enterprise mobility management (emm) josh stroschein oct 2014 @jstrosch
TRANSCRIPT
Enterprise Mobility Management (EMM)
JOSH STROSCHEIN
OCT 2014
@JSTROSCH
About me
Josh Stroschein [email protected]
Instructor at Dakota State University (DSU)
MSIA from DSU
Doctoral Student in Cyber Operations
SD Air National Guard
Software development consultant
Overview What is EMM?
The Mobile Ecosystem
Current Threat landscape
Understanding iOS and Android
Mobile Device Management (MDM)
Mobile Application Management (MAM)
Mobile Information Management (MIM)
Mobile Strategy/BYOD
What is EMM? Enterprise Mobility Management
Centered on devices, operating systems, networks, applications, data and policy
We need to address more than just device management – MDM
This includes managing wireless networks
A fully comprehensive EMM suite will cover devices (MDM), plus applications (MAM) and information (MIM) Network connections to the enterprise, data that is
accessed, shared or generated
Mobile email management, data loss protection, mobile virtualization, app wrapping, app signing…
I think you get the point!
Mobile VS Legacy PC
Mobile Ecosystem Globally, 1.8 Billion mobile phones sold in 2013 (up 1.2% from 2012)
Market share Android - 78.6%
iOS - 15.2%
Blackberry – 1.9%
iDevices dominate the enterprise though [Mobility Index Report 2014]
Estimated 1.2 billion app users by end of 2012 Forecast 4.4 billion by end of 2017
Apps by share Estimated that there is at least 800,000 apps in both the Apple App Store
and Google Play, each!
The market for mobile payments will triple in value by 2015, reaching $670 billion [Juniper]
Mobile OS Market share
Mobile Ecosystem
Mobile Banking (m-banking) Estimates between 500 million and 1.1 billion m-banking
users globally by 2015
More users of m-banking than mobile commerce
Driven by banks helps cut costs, provides convenience
Efforts to reach the “unbanked”
70% of employees use personal devices for company data Is it authorized or not?
Mobile Attack Vectors
User Malicious and risky apps (malware)
Risky behavior
User data leakage: copy/paste, screenshot, open-in
Device Jailbreak/Root
Theft
Networks Rogue AP, MiTM
Consumer App Risks
47% - Companies with BYOD [strategy] that experience a data or security breach as a result of an employee-owned device accessing the network
65% - Companies with NO BYOD policy
34% - Companies with no app security program
Mobile threat increase: up 614%
Threat Landscape Are mobile devices really insecure?
Q1 2014 – 277 new threat families found
275 run on Android (99.3%)
1 on iOS and 1 on Symbian
91% classified as malware, the rest were classed as potentially unwanted apps
According to Kaspersky: 98.05% of all detected malware targeted Android
0.13% Other – this includes iOS
First half of 2014, 175,442 new unique Android malicious programs were detected
18.3% more than all of 2013
Threat Landscape Lone hacker is now a common misconception.
Driven by organized crime
What does all of this malware do? Primarily are Trojans
SMS Sending
File or app downloading
Location Tracking
Fake app scanning
Link Clicking
Banking Fraud
Fee charging
Some are linked to a botnet - ~19%
Most are profit motivated Silently sending SMS messages to premium numbers (Android 4.2)
Charging ‘fee’ for a free app
Threat Landscape Trend in 2013 saw more malware targeting user banking
credentials to access their money Another Android trend, but iOS users should stay alert
423 banking trojans in August of 2013 – 5,967 in July of 2014 More than a 14x increase!
What about iOS? Trojan: IPHONEOS/ADTHIEF.A
Malware hijacks various advertising modules in installed apps to display it’s own advertisements
Only affects jailbroken phones!
Symbian Trojan that silently sends SMS messages
Unusual due to focus on OS with very small market share
Mobile Risk Ecosystem To understand mobile, we need to understand the risks.
It’s like the PC, only different
What are they? Physical Risks
Physical access to device is impossible to defend against
Service Risks
Most apps are just clients, accessing data from a server
How secure is the server?
Social Engineering: How is your tech support?
Self-help portal?
App Risks
Primary Attack surface – apps interacting with platform features
But app to app problems are mitigated by the OS
Application Threats
Sensitive Information Leakage PII, IP, Pins, passwords
Secure on-device storage Secrets do not belong on the device
Poor code/Application security risks Who writes your code?
Open VS Closed Platforms Apple is closed
They control the OS, manufacturing, and the app store
Tougher controls – app signing and vetting
Android is open Custom OS, distributed app stores, self-signing for apps
Upgrading phones depends on agreement with device manufacturer and mobile network operator (MNO)
I’m still running Android 2.3
I was until last week anyway…
What drives the app store? Security or Consumerism?
A little about iOS Security implemented at every level
Remember, Apple controls it all
Secure startup: bootloaders, kernels, baseband firmware – signed by Apple for integrity
Only one port open out of the box – TCP 62087? Minimal network profile, no known vulns
Very little to work with for pen tests, vuln scans, etc
But, updates usually come direct from Apple
App signing Cert comes from Apple
Granular app controls (vs Android manifest)
A little about Android Android is open source w/ bits of closed-source software
Google Apps are closed (when native on device)
Device manufactures and mobile carriers develop custom software, including drivers and apps – closed source
Push updates, if at all, at different schedules
Results in Fragmentation: The same device on two different carriers can have different software
Permission based Enforced at kernel
It’s how Android sandboxes
And the application
Apps must declare permissions in their manifest (AndroidManifest.xml)
App signing: Can use a self-signed certificate – very common
Android Security Model
Secure Use of Android
Only download software from known trusted sources Google Play, Amazon, internal app store
Only visit trusted websites
Avoid charging from untrusted docking stations
Keep the phone updated – if you can!
iOS 7 VS Android Security Controls
Jailbreaking vs ‘rooting’ Android: root – accessing root account
iOS: Jailbreak – overcome several iOS security measures to accomplish – and get root account
Goal is to gain complete control of device/OS Install SSH, VNC, custom theme, alternate apps stores (iOS),
tether, et cetera
Management Concerns How did they jailbreak/root? Install a backdoor?
New services enabled (ssh/ftp/etc)
Entire file system is now vulnerable
iOS: Running apps outside of Apple’s control, negating the Sandbox
Still receiving OS updates? Likely not
Mobile Device Management (MDM)
Frameworks or solutions designed to control, monitor & manage mobile devices on enterprise network
Ability to perform these tasks remotely, over the air (OTA), for devices enrolled in MDM service
Why MDM? We can’t control mobile devices the same way we do
traditional corporate desktop/laptop assets
Loose control over:
System upgrades (provided by carrier)
Installation/Uninstallation of applications
Data on the device
MDM Is MDM provided only by a 3rd party vendor? No, mobile
platforms provide features for MDM Android 2.2 and iOS 4 (OTA support)
Vendors create management framework
Combined, this is the MDM Framework
Examples: MobileIron, AirWatch and BlackBerry Enterprise – MDM Solutions Leverage platform specific MDM frameworks to provide
device management capabilities
Some vendors develop MDM solutions w/o using platform specific MDM features Example is GOOD for Enterprise
MDM Three broad categories
Device Centric: Use platform MDM features to secure and harden device
MobileIron, AirWatch and Tangoe
Data Centric: Secure data/content, does not focus on entire device (Mobile Application Management)
GOOD For Enterprise
Hybrid: Features from other two categories present in this approach
Data Protection + Device Management
Most Desirable?
MDM - Device Provisioning How the MDM solution is implemented
MDM often uses client apps to: Enroll mobile device with MDM server
Manage and enforce policies on devices – once enrolled the server can enforce policies and controls remotely
Provide functionality that the MDM features can not Location information, jailbreak/root detection, the stuff that apps
can do!
Provisioning Profiles Installed on device by MDM client
Often XML or text-based files
Encrypted, signed or both for integrity
MDM – Device Provisioning
MDM - Device Provisioning
Provisioning Process – iOS-centric Device is enrolled
Device receives profile – profile is verified, decrypted and parsed
System files are populated with this info
System files are then parsed by system services to enforce/implement settings
MDM w/ Apple
MDM server generates provisioning profile
Sends to device (Apple Push Notification or MDM app installed)
Device stores profiles at system location /private/var/mobile/Library/ConfigurationProfiles
XML files (plist) with .stub extensions
Device then parses and installs profiles Parsed to populate system files
MDM – Control!
MDM – Managed VS unmanaged apps
Can manage third-party apps from the App Store Enterprise in-house apps as well
But we can’t stop the user from installing apps – this is the difference between unmanaged and managed apps
Can remove managed apps and their data on-demand
Prevent managed app data from being backed-up to iTunes or iCloud
MDM – Remote Wipe (Apple)
If device is out of policy, lost, stolen or employee termination, through MDM can: End MDM Relationship – this removes all managed
settings (accounts,apps, settings, data)
Keep device managed, remove only specific config profiles
Restore to factory default settings – remote wipe
Remote Lock
Reset passcode remotely
MDM - Android Android didn’t support until 2.2
Device Administration API
Same concept as iOS but implemented differently
Conceptually the same, but implementation is different
Does not use a configuration profile Apps interact with Administration API directly
MDM vendors need to develop an app that interacts with Admin API AND MDM Server
Recall fragmentation – it’s back! Device manufacturers can add additional management APIs
MDM - Android
Androids aren’t always updated, and don’t always ship with the most recent version Can’t depend on current admin/management APIs
Overall, much more difficult than iOS MDM Admin API + Core API + OEM API
Best strategy: Define which version of Android, and possible what OEM, has the minimum you need and order/support those devices
MDM - Android What does the enrollment process look like?
Install a Device Administration-enabled app Connects OTA to management server
Users authenticate w/in app
App asks for permission to be device admin
Security changes implemented Further changes through MDM server
May run in background or receive commands OTA Push notifications sent via Google Cloud Messaging
No control over unmanaged apps
How is MDM Bypassed? Modifying MDM Policy Files
Done on a jailbroken or rooted device
MDM framework will attempt to detect these types of devices
MiTM w/ Network traffic
Detecting MDM tampering Often done by 3rd party app to monitor state of device
If device in violation, security reaction can occur (remote lock/wipe/location)
Application Patching and Modification Attacks
Airplane mode
MDM – Jailbreak detection Often offered as a feature upgrade
Leverage client-side solutions (client app)
How effective depends on how the vendor implements detection: Do they just monitor for 3rd party app store?
Proprietary
This can be subverted as well – app patching
MDM Drawbacks
Hard to separate corporate and user data
Added tech support
More restrictive user experience
New phones – will the MDM software keep up?
Is it here to stay???
MDM – Mastering MDM
For iOS, start with the iPhone Configuration Utility/Appe Configurator
Perform all of the configs, queries and management actions as any MDM solution
You won’t be able to do it over the air though w/o an MDM server though
You can also check out Cisco Meraki
They offer a free service It works better with Cisco products though
Uses an agent app
Allows you to work with MDM with a low barrier of entry
Mobile Application Management - MAM
Major shortfall of MDM: inability to manage apps at a granular level MDM is all or nothing on a device, what we really
care about is the data/apps
Personal and corporate apps have to live under the same policies on a device
MDM can’t prevent apps from sharing (or leaking) data with other apps on a device
MAM – Mobile Application Management
Software and services responsible for provisioning and controlling access to apps Very similar to MDM but for apps – password policies and
encryption, geofencing, etc
Good for company provided devices and BYOD Less intrusive
Third-Party and OS-Enabled OS: manage any app, but only specific devices
3rd Party: Special Apps, but run on any device
Goal: Let personal and corporate data live in harmony
Achieve dual-persona
MAM – How does it work?
Building management features into the app.
Why is this good? We don’t need to care about MDM concerns on the
device
The app is MDM – it’s created in a way to ensure how it interacts with corporate resources won’t compromise the data
Not in control of entire device, less intrusive
Work stuff can be ‘just another app’
MAM by 3rd Party Trick is to let corporate apps share data like personal
apps, but not share with personal apps
Develop a suite of corporate apps that work together Email + File Sharing + File Editing + …
There is secure sharing: Encrypt data before it goes into device’s shared
frameworks
Direct app-to-app comms
Use an external service
Combine this functionality into single app…
MAM by 3rd party
Most of the apps in the stores are not MAM ready We can’t get between these apps and the device so we
can’t add them to any app – we need the unsigned binary
Five basic routes Directly from MAM vendors
MAM SDKs when building new apps
App wrapping to add MAM
Apps from ISVs that partner with MAM vendors
Apps that have management features but don’t require a MAM solution
MAM enabled OSes Virtualization is one solution
Android virtualization project
Samsung and Knox MAM/MDM w/o virtualization
iOS 7: New app management capabilities Overall limited, but a step in the right direction
iOS 8 expands on those, more later on
Very early in adoption…
A part of BYOD strategy?
Mobile Information Management - MIM
Device agnostic
Keep sensitive data encrypted, allow only approved applications to access or transmit
What about app leakage? Is it MAM-enabled? How does the OS handle the data? Several drawbacks at this time
What about iOS 8?
Builds on improvements offered by iOS 7, focus on enterprise
Privacy is critical: HealthKit/Health & HomeKit What happens if you do a full wipe?
Includes 4,000 new APIs Extensibility: ability of apps to share data between them
User’s see a seamless experience – we see opportunity for data ‘leakage’
Handoff: Seamless integration between iDevices Should you disable it?
iOS 8 – New MDM
New queries, such as last time a device was backed up
Set device name
On supervised devices, always-on VPN
iCloud document control: restrict use of iCloud drive for managed apps
iOS 8 – Device Restrictions
Policy & Trust
Mobile First Strategy Study by Ponemon Institute, 50 percent of IT professionals in
financial services say their company has no mobile strategy
End-user productivity drives growth of mobile devices in the workplace
Budgeting issues continue to plague effective management
Biggest risks are malware infections and end-user negligence
BYOD is viewed favorably by organizations because of productivity.
Written corporate policy is a essential – define everything we’re about to talk about and more
Mobile First Strategy
Top workplace tasks for mobile devices (Ponemon)
BYOD: Considerations & Strategy Start with some basic considerations
Biggest barriers to implementing a BYOD program are employees who do not want the company to have control of their personal devices and the difficulty in managing these devices.
We’ll also look at a four part strategy:
I. Prepare your organization
II. Build the program
III. Roll out the program
IV. Sustain BYOD security and performance
Eligibility Make clear who can/can’t use personal devices
By role, by demand, by necessity
Determine what they are replacing Phone, laptop, desktop, etc
Is it critical that they have this replacement
Determine stipend, financial consideration for replacement
Ideal for independent contractors Usually expected to bring their own device
Address all legal concerns/update AUP
Allowed Devices
Require the device to be enrolled in EMM/MDM If not feasible, how will you protect the enterprise?
If installing software on a system, set minimum requirements
Consider virtualization All the user needs is a browser – typically
Keeps corporate resources separated from personal space, on the same device!
Easier to maintain and provision
Available on mobile devices
Service Availability Determine what services will be made available
and how you want to make these services accessible Is data already going out? Does this change much
with a BYOD policy – are you monitoring both inbound AND outbound traffic?
Consider requiring employee to purchase license for software Provide a discount
Avoid risk or liability issues for violations
Rollout
Communicate policies and procedures to all affected individuals Understanding will by key
Explain how program will work Reimbursement/stipend
What corporate resources will/won’t be available
Who is eligible
Training/education
Cost Sharing Determine the actual numbers of your BYOD program
Does it truly save costs – not all benefits can be measured
Does it save IT hours or cost more
Who supports the devices? Most likely the owner and where they purchased it from
How does the stipend affect the employee’s income? Often treated as income for tax purposes – may change
the stipend amount
User training & support
Do your users understand your BYOD strategy?
Are they focused on self-service?
Training and education will be critical, this is different than the corporate owned desktop
What type of support will you provide? What should your user’s expect?
I. Prepare the organization Determine your risk tolerance
Your industry may drive your tolerance: Financials, healthcare, etc will need to be more defensive
This step helps to: Focus areas/areas of concern
Range of devices allowed/supported
IT involvement (helpdesk, etc)
Security policies
Result: Will your BYOD program support your company culture and business goals?
I. Prepare the organization
Engage stake-holders early Define program goals
Secure program funding and buy-in
Must meet the needs and expectations of the end-user Any BYOD program that fails to support end-user needs
will likely be rejected
Think through common objections to BYOD to help
Form a steering committee with diverse representation
I. Prepare the organization
Survey and Communicate with employees OS/Devices employees use
Factors that would encourage/discourage BYOD participation
Comfort with self-service support
Perception with work/life balance
Identify mobile IT capabilities Do you have the correct people and resources?
You can perform a capability assessment to help
II. BYOD Infrastructure Infrastructure is much different than a legacy/traditional
desktop environment.
Roles that may be necessary: Mobile Systems Engineer
hardware, software and networking technologies
Mobile Device Expert
Device and software
Mobile Security Expert
Policies & controls
Mobile Applications Developer
Understand app development, whether in-house or outsourced
Mobile Service and Support Resources
III. Program launch
Comes after you’ve defined: Goals, policies, processes and technical infrastructure
Soft launch your program Or use a phased roll out
Helps with trouble shooting – collect feedback as well
Select a well-represented user group
Monitor feedback for improvement
Company wide roll-out Phases are still a good idea
Don’t forget training and support
IV. Maintaining BYOD
Helpdesk is still important, but a good BYOD program will allow for self-service
Add more apps, devices and systems
Safe and effective device retirement Make sure corporate data is not left behind
Mobile devices have a short life-span
Measure value
From Blackberry…
"BlackBerry broke its longstanding business model recently by announcing that its BlackBerry Enterprise Service 10 management platform would be able to manage not just BlackBerry devices, but Android and iOS gadgets as well. Now, in a new announcement, the company is also exploring the flipside of that coin, allowing software from other companies to manage BlackBerry phones. The moves acknowledge a world in which fewer and fewer people are interested in a vertical BlackBerry solution — but also seem to kill the last things that make BlackBerry special."
Resources http://www.wired.com/2012/08/apple-amazon-mat-honan-hac
king/
http://www.securelist.com/en/analysis/204792326/Mobile_Malware_Evolution_2013#01
https://source.android.com/devices/tech/security/
https://developer.apple.com/support/technical/code-signing/
http://support.apple.com/kb/ht3743
https://www.owasp.org/index.php/Mobile_Jailbreaking_Cheat_Sheet