bad for enterprise: attacking byod enterprise mobile security solutions
TRANSCRIPT
![Page 1: Bad for Enterprise: Attacking BYOD Enterprise Mobile Security Solutions](https://reader034.vdocuments.mx/reader034/viewer/2022042707/58ee13631a28ab6c128b4715/html5/thumbnails/1.jpg)
For$Enterprise
Attacking)BYOD)Enterprise)Mobile)Security)Solutions
Vincent'TanSenior)Security)Consultant)
![Page 2: Bad for Enterprise: Attacking BYOD Enterprise Mobile Security Solutions](https://reader034.vdocuments.mx/reader034/viewer/2022042707/58ee13631a28ab6c128b4715/html5/thumbnails/2.jpg)
2
whoami
• Sunny Singapore
• Senior Security Consultant @ Vantage Point Security
• 4+ years hacking stuff professionally, specializing in
mobile & exotic stuff
![Page 3: Bad for Enterprise: Attacking BYOD Enterprise Mobile Security Solutions](https://reader034.vdocuments.mx/reader034/viewer/2022042707/58ee13631a28ab6c128b4715/html5/thumbnails/3.jpg)
3
Agenda
1. iOS Applications in General
2. What is BYOD? Why BYOD? Who uses BYOD?
3. Security Features of BYOD Solutions
4. Good Technology
5. iOS Jailbreaks / Attack Vectors
6. Local & Network Attacks against Good EMS
• Story of Alice & Bob
![Page 4: Bad for Enterprise: Attacking BYOD Enterprise Mobile Security Solutions](https://reader034.vdocuments.mx/reader034/viewer/2022042707/58ee13631a28ab6c128b4715/html5/thumbnails/4.jpg)
4
iOS Applications
• > 1.4m Applications1 in iOS App Store• ~10% in Business Category
• 35% of Enterprises have an Enterprise App Store2
• Simple vs Complex Functionality• Mobile application capabilities have not caught up with device capabilities• Maybe 10% of apps have advanced functionality• MDM, Soft Tokens, Payment Applications, HomeKit.
1)http://www.zdnet.com/article/iosDversusDandroidDappleDappDstoreDversusDgoogleDplayDhereDcomesDtheDnextDbattleDinDtheDappDwars/2 https://go.apperian.com/rs/300DEOJD215/images/Apperian%202016%20Executive%20Enterprise%20Mobility%20Report_FINAL_20160216.pdf?aliId=16373787
![Page 5: Bad for Enterprise: Attacking BYOD Enterprise Mobile Security Solutions](https://reader034.vdocuments.mx/reader034/viewer/2022042707/58ee13631a28ab6c128b4715/html5/thumbnails/5.jpg)
5
BYOD
• BYOD?• What and Why?
![Page 6: Bad for Enterprise: Attacking BYOD Enterprise Mobile Security Solutions](https://reader034.vdocuments.mx/reader034/viewer/2022042707/58ee13631a28ab6c128b4715/html5/thumbnails/6.jpg)
6
BYOD
https://www.apperian.com/resources/2016DexecutiveDenterpriseDmobilityDreport/
![Page 7: Bad for Enterprise: Attacking BYOD Enterprise Mobile Security Solutions](https://reader034.vdocuments.mx/reader034/viewer/2022042707/58ee13631a28ab6c128b4715/html5/thumbnails/7.jpg)
7
BYOD
• BYOD?• What and Why?
• BYOD Adoption• 74% using or adopting BYOD• Governments
• Enterprise Mobile Security• MAM (Mobile Application Management)• MIM (Mobile Information Management)• MDM (Mobile Device Management)
http://www.zdnet.com/article/researchD74DpercentDusingDorDadoptingDbyod/
![Page 8: Bad for Enterprise: Attacking BYOD Enterprise Mobile Security Solutions](https://reader034.vdocuments.mx/reader034/viewer/2022042707/58ee13631a28ab6c128b4715/html5/thumbnails/8.jpg)
8
Protection Claims
“prevent employees from opening files in unsecured apps, backing up business data to personal cloud-based services, or copying and pasting business ...”
“Detect OS tampering and other policy violations”
“…remotely lock or wipe the device.”
“Protect mobile apps and servers from being hacked…”
![Page 9: Bad for Enterprise: Attacking BYOD Enterprise Mobile Security Solutions](https://reader034.vdocuments.mx/reader034/viewer/2022042707/58ee13631a28ab6c128b4715/html5/thumbnails/9.jpg)
9
Enterprise Mobile Security Features
Container
Device)PIN
Jailbreak
Container
JB)Detection
Application'VPN
Container)
Password
Container)
Encryption
App)
Wipe)/)Lock
![Page 10: Bad for Enterprise: Attacking BYOD Enterprise Mobile Security Solutions](https://reader034.vdocuments.mx/reader034/viewer/2022042707/58ee13631a28ab6c128b4715/html5/thumbnails/10.jpg)
10
Good Technology
• Acquired by Blackberry in Nov 2015
• Top 5 EMS Solution Providers
![Page 11: Bad for Enterprise: Attacking BYOD Enterprise Mobile Security Solutions](https://reader034.vdocuments.mx/reader034/viewer/2022042707/58ee13631a28ab6c128b4715/html5/thumbnails/11.jpg)
![Page 12: Bad for Enterprise: Attacking BYOD Enterprise Mobile Security Solutions](https://reader034.vdocuments.mx/reader034/viewer/2022042707/58ee13631a28ab6c128b4715/html5/thumbnails/12.jpg)
12
Good Technology
• Acquired by Blackberry in Nov 2015
• Top 5 EMS Solution Providers
• GFE received CC EAL4+ in 2013 and GD solution in 2016
• GD platform used as a foundation to the GCS to replace GFE
• GD platform allows developers to create and distribute apps that
integrates with the GD services framework
![Page 13: Bad for Enterprise: Attacking BYOD Enterprise Mobile Security Solutions](https://reader034.vdocuments.mx/reader034/viewer/2022042707/58ee13631a28ab6c128b4715/html5/thumbnails/13.jpg)
13
GFE vs GCSGood'For'Enterprise
(GFE)Good'Collaboration'Suite'
(GCS)Email � Good)Work
MDM � �
File)Share Local)File)Storage Only Good)Share)– Access)
enterprise)file)share
Instant)Messaging � Good)Connect
Intranet)Access � Good)Access
Cloud)Deployment � �
Integrated)MAM � �
Common)Platform � �
![Page 14: Bad for Enterprise: Attacking BYOD Enterprise Mobile Security Solutions](https://reader034.vdocuments.mx/reader034/viewer/2022042707/58ee13631a28ab6c128b4715/html5/thumbnails/14.jpg)
14
iOS Jailbreaks
iOS'Versions
7.0
–
7.0.6
7.1
–
7.1.2
8.0
–
8.1
8.0
–
8.3
8.1.3
–
8.4
9.0
–
9.0.2
9.1
–
9.3.3b
10b
Jail'Broken? evasi0n7 Pangu Pangu8 TaiG TaiG Pangu9 Pangu Not)Public
• Check out Stefan Esser’s talk on “iOS 678
Security - A Study In Fail”
![Page 15: Bad for Enterprise: Attacking BYOD Enterprise Mobile Security Solutions](https://reader034.vdocuments.mx/reader034/viewer/2022042707/58ee13631a28ab6c128b4715/html5/thumbnails/15.jpg)
15
• Non-Jailbroken Devices?• Resign via developer certificate
• But apps will need to be reactivated
• Physical Access
• DROPOUTJEEP (think NSA, GCHQ)
• Lost Devices / Stolen Devices
• Remote Attacks
• Jailbreakme.com v1 / 2 / 3
• State sponsored / Corporate Espionage
What about root?
1)http://www.tripwire.com/stateDofDsecurity/vulnerabilityDmanagement/creatingDiphoneDrootkitsDandDlikeDtheDnsasDdropoutDjeep/
2https://blog.fortinet.com/post/iosDmalwareDdoesDexist
![Page 16: Bad for Enterprise: Attacking BYOD Enterprise Mobile Security Solutions](https://reader034.vdocuments.mx/reader034/viewer/2022042707/58ee13631a28ab6c128b4715/html5/thumbnails/16.jpg)
16
Attack Vector
• Not normal pen testing…
• Not just setting proxy and using Burp
• I’m not attacking the application
• Changing the environment in which the application runs.
• Not new. API Hooking and DLL Injections on Windows.
LD_PRELOAD on Linux. I’m just doing it on iOS.
![Page 17: Bad for Enterprise: Attacking BYOD Enterprise Mobile Security Solutions](https://reader034.vdocuments.mx/reader034/viewer/2022042707/58ee13631a28ab6c128b4715/html5/thumbnails/17.jpg)
17
Swizzler
• How do I change the Environment?
• Built an App… More precisely a Dynamic Library (aka tweak)
• DYLD_INSERT_LIBRARIES=Swizzler
• Loads itself before an application starts
• Control all functionalities of an application
![Page 18: Bad for Enterprise: Attacking BYOD Enterprise Mobile Security Solutions](https://reader034.vdocuments.mx/reader034/viewer/2022042707/58ee13631a28ab6c128b4715/html5/thumbnails/18.jpg)
18
iOS Security Architecture
Substrate
Swizzler
![Page 19: Bad for Enterprise: Attacking BYOD Enterprise Mobile Security Solutions](https://reader034.vdocuments.mx/reader034/viewer/2022042707/58ee13631a28ab6c128b4715/html5/thumbnails/19.jpg)
19
Swizzler
![Page 20: Bad for Enterprise: Attacking BYOD Enterprise Mobile Security Solutions](https://reader034.vdocuments.mx/reader034/viewer/2022042707/58ee13631a28ab6c128b4715/html5/thumbnails/20.jpg)
20
Swizzler
![Page 21: Bad for Enterprise: Attacking BYOD Enterprise Mobile Security Solutions](https://reader034.vdocuments.mx/reader034/viewer/2022042707/58ee13631a28ab6c128b4715/html5/thumbnails/21.jpg)
21
Swizzler
![Page 22: Bad for Enterprise: Attacking BYOD Enterprise Mobile Security Solutions](https://reader034.vdocuments.mx/reader034/viewer/2022042707/58ee13631a28ab6c128b4715/html5/thumbnails/22.jpg)
22
Swizzler
![Page 23: Bad for Enterprise: Attacking BYOD Enterprise Mobile Security Solutions](https://reader034.vdocuments.mx/reader034/viewer/2022042707/58ee13631a28ab6c128b4715/html5/thumbnails/23.jpg)
23
What else can you control?
![Page 24: Bad for Enterprise: Attacking BYOD Enterprise Mobile Security Solutions](https://reader034.vdocuments.mx/reader034/viewer/2022042707/58ee13631a28ab6c128b4715/html5/thumbnails/24.jpg)
Device'PIN
Jailbreak
Jailbreak'Detection
Container'Password
Container
App'DLP
App
![Page 25: Bad for Enterprise: Attacking BYOD Enterprise Mobile Security Solutions](https://reader034.vdocuments.mx/reader034/viewer/2022042707/58ee13631a28ab6c128b4715/html5/thumbnails/25.jpg)
25
Local & Network Attacks Against Good EMS
![Page 26: Bad for Enterprise: Attacking BYOD Enterprise Mobile Security Solutions](https://reader034.vdocuments.mx/reader034/viewer/2022042707/58ee13631a28ab6c128b4715/html5/thumbnails/26.jpg)
![Page 27: Bad for Enterprise: Attacking BYOD Enterprise Mobile Security Solutions](https://reader034.vdocuments.mx/reader034/viewer/2022042707/58ee13631a28ab6c128b4715/html5/thumbnails/27.jpg)
![Page 28: Bad for Enterprise: Attacking BYOD Enterprise Mobile Security Solutions](https://reader034.vdocuments.mx/reader034/viewer/2022042707/58ee13631a28ab6c128b4715/html5/thumbnails/28.jpg)
28
Local Attacks
![Page 29: Bad for Enterprise: Attacking BYOD Enterprise Mobile Security Solutions](https://reader034.vdocuments.mx/reader034/viewer/2022042707/58ee13631a28ab6c128b4715/html5/thumbnails/29.jpg)
29
Jailbreak DetectionContainer
Device)PIN
Jailbreak
Container
JB)Detection
Container)
Password
Container)
Encryption
App)
Wipe)/)Lock
![Page 30: Bad for Enterprise: Attacking BYOD Enterprise Mobile Security Solutions](https://reader034.vdocuments.mx/reader034/viewer/2022042707/58ee13631a28ab6c128b4715/html5/thumbnails/30.jpg)
![Page 31: Bad for Enterprise: Attacking BYOD Enterprise Mobile Security Solutions](https://reader034.vdocuments.mx/reader034/viewer/2022042707/58ee13631a28ab6c128b4715/html5/thumbnails/31.jpg)
31
Container
Device)PIN
Jailbreak
Container
JB)Detection
Container)
Password
Container)
Encryption
App)
Wipe)/)Lock
� Device)PIN
� Jailbreak
� Jailbreak)Detection
� Container)Password
� Container)Encryption
� App)Wipe)/)Lock
![Page 32: Bad for Enterprise: Attacking BYOD Enterprise Mobile Security Solutions](https://reader034.vdocuments.mx/reader034/viewer/2022042707/58ee13631a28ab6c128b4715/html5/thumbnails/32.jpg)
32
Blacklist of Files
FILE *file)=)fopen("/Applications/Cydia.app",)
"r");
if)(file)){
fclose(file);
return)JAILBROKEN;
}
file)=)fopen("/usr/bin/ssh",)"r");
if)(file)){
fclose(file);
return)JAILBROKEN;
}
FILE *replaced_fopen (const char)*filename,)const
char)*mode)){
if)(blockPath(filename))){
errno =)ENOENT;
return)NULL;
}
}
bool blockPath(const char)*fpath)){
…
NSArray *denyPatterns =)[[NSArray alloc])
initWithObjects:))))))))@"Cydia",))))))))@"lib/apt",))))))))
@"/private/var/lib/apt",))))))))@"/var/lib/apt",))))))))
@"/var/tmp/cydia.log",))))))))@"/etc/apt/",))))))))
@"/var/cache/apt”
….
}
![Page 33: Bad for Enterprise: Attacking BYOD Enterprise Mobile Security Solutions](https://reader034.vdocuments.mx/reader034/viewer/2022042707/58ee13631a28ab6c128b4715/html5/thumbnails/33.jpg)
33
Prohibited Functions
int pid =)fork();
if(pid>=0)
{
return JAILBROKEN;
}
pid_t replaced_fork(void){))))
if)(disableJBDectection())){
return)D1;))))
}
pid_t ret)=)orig_fork();
return)ret;
}
![Page 34: Bad for Enterprise: Attacking BYOD Enterprise Mobile Security Solutions](https://reader034.vdocuments.mx/reader034/viewer/2022042707/58ee13631a28ab6c128b4715/html5/thumbnails/34.jpg)
34
Jailbreak Detection
• Jailbreak Detection Methods• Blacklist of files• Directories• Symbolic Links• Prohibited Commands• File System• URL Handles• Kernel Parameters & many more ...
![Page 35: Bad for Enterprise: Attacking BYOD Enterprise Mobile Security Solutions](https://reader034.vdocuments.mx/reader034/viewer/2022042707/58ee13631a28ab6c128b4715/html5/thumbnails/35.jpg)
35
Jailbreak / Policy ImplementationGT::GeneralUtilityClass::constructStringList (
GT::GeneralUtilityClass::tamper_detection_method_t,)
std::vector<std::string,)std::allocator<std::string>)>)
)
![Page 36: Bad for Enterprise: Attacking BYOD Enterprise Mobile Security Solutions](https://reader034.vdocuments.mx/reader034/viewer/2022042707/58ee13631a28ab6c128b4715/html5/thumbnails/36.jpg)
36
Jailbreak / Policy Implementation
• GD::GDSecureStorage::handleWrongPwd
• GD::GDSecureStorage::wipeDevice
• GD::PolicyProcessor::processLockAction
• GD::GDLibStartupLayer::checkPartialCompliance
• GD::PolicyComplianceChecker::checkComplianceUnlocked
• GD::PolicyComplianceChecker::checkComplianceLocked
![Page 37: Bad for Enterprise: Attacking BYOD Enterprise Mobile Security Solutions](https://reader034.vdocuments.mx/reader034/viewer/2022042707/58ee13631a28ab6c128b4715/html5/thumbnails/37.jpg)
37
Password BruteforceContainer
Device)PIN
Jailbreak
Container
JB)Detection
Container)
Password
Container)
Encryption
App)
Wipe)/)Lock
![Page 38: Bad for Enterprise: Attacking BYOD Enterprise Mobile Security Solutions](https://reader034.vdocuments.mx/reader034/viewer/2022042707/58ee13631a28ab6c128b4715/html5/thumbnails/38.jpg)
![Page 39: Bad for Enterprise: Attacking BYOD Enterprise Mobile Security Solutions](https://reader034.vdocuments.mx/reader034/viewer/2022042707/58ee13631a28ab6c128b4715/html5/thumbnails/39.jpg)
39
Container
Device)PIN
Jailbreak
Container
JB)Detection
Container)
Password
Container)
Encryption
App)
Wipe)/)Lock
� Device)PIN
� Jailbreak
� Jailbreak)Detection
� Container)Password
� Container)Encryption
� App)Wipe)/)Lock
![Page 40: Bad for Enterprise: Attacking BYOD Enterprise Mobile Security Solutions](https://reader034.vdocuments.mx/reader034/viewer/2022042707/58ee13631a28ab6c128b4715/html5/thumbnails/40.jpg)
40
Disable App Lock&
Device Wipe
Container
Device)PIN
Jailbreak
Container
JB)Detection
Container)
Password
Container)
Encryption
App)
Wipe)/)Lock
![Page 41: Bad for Enterprise: Attacking BYOD Enterprise Mobile Security Solutions](https://reader034.vdocuments.mx/reader034/viewer/2022042707/58ee13631a28ab6c128b4715/html5/thumbnails/41.jpg)
![Page 42: Bad for Enterprise: Attacking BYOD Enterprise Mobile Security Solutions](https://reader034.vdocuments.mx/reader034/viewer/2022042707/58ee13631a28ab6c128b4715/html5/thumbnails/42.jpg)
42
Container
Device)PIN
Jailbreak
Container
JB)Detection
Container)
Password
Container)
Encryption
App)
Wipe)/)Lock
� Device)PIN
� Jailbreak
� Jailbreak)Detection
� Container)Password
� Container)Encryption
� App)Wipe)/)Lock
![Page 43: Bad for Enterprise: Attacking BYOD Enterprise Mobile Security Solutions](https://reader034.vdocuments.mx/reader034/viewer/2022042707/58ee13631a28ab6c128b4715/html5/thumbnails/43.jpg)
43
ContainerizationContainer
Device)PIN
Jailbreak
Container
JB)Detection
Container)
Password
Container)
Encryption
App)
Wipe)/)Lock
![Page 44: Bad for Enterprise: Attacking BYOD Enterprise Mobile Security Solutions](https://reader034.vdocuments.mx/reader034/viewer/2022042707/58ee13631a28ab6c128b4715/html5/thumbnails/44.jpg)
![Page 45: Bad for Enterprise: Attacking BYOD Enterprise Mobile Security Solutions](https://reader034.vdocuments.mx/reader034/viewer/2022042707/58ee13631a28ab6c128b4715/html5/thumbnails/45.jpg)
45
Container
Device)PIN
Jailbreak
Container
JB)Detection
Container)
Password
Container)
Encryption
App)
Wipe)/)Lock
� Device)PIN
� Jailbreak
� Jailbreak)Detection
� Container)Password
� Container)Encryption
� App)Wipe)/)Lock
![Page 46: Bad for Enterprise: Attacking BYOD Enterprise Mobile Security Solutions](https://reader034.vdocuments.mx/reader034/viewer/2022042707/58ee13631a28ab6c128b4715/html5/thumbnails/46.jpg)
![Page 47: Bad for Enterprise: Attacking BYOD Enterprise Mobile Security Solutions](https://reader034.vdocuments.mx/reader034/viewer/2022042707/58ee13631a28ab6c128b4715/html5/thumbnails/47.jpg)
47
Network Attacks
![Page 48: Bad for Enterprise: Attacking BYOD Enterprise Mobile Security Solutions](https://reader034.vdocuments.mx/reader034/viewer/2022042707/58ee13631a28ab6c128b4715/html5/thumbnails/48.jpg)
48
Container
Device)PIN
Jailbreak
Container
JB)Detection
Application'VPN
Container)
Password
Container)
Encryption
App)
Wipe)/)Lock
![Page 49: Bad for Enterprise: Attacking BYOD Enterprise Mobile Security Solutions](https://reader034.vdocuments.mx/reader034/viewer/2022042707/58ee13631a28ab6c128b4715/html5/thumbnails/49.jpg)
49
Application VPN
![Page 50: Bad for Enterprise: Attacking BYOD Enterprise Mobile Security Solutions](https://reader034.vdocuments.mx/reader034/viewer/2022042707/58ee13631a28ab6c128b4715/html5/thumbnails/50.jpg)
50
GD Network
![Page 51: Bad for Enterprise: Attacking BYOD Enterprise Mobile Security Solutions](https://reader034.vdocuments.mx/reader034/viewer/2022042707/58ee13631a28ab6c128b4715/html5/thumbnails/51.jpg)
51
GD Network Communications
Two methods of communication with the enterprise application server,
1. GDHttpRequest
2. Native URL Loading (NSURL, NSMutableURL, etc.)
![Page 52: Bad for Enterprise: Attacking BYOD Enterprise Mobile Security Solutions](https://reader034.vdocuments.mx/reader034/viewer/2022042707/58ee13631a28ab6c128b4715/html5/thumbnails/52.jpg)
52
![Page 53: Bad for Enterprise: Attacking BYOD Enterprise Mobile Security Solutions](https://reader034.vdocuments.mx/reader034/viewer/2022042707/58ee13631a28ab6c128b4715/html5/thumbnails/53.jpg)
53
GDHttpRequest
• Part of the GD SDK• #import <GDNETiOS.h>
• Easy to enable proxy• [GDHttpRequest enableHttpProxy:ip withPort:port];• [GDHttpRequest disablePeerVerification];
![Page 54: Bad for Enterprise: Attacking BYOD Enterprise Mobile Security Solutions](https://reader034.vdocuments.mx/reader034/viewer/2022042707/58ee13631a28ab6c128b4715/html5/thumbnails/54.jpg)
54
Native URL Loading
• Enabled via GDURLLoadingSystem Class
• [GDURLLoadingSystem enableSecureCommunication]
• Enabled by default
• Proxying traffic is harder
• Doesn’t obey iOS network proxy settings
• Swizzle [NSURLConnection initWithRequest]
![Page 55: Bad for Enterprise: Attacking BYOD Enterprise Mobile Security Solutions](https://reader034.vdocuments.mx/reader034/viewer/2022042707/58ee13631a28ab6c128b4715/html5/thumbnails/55.jpg)
55
SSL)over)TCP
3.)HTTP(S))Traffic
Hooking the Network
![Page 56: Bad for Enterprise: Attacking BYOD Enterprise Mobile Security Solutions](https://reader034.vdocuments.mx/reader034/viewer/2022042707/58ee13631a28ab6c128b4715/html5/thumbnails/56.jpg)
![Page 57: Bad for Enterprise: Attacking BYOD Enterprise Mobile Security Solutions](https://reader034.vdocuments.mx/reader034/viewer/2022042707/58ee13631a28ab6c128b4715/html5/thumbnails/57.jpg)
57
Does everything suck?
• Local device access is important, but remote attacks possible.
• https://www.youtube.com/watch?v=STIHO2XOOiM
• Employee Education.
• Be careful of USB chargers. BadUSB.
• Intranet == Internet
• Additional security checks on apps
![Page 58: Bad for Enterprise: Attacking BYOD Enterprise Mobile Security Solutions](https://reader034.vdocuments.mx/reader034/viewer/2022042707/58ee13631a28ab6c128b4715/html5/thumbnails/58.jpg)
58
Take Aways!
• Think outside the box to break the box!
• BYOD Policy helps to a certain extent, but such attacks will always
be possible.
• Do not blindly trust what the vendors sell you.
• https://github.com/vtky/Swizzler