apple Configurator and the Volume Purchase Program
- Activation Lock and Find My iPhone
- The Device Enrollment Program versus Apple Configurator
- App Lock and Single App Mode in contrast to Guided Access
- Refresher on what ActiveSync provides on iOS


Apple Configurator

Before the release of Apple Configurator on the Mac App Store, there were three other sanctioned applications for interaction with iOS devices: iTunes, Xcode, and iPhone Configuration Utility (iPCU). Xcode had the capability to connect multiple devices simultaneously, but even that functionality was limited for running tests on devices or for restoring a version of iOS. Still, we were without any concept of efficient, directly connected management tools, nor even the hint of integration with a directory service.

When the iPad was released, it did not come with a manual like a lawn mower, which shows you what its intended usage is and how to sharpen the blades. Apple just about said the same thing to its customers that it says to its developers, something to the effect of "we can't wait to see what YOU do with it", as if it was still an open question as to what its most popular use would be. Apple products have, however, historically been used extensively in education and the price was commonly a half to a third of the least expensive laptop Mac. This led to an influx of iPads in environments that might not have been particularly prepared to have so many computing devices on Wi-Fi. This leads us back to the lack of applications that allow tethered preparation and maintenance of many devices at once.

Perhaps, if customers that used Apple products for educational purposes in particular were asked what they wanted, as the paraphrased saying attributed to Henry Ford goes, they would have said a faster horse; instead they got Apple Configurator. We do not want to be repetitive, but we must recall that Apple's priorities are its customers first and foremost, and they sell an astounding amount of products to regular consumers. One may be inclined to cut them, and companies like Amazon who are selling to the general public with success, some slack, which is hard. Amazon's not trying to be CDW and Apple can't be everything to everyone (although that has never stopped the sprawl of iTunes, of which the Apple TV Assistant built into Apple Configurator has a faint whiff).

Back in Chapter 2, Introducing App Security, we mentioned the Volume Purchase Program (VPP) that Apple offers. This was an integral part of what was considered going into designing Apple Configurator, along with the Supervision concept that we've been hinting at throughout the book so far. However, before we get into that, let's discuss workflows.


Intended workflows

Of all the iOS form factors, at 9.6”, the original and canonical iPad screen is comparably sized to 8.5” x 11” or an A4 sheet of paper, if you lose the margins and enjoyed staring at a light bulb all the time. (What? You don’t prefer emissive screens?) If a telecom field worker has visited your home or business recently, you might have noticed that they now almost exclusively use tablets. Similarly, airlines have been giving their staff handheld devices for some time. When taking this rapid adoption of mobile devices into account, and recalling who Apple usually cares about when designing solutions, it may make more sense as to how Apple Configurator came into being.

An iPad can conceivably replace a utility worker’s clipboard or a student’s three-ring binders and streamline processes along the way. Airline pilots began demanding iPads to replace their ungainly and heavy binders of airport and route maps, which actually saved fuel due to the drop in weight. We can start to see that devices will be used in a multitude of ways, but a particularly apt case is high-service and quick-turnaround environments, loaded with the apps and data people need to get their work done.

Apple Configurator’s release was groundbreaking in that it was a series of firsts:

- Applications could be handed out in bulk without MDM, and these apps could then be reclaimed
- Backups could be created and restored without iTunes, and restored or refreshed en masse
- New, more locked-down restrictions could be enabled

Educational institutions segment time into classes and they often gather devices in labs or carts. Hospitals and utility workers have shifts and can make a station around a time clock or a gathering place for devices, from where they can be checked in and out. It is widely reported that Apple does not have a colossal R&D footprint, so when they make a tool they have to please as many end users as possible. They don’t have the resources to quality assure and develop features that can serve every market. Please keep all of this in mind as we discuss what Apple Configurator can do, with at least an understanding of why it doesn’t make French fries four different ways.

The following screenshot shows the splash screen on starting Apple Configurator for the first time, which graphically introduces its three modes:


The splash screen on starting Apple Configurator for the first time graphically introduces its three modes


The interaction modes – Prepare, Supervise, and Assign

After acquiring Apple Configurator from the Mac App Store (it is free, but requires a Mac at this time), you’re greeted with an image that breaks down its three cumulative modes of operation. First, there are the capabilities of the Prepare mode, which are as follows:

- Naming the device (this includes the option of sequential, numeric naming if you are preparing multiple devices at once, as it can handle up to 30 devices concurrently)
- Creating an (unsupervised) backup
- Applying a software update (which caches that version) and optionally, wiping the device in the process
- Importing, creating, exporting and/or applying configuration profiles

Finally, flipping a switch moves the device to the next mode, Supervision.

Flipping this switch to make the device supervised changes the behavior of Apple Configurator’s options: you must then wipe the device and apply the most recent iOS update.

One might say that these distinctions help to prove that the device is indeed owned and under the control of the institution managing these devices, as it is assumed that regular people wouldn’t let IT seize their property and remove all personalization or customization. (If they are like our customers, at least.) However, Apple Configurator can easily be used in Prepare mode to lightly run an OS update, install a configuration profile, or even perform a backup and restoration.

Note: Our technical editor points out that the device must trust the computer running Apple Configurator first to even do these light tasks, as we’ll exploit in Chapter 6, Debugging and Conclusion.

This helps us to clearly define the distinction between preparation and supervision, as the second layer’s powerful functionality rests on top of the first. The last mode, Assign, has just two additions:

- First, you can leverage a local or network-based directory service
- Second, the data created by a user from the directory can be stored on the computer running Apple Configurator

This allows the user to check in or check out data as well as sets of apps, and it can also aid in the distribution of documents to devices that have compatible apps installed on them. It may seem like we’re jumping ahead to discuss the Assign mode, but that’s really the only additional feature.

Other than that, as whiz-bang features go, if users from the directory service have images associated with their LDAP records, there is a preference to show these images on the lock screen when assigning devices. You will access it from the Apple Configurator menu in the top left-hand corner of the screen, under Preferences. However, the stars have never aligned to the point that we’ve seen that in use in the real world. The following screenshot shows, in Preferences, where an assigned device can be configured to use an image from LDAP:

In Preferences, where an assigned device can be configured to use an image from LDAP


The importance of supervision

Once the device has been wiped and updated by being tethered to a computer running Apple Configurator, you can take advantage of several options. These include:

- Customizing the lock screen image, as shown in the preceding image, optionally with the device’s name or some other static text
- Enabling various network-related features including Always-On VPN, content filters, Global HTTP proxy (as discussed in the previous chapter), and cellular data modifications
- Restricting various features such as the manual installation of configuration profiles, AirDrop, account modifications including Find My Friends, enabling other on-device restrictions, education-specific concerns like Siri’s profanity filter, and whitelisting destinations or presetting passcodes for AirPlay
- Hiding (by which we mean disabling, to bring about the effect that the app is not shown) built-in applications like Game Center, iTunes Store, iMessage, Podcasts, or store components like In-App Purchase or the iBooks Store
- Stopping the removal of any other apps, including the ones that Apple Configurator may have installed, or preventing the addition of any so-called Internet accounts (such as Facebook, Twitter, and so on) or e-mail accounts

Note: Restricting Safari does not require supervision, but it is a common error to believe that you’ll allow all the web functionality you want by using a Web Clip payload in a configuration profile, for example, for accessing your intranet only. If you restrict Safari, the app will be removed and Web Clips will not even launch if present.

A bigger point than even these settings, which were advocated by so many of Apple’s customers in large institutions, is the ability to install profiles with zero taps. If the device is still in Prepare mode, you’ll need to respond to the prompts on the screen to accept certificate notifications, learn about what the profile will do to the device, and eventually install, and then tap on Done, per profile. Loading a profile onto a supervised device is silent. In fact, when restoring the backup to supervised devices, you don’t even need to go through any setup or activation steps. (More recent versions of Apple Configurator can allow similar behavior without restoring a backup, by selecting which prompts to skip.)

If this wasn’t a security book, we could probably stop here. However, by far the biggest point from a security perspective is the fact that, by default, a supervised device can be disabled from connecting to any other computer running Apple Configurator. An attacker cannot piggyback on iTunes to target another device too. This mitigates many of the pairing-based complications that we’ll be discussing in Chapter 6, Debugging and Conclusion. In fact, if it was desirable to allow moving any content to the device from another computer, the device must be designated at time of supervision to Allow devices to connect to other Macs (by which they imply PCs as well).

Further, if a specific configuration profile with a restriction payload is applied, Allow pairing with non-Configurator hosts must also be selected. If you want to, this can allow you to optionally disable pairing later via MDM, in case it is not clear whether your end users will need it at the time of supervision, but if you are using Apple Configurator to supervise the device, then it must be connected to the computer again. You can see each of these settings in the following screenshot:

The two settings that must align for devices to be allowed to pair with any computer

When discussing workflows, we said Apple Configurator is a good fit for high-service, fast-turnaround use cases, which leads to another big feature of supervision: the ability to refresh the device to a stored state upon reconnection. If this includes the restoration of a larger backup with many apps, this can be a more lengthy process, but in any case, all of the ingredients are cached locally in Apple Configurator’s support directories. (Apps such as iMovie and Keynote run into hundreds of MBs and flash storage in general is optimized for reading and not writing, so it’s good to measure if the cycle time meets your expectations.) This can essentially reimage the iOS device if Apple Configurator is open on the computer to which the device is attached.

Optionally, in the event you are not restoring a backup, you can also have any apps and profiles that may have been added to the device deleted, so user training regarding supervised devices is very important. If this behavior is not desired for any reason, you must at least temporarily turn off these settings in Apple Configurator’s Preferences, as shown in the following screenshot:


In Preferences, where supervised devices are configured to automatically refresh when they are connected


Apps, VPP, and Apple Configurator

When the usage model is one customer for one device, an MDM can prompt an end user for their Apple ID. Apple Configurator doesn’t require a user that receives a device prepared by it to plug anything in, allowing shared usage models that just weren’t possible before.

If an Apple ID is authorized for use on the computer running Apple Configurator, even if it is not associated with VPP, you can go ahead and import and distribute free applications. The recommended way to go about obtaining the .ipa files (the archived bundles that are iOS applications, as discussed in Chapter 2, Introducing App Security) is to download them from the App Store section in iTunes. However, no matter what ID the app was downloaded with (for example, if an iOS device already synched with the computer and backed up its purchases with iTunes), the DRM can be removed from the app bundle and imported with whatever Apple ID Apple Configurator wants to use. However, if you forget to authorize the computer in iTunes, you’d see the following error:

When an app to be installed on a device is imported without the associated Apple ID authorized in iTunes

Note: Keep in mind that the updates for any application installed with Apple Configurator are tied to the Apple ID it was imported with, which may have unintended consequences when it prompts for updates on every device.

This is especially true when the Apple ID has an e-mail address for the username that is not associated with your institution, because end users see it when prompted. We’re not saying that this has happened to any of our customers.

If you have different groups that are sharing the same set of supervised devices, apps can go out and come back in if another setup is required where these apps shouldn’t be present. Apple Configurator can group devices arbitrarily as you choose and apply settings as needed, and apps are one of the things that can come along for the ride.

These processes are just the same for paid apps that have been purchased under the VPP. It becomes very important, however, to follow Apple’s guidance as to what version of VPP purchases should be chosen based on your use case. Also, you should be careful to not apply an app to a device if it has not been first put into the Supervise mode, as this will not allow you to reclaim the app code if you’re relying on this method of app distribution.


While this is not necessarily pertinent for a security discussion, the online VPP portal from Apple provides an interface to download redemption codes for use with Apple Configurator, and it inquires internally how many of these have ever been applied to devices. The Apple Configurator interface helpfully provides feedback about how many have been redeemed per product and it provides a spreadsheet of codes as well. It may seem obvious, but do not use the same spreadsheet of codes with an MDM or other distribution methods.


Mass restoring and naming of devices

From a branding or support standpoint, having the icons consistently arranged with a standard home screen background is desirable. Although MDMs are supposedly gaining this functionality, the original way to do these customizations, whether in the Prepare or Supervise modes, is to create a backup. (Backups made from a device in one mode cannot be restored to another with Apple Configurator.) This often requires manual interaction and if you have an MDM, it would make sense to allow it to perform any applicable configurations. It’s very straightforward in the interface where you would initiate the creation of a backup when you are in either mode, and you can even access the stored backups.

Apple Configurator also protects the throughput of the USB bus by limiting concurrent operations to somewhere in the range of three at a time.

Note: The application is limited to 30 concurrent USB connections over a powered hub, which is obviously not the maximum for the protocol.

Also, keep in mind that except with very recent, specialized hardware, USB hubs can practically be considered addressless except for physical identification. The most reliable way to be confident that devices on a large hub are being named or otherwise prepared in a particular order is to attach each cable to the device in the sequence that you like.

Note that if you supervised a device and it is lost, stolen, or broken to the point that it cannot reconnect to Apple Configurator, you will lose any applicable app codes if you are using VPP. (Which is to say the original “redemption codes” version in comparison to the licenses model referred to in the VPP portal as “managed distribution”, for use with MDM.) To reclaim the previously supervised device’s name to keep your inventory neat, you can select it from the list in Apple Configurator and, under the Devices menu, hold down the Option key. Unsupervise will change to Remove and you can prepare a new device to take that slot in the sequence. The same goes when a device is repaired and replaced with a device that has a different serial number, if you were not able to unsupervise the previous device before it left your possession.


Backup concerns

When there is a supervision relationship between many of your devices and you realize that only small workgroups or sets of devices fit in the Apple Configurator usage model, backups become crucial, and alternatives to prevent over-reliance or an abundance of hacky workarounds become attractive. Taking backups as the first topic, Apple ships built-in backup software called Time Machine that can be used to protect the computer that runs Apple Configurator, but it is limited in its capabilities. You can either directly connect a hard drive (which can be encrypted), or send the backup over the local network to a machine running a compatible endpoint. It is not optimized for over-the-WAN offsite backup, among other shortcomings.

To separately understand the files in use, first we’ll reprise our talk about sandboxing. In a rare reversal of the “do as I say, not as I do” maxim, Apple is following its own rules with Apple Configurator by using the container model for its data storage, which puts the files it operates with away from the view of the user. It is literally deep within a hidden folder. You can reach it by navigating to Users | Current User (the current user’s name) | Library | Containers | com.apple.configurator | Data | Library. Yes, the repetition is intentional.

Similar to Time Machine, Apple Configurator leverages links to refer to files outside of its sandbox for which it doesn’t need write access. (Time Machine uses hard links to stub unchanged files from previous backups, which lets it present a complete set when you browse the most current folder structure in its storage destination.)

Another repeated pattern is the use of SQLite as the storage mechanism for the database of supervised devices and other inventory-related information. This is located in a subdirectory of the path listed earlier and you can go to it by navigating to Application Support | com.apple.configurator | AppleConfigurator.storedata. iOS software updates that are often full OS installations get cached within Firmware under Caches, and apps imported into the program get stored in Resources, which you can reach by navigating to Application Support | com.apple.configurator.


Configurator as chaperone

It is a common troubleshooting tip to turn up the verbosity of a process, look through the logs, and check any settings or configuration files. Mac folks have long gathered commands that enable hidden settings in preference files that are Apple-flavored XML files, just as we said was the case for configuration profiles. If you run defaults write com.apple.configurator LogLevel ALL (with the preference domain mapping to the path of com.apple.configurator.plist under Preferences, reached by navigating to Users | Current User (the current user’s name) | Library | Containers | com.apple.configurator | Data | Library), you will cause informational text built into the debug output of the application to be written to logs. You can then sift through this information by viewing system.log in the Console application inside the Utilities folder in Applications, if you’re running as an admin user on Mac. (Otherwise, you can tail the system.log file by navigating to var | log if you can elevate yourself to an admin user from a shell.)

Sometimes, old code names for apps, devices, or features stick around in the inner workings of applications, and if you run defaults read on the preceding file (or open it in a binary plist compatible text editor such as Xcode), you’ll notice the ChaperoneCertificateIssuer and ChaperoneCertificateSerial key/value pairs. Supervision may very well have used this Chaperone naming internally at Apple during development. Similarly, the name of the profile that Apple Configurator installs when supervising the device is referred to as com.apple.configurator.chaperoneprofile. The following screenshot shows the settings on a supervised device; this is an example of Apple Configurator’s installed profile:

In Settings on a supervised device, this is an example of what Apple Configurator’s installed profile looks like

In past versions of Apple Configurator, you would see that the console output also mentions the Boolean (true/false) value for the “chaperoned” property of a device that is being interacted with. This concept of a host having a responsibility relationship with the device helps further stress the importance of guarding the computer that is running Apple Configurator. If this machine is ever compromised (or perhaps even worse, experiences data loss), you would be in quite a pickle indeed.


Activation Lock and Find My iPhone

A boon for theft prevention (or a bust for the iOS device resale market) is the implementation of a new feature, as of iOS 7, by Apple called Activation Lock, which is an extension of iCloud’s previous Find My iPhone feature. If you had an iCloud account configured with the setting on an iOS 7 device and it needed to be reactivated from scratch after a restore, the process would not have been able to proceed until that account’s password was entered. This was felt to be a burden and a management headache for those who lent out devices regularly, but by some municipalities’ statistics, this alone reduced theft of iOS devices as they became practically useless.

Note: A few links to note:

The citation for the claim that thefts (and the iPhone resale market) are impacted by this feature can be found at http://arstechnica.com/apple/2014/06/ios-7-activation-lock-cutting-iphone-theft-damages-resale-market/.

Apple’s Check Activation Lock Status page at https://www.icloud.com/activationlock/ is for use before you buy or receive a phone.

Look at Apple’s guidance on how to deal with a device that is still locked (http://support.apple.com/en-us/HT201441) or preparing your own device for sale (http://support.apple.com/en-us/HT201351).

Apple, as the central clearinghouse of devices that must come onto the network and check in before being allowed to be activated, can theoretically ensure that devices can only be activated by their rightful owners.

To address the problem of institutions that want control over whether customers can enable this feature and do not find it desirable when they’d like to reprovision the device to another user, two techniques exist. The first one is that an MDM can block Activation Lock until a bypass code can be generated for the device and sent to the service for a certain window of time after an enrollment. This is akin to a full disk encryption key escrow, which provides a distinct, non-identifying “get out of jail free” card so that you can reactivate the device without the presence of the previous iCloud-identified user. You can find more details at http://support.apple.com/en-us/HT202804 in Apple’s documentation about how they recommend folks mix tools such as an MDM or Apple Configurator into their support procedures around Activation Lock.

The reference implementation of MDM for Apple, the Profile Manager service in their OS X Server app, has specific documentation on the Activation Lock bypass code at http://help.apple.com/profilemanager/mac/4.0/#/apd94BD5B2E-6448-450D-B76F-605AEEEEC9D7.

The other technique to deal with Activation Lock is that by default supervision does not allow this feature to be enabled in the first place. Are you getting the idea that Apple really wants you to supervise your devices? Only if you then use an MDM that enables the feature (via escrowing a bypass code or otherwise) can devices use the feature. Even if the end user enables Activation Lock on a supervised device, putting the device into Recovery mode will allow you to wipe (or prepare or refresh) it as you see fit. If you’re given a device that was not supervised before Activation Lock was enabled, you will get an error message that says that it is “Unable to check iOS”.

Recovery mode is a state where the device has booted to its firmware and has been told that it needs a fresh OS installation. It previously showed a Connect to iTunes message with a USB connector, but now it shows an arrow from a Lightning connector to the new red iTunes icon (http://support.apple.com/en-us/HT1212). You can also use a utility like RecBoot or others if you often find yourself recovering a forgotten password, but be sure to carefully evaluate and inspect applications that purport to do cool things to iOS devices, as they are not officially sanctioned by Apple and may be from compromised sources (http://jaxov.com/2010/05/recboot-iphone-recovery-mode/). The following screenshot shows a prompt that displays the error encountered when you try to prepare a device with Activation Lock enabled:

The error presented when you try to prepare a device with Activation Lock enabled


Addressing the rough spots

For years, Apple said you could try a stick-and-carrot approach, using HR policy and enticements to stop end users from removing MDM or supervision profiles, with the ultimate caveat being that end users could always wipe the device. iOS 8 finally delivered a more comprehensive way to ensure that the devices are managed after being given to end users. Now, there is a restriction on access to the setting that erases all data and settings if the device is supervised, but only DEP, which we’ll discuss later, truly keeps the device locked to your MDM. You can also restrict the removal of profiles by setting passwords as needed for removal in an ad hoc manner.

Between the small (intended) workgroup scale, inflexibility regarding interaction with things like backups, and the singular, fat client-based point of failure, many have hoped that there were other options. GroundControl is a new product that can provide some of the powerful features and functionality of Configurator without its limitations. (Disclaimer: one of our technical editors is the lead developer on this project.) This cloud-based solution aims to put tight control of the deployment process in the hands of the stakeholders. You can learn more about this at https://www.groundctl.com.


DEP versus Apple Configurator

The Device Enrollment Program (DEP) is provided by Apple to alter the setup assistant so that devices can be unboxed by end users, but they are then forced to enroll into the MDM. DEP can also enable supervision without Apple Configurator. In fact, Apple recommends that you are not supposed to use devices that have DEP with Apple Configurator, at least while they are assigned to an MDM. Just as Activation Lock would cause trouble with Apple Configurator, DEP would like to kick in when the device is being activated, and this is not currently engineered into the product. Apple’s documentation regarding the example use cases where DEP can be used with Apple Configurator is found at http://support.apple.com/en-us/HT201092.

To get going with DEP, a significant amount of paperwork is required, such as associating Apple IDs, tracking down purchases, getting a D-U-N-S number if you don’t already have one for your Apple Enterprise Developer account, and then connecting the DEP portal to your MDM. And even before all that, it may not be available in your country. The complete list of countries that have DEP can be found at https://deploy.apple.com.

The actual moving parts for setting up DEP with your MDM are mostly concerned with what you want to see as part of the setup assistant. There is also the option to lock the MDM profile and enable supervision.

Keep in mind that things such as supervision and locking down devices shouldn’t be a concern when you’re only supporting a BYOD program. However, there are certainly many important considerations to keep in mind when you transition from previously deployed and supervised devices to DEP. Just like supervision, you must wipe the device so that it always points to your MDM during setup. This brings us to a bit of a show-stopper for many, and that is the fact that you are not supposed to restore the backup taken from the same device that is now being associated with DEP.

This makes it sound like there isn’t a real migration path for pre-existing managed devices. We are not making this up. For more information, you can refer to http://support.apple.com/en-us/HT202977. You are even expected to MDM-wipe or Apple Configurator-unsupervise devices before they can be considered active within DEP. For moving data, the following choice quote is included under Apple Configurator: Transitioning to Apple Deployment Programs:

“When an iCloud backup is restored to the same device, all supervision and profiles come from the backup regardless of how it was configured in the Device Enrollment Program. For this reason, when restoring backups each user should transition to a new or different device to ensure Device Enrollment Program supervision and MDM enrollment are enforced.”

When we filed a radar (bug report) on this behavior, the response received was “works as intended”.


Guided Access versus App Lock versus Single App Mode

The previous section on Guided Access in Chapter 2, Introducing App Security, introduced us to the concept of putting the device into a mode where very little can go wrong with it, but this also limits it to a single purpose: locking the device to run only one app. Note that this would only be applicable for supervised devices. Apple Configurator can be told which app to run and the device will bypass the home screen after the device is woken from sleep. The previous guidance applies for making sure that you can get access to the Apple Configurator station in case it needs maintenance, or to make sure that the network access is reliable if using Single App Mode with MDM. In addition, ensure that the power settings are applied, as end users would need to put the screen to sleep manually since they don’t have access to settings.

As Single App Mode allows ad hoc, over-the-air application of the profile to make the device enter this locked-to-app mode, you can first allow end users to set a passcode on the device before the home screen becomes inaccessible. While this allows it to remain locked when unattended, make sure you consider apps that prompt for authentication and allow you to log out if sensitive data or systems are to be used.


ActiveSync

You may get along very well without any of these tools that we’ve discussed so far. In addition, MDM is not particularly necessary if the ActiveSync protocol delivers the restrictions and security features that you need. The protocol was also adopted by paid versions of the Google Apps product and it is natively supported when you configure an Exchange e-mail account on iOS.

Many aspects of the server and Outlook Web Access interface work in exactly the same manner with iOS as they would with BlackBerry, Symbian, Windows Mobile, Windows Phone, or an Android device. However, while the 14.0 version of the specification should be supported, the actual applicable settings have remained somewhat unchanged for years. Recently, Microsoft has been promoting various new products to manage mobile devices, which support the native management frameworks of each of the popular platforms.

As a refresher, management settings enforceable via the ActiveSync protocol are as follows:

- Wiping the device (if the device is lost or stolen)
- Enforcing a device passcode, with complexity, expiration, history, timeout before prompt, and failed attempt thresholds
- Allowing use of the camera (which was originally focused around courts or government-related buildings and contractors)
- Disabling sync while the device is roaming to help with data usage while you are outside normal cellular coverage

Further, via a configuration profile, you can limit how far in the past your mail is synced, along with other account-specific settings like certificates.


Summary

Over the course of this chapter, we spent a lot of time investigating Apple Configurator. We discussed the Prepare mode, which can make lightweight, one-off changes as per your need. Supervision and user checkout or assignment set up long-term management “chaperone” relationships with iOS devices. We went over how Apple Configurator distributes the older version of VPP app codes and how it can lock the device into an app. As Activation Lock helped to make a device’s theft less effective, supervision also provided a safety net for institutions by allowing them to reclaim devices via the Recovery mode. We also reminded you that before evaluating an MDM, many restriction-related features are actually available to ActiveSync as an alternative.

For security professionals, it may seem like Apple is clueless about the needs of large enterprises, and Apple Configurator may not help with that impression. But by providing best practices we’re left with the most supportable management, which works with the platform instead of against it. Apple has pushed the idea of “tier zero” or “the new IT” as a hands-off, infinitely scalable solution where IT lets end users perform maintenance tasks and it doesn’t need to build walls between work and personal data in everyone’s devices. We can do our best work when we are protecting devices by concentrating on how little of the device needs to be managed, even if they are owned by institutions. Even when it seems that the controls that are available aren’t of industrial strength, practical concerns are going to trump a tightly locked-down experience. Apple, its customers, and its developers still need room to experiment and bring real innovation and productivity to mobile devices.


Chapter 5. Mobile Device Management

Mobile Device Management (MDM) refers to the technology that allows the centralized management of mobile devices, including those that run Apple’s iOS. Centrally controlling iOS devices is an absolute requirement for many large organizations. Centralized management is also becoming a necessity in smaller environments. There are a lot of products that can be used to manage devices. These range from tools such as the inexpensive Profile Manager built into the Mac OS X Server application to third-party tools such as AirWatch, MaaS360 (by IBM), MobileIron, JAMF’s Casper Suite, and Bushel.

Note: In the interest of full disclosure, Bushel is being developed by one of the authors of this book. Bushel is represented here because of the depth of knowledge that the authors have of the product.

In this chapter, we will cover the following topics:

- Introducing MDM
- Using Configurator versus mobile device management
- Profile Manager
- Introducing Bushel

These are meant to showcase the technology and are not an endorsement of any single solution. The reason that it’s hard to endorse any single solution is that each has specific strengths and weaknesses, and each should be considered independently according to the environment.


Introducing MDM

As mentioned, MDM is a technology that empowers you to centrally manage mobile devices. MDM’s framework is developed by Apple and works using the Apple Push Notification service (APNs) to send messages from Apple. The notifications by the APNs do not actually contain commands or settings, but instead notify the device to look back at an MDM server, to pull commands that are waiting on the server.

MDM commands can wipe, lock, and perform other tasks on devices. MDM commands can also leverage profiles to configure settings on devices, similar to how we configured settings using Apple Configurator in this chapter. However, when configuring settings via an MDM solution, the profiles are installed over the air. This allows you to change settings daily or based on a device meeting a specific requirement. For example, with some third-party tools, you can wipe a device based on the geographic location of the device. MDM refers to the myriad of technologies that go into facilitating these transactions.


Configurator versus MDM

In Chapter 4, Organizational Controls, we looked at managing devices locally using Apple Configurator. Apple Configurator works by installing profiles on devices using the USB connection from the computer to the devices. This works great in certain environments, such as when you just want to load settings onto a device prior to giving it out to a user. However, for a number of scenarios, you will want to update devices over the air. And, for a number of other scenarios, you need to use Apple Configurator or a combination of Apple Configurator and an MDM solution.

As mentioned, there are a number of tasks that cannot be managed using an MDM solution. These include the following:

- Restoring data to devices
- Setting the background image of devices
- Upgrading devices
- Enabling supervision, with the exception of Device Enrollment Program (DEP) devices (DEP allows Apple devices to be tied to an MDM solution)

Apple Configurator, on the other hand, can be used for all of the preceding points, as well as enrolling into an MDM solution. It can also be used to supervise devices without an MDM, the benefits of which we discussed in the previous chapter. This makes using Apple Configurator a viable use case for the tasks it can perform; it also helps to automate the setup of a lot of devices.


The Profile Manager

There are a lot of providers with MDM solutions, such as Symantec, IBM, Sophos, JAMF Software, and others. We’re going to use Profile Manager in this chapter, not because it’s the best of them, but because it’s an Apple product. The features of each MDM solution can be quickly and easily compared at http://www.enterpriseios.com/wiki/Comparison_MDM_Providers.

In this chapter, we will look at two solutions. The first is Apple’s Profile Manager. This is a service included as part of the Server application, which runs on Mac OS X and is built by Apple. The Server app can be purchased from the Mac App Store for around 20 dollars (USD). However, the Profile Manager is not a complete solution for many; it lacks some scalability and ease of use that other vendors have built into their products. The second is a newcomer called Bushel. The Profile Manager requires an OS X Server, whereas Bushel is a SaaS solution.

www.it-ebooks.info

PreparingtheProfileManagerServerAsmentioned,ProfileManagerrequiresaMacrunningOSXServer.Inmanycases,thisserverisasimpleMacminiserver.BeforewegetstartedwithinstallingtheServerapplicationandshowinghowtouseProfileManager,preparethecomputerthatwillbeusedastheserver.

TipFortesting,theservercanbeavirtualmachinewhenrunningonApplehardware.

SettinguptheProfileManagerinvolvespreparingtheserverbyconfiguringastaticIPaddressontheOSXServer.OnceyouhaveinstalledtheServerappfromtheMacAppStore,configureastaticIPaddressusingtheNetworkSystemPreferencespane.Oncedone,youwillneedtoproperlyconfigureahostname.

ThehostnameinthisexamplewillbeYosemiteserver.krypted.com.Wheninitiallysetup,aself-signedcertificateisinstalled.It’ssimpletogenerateaCSRandinstallacertificatefromaCertificateAuthority(CA);however,doingsoisbeyondthescopeofthisexample.Performthefollowingsteps:

1. First, elevate your privileges by invoking bash with sudo:

sudo bash

2. Next, configure the hostname using the scutil command:

sudo scutil --set HostName Yosemiteserver.krypted.com

3. Then, configure the computer name using the ComputerName option with the scutil command:

sudo scutil --set ComputerName Yosemiteserver

4. Finally, configure the local hostname using the LocalHostName option with scutil:

sudo scutil --set LocalHostName Yosemiteserver

Note: The preceding ComputerName and LocalHostName operations can be performed using the Sharing System Preference pane; however, we are doing it here since we are already in the command line and it's one less screenshot to take up half a page.

Once the names are properly configured, check whether they function properly using the changeip command:

sudo changeip -checkhostname

The output of the changeip command should appear similar to the following example:

Primary address = 192.168.210.201

Current HostName = Yosemiteserver.krypted.com

DNS HostName = Yosemiteserver.krypted.com

The names match. There is nothing to change.

dirserv:success = "success"

If you're unsuccessful and don't see success, you may need to do some work to resolve the domain names:

1. When hosting your own DNS from within the Server app on the Profile Manager server, verify that the DNS server is set using the IP address used on the server.

2. When hosting a DNS on an Active Directory-based DNS server or other non-local DNS server, verify that you have properly working forward and reverse records for the hostname and IP address combination in use on the OS X Server or the Active Directory integrated server.

3. From the Server app on the Profile Manager server or other Mac, click on the Websites service and then on the ON button (which would say OFF to start with). Don't configure anything else for the web server.

4. When the service starts, you will see the path to the default websites (/Library/Server/Web/Data/Sites/Default) and a View Server Website link will be displayed on the screen, as shown in the following figure:

The setup of the web service

Click on the View Server Website link at the bottom of the Server app. Then verify that the Welcome to OS X Server page loads. Doing so verifies that the web service (Apache) starts properly and is accessible.
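The naming steps above are easy to get wrong by hand (a LocalHostName with a space or a dot will be rejected, and the three names drift apart over time). The following shell script is an added example, not from the book or from Apple: it derives all three names from one FQDN, validates the local hostname, emits or runs the same scutil commands, and checks a pasted `changeip -checkhostname` result for the "names match" and `dirserv:success` lines. The `DRY_RUN` variable and the function names are this example's own; scutil and changeip are the macOS tools the chapter uses.

```shell
#!/bin/sh
# Added example (not from the book): derive the three macOS names from one
# FQDN, validate them, and check `changeip -checkhostname` output.
# Assumes macOS `scutil` and `changeip`; DRY_RUN=1 only prints the commands.

# Bonjour/local hostnames may only contain letters, digits and hyphens,
# and may not start or end with a hyphen.
valid_local_hostname() {
    case "$1" in
        ''|*[!A-Za-z0-9-]*|-*|*-) return 1 ;;
        *) return 0 ;;
    esac
}

# First DNS label of the FQDN, used for ComputerName and LocalHostName.
short_name() {
    printf '%s\n' "${1%%.*}"
}

# Emit (or run) the three scutil commands in the order the chapter uses.
set_host_names() {
    fqdn=$1
    short=$(short_name "$fqdn")
    valid_local_hostname "$short" || { echo "invalid local hostname: $short" >&2; return 1; }
    for pair in "HostName $fqdn" "ComputerName $short" "LocalHostName $short"; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "scutil --set $pair"
        else
            # shellcheck disable=SC2086  # intentional word split: option value
            sudo scutil --set $pair || return 1
        fi
    done
}

# Return 0 only when changeip reports matching names and dirserv success.
# Reads the command output on stdin, so it can be checked offline.
changeip_ok() {
    out=$(cat)
    cur=$(printf '%s\n' "$out" | sed -n 's/^Current HostName *= *//p')
    dns=$(printf '%s\n' "$out" | sed -n 's/^DNS HostName *= *//p')
    [ -n "$cur" ] && [ "$cur" = "$dns" ] &&
        printf '%s\n' "$out" | grep -q 'dirserv:success *= *"success"'
}
```

Typical use on the server is `DRY_RUN=1 set_host_names Yosemiteserver.krypted.com` to review the commands, the same call without `DRY_RUN` to apply them, and then `sudo changeip -checkhostname | changeip_ok && echo OK`.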

Preparing Profile Manager

Once you see the Welcome to OS X Server page, click on Profile Manager in the Server app sidebar. Then, click on the Configure button, shown in the following screenshot:

The Profile Manager Service

The Configure Device Management assistant appears. Click on the Next button.

Many environments will have an existing directory service that the Profile Manager server connects to. If you connect to Active Directory, then Profile Manager will require an Open Directory master or replica to be accessible. If there is none, then click on the Create a New Open Directory domain in the Configure Network Users and Groups screen (or go on to create the Directory Administrator account if prompted to do so instead). This directory service will be used for Profile Manager. If you have an existing directory service, then the existing service will be used for usernames and passwords and this one you just created will only be used for Profile Manager.

If you're creating an Open Directory domain, click on the Next button. Then, provide an administrative username and password for Open Directory. The default username is diradmin. Click on the Next button.

When prompted on the Organization Information screen, provide the name of your organization and an administrator's e-mail address (the e-mail address to put on certificates), as in the following screenshot, and then click on the Next button.

Providing an organization's information

The settings you used are then displayed on the Confirm Settings screen.

Click on the Set Up button. If prompted to do so, choose a certificate (the next screenshot) and then click on Next.

Configuring an SSL Certificate

For this example, we will use the self-signed certificate created by Open Directory and click on Next.

The APNs certificate establishes a trust relationship between Apple and your Profile Manager server so that push notifications can be sent to devices. You should use an institutional Apple ID for your organization (for example, <apns@krypted.com>) rather than a private one (for example, <charlesedge@krypted.com>). Once you have entered the credentials for a valid Apple ID, click on the Next button.

Provided the Apple ID authenticates and everything works as intended, click on the Finish button to complete and exit the configuration assistant. The Configure button should then be gone. Once back at the Profile Manager settings in Server, select Sign Configuration Profiles, displayed in the following screenshot:

Signing up your configuration profile

From the Code Signing Certificate sheet, choose the appropriate certificate, and click on the OK button:

Choosing a code signing certificate

Note: You can also import a certificate here if you have purchased a code-signing certificate.

Completing Post Configuration tasks

Enable the Include configuration for services option to automatically build your configuration profile settings for services hosted on the server (Mail, Calendars, VPN, and so on). If you use the Profile Manager server for other services, leave this option enabled; otherwise, disable it as seen in the following screenshot.

Enabling configuration for services running on the server

Apple's Volume Purchase Program (VPP) allows you to buy apps on the Mac App Store or iOS App Store in bulk and distribute them to users. You can also revoke apps when employees leave your organization. VPP also allows you to manage iBooks as well. Profile Manager can help you distribute these apps and iBooks.

To enable the VPP features of Profile Manager, you will first need a VPP account, which can be obtained from deploy.apple.com. Once you have created this account, download your unique token file. Then, back in Profile Manager, enable the checkbox for Distribute apps and books from the Volume Purchase Program. Click on the Choose button and select the token file you downloaded earlier from Apple.

Once these apps are added, click on the ON slider (which would say OFF until clicked). Doing so starts the Profile Manager service. Once you see the URL to access your web interface, you can start managing devices using Profile Manager:

Accessing the Profile Manager service

Once the Profile Manager service is started, click on Open Profile Manager at the bottom of the Profile Manager settings screen. Authenticate yourself on the login page to manage your iOS and OS X devices.

Using Profile Manager

Once you log in, there is a ton of options. You can configure policies for devices and placeholders and get lost pretty quickly. Hence, we're going to provide a primer on configuring profiles and managing devices. The easiest way to get started is to use the Everyone profile. This profile allows you to configure profiles for services running on the server to deploy settings to all users enrolled on the server.

The Everyone group has a Restrictions section, which allows administrators to restrict access to various Profile Manager options. These include restricting access to the My Devices portal (we'll cover using My Devices for enrollment later in this chapter), locking for devices (an option within My Devices), and the ability for users to wipe their own Apple device.

Tip: The DEP is a system that automatically configures Apple devices to join an MDM upon setup, which begins a process that users can complete. You can allow your users to automatically enroll via DEP here.

Activation Lock is a feature in iOS that restricts a device from being erased and reactivated without the Apple ID that was used to originally set up the Activation Lock features. This can be challenging if users do not actually own their devices. When running supervised devices, you can disable Activation Lock or generate a bypass code to unlock a device that has been locked through Activation Lock, as shown in the following screenshot:

Logging into Profile Manager for the first time

Enrolling into Profile Manager

To manage a device, you must first enroll the device in Profile Manager. Enrollment is an opt-in procedure, unless the device is assigned to an MDM server via DEP. Use the URL of the server followed by MyDevices to access the My Devices portal, which is how users can enroll their own devices into Profile Manager. This brings up a list of profiles that can be installed manually.

Enrolling devices in Profile Manager

Tap on the Enroll button to enroll a device. When prompted, tap on Continue:

Installing profiles

You will receive an error if you are installing a certificate that hasn't yet been trusted by a third-party Certificate Authority (CA). As can be seen in the following screenshot, click on the Install button:

Accepting unverified Profiles

Once you're enrolled, click on Profile in the Profiles section of the Settings app to see what settings are deployed and optionally unenroll devices. Users can wipe or lock their own devices from the My Devices portal or administrators can manage devices from the administrative portal.

Device management

As mentioned, you can then manage iOS devices from Profile Manager. The first task we'll cover here is enforcing a passcode policy for a group of devices. To do so, click on Device Groups in Profile Manager and select a group of devices.

A critical aspect of any management solution is to see the inventory information. The information shown includes certificates installed by the MDM solution, UDID, Last Checkin Time, Wi-Fi MAC, Ethernet MAC addresses, Device Model, and whether the personal hotspot is enabled. You can also see the apps that the MDM solution has installed and the restrictions that have been enforced by the MDM solution.

Passcode policies

Real-time management of devices is done using the Devices screen. Here, we can access machine-specific information and settings using the Settings (cog) button, as well as wipe and lock devices. Try to always use groups to deploy policies, as we do here. From Device Groups, select your group and then click on the Settings tab. Click on the Edit button shown in the next screenshot:

Device Groups

Since we're configuring a passcode policy, click on Passcode. The items in the left column are known as payloads. Click on Configure to set up the passcode payload. Check the box and enable Allow simple value, as shown in the following screenshot. Then, set the Minimum passcode length option to a number. We really like using four characters. Then, click on the OK button to save your changes.

Configuring passcode requirements

Okay! That didn't save your changes to the profile, only to that payload within the profile. Click on the Save button on the Save Changes? screen to finish the process. You'll know everything worked when the device prompts you for a new passcode if one is already configured.

Wiping a device is another common administrative task. Make sure you're using a device where you don't mind losing everything before you follow along with this example. To wipe a device, select the device from Profile Manager and then click on the Settings (cog) button, as you did earlier. This time, click on Wipe:

Wiping a device

When the Wipe screen comes up, click on Wipe. Because this is destructive to data on the device, you'll be prompted to click on Wipe a second time. If you look at your device, note that it should instantly go black, and then, reboot the device.

Tip: If the device is DEP-enabled, it will automatically begin the enrollment process again once it joins a Wi-Fi network for the first time.

Introducing Bushel

In the interest of full disclosure, one of the authors of this book works at JAMF Software, the company that makes Bushel. It is a very simple, easy-to-use MDM that allows us to showcase, using a third-party solution, how to make changes on devices using the fewest number of screenshots so we can fit them into this book.

Setup

You can set up a Bushel account from signup.bushel.com. When prompted for your company name, provide it a subdomain name as well, as shown in the following screenshot:

Configuring your organization in Bushel

When the form is filled out, click on Next.

On the initial screen, provide your name, e-mail address, and a password, as shown in the next screenshot. The administrative username for the account will then be this e-mail address. Click on the Create Account button:

Configuring your Bushel account settings

You will receive an e-mail from Bushel. Click on the Activate button in the e-mail. Click on Get Started and then provide the mail settings for your domain or click on the Skip button to provide the APNs certificate so that you can enroll iOS devices into your Bushel account, as shown in the following screenshot:

Installing an APNs certificate in Bushel

The enrollment process

The enrollment process is similar to Profile Manager and other third-party MDM tools. Log in to your Bushel account, click on Enrollment, and when prompted to Enroll This Device, click on the Enroll button. When prompted Who will this device belong to? enter the username (that is the user's name in front of their e-mail address, most likely, or the username for your e-mail system).

Provide the e-mail address as well, and then click on Enroll This Device. To enroll the device, use the default settings at each screen. You can also save the mobileconfig file downloaded (if using a Mac) and e-mail or text it to allow a user to enroll without visiting a website. You will need to leave the username field blank if you're distributing a profile to multiple people.

Restrictions

Apple built a feature called open in management in iOS. This feature protects company data in mail accounts, apps, and even Safari links distributed by an MDM.

One example of open in management is if you download Numbers and Box using Bushel and then purchase Dropbox using your personal Apple ID on the same device, you can then open a document that came in through Numbers using Box. However, you can't open that same document using Dropbox, because it was not supplied via the MDM service.

Bushel enables open in management by default on all accounts. The button says Protect corporate data on iOS devices. To verify that open in management is enabled, click on the Setup tab. Then, click on Security in the sidebar and look for Protect corporate data on iOS devices, as seen in the following screenshot:

Configure corporate data protection

Make sure you are using VPP to deploy your apps and verify that the iOS device is using the mail account deployed via your MDM, rather than a manually configured account. To check the mail account, open Settings, tap on Mail, and verify that the settings found there cannot be changed. We will cover the Volume Purchasing Program in the next section.

Volume Purchasing Program and MDM

VPP is a service provided by Apple that allows organizations to purchase apps in volume. Apps purchased in VPP and deployed through an MDM solution can also containerize data to only exchange data with apps deployed by that MDM solution. To deploy an app, simply click on Apps in the sidebar. If you have a .vpptoken file (a file you get from the Apple VPP portal), then you will see the apps purchased using the Apple VPP portal in your Library, as shown here:

Installation of Apps using VPP

Click on an app and then click on the Install button to deploy the app to all devices enrolled in your Bushel account. Then try to copy data out of that app into the one manually installed from the App Store. Provided the copy fails, you have successfully built a walled garden for your app-based data.

Summary

We did a lot in this chapter, which is great. In Chapter 1, iOS Security Overview, we looked at configuring passcodes, and in Chapter 2, Introducing App Security, we looked at app data. Here, we managed both with very basic policies, deployed by inexpensive and easy-to-use MDMs. You can get a lot of complicated functionalities with your MDM, if you choose. You can also do much more with the tools we provided in this chapter, so we hope you will explore everything these tools (and the other third-party MDM suites) have to offer.

In the next chapter, we'll conclude the book by turning our attention to the insides of the device, diving into debugging tools so you can dive even deeper into the abyss, that is, reverse engineering how these things work.

Chapter 6. Debugging and Conclusion

Every environment is different. Understanding the internal workings of an iOS device enables you to isolate items that you might consider to be a security threat for your particular environment that we haven't identified in this book. In addition, learning more about these devices is just plain cool! In this chapter, we're going to look at debugging and forensic data collection. These both showcase what kind of data can be pulled off devices and teach you more about the devices that you're securing.

As we've showcased throughout this book, Apple does a good job of protecting sensitive data on devices. In addition, application vendors have a lot of tools to keep your data secure as well. However, computers being what they are, some data can be obtained from them. In this chapter, we're going to cover the following topics:

- Xcode
- Diving deeper into libimobiledevice
- App communications such as identifying devices and network communications
- Apple IDs and Apps

We'll be going through the common tools for debugging iOS, reverse engineer to see how things run under the hood, and leverage that data for various use cases. This process starts with the tool that Apple provides for writing apps and this is called Xcode.

Xcode

Xcode is written and distributed for OS X by Apple. Xcode is used to write apps for both OS X and iOS and it can be used to write scripts in various languages. Xcode also comes with a suite of tools that can be used to debug the apps that you're writing. These tools can also be used to view logs and watch what happens on devices when you're using them.

Xcode is available on the Mac App Store at https://itunes.apple.com/us/app/xcode/id497799835?mt=12, as you can see in the following screenshot:

Install Xcode from the Mac App Store

In order to install Xcode from the Mac App Store, perform the following steps:

1. Click on Install and wait for the installation to complete to get Xcode installed on your computer.

2. Once installed, open Xcode from the /Applications directory.

3. Choose Devices from the Window menu to see a list of devices that the computer can connect to.

4. Plug in the device.

5. Click on your device to see basic information about the device and then click on the View Device Logs button to view the device logs, as shown in the following screenshot.

The Xcode DEVICES screen

Note: At the bottom left of the Device Information pane is a Show/Hide button. Clicking on this displays the console of the connected device in real time.

6. The logs are then displayed. When they are reviewed, these logs provide a wealth of information about devices, as you can see in the next screenshot.

7. Right-click on a log and you can delete it from the device within Xcode. When you unplug the device, the log window closes.

Tip: You can also obtain Xcode from the Developer portal of Apple if you would rather not use the Mac App Store to do so.

iOS Device Logs

Many of the same logs can be viewed from different Apple devices by opening the Settings app from the home screen, tapping on Privacy, tapping on Diagnostics & Usage, and then tapping on Diagnostics & Usage Data. From here, you can tap on entries to see the same debugging information that is available in Xcode, as shown in the following screenshot:

Diagnostics and usage data

Dive deeper with libimobiledevice

Xcode and other tools can be used to view logs on iOS devices. Another tool that is used to debug devices is called libimobiledevice. This is an open source project that is meant to help security researchers, developers, and administrators track the goings-on of iOS devices. The libimobiledevice library is available at http://www.libimobiledevice.org.

Installing libimobiledevice using Homebrew

I usually install libimobiledevice using Homebrew, as there are a few dependencies that can be a little annoying to install otherwise.

To install Homebrew if you haven't already done so, perform the following steps:

1. Elevate your privileges by running sudo and invoking a bash shell:

sudo bash

2. Run the following command:

ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

3. Once the command is executed, follow the prompts to complete the installation. Once Homebrew is installed, run the following brew command to download the required components and then libimobiledevice:

brew install -v --fresh automake autoconf libtool wget libimobiledevice

4. Then, install ideviceinstaller:

brew install -v --HEAD --fresh --build-from-source ideviceinstaller

Using idevicesyslog and idevicepair

Once these pair of tools are installed, you can plug in a paired device, unlock it, and use the following command to view the logs on the screen:

idevicesyslog

This is akin to running a tail against the device. Again, the device must be paired. You can use the command line (for example, if you're running this on Linux) to view the logs, but if you're not paired, you'll need to use idevicepair to pair your device, followed by the pair verb (which is very different from the pear verb):

idevicepair pair

You can also unpair a device using the unpair command:

idevicepair unpair

When pairing and unpairing, you should see the appropriate entries in /var/db/lockdown.

Using idevicedate and ideviceinstaller

The next option is date (very useful when scripting unit tests using this suite). To obtain this, use the idevicedate command; you do not need any operators or verbs:

idevicedate

Next, let's check the apps installed on a device. We can do this with the ideviceinstaller command (that is also part of the libimobiledevice suite of tools). Here, we'll use the -l option to just list what's installed:

/usr/local/bin/ideviceinstaller -l

The output would show the app along with the version of the app currently installed on the device:

com.apple.Pages - Pages 1716

To uninstall one of the listed apps, use the --uninstall option:

ideviceinstaller --uninstall com.protogeo.Moves

You can also install apps, provided you've cached the IPA file (for example, via iTunes):

ideviceinstaller --install /Users/charlesedge/Music/iTunes/iTunes\ Media/Mobile\ Applications/Box\ 3.3.0.ipa

Note: The preceding folder may change based on the operating system on which your library began with.

The preceding command returns the following output:

Copying '/Users/charlesedge/Music/iTunes/iTunes Media/Mobile Applications/Box 3.3.0.ipa' to device... DONE.
Installing 'net.box.BoxNet'
Install - CreatingStagingDirectory (5%)
Install - ExtractingPackage (15%)
Install - InspectingPackage (20%)
Install - TakingInstallLock (20%)
Install - PreflightingApplication (30%)
Install - VerifyingApplication (40%)
Install - CreatingContainer (50%)
Install - InstallingApplication (60%)
Install - PostflightingApplication (70%)
Install - SandboxingApplication (80%)
Install - GeneratingApplicationMap (90%)
Install - Complete

When it is run against a device, the app can then open other apps, provided the user's Apple ID owns the app.

A provisioning profile is a profile that is used to install apps. These apps are usually located on a mail server that supports the ipa MIME type and the profile defines the location to obtain the app. This forms the basis of the WireLurker attack, where attackers replace an app by spoofing the domain of the app. There's also a command for ideviceprovision that can be used to view installed provisioning profiles when they are run with the list verb:

/usr/local/bin/ideviceprovision list

As mentioned earlier, the ideviceprovision command can also install a provisioning profile; therefore it can actually make the device install an app. This is done using the ideviceprovision command followed by the install verb and the name (and path if the .mobileprovision file isn't in the working directory from where you're running the command) of the file that is being installed:

/usr/local/bin/ideviceprovision install angrybirds.mobileprovision

You can also remove a provisioning profile by feeding in the UUID of the profile, which is obtained by using the list verb, replacing MYUUID in the following code block:

/usr/local/bin/ideviceprovision remove MYUUID

You can also put a device in recovery mode so that it would need to be plugged into a computer that is running iTunes and get a new ipsw file installed, which is as simple as feeding the UDID into ideviceenterrecovery:

/usr/local/bin/ideviceenterrecovery af36e5d7065d4ad666bf047b6e4de26dd144578c

This brings up an interesting question. How would you get the UDID? You can use ideviceinfo to get this:

ideviceinfo

The preceding ideviceinfo output shows more information about a device than what I knew you could actually get previously. You can use grep for UniqueDeviceID as follows:

ideviceinfo | grep UniqueDeviceID | awk '{print $2}'

This would just return the UDID. Since this is blank when no device is connected to the system, you can run a loop that waits for a few seconds when the UDID is empty and then uses that UDID as a $1 in some scripts. Of course, it's much easier to use a command that was built for this, which is called idevice_id:

idevice_id -l

Next, you can use idevicediagnostics to obtain some information about the current state of the device:

idevicediagnostics diagnostics All -u af36e5d7065d4ad666bf047b6e4de26dd1445789

The idevicediagnostics command has an XML output with information about the device, such as how much battery life is still there. You can also query the ioreg file of the device, which shows what's plugged into the device:

idevicediagnostics ioreg IODeviceTree -u af36e5d7065d4ad666bf047b6e4de26dd1445789

The idevicediagnostics command can also do some basic tasks (where each task is sent as a verb without the required UDID) such as restart, sleep, and shutdown:

idevicediagnostics restart

The crash reports on a device (which include reports of uninstalled apps that forensically provide a glimpse into what apps were removed from a device and when they were removed) can be extracted from a paired device as well, using idevicecrashreport:

idevicecrashreport -e /test

Note: The preceding directory must exist prior to executing the command and the current user must have permission to write.

You can then view the logs or grep through them for specific pieces of information:

cat /Test/Baseband/log-bb-2014-08-06-stats.plist

The last command that we're going to cover in this section is idevicebackup2, which is used to back up devices. Here, we're going to feed the UDID to it. I'm lazily using the idevice_id command from earlier, in backticks, to grab the UDID and back it up in that /test directory when the device is unlocked.

idevicebackup2 -u `idevice_id -l` backup /test

Here, we've backed up whatever device is plugged in to the /test directory. The subsequent backups will be incremental.

As you can see, there are a number of tasks that can be performed on a device when the device has been paired to a computer. This further emphasizes the fact that you should never pair your device to an untrusted computer.

You can also use the information obtained from these commands to troubleshoot and research a wide variety of things with regards to devices based on iOS. Having a backup, crash reports, and real-time logs, and making changes such as installing apps on devices allows you to do regression testing, vulnerability research, and a lot more in general that you wouldn't be able to do otherwise.
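The section above mentions the "wait for a UDID, then use it as $1" loop, the backtick backup and the installed-app listing, but leaves them as one-liners. The script below is an added example, not from the book or from the libimobiledevice project, that ties those together for an administrator: it validates and extracts the UDID from `ideviceinfo` text, polls `idevice_id -l` until a device is attached, runs the chapter's `idevicebackup2` call against it, and compares `ideviceinstaller -l` output against an allow list so unexpected apps on a managed device stand out. The parsing functions read tool output on stdin so they can be checked offline; the 40-hex-digit UDID format, the `DRY_RUN` variable and all function names are this example's assumptions, and the "bundle.id - Name version" line format is the one the chapter shows.

```shell
#!/bin/sh
# Added example (not from the book or libimobiledevice): glue around the
# idevice tools. Parsing functions read `ideviceinfo` / `ideviceinstaller -l`
# output from stdin so they can be checked offline; wait_for_udid and
# backup_device call the real idevice_id and idevicebackup2 commands.

# A UDID as shown in the chapter: 40 hex digits (assumption for this example).
valid_udid() {
    case "$1" in
        *[!0-9a-fA-F]*) return 1 ;;
        *) [ ${#1} -eq 40 ] ;;
    esac
}

# Extract the UDID from `ideviceinfo` output on stdin: the chapter's grep/awk,
# with the key anchored so only the exact UniqueDeviceID line matches.
udid_from_ideviceinfo() {
    awk '$1 == "UniqueDeviceID:" { print $2; exit }'
}

# Poll idevice_id -l until a device shows up or the timeout (seconds) expires.
# Prints the UDID; returns 1 on timeout.
wait_for_udid() {
    timeout=${1:-30}
    while [ "$timeout" -gt 0 ]; do
        udid=$(idevice_id -l 2>/dev/null | head -n 1)
        if valid_udid "$udid"; then
            printf '%s\n' "$udid"
            return 0
        fi
        sleep 1
        timeout=$((timeout - 1))
    done
    return 1
}

# Back up the attached device into a directory (created if missing), as the
# idevicebackup2 call in the chapter does. DRY_RUN=1 prints the command instead.
backup_device() {
    dir=$1
    udid=$(wait_for_udid 10) || { echo "no device attached" >&2; return 1; }
    mkdir -p "$dir" || return 1
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "idevicebackup2 -u $udid backup $dir"
    else
        idevicebackup2 -u "$udid" backup "$dir"
    fi
}

# Read `ideviceinstaller -l` output ("bundle.id - Name version") on stdin and
# print bundle IDs that are not in the allow list (a file, one ID per line).
# Lines without a dotted first field (e.g. "Total: 3 apps") are skipped.
unexpected_apps() {
    allow=$1
    awk 'NR == FNR { ok[$1] = 1; next } $1 ~ /\./ && !($1 in ok) { print $1 }' "$allow" -
}
```

On a Mac with a paired, unlocked device, `backup_device /test` reproduces the chapter's backup once the device is seen, and `ideviceinstaller -l | unexpected_apps approved-apps.txt` lists anything installed outside your approved set.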

App communications

Up until now, this chapter focused on viewing data on devices, obtaining logs, and making changes to devices themselves. Since listening to network traffic is the basis of most of the reconnaissance that is done on devices, we'll look at how to obtain more information about devices that are based on what goes over the network medium. This is done by first identifying the iOS devices on a network and then listening to raw network traffic using common tools such as Wireshark.

Identifying devices

For starters, you can identify all iOS devices easily as they listen on port 62078, which is a unique port. To verify that an iOS device is occupying an IP on a network, scan the IP address for that port. For example, here we use the built-in port scanner in OS X to scan an IP address on the network with an iPhone:

/System/Library/CoreServices/Applications/Network\ Utility.app/Contents/Resources/stroke 192.168.0.126 62078 62078

Listening to network communications

OS X has a command called rvictl that can be used to proxy network communications from iOS devices through a computer over what's known as a Remote Virtual Interface (RVI). To set up an RVI, you'll need the UDID of a device and the device will need to be plugged into a Mac and have the device paired to the Mac. This may seem like a lot, but if you've followed what we have been doing until now, this should be pretty simple.

To set up an RVI, we'll perform the following steps:

1. First, we'll pair a device using the following command:

idevicepair pair

2. Then, we'll tap on Trust on the device itself. Then, we'll grab that UDID with idevice_id:

idevice_id -l

3. Next, we'll set up an RVI with rvictl and the -s option (here I'm just going to grab the UDID since I only have one device plugged into my computer):

rvictl -s `idevice_id -l`

4. Then, we can list the connections using rvictl with the -l option:

rvictl -l

5. Next, we'll run a tcpdump command using this newly constructed rvi0:

tcpdump -n -i rvi0

6. Next, we'll get a lot of logs. Let's fire up the Nike FuelBand app and refresh our status. While watching the resultant traffic, we'll see a line like this:

22:42:29.485691 IP 192.168.0.12.57850 > 54.241.32.20.443: Flags [S], seq 3936380112, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 706439445 ecr 0,sackOK,eol], length 0

There's an IP in this line: 54.241.32.20. We can look this up and we'll be able to see that the servers are sitting on Amazon Web Services, and on verifying it, we come to know that it's Nike. By watching the traffic with tcpdump, we can obtain GET, POST, and other information that is sent and received. Using Wireshark, we can get even more detailed data.

Overall, this book is meant to focus on the iOS side of information security and not on debugging and refining the approach to using tcpdump/Wireshark. The rvictl tool is a great tool in the iOS development cycle and for security researchers who are looking into the number of the apps on iOS devices that exchange data.

Tip: While I've found that rvictl is able to show me pretty much anything I need access to, if you find any issues with it, go to https://github.com/libimobiledevice/usbmuxd. This is an open source project that is being developed more aggressively and can be used to do similar tasks.
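Reading the tcpdump stream by eye, as in step 6 above, does not scale past one app refresh. The script below is an added example, not from the book: it reduces `tcpdump -n` text from the RVI to the set of remote endpoints the device initiated connections to, counts packets per endpoint, and flags anything that is not port 443, which is what you would review when deciding whether an app's traffic is what its vendor claims. It assumes the `tcpdump -n` line layout shown in the chapter ("IP src.port > dst.port:") and takes the device's own address (192.168.0.12 in the chapter's capture) as its argument; the function names are this example's own, and the test capture is constructed.

```shell
#!/bin/sh
# Added example (not from the book): summarise which remote endpoints a device
# talked to from `tcpdump -n` text (e.g. `tcpdump -n -i rvi0 | tee cap.txt`).
# Reads the tcpdump text on stdin; the argument is the device's IP address.

# Print "dst-ip dst-port" for every IPv4 packet sent by the device.
# Assumes tcpdump -n output: "<time> IP src.port > dst.port: ...".
outbound_endpoints() {
    device=$1
    awk -v dev="$device" '
        $2 == "IP" && $4 == ">" {
            src = $3; dst = $5
            sub(/:$/, "", dst)                  # strip trailing colon
            split(src, s, ".")
            srcip = s[1] "." s[2] "." s[3] "." s[4]
            if (srcip != dev) next              # only packets the device sent
            m = split(dst, d, ".")
            if (m < 5) next                     # no port component (e.g. ICMP)
            print d[1] "." d[2] "." d[3] "." d[4], d[5]
        }'
}

# Count packets per endpoint, most-used first: "count ip port".
endpoint_summary() {
    outbound_endpoints "$1" | sort | uniq -c | sort -rn | awk '{ print $1, $2, $3 }'
}

# Endpoints on ports other than 443: cleartext or unusual services worth a look.
non_tls_endpoints() {
    outbound_endpoints "$1" | awk '$2 != "443" { print $1 ":" $2 }' | sort -u
}
```

Usage on the Mac running the RVI: `tcpdump -n -i rvi0 > cap.txt`, exercise the app, then `endpoint_summary 192.168.0.12 < cap.txt` and `non_tls_endpoints 192.168.0.12 < cap.txt`. Each remote address can then be looked up as the chapter does for 54.241.32.20.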

www.it-ebooks.info

www.it-ebooks.info

AppleIDsandAppsOneitemthatisnotoftencoveredwhenconsideringiOSsecurityistheAppleIDthatisusedtomanageadevice.TheAppleIDcanpotentiallybeusedtowipeadevice(forexample,viatheFindMyiPhoneapp),restoreadevice’sbackup,orevenviewthepurchasedmedia(songs,movies,iBooks,andapps)thatmaynotbeavailableonadevice.

Whenyouuninstallanapp,theappisstillinyourpurchasehistory.Asyoucanseeinthefollowingscreenshot,youcangetafairamountofinformationaboutwhatsomeoneusesadevicefor:

AppleIDsandPurchasedHistory

www.it-ebooks.info

TheonlywaytopreventsomeonefromlookingatsuchinformationistosecuretheAppleID.Usestrongpasswordsfortheseandchangethemfromtimetotime.Whenanemployeeleavesanorganization,youmightalsobeabletoresettheirpasswordusingane-mailaddressiftheAppleIDusesacorporatee-mailaddress.

www.it-ebooks.info

www.it-ebooks.info

ForensicsSofar,we’vediscussedlookingatdataondevices.Whenyouuseadevice,unlessyoumadeaforensicimageofthedevicepriortousingit,youaretaintingevidence.Thisisnotabookonforensics,butwecanletyouknowaboutsometoolsthatwillallowyoutoacquireaforensicallysoundimageofadevicewithoutmuchfanfare.

NoteManyofthesetoolsareonlyavailabletolawenforcementprofessionals.Applehasrecentlygonetogreatlengthstomaketheirdevices“leak”lessdata,eventolawenforcement.SinceiOS7,it’sbeenpracticallyimpossibletobruteforcepasscodesandafterApplefixedthebootroomexploitsofiPhone4/iPad2,it’snolongerpossibletoobtainanimageofthedevice’sflashstorageforofflineanalysis.

ThefollowinglinksareavailabletohelpyouproperlyacquireevidencefromiOSdevicesandcomputersthataccessiOSdevices:

iOSForensicToolkit:http://www.elcomsoft.com/eift.htmlMobilyze:https://www.blackbagtech.com/mobilyze.htmlAccessDataForensicToolkit:http://www.elcomsoft.com/ios-forensic-toolkit.htmlLantern:https://katanaforensics.com/products/Blacklight:https://www.blackbagtech.com/forensics/blacklight/blacklight.htmliPhoneBackupAnalyzer:http://ipbackupanalyzer.com/Oxygen:http://www.oxygen-forensic.com/en/ForensicHardware:http://www.cellebrite.com/iXAM:http://www.ixam-forensics.com/devices.aspSecureView:http://mobileforensics.susteen.com/

TipManyofthesetoolscanalsobruteforcepasswordsthatareusedondevices.However,thismightbealengthyprocess.

Abasictoolthatdoesn’trequiretobepurchasedthroughlawenforcementbutcaninteractdirectlywithadeviceisiExplorerfromMacroplant.Thistooldoesnotexposeitemsthatareinsecureenclavesonthedevice,butitallowsyoutohavealotmoreaccessthanwhatyouwouldotherwisehave.iExplorerallowsyoutoviewContacts,Messages,Notes,Safari’shistory,backups,andsomeappdata.Asyoucanseeinthefollowingscreenshot,onceitisinstalled,youcanviewSafari’sbrowsinghistory:

www.it-ebooks.info

Macroplant’siExplorer

Asyoucanseeinthefollowingscreenshot,youcanalsoviewbooksandotherformsofmediainthefoldersinwhichtheseitemsarestoredonthedevice.Ausercanaccessthesefolderswithoutjailbreakingadevice.

ViewingiBooksData

Togofurtherintoadeviceandviewpreferences,operatingsystemfiles,andsoon,youwillneedtojailbreakitanduseatoolsuchasiFunBoxoriFileviaCydia,whichisanappstoreforjail-brokendevices.iFunBoxisaMac/Windowstoolforexaminingthedevice’sfilesystemandiFileisanappthatyoucaninstallonjail-brokendevices.SinceiOS7,

www.it-ebooks.info

you’llneedtoinstallahackedAppleFileConduit(AFC2)fromCydiaonajail-brokendevicetoaccessanythingoutsidethenormalsandboxedAFCareasofthedevice.(Seehttps://cydia.saurik.com/info/com.saurik.afc2d/formoreinformationonthis.)

TipFormoreinformationonjailbreakingdevices,searchforthetermJailbreakandalsoprovidethemodelofdeviceyouhaveonGoogle.Alotofsitesonjailbreakingcomeandgo,sowe’renotgoingtoincludealinkhere,butit’sworthcheckingouthowpeoplegoaboutsuchthingsandthelimitationsondevicesoncethey’rejail-broken.


Application security

Earlier in this chapter, we covered how to obtain more information about how applications communicate with servers. Here, we will take a brief look at how you can obtain more information about the data and/or binaries within an app. App binaries are compiled, so you will not typically see raw source code, and most application vendors will not give you access to their source code either.

IPA files are zipped application bundles, so you can unzip them before attempting to disassemble the binary: right-click an IPA file and open it with Archive Utility to quickly unzip the bundle. Inside the resulting folder, you'll see a Payload folder that contains the app bundle itself. Once you can see the app, use Show Package Contents on the bundle to locate the binary; it is the file named by CFBundleExecutable in the bundle's Info.plist. Unfortunately, in many cases disassembling an iOS app binary with a tool like Hopper is fruitless because App Store apps are FairPlay-encrypted: the binary's LC_ENCRYPTION_INFO load command has cryptid set to 1, and the __TEXT segment, including most of the app's string constants, is ciphertext on disk and is only decrypted in memory when the app runs. The strings you can still read on disk mostly come from Info.plist, NIBs, and other unencrypted resources in the bundle.

Ad hoc and enterprise distribution apps are not FairPlay-encrypted and can be examined with these tools; however, many enterprise app developers use obfuscation techniques or wrappers to reduce the usefulness of disassembling their production binaries.

In summary, these disassembly techniques probably aren't useful to most readers in any meaningful way. Unless you are an experienced developer with some assembly language knowledge, disassembling even a simple unencrypted binary of any sort isn't likely to teach you much.


Viewing an App

There are a number of tools that can help you obtain more information about an app. You can use the command line to view the contents of a file, and even though an app is compiled, there is still a fair amount of information that can be derived from an iOS application file (an IPA file). To do this, run the cat command on a file from your app library:

cat /Users/charlesedge/Music/iTunes/iTunes\ Media/Mobile\ Applications/Amex\ 4.6.0.ipa

Because an IPA is a ZIP archive, cat dumps compressed binary data to your terminal. You can view the data in the file without all the special characters using the strings command, which prints only runs of printable characters:

strings /Users/charlesedge/Music/iTunes/iTunes\ Media/Mobile\ Applications/Amex\ 4.6.0.ipa

Run over the IPA itself, strings mostly returns the file names from the archive's central directory, because the entries inside are deflate-compressed. Run it over the extracted binary inside the Payload folder instead to see URLs, class names, and other constants the app carries.
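The following Python script is an added example for this chapter, not code from the book or from iExplorer, Hopper, or Clutch. It does offline what the unzip-then-strings workflow above does by hand: it opens an IPA as the ZIP archive it is, finds Payload/*.app/Info.plist, reads CFBundleExecutable to locate the main binary, walks the Mach-O load commands for LC_ENCRYPTION_INFO(_64) to report whether the binary is still FairPlay-encrypted (cryptid set to 1), and extracts printable strings the way strings(1) does. The IPA, the bundle identifier com.example.demo, the Demo.app name, the api.example.invalid URL, and the binary contents are constructed in memory and are not a real app; the function names inspect_ipa, encryption_info, and printable_strings are this example's own.

```python
"""Offline IPA triage: locate the app bundle inside the archive, read its
Info.plist, check whether the main Mach-O binary is still FairPlay-encrypted,
and pull printable strings from it the way strings(1) does.

Added example for this chapter, not code from the book or from any tool it
mentions. Uses only the Python standard library; the IPA it inspects is
constructed in memory below and is not a real app."""
import io
import plistlib
import re
import struct
import zipfile

# Mach-O constants from <mach-o/loader.h> and <mach-o/fat.h>
MH_MAGIC = 0xFEEDFACE
MH_MAGIC_64 = 0xFEEDFACF
FAT_MAGIC = 0xCAFEBABE
FAT_CIGAM = 0xBEBAFECA
LC_ENCRYPTION_INFO = 0x21
LC_ENCRYPTION_INFO_64 = 0x2C
CPU_TYPE_ARM64 = 0x0100000C
MH_EXECUTE = 2


def encryption_info(image):
    """Return {'cryptid', 'cryptoff', 'cryptsize'} from the first
    LC_ENCRYPTION_INFO(_64) load command, or None if the image has none.
    cryptid == 1 means the range [cryptoff, cryptoff + cryptsize) on disk is
    FairPlay ciphertext. Fat binaries are handled by descending into the
    first architecture slice."""
    if struct.unpack(">I", image[:4])[0] in (FAT_MAGIC, FAT_CIGAM):
        # fat_header is big-endian; the first fat_arch starts at offset 8 and
        # holds cputype, cpusubtype, offset, size, align (4 bytes each)
        off, size = struct.unpack(">II", image[16:24])
        return encryption_info(image[off:off + size])
    le = struct.unpack("<I", image[:4])[0]
    if le in (MH_MAGIC, MH_MAGIC_64):
        end, is64 = "<", le == MH_MAGIC_64          # little-endian (all iOS devices)
    else:
        be = struct.unpack(">I", image[:4])[0]
        if be not in (MH_MAGIC, MH_MAGIC_64):
            raise ValueError("not a Mach-O image")
        end, is64 = ">", be == MH_MAGIC_64
    ncmds = struct.unpack(end + "I", image[16:20])[0]   # same offset in both headers
    off = 32 if is64 else 28                            # sizeof(mach_header[_64])
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack(end + "II", image[off:off + 8])
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            cryptoff, cryptsize, cryptid = struct.unpack(end + "III", image[off + 8:off + 20])
            return {"cryptid": cryptid, "cryptoff": cryptoff, "cryptsize": cryptsize}
        off += cmdsize
    return None


def printable_strings(data, min_len=4):
    """Runs of at least min_len printable ASCII bytes, like strings(1)."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def inspect_ipa(ipa_bytes):
    """Parse an IPA (a ZIP archive) and report on its main executable."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as z:
        plist_name = next(n for n in z.namelist()
                          if re.fullmatch(r"Payload/[^/]+\.app/Info\.plist", n))
        info = plistlib.loads(z.read(plist_name))
        app_dir = plist_name.rsplit("/", 1)[0]
        executable = info["CFBundleExecutable"]
        binary = z.read(app_dir + "/" + executable)
    enc = encryption_info(binary)
    return {
        "bundle_id": info.get("CFBundleIdentifier"),
        "executable": executable,
        "encrypted": bool(enc and enc["cryptid"] == 1),
        "encryption_info": enc,
        "strings": printable_strings(binary),
    }


def build_sample_macho(cryptid):
    """Constructed stand-in for an app binary: a 64-bit ARM Mach-O header
    carrying a single LC_ENCRYPTION_INFO_64 load command, followed by a few
    bytes standing in for code and string constants. Not a real executable."""
    lc = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0)
    header = struct.pack("<IIIIIIII", MH_MAGIC_64, CPU_TYPE_ARM64, 0,
                         MH_EXECUTE, 1, len(lc), 0, 0)
    body = b"https://api.example.invalid/v1\x00\x01\x02SecretKey123\x00"
    return header + lc + body


def build_sample_ipa(cryptid=1):
    """Constructed IPA with Payload/Demo.app/{Info.plist, Demo}; com.example.demo
    is a made-up bundle identifier."""
    info = {"CFBundleIdentifier": "com.example.demo",
            "CFBundleExecutable": "Demo",
            "CFBundleShortVersionString": "1.0"}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("Payload/Demo.app/Info.plist", plistlib.dumps(info))
        z.writestr("Payload/Demo.app/Demo", build_sample_macho(cryptid))
    return buf.getvalue()


if __name__ == "__main__":
    for cryptid in (1, 0):
        report = inspect_ipa(build_sample_ipa(cryptid))
        print(report["bundle_id"], report["executable"],
              "encrypted" if report["encrypted"] else "not encrypted",
              report["encryption_info"], report["strings"])
```

On a real file, call inspect_ipa(open(path, "rb").read()). If encrypted is True, the bytes Hopper would disassemble are ciphertext and you need a decrypted dump first (for instance from Clutch on a jailbroken device); ad hoc and enterprise builds normally report cryptid 0. On a Mac, otool -l on the binary shows the same LC_ENCRYPTION_INFO_64 command and its cryptid.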

There are also disassemblers that have varying degrees of luck in obtaining information from a file. For example, Hopper Disassembler can be purchased from the Mac App Store at https://itunes.apple.com/us/app/hopper-disassembler/id422856039?mt=12. The following screenshot shows Hopper Disassembler:

Hopper Disassembler

There's also a tool called Clutch, which is available on GitHub at https://github.com/KJCracks/Clutch. Clutch must be run on a jailbroken device: it launches the App Store app and dumps the decrypted image out of memory, which takes a somewhat thought-out setup before you can decompile any code, but it is able to obtain more data than any other tool we've seen.

There are many books available online that can help you understand native programming languages if you aren't already familiar with them.


Summary

There are a number of places in this chapter where we stopped ourselves from writing more. This chapter does not provide in-depth information about packet capturing, forensic acquisition, application development, or iOS system internals. Instead, as in the rest of the book, we point you towards the content you need to go further if you choose.

The authors of this book are strong proponents of the hacker mentality. There really isn't much more security information about devices available without jailbreaking them or accessing Apple's Developer portal at http://developer.apple.com, and we hope that you will do both at some point. We don't believe that you can fully secure a jailbroken device, so you should refrain from putting one into production. However, we also believe in learning as much as we can, which eventually means jailbreaking a device and seeing what really makes those little Speak-and-Spell apps tick.


Index

A

AccessData Forensic Toolkit
  URL / Forensics
Activation Lock
  about / Activation Lock and Find My iPhone
  references / Activation Lock and Find My iPhone
ActiveSync
  about / ActiveSync
  management settings / ActiveSync
advanced options, Safari
  Website Data / Safari and built-in App protections
  JavaScript / Safari and built-in App protections
  Web Inspector / Safari and built-in App protections
AirDrop
  about / AirDrop
Always-On
  about / VPN (Always-On, APN, Per-App, On-Demand)
app
  signature verification process / Installing apps
  communication / App communication
  Handoff and Continuity / Handoff and Continuity
  data storage / Sandboxing and App data storage
  viewing / Viewing an App
app communications
  about / App communications
  devices, identifying / Identifying devices
  network communications / Listening to network communications
Apple
  URL, for documentation / Activation Lock and Find My iPhone
Apple Configurator
  about / Apple Configurator, Apps, VPP, and Apple Configurator, Introducing MDM
  intended workflows / Intended workflows
  interaction modes / The interaction modes – Prepare, Supervise, and Assign
  supervision, significance / The importance of supervision
  mass restoring / Mass restoring and naming of devices
  devices, naming / Mass restoring and naming of devices
  backup concerns / Backup concerns
  as chaperone / Configurator as chaperone
  versus DEP / DEP versus Apple Configurator
  versus MDM / Configurator versus MDM


Apple File Conduit (AFC2)
  about / Forensics
Apple IDs
  about / Apple IDs and Apps
Apple Push Notification service (APNs)
  about / Introducing MDM
Apple TV
  about / A bug or a feature?
application security
  about / Application security
App Lock
  about / Single App mode, App Lock, and Guided Access
  versus Single App Mode / Guided Access versus App Lock versus Single App Mode
  versus Guided Access / Guided Access versus App Lock versus Single App Mode
apps
  installing / Installing apps
  store access, blocking / Blocking access to the App Store
  about / Apps, VPP, and Apple Configurator, Apple IDs and Apps


B

Backup keybag / Viewing iOS data in iTunes
backups
  taking, iTunes used / Taking backups using iTunes
Blacklight
  URL / Forensics
built-in App protections
  and Safari / Safari and built-in App protections
Bushel
  about / Introducing Bushel
  account, setting up / Setup
  enrollment process / The enrollment process
  restrictions / Restrictions


C

caching
  about / Global HTTP Proxy, caching, and the web content filter
Certificate Authority (CA) / Preparing the Profile Manager Server, Enrolling into Profile Manager
Certification Authority (CA) / Installing apps
Chaperone Certificate Issuer / Configurator as chaperone
Chaperone Certificate Serial / Configurator as chaperone
Clutch
  about / Viewing an App
configuration files
  about / Configuration profiles
Continuity
  and Handoff / Handoff and Continuity
Cryptographic Message Syntax (CMS) standard / Signing, encryption, and delivery


D

delivery
  about / Signing, encryption, and delivery
DEP
  about / DEP versus Apple Configurator
  versus Apple Configurator / DEP versus Apple Configurator
  references / DEP versus Apple Configurator
DEP use cases, Apple Configurator
  URL / DEP versus Apple Configurator
device
  backing up / Backing up your device
Device Certificate
  about / Pairing
diagnostics
  gathering / Lesser-known ways for Apple to gather diagnostics
Digital Rights Management (DRM) / Installing apps


E

encryption
  about / Signing, encryption, and delivery
Escrow Bag
  about / Pairing
extensions
  and keyboards / Keyboards and extensions
  access, securing / Securing what extensions can access


F

Find My iPhone feature / Activation Lock and Find My iPhone
Forensic Hardware
  URL / Forensics
forensics
  about / Forensics


G

Global HTTP Proxy
  about / Global HTTP Proxy, caching, and the web content filter
Global Service Exchange / Lesser-known ways for Apple to gather diagnostics
GroundControl
  about / Addressing the rough spots
  URL / Addressing the rough spots
Guided Access
  about / Single App mode, App Lock, and Guided Access
  URL / Single App mode, App Lock, and Guided Access
  versus App Lock / Guided Access versus App Lock versus Single App Mode
  versus Single App Mode / Guided Access versus App Lock versus Single App Mode


H

Handoff
  and Continuity / Handoff and Continuity
Health app / Health app
Homebrew
  used, for installing libimobiledevice / Installing libimobiledevice using Homebrew
Homebrew, for installing libimobiledevice
  idevicesyslog, used for / Using idevicesyslog and idevicepair
  idevicepair, used for / Using idevicesyslog and idevicepair
  idevicedate, used for / Using idevicedate and ideviceinstaller
  ideviceinstaller, used for / Using idevicedate and ideviceinstaller
Host Certificate
  about / Pairing
HostID
  about / Pairing
Host Private Key
  about / Pairing


I

iBackup Extractor / Viewing iOS data in iTunes
iCloud backups
  about / iCloud backups
idevicediagnostics command / Using idevicedate and ideviceinstaller
in-house app development
  about / Introduction to in-house App development
initial security checklist
  about / Initial security checklist
  passcode, configuring / Configuring a passcode
  privacy settings, configuring / Configuring privacy settings
Integrated Development Environment (IDE) / Installing apps
interaction modes, Apple Configurator
  Prepare / The interaction modes – Prepare, Supervise, and Assign
  Supervise / The interaction modes – Prepare, Supervise, and Assign
  Assign / The interaction modes – Prepare, Supervise, and Assign
iOS
  activating / Secure boot and activating iOS
iOS Console
  URL / Configuration profiles
iOS data
  viewing, in iTunes / Viewing iOS data in iTunes
iOS Forensic Toolkit
  URL / Forensics
iOS network communication
  about / Introduction to iOS network communication
iPhone Backup Analyzer
  URL / Forensics
iPhone Configuration Utility (iPCU)
  about / Configuration profiles, Apple Configurator
iTunes
  used, for taking backups / Taking backups using iTunes
  iOS data, viewing in / Viewing iOS data in iTunes
iXAM
  URL / Forensics


K

keybag
  about / Keybags and keychains
keyboards
  and extensions / Keyboards and extensions
keychains
  about / App communication, Keybags and keychains


L

Lantern
  URL / Forensics
libimobiledevice
  about / Dive deeper with libimobiledevice
  URL / Dive deeper with libimobiledevice
  installing, Homebrew used / Installing libimobiledevice using Homebrew


M

MDM
  URL / A bug or a feature?
  about / Introducing MDM
  versus Apple Configurator / Configurator versus MDM
  and VPP / Volume Purchasing Program and MDM
MDM Providers, comparison
  reference link / The Profile Manager
Mobile Device Management (MDM) / Single App mode, App Lock, and Guided Access
Mobilyze
  URL / Forensics


O

On Demand
  about / VPN (Always-On, APN, Per-App, On-Demand)
open in management feature, iOS / Restrictions
Oxygen
  URL / Forensics


P

pairing
  about / Pairing
Passbook
  about / Passbook and Touch ID for Apple Pay
passcode
  configuring / Configuring a passcode
  Today option / Configuring a passcode
  Notifications View option / Configuring a passcode
  Siri option / Configuring a passcode
  Passbook tool / Configuring a passcode
  Reply with Message tool / Configuring a passcode
passcode policies
  about / Passcode policies
Payment Card Industry (PCI)
  about / Privacy-related concerns
Per-App
  about / VPN (Always-On, APN, Per-App, On-Demand)
PIN
  about / Passbook and Touch ID for Apple Pay
predictive search / Predictive search and spotlight
preference domains
  about / Configuration profiles
Privacy & Security options, Safari
  Do Not Track / Safari and built-in App protections
  Block Cookies / Safari and built-in App protections
  Fraudulent Website Warning / Safari and built-in App protections
  Clear History and Website Data / Safari and built-in App protections
  Use Cellular Data / Safari and built-in App protections
privacy-related concerns
  about / Privacy-related concerns
Profile Manager
  about / The Profile Manager
  preparing / Preparing Profile Manager
  Post Configuration tasks, completing / Completing Post Configuration tasks
  using / Using Profile Manager
  enrolling into / Enrolling into Profile Manager
  device management / Device management
  passcode policies / Passcode policies
Profile Manager Server
  preparing / Preparing the Profile Manager Server


R

RecBoot / Activation Lock and Find My iPhone
recovery mode / Activation Lock and Find My iPhone
reflector
  URL / Single App mode, App Lock, and Guided Access
Remote Virtual Interface (RVI)
  about / Listening to network communications
  setting up / Listening to network communications
Root Certificate
  about / Pairing
Root Private Key
  about / Pairing


S

Safari
  and built-in App protections / Safari and built-in App protections
Safari preferences, for securing iOS devices
  Passwords & AutoFill / Safari and built-in App protections
  Favorites / Safari and built-in App protections
  Open Links / Safari and built-in App protections
  Block Pop-ups / Safari and built-in App protections
sandboxing
  about / Sandboxing and App data storage
secure boot chain
  about / Secure boot and activating iOS
Secure Enclave
  about / Secure boot and activating iOS
SecureView
  URL / Forensics
signing
  about / Signing, encryption, and delivery
Single App Mode
  versus Guided Access / Guided Access versus App Lock versus Single App Mode
  versus App Lock / Guided Access versus App Lock versus Single App Mode
Single App mode
  about / Single App mode, App Lock, and Guided Access
spotlight / Predictive search and spotlight
Supervision
  about / VPN (Always-On, APN, Per-App, On-Demand)
SystemBUID
  about / Pairing
system scope / Configuration profiles
System Software Authorization
  about / Secure boot and activating iOS


T

Touch ID
  about / Passbook and Touch ID for Apple Pay


U

user context
  about / User context


V

verified boot
  about / Secure boot and activating iOS
VPN On Demand
  about / VPN (Always-On, APN, Per-App, On-Demand)
VPP
  about / Apple Configurator, Apps, VPP, and Apple Configurator, Completing Post Configuration tasks, Volume Purchasing Program and MDM
  and MDM / Volume Purchasing Program and MDM


W

web content filter
  about / Global HTTP Proxy, caching, and the web content filter
WiFi MAC Address
  about / Pairing


X

Xcode
  about / Xcode
  URL / Xcode
  installing / Xcode
XPC / Securing what extensions can access
