
Page 1: (Pdf) yury chemerkin balccon_2013

(IN-)EFFICIENCY OF SECURITY FEATURES ON MOBILE SECURITY AND COMPLIANCE

YURY CHEMERKIN

Balkan Computer Congress (BalCCON 2013)

Page 2:

[ YURY CHEMERKIN ]
Experienced in:
Reverse engineering & AV
Software programming & documentation
Mobile security and MDM
Cyber security & cloud security
Compliance & transparency
Forensics and security writing (Hakin9 / PenTest / eForensics magazines, Groteck Business Media)
Participation at conferences:
InfoSecurity Russia, NullCon, AthCon, CONFidence, PHDays, DefCon Moscow, Hacktivity, Hackfest
CyberCrime Forum, Cyber Intelligence Europe / Intelligence-Sec, DeepIntel
ICITST, CTICon (CyberTimes), ITA, i-Society
www.linkedin.com/in/yurychemerkin http://sto-strategy.com [email protected]

Page 3:

[ OPINIONS ]
Apple's centralized point of distribution provides confidence through Apple's validation, except for the suspicious app submitted by Ch. Miller that was successfully approved by Apple.
Installing Cydia and the rest of the apps after that.
Microsoft (Windows Phone) has a centralized market with deep testing and validation, like Apple.
Google provides a centralized market too, but also allows installing apps from 3rd-party sources such as Amazon. Any other sources originate from malware hotspots; the alternative markets for so-called "cracked" apps distribute repackaged apps for free.
BlackBerry is the safest OS because it is the most manageable and secure, mainly because it is built the enterprise way.
BlackBerry is safer than Windows, which is safer than iOS, which is safer than Android.

Page 4:

[ Vulnerabilities of OS and apps ]
(Chart: one bar per vulnerability, score on a 0-10 axis, entries dated 2004-2013; series: Score - iOS, Score - Android, Score - BB. Individual data labels are not recoverable from the transcript.)

Page 5:

[ Vulnerabilities of OS and apps ]
Min & average score

OS      | Min | Average
iOS     | 1.2 | 6.3
Android | 1.9 | 8.2
BB      | 2.1 | 6.3

Page 6:

[ SOURCE & BINARY ANALYSIS TOOLS ]
How many tools there are (approx.): iOS - 10, Android - 50, Windows Phone - 40, BlackBerry - 10
Quantity of bugs / security flaws reported per app: average - 50, min - 20, max - infinity
Warning: ads. Veracode is the most useful.
Bug types (obvious | likely):
Missed constructions such as double/triple free()
Debug paths, keys, etc.
Plaintext & hard-coded passwords, tokens, master keys, etc.
Non-secure flaws, constructions, etc.
"Check it out, SQL injection is possible there", "There is no HTTPS here"
"Hey dude, why is it vulnerable again?" "Sorry, big boss, I'd just committed the wrong branch."

Page 7:

[ MOBILE SECURITY CAPABILITIES ]
The same capabilities among mobile operating systems:
Secure bootloader
System software security (updates)
Application code signing
Runtime process security
Sandbox
APIs
Hardware security features
File data protection
SSL, TLS, VPN
Passcode protection
Settings
Permissions / restrictions
Configurations
Remote management
MDM
Remote wipe

Page 8:

[ SECURITY ENVIRONMENT ]
MDM services help manage and protect BlackBerry, iOS, Windows and Android devices.
MDM services provide unified communication and collaboration software and service (SaaS).
Each OS is designed to protect data in transit, in memory and in storage ... at all points ...
MDM services are enhanced by managing the behavior of the device.
The OS provides a capability to protect any application data using sandboxing.
The OS provides a capability to manage permissions to access its capabilities.
Each OS evaluates every request that an application makes to access to... but the documentation leads away from any details and APIs.

Page 9:

[ KNOWN ISSUES ]
Security features on devices & MDMs: all controlled objects are limited by the sandbox and by permissions; additional features aren't accessible on the device.
User-mode malware: spyware, rootkits.
Exploits & attacks: reversing the network layer; recovering data vs. sandbox & memory; exploiting to get super privileges.
MDM vs. compliance: common recommendations only; their set is smaller than the set of MDM features; it is rather better to manage MDM solutions than the device at all; too far from details.
Young standards: first revisions, draft revisions.
Mobile security software: read-only mode / information only; application firewall (calls, messages...); a network firewall requires root; no real security if you break a sandbox.
Threat bounds become unclear... MDM & compliance bring common recommendations.

Page 10:

[ KNOWN ISSUES. Examples ]
Bypass MDM solutions (iOS, Android): exploits, dump /mem to get emails. BlackHat EU'13 http://goo.gl/HN829p
BlackBerry PlayBook: exploits, MITM, dump '.all' files. SecTor'11, Infiltrate'12, SOURCE Boston'13 http://goo.gl/KaTtFG
Gain root access (Android): app signature exploitation, app modification. BlackHat USA'13 http://goo.gl/p5FhWG
Time-frame to fix: 7+ months, or wait for the next update; wait for a vendor's interest in your analysis of the app's data at rest.
Data leakage (BlackBerry, iOS): reveal passwords, master keys, etc. BlackHat EU'12 http://goo.gl/STpSll
Data leakage (Android): weakness of the crypto engine. PHDays III'13 http://goo.gl/x1PPGK

Page 11:

[ KNOWN ISSUES. Examples ]
PlayBook artifacts (see the previous slide): browser history; networking IDs, flags, MACs; video call details; access to the internal network kernel.
BlackBerry Z10: dump the microkernel; even developers' credentials (Facebook, mobile, emails). BlackHat, DefCon Moscow http://goo.gl/R74leX
GUI fails (BlackBerry OS): data leakage; reveal passwords, ... anything; no permissions requested; borrow the permissions of another app. NullCon'13, CONFidence'13 http://goo.gl/phMey2

Page 12:

[ APPLICATION EXAMINATION ] Forensics examination; only those apps I have to use every day.
Account: country code, phone number; device hardware key; login / tokens of Twitter & Facebook
Calls history: name + internal ID; duration + date and time
Address book: quantity of contacts / viber-contacts; full name / email / phone numbers
Messages: conversations; quantity of messages & participants per conversation; additional participant info (full name, phone)
Messages: date & time; content of message; ID

Page 13:

[ APPLICATION EXAMINATION ]
Account: country code, phone number; login / tokens of Facebook weren't revealed; 'Buy me for....$$$'; avatars :: [email protected] (jfif)
Address book: no records of the address book were revealed... check the log file and find these records (!)
Messages: date & time; content of message; ID :: [email protected]

Page 14:

[ APPLICATION EXAMINATION ]
Account: phone number; password and secret code weren't revealed: trace the app, find the methods that use them, repack the app and have fun; no masking of the data typed
Information: amount; full info in the history section (incl. info about who receives the money); connected cards
Encryption? No
Bank cards: masked card number only
Qiwi bank cards: full & masked number; CVV/CVC; all other card info

Page 15:

[ APPLICATION EXAMINATION ]
Account: ID, email, password
Information: loyalty (bonus) of your membership; all you ever type; date of birth; passport details
Book/order history: routes; date and time; bonus earning; full info per each order
Connected cards, encryption? "AES 256 bit", keyed on the password "anywayanydayanywayanyday", which is stored in plaintext. sizeof("anywayanydayanywayanyday") = 24 bytes = 192 bits, not 256.

Page 16:

[ APPLICATION EXAMINATION ]
Account: ID, bonus card number; password not revealed; other IDs & tokens
Information: date of birth; passport details; history (airlines, city, flight number only)
Flight tickets, login credentials: repack the app and grab them

Page 17:

[ APPLICATION EXAMINATION ]
Account: ID, password; loyalty (bonus) card number
Information: not revealed (tickets, history or else)
Repack the app

Page 18:

[ APPLICATION EXAMINATION ]
Account: ID, email, password; other IDs & tokens
Information: loyalty (bonus) of your membership; all you ever type; date of birth; passport details: all passport info (not only travel data); your work data (address, job, etc.) that you have never typed!
Flight tickets: repack the app and grab them
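The examination slides above, and the "plaintext & hard-coded passwords, tokens, master keys" and "there is no HTTPS here" findings of the analysis tools on Page 6, all reduce to one check: walk the app's data at rest and flag what should never be there in the clear. The script below is an added example by the editor, not code from the talk; the file contents it scans are constructed for the example (no real app data), the file layout is assumed, and the Luhn filter is the editor's way of separating real card numbers from other long digit runs.

```python
"""Added example (not from the slides): a small data-at-rest scanner.

It walks an extracted app data directory and reports credential-like
key/value pairs, cleartext http:// endpoints, Luhn-valid card numbers and
stored CVV fields. SAMPLE_FILES is constructed for the example.
"""
import re
import tempfile
from pathlib import Path

# Constructed sample of what an extracted app sandbox might contain.
SAMPLE_FILES = {
    "shared_prefs/account.xml": (
        '<map>\n'
        '  <string name="login">user@example.org</string>\n'
        '  <string name="password">Summer2013!</string>\n'
        '  <string name="api_base">http://api.example.org/v1</string>\n'
        '</map>\n'
    ),
    "databases/wallet.csv": (
        "label,pan,cvv,expiry\n"
        "main,4111111111111111,123,12/15\n"
        "spare,4111111111111112,456,01/16\n"   # fails Luhn: not a real PAN
    ),
    "cache/history.log": "2013-09-14 balance=1200.00 note=ok\n",
}

CRED_KEY = re.compile(r'(?i)(password|passwd|secret|token|master[_-]?key)')
KV_XML = re.compile(r'<string name="([^"]+)">([^<]*)</string>')
HTTP_URL = re.compile(r'\bhttp://[^\s"<>]+')
PAN_CANDIDATE = re.compile(r'\b\d{13,19}\b')
CVV_FIELD = re.compile(r'(?i)\b(cvv|cvc|cvv2)\b')


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: keeps real card numbers, drops other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(relpath: str, text: str) -> list[tuple[str, str, str]]:
    """Return (file, finding type, evidence) triples for one file's content."""
    findings = []
    for key, value in KV_XML.findall(text):
        if CRED_KEY.search(key) and value:
            findings.append((relpath, "plaintext credential", f"{key}={value}"))
    for url in HTTP_URL.findall(text):
        findings.append((relpath, "cleartext endpoint (no HTTPS)", url))
    for pan in PAN_CANDIDATE.findall(text):
        if luhn_ok(pan):
            # report a masked form only; the scanner must not re-leak the PAN
            findings.append((relpath, "card number (Luhn-valid)", pan[:6] + "..." + pan[-4:]))
    if CVV_FIELD.search(text):
        findings.append((relpath, "CVV/CVC stored", "field present"))
    return findings


def scan_dir(root: Path) -> list[tuple[str, str, str]]:
    """Scan every file below root; paths are reported relative to root."""
    results = []
    for path in sorted(root.rglob("*")):
        if path.is_file():
            text = path.read_text(encoding="utf-8", errors="replace")
            results.extend(scan_text(path.relative_to(root).as_posix(), text))
    return results


def write_samples(root: Path) -> None:
    """Materialise the constructed sample tree under root."""
    for rel, body in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")


def demo() -> list[tuple[str, str, str]]:
    """Build the sample tree in a temp dir, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        write_samples(root)
        return scan_dir(root)


if __name__ == "__main__":
    for hit in demo():
        print(*hit, sep=" | ")
```

Point `scan_dir()` at a directory pulled from a device (an unpacked backup, a jailbroken/rooted copy of the app's sandbox, or the shared folders the later slides complain about) instead of `demo()`; the patterns are a starting set, and the Luhn filter is what stops every timestamp and internal ID from being reported as a card number.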

Page 19:

[ DEVICE MANAGEMENT ]
Goals - mobile resources / aim of attack: device resources; outside-of-device resources
Attacks - set of actions under the threat
APIs - resources widely available to coders
Security features: kernel protection, non-app features; permissions - explicitly configured; 3rd party - AV, firewall, VPN, MDM
Compliance - rules to design a mobile security in alignment with compliance to...
(Diagram: application-level attack vector, layered as Goals / Attacks / APIs / Permissions / Kernel protection / Non-app features / MDM features / AV, MDM, DLP, VPN.)

Page 20:

[ DEVICE MANAGEMENT ]
Δ = A ∪ B ∪ Γ ∪ Υ, A ⊂ B, Υ ⊆ B, Υ ⊂ A
Δ - set of OS permissions, A - set of device permissions, B - set of MDM permissions, Γ - set of missed permissions (lack of controls), Υ - set of rules that explicitly should be applied to gain compliance
H = E + Z, E ⊃ A ∪ B
H - set of APIs, E - set of APIs that interact with sensitive data, Z - set of APIs that do not interact with sensitive data
To get a mobile security design with full granularity, the set Γ should be the empty set, so that E ⊇ A ∪ B holds instead of E ⊃ A ∪ B; what matters is how close to empty it is. On the other hand, it should be found out whether the assumptions Υ ⊆ B, Υ ⊂ A are true and whether it is possible to get ⊆ A.
Efficiency: set of permissions vs. set of activities
Set of permissions < set of activities: efficiency < 100% (the typical case)
Ability to control each API: = 100%
More than one permission per API: > 100%
Causes: lack of knowledge about possible attacks; improper granularity.
Concurrency between native & additional security features (kernel protection, permissions, non-app features, MDM features; AV, MDM, DLP, VPN). The situation is very serious.

Page 21:

[ BLACKBERRY. PERMISSIONS ]
(Two value columns as printed: BB 10 (Cascades SDK / AIR SDK) and PlayBook (NDK/AIR).)

Permission                     | BB 10 (Cascades / AIR SDK) | PlayBook (NDK/AIR)
Background processing          | +                          | +
BlackBerry Messenger           | -                          | -
Calendar, Contacts             | +                          | via invoke calls
Camera                         | +                          | +
Device identifying information | +                          | +
Email and PIN messages         | +                          | via invoke calls
GPS location                   | +                          | +
Internet                       | +                          | +
Location                       | +                          | -
Microphone                     | +                          | +
Narrow swipe up                | -                          | +
Notebooks                      | +                          | -
Notifications                  | +                          | +
Player                         | -                          | +
Phone                          | +                          | -
Push                           | +                          | -
Shared files                   | +                          | +
Text messages                  | +                          | -
Volume                         | -                          | +

Page 22:

[ BLACKBERRY. Significant APIs ]

Feature                 | Q. APIs | Q. sign. APIs | % (sign. APIs) | Controlled?
BlackBerry Messenger    | 77      | 70            | 90.91          | +
Calendar                | 443     | 126           | 28.44          | +
Camera                  | 47      | 41            | 87.23          | +
Contacts                | 316     | 150           | 47.47          | +
Device identifying info | 15      | 14            | 93.33          | +
Email & PIN messages    | 347     | 211           | 60.81          | +
Internet                | 161     | 145           | 90.06          | +
Microphone              | 21      | 15            | 71.43          | +
Notebooks               | 123     | 86            | 69.92          | +
Notifications           | 32      | 24            | 75.00          | +
Phone                   | 27      | 22            | 81.48          | +
Push                    | 25      | 22            | 88.00          | +
Shared files            | 78      | 70            | 89.74          | +
Text messages           | 10      | 6             | 60.00          | +
Account                 | 66      | 21            | 31.82          | -
MediaPlayer             | 66      | 63            | 95.45          | -
NFC                     | 24      | 11            | 45.83          | -
Radio & SIM             | 68      | 51            | 75.00          | -
Clipboard               | 6       | 4             | 66.67          | -
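The arithmetic behind this table and behind the "efficiency" metric of Page 20 (permissions per activity, below/at/above 100%), as an added example by the editor rather than code from the talk. The BlackBerry rows are the slide's own numbers; `uncontrolled_significant()` sizes the Γ gap of Page 20 over them (sensitive APIs with no permission at all). The permission/activity pairs fed to `efficiency()` at the bottom are constructed for illustration and are not the deck's measured values.

```python
"""Added example (not from the slides): permission-coverage arithmetic.

BLACKBERRY is the slide's table. The efficiency() inputs at the bottom
are constructed, not measured.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Feature:
    name: str
    apis: int            # Q. APIs: all API calls behind the feature
    significant: int     # Q. sign. APIs: calls that touch sensitive data
    controlled: bool     # is there a permission / MDM switch for it?


# Rows as printed on the slide (Q. APIs, Q. sign. APIs, Controlled?).
BLACKBERRY = [
    Feature("BlackBerry Messenger", 77, 70, True),
    Feature("Calendar", 443, 126, True),
    Feature("Camera", 47, 41, True),
    Feature("Contacts", 316, 150, True),
    Feature("Device identifying info", 15, 14, True),
    Feature("Email & PIN messages", 347, 211, True),
    Feature("Internet", 161, 145, True),
    Feature("Microphone", 21, 15, True),
    Feature("Notebooks", 123, 86, True),
    Feature("Notifications", 32, 24, True),
    Feature("Phone", 27, 22, True),
    Feature("Push", 25, 22, True),
    Feature("Shared files", 78, 70, True),
    Feature("Text messages", 10, 6, True),
    Feature("Account", 66, 21, False),
    Feature("MediaPlayer", 66, 63, False),
    Feature("NFC", 24, 11, False),
    Feature("Radio & SIM", 68, 51, False),
    Feature("Clipboard", 6, 4, False),
]


def pct_significant(f: Feature) -> float:
    """The '% (sign. APIs)' column: share of a feature's APIs touching sensitive data."""
    return round(100.0 * f.significant / f.apis, 2)


def uncontrolled_significant(features) -> tuple[int, int, float]:
    """Size of the Γ gap: sensitive APIs that no permission can switch off.
    Returns (uncontrolled significant APIs, all significant APIs, share in %)."""
    total = sum(f.significant for f in features)
    gap = sum(f.significant for f in features if not f.controlled)
    return gap, total, round(100.0 * gap / total, 2)


def efficiency(permissions: int, activities: int) -> float:
    """Page 20's metric: permissions per activity, as a percentage.
    < 100: several activities share one switch (coarse control)
    = 100: one switch per activity
    > 100: more than one permission gates the same activity."""
    if activities <= 0:
        raise ValueError("no activities to control")
    return round(100.0 * permissions / activities, 2)


def classify(eff: float) -> str:
    if eff < 100.0:
        return "under-controlled"
    if eff == 100.0:
        return "one permission per activity"
    return "over-granular"


if __name__ == "__main__":
    for f in BLACKBERRY:
        print(f"{f.name:25s} {pct_significant(f):6.2f}%  controlled={f.controlled}")
    print("uncontrolled significant APIs (gap, total, %):", uncontrolled_significant(BLACKBERRY))
    # Constructed (permissions, activities) pairs, not the deck's measurements.
    for perms, acts in [(1, 6), (3, 3), (5, 2)]:
        e = efficiency(perms, acts)
        print(f"{perms} permission(s) over {acts} activities -> {e}% ({classify(e)})")
```

Run over the slide's rows, roughly an eighth of the sensitive API surface (Account, MediaPlayer, NFC, Radio & SIM, Clipboard) sits outside any permission, which is the concrete form of "Γ is not empty"; the same two functions can be pointed at the Windows table on Page 32 by filling in its rows.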

Page 23:

[ BLACKBERRY. Common activities ]
(Chart: per feature, "Q. of m.+a. activity" vs. "Q. of m.+a. permission", counts on a 0-35 axis. Per-feature data labels are not recoverable from the transcript.)

Page 24:

[ BLACKBERRY. Derived activities ]
(Chart: per feature, "Q. of derived activities" vs. "Q. of derived perm", counts on a 0-120 axis. Per-feature data labels are not recoverable from the transcript.)

Page 25:

[ BLACKBERRY. Efficiency (%) ]
(Chart: per feature, "% m+a activity vs perm" and "% m+a derived activity vs perm", values from 0.00% up to 250.00%. Per-feature data labels are not recoverable from the transcript.)

Page 26:

[ iOS. Info.plist (app capabilities) ]

Key                 | Description
auto-focus-camera   | handle autofocus capabilities in the device's still camera, e.g. for macro photography or image processing
bluetooth-le        | handle the presence of Bluetooth low-energy hardware on the device
camera-flash        | handle a camera flash for taking pictures or shooting video
front-facing-camera | handle a forward-facing camera, such as capturing video from the device's camera
gamekit             | handle Game Center
gps                 | handle GPS (or AGPS) hardware to track locations when higher accuracy than Cellular/Wi-Fi is needed
location-services   | retrieve the device's current location using the Core Location framework through Cellular/Wi-Fi
microphone          | handle the built-in microphone and its accessories
peer-peer           | handle peer-to-peer connectivity over a Bluetooth network
sms                 | handle the presence of the Messages application, such as opening URLs with the sms scheme
still-camera        | handle the presence of a camera on the device, such as capturing images from the device's still camera
telephony           | handle the presence of the Phone application, such as opening URLs with the tel scheme
video-camera        | handle the presence of a camera with video capabilities, such as capturing video from the device's camera
wifi                | access to the networking features of the device

Page 27:

[ iOS. Settings ]

Component                          | Units
Restrictions :: native applications | Safari; Camera, FaceTime; iTunes Store, iBookstore; Siri; manage applications*
Restrictions :: 3rd-party applications | manage applications*; explicit language (Siri); Privacy*, Accounts*; content type restrictions*

Unit                      | Subcomponents
Privacy :: Location       | per each 3rd-party app; for system services
Privacy :: Private info   | Contacts, Calendar, Reminders, Photos; Bluetooth sharing; Twitter, Facebook
Accounts                  | disables changes to Mail, Contacts, Calendars, iCloud and Twitter accounts
Find My Friends           |
Volume limit              |
Content type restrictions | ratings per country and region; music and podcasts; movies, books, apps, TV shows; in-app purchases; require passwords (in-app purchases)
Game Center               | multiplayer games; adding friends (Game Center)
Manage applications       | installing apps; removing apps

Page 28:

[ iOS. Common activities ]
(Chart: per feature, "Q. of m.+a. activity", "Q. of m.+a. permission" and "Q. of m.+a. perm plus parental perm", counts on a 0-20 axis; most permission counts are 0 or 1. Per-feature data labels are not recoverable from the transcript.)

Page 29:

[ iOS. Derived activities ]
(Chart: per feature, "Q. of derived activities", "Q. of derived perm" and "Q. of derived perm + parental perm", counts on a 0-80 axis. Per-feature data labels are not recoverable from the transcript.)

Page 30:

[ iOS. Efficiency (%) ]
(Chart: per feature, "% m+a activity vs perm", "% m+a derived activity vs perm", and the same two enhanced by parental permissions, on a 0-100% axis; many features sit at 0.00%, the highest at 50.00%. Per-feature data labels are not recoverable from the transcript.)

Page 31:

[ Windows. Permissions ]

Permission | Description
General use capabilities
musicLibrary | provides access to the user's Music library, allowing the app to enumerate and access all files without user interaction
picturesLibrary | provides access to the user's Pictures library, allowing the app to enumerate and access all files without user interaction
videosLibrary | provides access to the user's Videos library, allowing the app to enumerate and access all files without user interaction
removableStorage | provides access to files on removable storage, such as USB keys and external hard drives, filtered to the file type associations
microphone | provides access to the microphone's audio feed, which allows the app to record audio from connected microphones
webcam | provides access to the webcam's video feed, which allows the app to capture snapshots and movies from a connected webcam
location | provides access to location functionality, like a GPS sensor or a position derived from available network info
proximity | enables multiple devices in close proximity to communicate with one another via any available connection, incl. Bluetooth, Wi-Fi and the internet
internetClient, internetClientServer | provide outbound (inbound is for the server variant only) access to the Internet and public networks through the firewall
privateNetworkClientServer | provides inbound and outbound access to home and work networks through the firewall, for games or for applications that share data across local devices
Special use capabilities
enterpriseAuthentication | enables a user to log into remote resources using their credentials, and act as if the user had provided their user name and password
sharedUserCertificates | enables access to software and hardware certificates, like a smart card
documentsLibrary | provides access to the user's Documents library, filtered to the file type associations

Page 32:

[ Windows. Significant APIs ]

Feature                      | Q. APIs | Q. sign. APIs | % (sign. APIs) | Controlled?
General use capabilities
Notifications                | 68      | 4             | 5.88           | +
Music library                | 1300    | 138           | 10.62          | +
Pictures library             | 1157    | 133           | 11.50          | +
Videos library               | 1300    | 138           | 10.62          | +
Removable storage            | 1045    | 109           | 10.43          | +
Microphone                   | 274     | 33            | 12.04          | +
Webcam                       | 409     | 91            | 22.25          | +
Location                     | 37      | 5             | 13.51          | +
Proximity                    | 54      | 19            | 35.19          | +
Internet and public networks | 488     | 134           | 27.46          | +
Home and work networks       | 488     | 134           | 27.46          | +
Special use capabilities
Enterprise authentication    | 8       | 4             | 50.00          | +
Shared User Certificates     | 20      | 5             | 25.00          | +
Documents library            | 1045    | 126           | 12.06          | +
Non-controlled capabilities
Clipboard                    | 132     | 20            | 15.15          | -
Phone                        | 18      | 6             | 33.33          | -
SMS                          | 122     | 25            | 20.49          | -
Contacts                     | 97      | 31            | 31.96          | -
Device Info                  | 221     | 30            | 13.57          | -

Page 33:

[ Windows. Common Activities ]
(Chart: per feature, "Q. of m.+a. activity" vs. "Q. of m.+a. permission", counts on a 0-14 axis; the non-controlled capabilities show 0 permissions. Per-feature data labels are not recoverable from the transcript.)

Page 34:

[ Windows. Derived Activities ]
(Chart: per feature, "Q. of derived activities" vs. "Q. of derived perm", counts on a 0-25 axis; the non-controlled capabilities show 0 permissions. Per-feature data labels are not recoverable from the transcript.)

Page 35:

[ Windows. Efficiency (%) ]
(Chart: per feature, "% m+a activity vs perm" and "% m+a derived activity vs perm", values from 0.00% up to 125.00%; the non-controlled capabilities sit at 0.00%. Per-feature data labels are not recoverable from the transcript.)

Page 36:

[ Android. Permissions ]
ACCESS_CHECKIN_PROPERTIES, ACCESS_COARSE_LOCATION, ACCESS_FINE_LOCATION, ACCESS_LOCATION_EXTRA_COMMANDS, ACCESS_MOCK_LOCATION, ACCESS_NETWORK_STATE, ACCESS_SURFACE_FLINGER, ACCESS_WIFI_STATE, ACCOUNT_MANAGER, ADD_VOICEMAIL, AUTHENTICATE_ACCOUNTS, BATTERY_STATS, BIND_ACCESSIBILITY_SERVICE, BIND_APPWIDGET, BIND_DEVICE_ADMIN, BIND_INPUT_METHOD, BIND_REMOTEVIEWS, BIND_TEXT_SERVICE, BIND_VPN_SERVICE, BIND_WALLPAPER, BLUETOOTH, BLUETOOTH_ADMIN, BRICK, BROADCAST_PACKAGE_REMOVED, BROADCAST_SMS, BROADCAST_STICKY, BROADCAST_WAP_PUSH, CALL_PHONE, CALL_PRIVILEGED, CAMERA, CHANGE_COMPONENT_ENABLED_STATE, CHANGE_CONFIGURATION, CHANGE_NETWORK_STATE, CHANGE_WIFI_MULTICAST_STATE, CHANGE_WIFI_STATE, CLEAR_APP_CACHE, CLEAR_APP_USER_DATA, CONTROL_LOCATION_UPDATES, DELETE_CACHE_FILES, DELETE_PACKAGES, DEVICE_POWER, DIAGNOSTIC, DISABLE_KEYGUARD, DUMP, EXPAND_STATUS_BAR, FACTORY_TEST, FLASHLIGHT, FORCE_BACK, GET_ACCOUNTS, GET_PACKAGE_SIZE, GET_TASKS, GLOBAL_SEARCH, HARDWARE_TEST, INJECT_EVENTS, INSTALL_LOCATION_PROVIDER, INSTALL_PACKAGES, INTERNAL_SYSTEM_WINDOW, INTERNET, KILL_BACKGROUND_PROCESSES, MANAGE_ACCOUNTS, MANAGE_APP_TOKENS, MASTER_CLEAR, MODIFY_AUDIO_SETTINGS, MODIFY_PHONE_STATE, MOUNT_FORMAT_FILESYSTEMS, MOUNT_UNMOUNT_FILESYSTEMS, NFC, PERSISTENT_ACTIVITY, PROCESS_OUTGOING_CALLS, READ_CALENDAR, READ_CALL_LOG, READ_CONTACTS, READ_EXTERNAL_STORAGE, READ_FRAME_BUFFER, READ_HISTORY_BOOKMARKS, READ_INPUT_STATE, READ_LOGS, READ_PHONE_STATE, READ_PROFILE, READ_SMS, READ_SOCIAL_STREAM, READ_SYNC_SETTINGS, READ_SYNC_STATS, READ_USER_DICTIONARY, REBOOT, RECEIVE_BOOT_COMPLETED, RECEIVE_MMS, RECEIVE_SMS, RECEIVE_WAP_PUSH, RECORD_AUDIO, REORDER_TASKS, RESTART_PACKAGES, SEND_SMS, SET_ACTIVITY_WATCHER, SET_ALARM, SET_ALWAYS_FINISH, SET_ANIMATION_SCALE, SET_DEBUG_APP, SET_ORIENTATION, SET_POINTER_SPEED, SET_PREFERRED_APPLICATIONS, SET_PROCESS_LIMIT, SET_TIME, SET_TIME_ZONE, SET_WALLPAPER, SET_WALLPAPER_HINTS, SIGNAL_PERSISTENT_PROCESSES, STATUS_BAR, SUBSCRIBED_FEEDS_READ, SUBSCRIBED_FEEDS_WRITE, SYSTEM_ALERT_WINDOW, UPDATE_DEVICE_STATS, USE_CREDENTIALS, USE_SIP, VIBRATE, WAKE_LOCK, WRITE_APN_SETTINGS, WRITE_CALENDAR, WRITE_CALL_LOG, WRITE_CONTACTS, WRITE_EXTERNAL_STORAGE, WRITE_GSERVICES, WRITE_HISTORY_BOOKMARKS, WRITE_PROFILE, WRITE_SECURE_SETTINGS, WRITE_SETTINGS, WRITE_SMS, WRITE_SOCIAL_STREAM, WRITE_SYNC_SETTINGS, WRITE_USER_DICTIONARY
The list contains ~150 permissions; I have only ever seen that many on old BlackBerry devices.

Page 37:

[ Android. Permission Groups ]
ACCOUNTS, AFFECTS_BATTERY, APP_INFO, AUDIO_SETTINGS, BLUETOOTH_NETWORK, BOOKMARKS, CALENDAR, CAMERA, COST_MONEY, DEVELOPMENT_TOOLS, DEVICE_ALARMS, DISPLAY, HARDWARE_CONTROLS, LOCATION, MESSAGES, MICROPHONE, NETWORK, PERSONAL_INFO, PHONE_CALLS, SCREENLOCK, SOCIAL_INFO, STATUS_BAR, STORAGE, SYNC_SETTINGS, SYSTEM_CLOCK, SYSTEM_TOOLS, USER_DICTIONARY, VOICEMAIL, WALLPAPER, WRITE_USER_DICTIONARY
But there are only 30 permission groups; I have only ever seen that on old BlackBerry devices too.

Page 38:

[ Android. Efficiency (%) ]
(Chart: per permission group, "% m+a activity vs perm" and "% m+a derived activity vs perm", values from 0.00% up to 33.33% on a 0-50% axis. Per-group data labels are not recoverable from the transcript.)

Page 39:

[ Average quantitative indicators ]
(Reconstructed from the chart's data labels; the four columns follow the legend order Android, Windows, iOS, BlackBerry, and values are as printed. The chart itself was a 100%-stacked bar per indicator.)

Indicator                           | Android | Windows | iOS    | BlackBerry
Q. APIs                             | 394.86  | 435.95  | 119.31 | 102.74
Q. sign. APIs                       | 67.48   | 62.37   | 60.38  | 60.63
Q. of m.+a. activities              | 9.23    | 3.84    | 7.43   | 8.86
Q. of derived activities            | 32.48   | 9.68    | 17.07  | 29.26
Q. of m.+a. permissions             | 2.01    | 1.47    | 0.64   | 1.89
Q. of derived permissions           | 2.19    | 1.63    | 0.69   | 2.32
% m+a activities vs perm            | 38.4    | 54      | 9.06   | 42.04
% m+a derived vs perm               | 27.6    | 20.97   | 5.94   | 30.48
% m+a vs perm enhanced by MDM       | 38.4    | 58.06   | 16.99  | 48.06
% derived vs perm enhanced by MDM   | 27.6    | 22.76   | 9.21   | 32.79

Page 40:

MDM. Extend your device security capabilities: Android (controlled four groups only)
Camera and video: hide the default camera application
Password: define password properties (require letters incl. case, require numbers, require special characters); delete data and applications from the device after incorrect password attempts; device password; enable auto-lock; limit password age; limit password history; restrict password length (minimum length allowed for the device password)
Encryption: apply encryption rules; encrypt internal device storage
Email profiles: TouchDown support; Microsoft Exchange synchronization; ActiveSync

Page 41:

MDM. Extend your device security capabilities: iOS (controlled 16 groups only)
Browser: default app; autofill, cookies, JavaScript, popups
Camera, video, video conferencing: output, screen capture, default app
Certificates: untrusted certs
Cloud services: backup / document / picture / sharing
Connectivity: network, wireless, roaming; data and voice when roaming
Content: content (incl. explicit); ratings for apps / movies / TV shows / regions
Diagnostics and usage: submission logs
Messaging (default app): backup / document / picture / sharing
Online store: online stores, purchases, password; default store / book / music app
Messaging (default app)
Password: the same as for Android and new BlackBerry devices
Phone and messaging: voice dialing
Profiles & certs: interactive installation
Social (default app): social apps / gaming / adding friends / multi-player; default social-gaming / social-video apps
Storage and backup: device backup and encryption
Voice assistant: default app

Page 42:

MDM. Extend your device security capabilities: BlackBerry (new, 10, QNX) (controlled 7 groups only)
General: mobile hotspot and tethering; Plans app, AppWorld; password (the same as for Android and iOS); BES management (smartphones, tablets)
Software: open work email message links in the personal browser; transfer through the work perimeter to the same/another device; BBM Video access to the work network; the video chat app uses the organization's Wi-Fi/VPN network
Security: wipe the work space without network; restrict development mode; voice control & dictation in work & user apps; backup and restore (work) & desktop software; PC access to work & personal space (USB, BT); personal space data encryption; network access control for work apps; personal apps' access to work contacts; share work data during BBM Video screen sharing; work domains, work network usage for personal apps
Email profiles: certificates & ciphers & S/MIME; hash & encryption algorithms and key parameters; task/memo/calendar/contact/days sync
Wi-Fi profiles: access point, default gateway, DHCP, IPv6, SSID, IP address; proxy password/port/server/subnet mask
VPN profiles: proxy, SCEP, auth profile parameters; tokens, IKE, IPsec, other parameters; proxy ports, username, other parameters

Page 43:

MDM. Extend your device security capabilities: BlackBerry (old). A huge amount of permissions are MDM & device built-in.
There are 55 groups controlled in all; each group contains from 10 to 30 units, which are controlled too; each unit has a lot of flexible parameters instead of a plain 'disable/enable & hide/unhide' switch.
Each event is controlled by a certain permission, and may be controlled by similar permissions to be more flexible.
Described in 360 pages in all, four times more than the other vendors' documents.
Each unit can't control the activity under itself: the 'create, read, write/save, send, delete' actions on messages lead to spoofing by requesting a 'message' permission only.
Some permissions aren't required (e.g. to delete any other app).
Some permissions are related to the app in which a 3rd-party plugin was embedded, instead of to that plugin.

Page 44:

ISSUES: USELESS SOLUTIONS (useful ideas at first glance, but they make no sense)
Merging permissions into groups, e.g. the 'screen capture, camera, video' permissions are separate (old BlackBerry) but merged into one unit (new BlackBerry).
Screen capture is allowed via hardware buttons only; no emulation of hardware buttons as there was on old BlackBerry devices; it locks once the work perimeter is active, to prevent screen-capture loggers.
Officially announced sandbox: malware is still a personal-application subtype in terms of (in-)security; the sandbox protects only app data, while user data is stored in shared folders; the inability to back up makes developers store data in shared folders.

Page 45:

ISSUES: USELESS SOLUTIONS (useful ideas at first glance, but they make no sense)
Secure & insecure app at the same time: has encrypted communication sessions, yet may store chat conversations without encryption; stores sensitive data in plaintext (passwords, passport details, card info) and believes in the power of the sandbox.
The upgrade feature affects everything: it may update/remove any other app (surprise); repackaged apps still have access to the same data as the original app; the debug / non-original signature problem turns out not to be a problem.
Clipboard (a secure clipboard has never existed anywhere and might never): reveal the data in real time by one API call; accessible by APIs as well as file data (depends on your OS); native wallets protect it by returning null (old BlackBerry only) while they are on top, so just minimize or close them to get full access; every user must minimize the app to paste a password.

Page 46:

ISSUES: USELESS SOLUTIONS (useful ideas at first glance, but they make no sense)
GUI exploitation happens (old BlackBerry, Android repackages): redrawing the screens (old BB only), grabbing the text from any field (incl. the password field); adding or removing field data; the original data is inaccessible but not affected.
Kaspersky Mobile Security provides insecurity: no protection from removing .CODs & running under the simulator (to examine the traffic and behaviour); it should just check the "is simulator" API only.
SMS management via a "quite" secret SMS (not encrypted, hash only): the same secret among operating systems (BB, Android, Windows, ...); the password is 4-16 digits and can be modified in real time (old BlackBerry, or Android repackages); the SMS carries half a hash value of GOST R 34.11-94; the hash implementation uses the test crypto parameters and no salt; tables (value -> hash) are easily built; outgoing SMS can be spoofed without any notification, because KMS deletes the sent messages; an outgoing SMS could block/wipe the same/another device.
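Why the "tables are easily built" line above holds for any unsalted hash of a short numeric secret, as an added example by the editor (not code from the talk or from the product discussed). GOST R 34.11-94 is not in Python's standard library, so SHA-256 stands in; `hash_half()` is the single place to swap the real hash in. The "captured SMS" token is constructed from the function itself, not taken from any real message, and the HMAC variant at the end is the editor's counter-measure, not something the product did.

```python
"""Added example (not from the slides): reversing an unsalted, truncated
hash of a 4..16-digit secret by a precomputed table.

Stand-in hash: SHA-256 (GOST R 34.11-94 in the original). Inputs are
constructed; nothing here talks to a device or a real SMS.
"""
import hashlib
import hmac
import itertools
import os


def hash_half(secret: str) -> str:
    """Unsalted digest truncated to its first half, as the slide describes
    the SMS command token. Swap in the real hash here if you have one."""
    digest = hashlib.sha256(secret.encode("ascii")).hexdigest()
    return digest[: len(digest) // 2]


def build_table(digits: int) -> dict[str, list[str]]:
    """Precompute half-hash -> secrets for every code of the given length.
    A truncated digest can collide, so each entry keeps a list of candidates."""
    table: dict[str, list[str]] = {}
    for tup in itertools.product("0123456789", repeat=digits):
        code = "".join(tup)
        table.setdefault(hash_half(code), []).append(code)
    return table


def recover(token: str, max_digits: int = 6) -> list[str]:
    """Reverse a captured token by table lookup, trying code lengths 4..max_digits.
    10^6 entries is seconds of work on a laptop; 16 digits is out of reach,
    but nothing in the scheme forces a user past the 4-digit minimum."""
    for n in range(4, max_digits + 1):
        hits = build_table(n).get(token)
        if hits:
            return hits
    return []


def keyed_token(secret: str, device_key: bytes) -> str:
    """Editor's fix, not the product's: bind the token to a per-device random
    key with an HMAC, so a table built once is useless against any other device."""
    return hmac.new(device_key, secret.encode("ascii"), hashlib.sha256).hexdigest()[:32]


if __name__ == "__main__":
    captured = hash_half("4729")          # constructed 'intercepted SMS' token
    print("recovered secret(s):", recover(captured))
    print("keyed tokens differ per device:",
          keyed_token("4729", os.urandom(32)) != keyed_token("4729", os.urandom(32)))
```

The table for 4-digit codes is 10,000 entries and is built faster than the SMS arrives; because the secret is the same across the vendor's BlackBerry, Android and Windows builds, one table serves every platform, which is exactly the "tables are easily built" point. A per-device key (or at least a per-device salt) is what makes the precomputation stop paying off.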

Page 47:

COMPLIANCE AND MDM
CSA Mobile Device Management: Key Components: device diversity; configuration management; software distribution; device policy compliance & enforcement; enterprise activation; logging; security settings; security wipe, lock; IAM. Makes you start managing security under uncertain terms, without AI.
NIST SP 800-124: refers to NIST SP 800-53 and others; sometimes misses requirements such as locking the device, although it is in NIST SP 800-53; a bit more detailed than CSA; no statements on permission management. Makes you start managing security under uncertain terms, without AI.

Page 48:

CONCLUSION
Denial of service: replacing/removing files; DoS'ing events, GUI intercept
Information disclosure: clipboard, screen capture; GUI intercept; shared folders; dumping .cod/.bar/.apk... files
MITM (interception / spoofing): messages; GUI intercept, third-party apps; fake window / clickjacking
General permissions instead of specific sub-permissions
A few notification/event logs for the user, built per application instead of per app screen
Privileged general permissions own the features of the apps themselves, native & 3rd-party apps

Page 49:

CONCLUSION
Simplification and reduction of security controls: many general permissions, combined into each other
No activity logs for sub-permissions to prove transparency
Any security vulnerability is only fixed by an entirely new and different OS / kernel
A few permissions are close to the user's actions
The sandbox protects only application data; users have to store their data in shared folders or external storage; applications continue to store data in public folders because they are governed by the chance of availability
MITM / interception actions are often silent: the native spoofing and interception features
Compliance does not extend MDM capabilities, it just repeats them
The most granular security (permissions) is ruled by Amazon Web Services
Permissions should rely on the set of different useful cases instead of a specific permission list
The vendor security vision has nothing to do with reality, aggravated by simplicity