YURY_CHEMERKIN_NotaCon_2014_Conference.pdf
YuryChemerkin
19 views
39 slides
Jul 21, 2024
Slide 1 of 39
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
About This Presentation
This presentation from NotaCon 2014 examines the shift from Mobile Device Management (MDM) to Mobile Application Management (MAM) and the new challenges in mobile security. It discusses various aspects of enterprise mobile management, including network access control, antivirus solutions, mobile SIE...
Slide Content
MDM is gone, MAM is come.
New Challenges on mobile security
YURY CHEMERKIN
NotaCon2014
New Challenges on mobile security
YURY CHEMERKIN
NotaCon2014
MULTISKILLED SECURITY RESEARCHER, WORKS FOR RUSSIAN COMPANY
EXPERIENCED IN :
REVERSE ENGINEERING & AV, DEVELOPMENT (IN THE PAST)
MOBILE SECURITY, INCL. IAM, MDM, MAM, etc.
CYBER SECURITY & CLOUD SECURITY (INCL. IAM)
COMPLIANCE & FORENSICS ON MOBILE & CLOUD
WRITING(STO BLOG, HAKING, PENTEST, eFORENSICSMagazines)
PARTICIPATION AT CONFERENCES:
INFOSECURITY RUSSIA, NULLCON, ATHCON, CONFIDENCE, PHDAYS,
DEFCON MOSCOW, HACKERHALTED, HACKTIVITY, HACKFEST, NOTACON
CYBERCRIME FORUM, CYBER INTELLIGENCE EUROPE/INTELLIGENCE-SEC, DEEPINTEL
ICITST, CTICON, ITA, I-SOCIETY
[ YURY CHEMERKIN ]
www.linkedin.com/in/yurychemerkinhttp://sto-strategy.com [email protected]
EXPERIENCED IN :
REVERSE ENGINEERING & AV, DEVELOPMENT (IN THE PAST)
MOBILE SECURITY, INCL. IAM, MDM, MAM, etc.
CYBER SECURITY & CLOUD SECURITY (INCL. IAM)
COMPLIANCE & FORENSICS ON MOBILE & CLOUD
WRITING(STO BLOG, HAKING, PENTEST, eFORENSICSMagazines)
PARTICIPATION AT CONFERENCES:
INFOSECURITY RUSSIA, NULLCON, ATHCON, CONFIDENCE, PHDAYS,
DEFCON MOSCOW, HACKERHALTED, HACKTIVITY, HACKFEST, NOTACON
CYBERCRIME FORUM, CYBER INTELLIGENCE EUROPE/INTELLIGENCE-SEC, DEEPINTEL
ICITST, CTICON, ITA, I-SOCIETY
[ YURY CHEMERKIN ]
www.linkedin.com/in/yurychemerkinhttp://sto-strategy.com [email protected]
[ MDM FRAMEWORK ]
EMM (Enterprise Mobile Management)3
rd
Party Solutions to EMM
NAC: Network Access Control
(Management)
AV: Antiviruses Solution
Mobile SIEM: Log Management
Solution
DLP: Data-Leakage Prevention
COMPLIANCE: Standards, Best-
Practices, Guidelines, etc.
MDM: Mobile Device Management
MAM: Mobile Application
Management
MEM: Mobile Email Management
MIM: Mobile Information Management
Devices: Smartphones, Tablets
EMM (Enterprise Mobile Management)3
rd
Party Solutions to EMM
NAC: Network Access Control
(Management)
AV: Antiviruses Solution
Mobile SIEM: Log Management
Solution
DLP: Data-Leakage Prevention
COMPLIANCE: Standards, Best-
Practices, Guidelines, etc.
MDM: Mobile Device Management
MAM: Mobile Application
Management
MEM: Mobile Email Management
MIM: Mobile Information Management
Devices: Smartphones, Tablets
[ MDM FRAMEWORK :: MDM SOLUTIONS]
NAC: Network Access Control
(Management)
AV: Antiviruses Solution
Mobile SIEM: Log Management
Solution
DLP: Data-Leakage Prevention
COMPLIANCE: Standards, Best-
Practices, Guidelines, etc.
MDM: Mobile Device
Management
MAM: Mobile Application
Management
MEM: Mobile Email Management
MIM: Mobile Information
Management
Devices: Smartphones, Tablets
NAC: Network Access Control
(Management)
AV: Antiviruses Solution
Mobile SIEM: Log Management
Solution
DLP: Data-Leakage Prevention
COMPLIANCE: Standards, Best-
Practices, Guidelines, etc.
MDM: Mobile Device
Management
MAM: Mobile Application
Management
MEM: Mobile Email Management
MIM: Mobile Information
Management
Devices: Smartphones, Tablets
[ MDM FRAMEWORK :: MAM SOLUTIONS]
NAC: Network Access Control
(Management)
AV: Antiviruses Solution
Mobile SIEM: Log Management
Solution
DLP: Data-Leakage Prevention
COMPLIANCE: Standards, Best-
Practices, Guidelines, etc.
MDM: Mobile Device
Management
MAM: Mobile Application
Management
MEM: Mobile Email Management
MIM: Mobile Information
Management
Devices: Smartphones, Tablets
NAC: Network Access Control
(Management)
AV: Antiviruses Solution
Mobile SIEM: Log Management
Solution
DLP: Data-Leakage Prevention
COMPLIANCE: Standards, Best-
Practices, Guidelines, etc.
MDM: Mobile Device
Management
MAM: Mobile Application
Management
MEM: Mobile Email Management
MIM: Mobile Information
Management
Devices: Smartphones, Tablets
[ MDM FRAMEWORK :: MEM SOLUTIONS]
NAC: Network Access Control
(Management)
AV: Antiviruses Solution
Mobile SIEM: Log Management
Solution
DLP: Data-Leakage Prevention
COMPLIANCE: Standards, Best-
Practices, Guidelines, etc.
MDM: Mobile Device
Management
MAM: Mobile Application
Management
MEM: Mobile Email Management
MIM: Mobile Information
Management
Devices: Smartphones, Tablets
NAC: Network Access Control
(Management)
AV: Antiviruses Solution
Mobile SIEM: Log Management
Solution
DLP: Data-Leakage Prevention
COMPLIANCE: Standards, Best-
Practices, Guidelines, etc.
MDM: Mobile Device
Management
MAM: Mobile Application
Management
MEM: Mobile Email Management
MIM: Mobile Information
Management
Devices: Smartphones, Tablets
[ MOBILE DEVICE MANAGEMENT FRAMEWORK ]
NAC: Network Access Control
(Management)
AV: Antiviruses Solution
Mobile SIEM: Log Management
Solution
DLP: Data-Leakage Prevention
COMPLIANCE: Standards, Best-
Practices, Guidelines, etc.
MDM: Mobile Device
Management
MAM: Mobile Application
Management
MEM: Mobile Email Management
MIM: Mobile Information
Management
Devices: Smartphones, Tablets
NAC: Network Access Control
(Management)
AV: Antiviruses Solution
Mobile SIEM: Log Management
Solution
DLP: Data-Leakage Prevention
COMPLIANCE: Standards, Best-
Practices, Guidelines, etc.
MDM: Mobile Device
Management
MAM: Mobile Application
Management
MEM: Mobile Email Management
MIM: Mobile Information
Management
Devices: Smartphones, Tablets
EMM FEATURES : Who’re Vendors
Mobile platforms supporting
Mobile device management
Application management
Security
Document/content management
Network management
Service management
Integration with PC management
tools
Reporting
EMM FEATURES
KEY COMPONENTS
Mobile device management
Application management
Security
Document/content management
Network management
Service management
Integration with PC management
tools
Reporting
EMM FEATURES
KEY COMPONENTS
iOS
Android
Android Zoo ::
KNOX, SAFE, LG Gate, Kindle Fire
HD and Kindle Fire HDX, Nook HD
and Nook HD+, tablets, HTC One,
Nokia Lumina, Pidion&Panasonic
BlackBerry
Windows Mobile
Windows Phone
Mac OS X
Windows 8
Windows RT
EMM FEATURES
MOBILE PLATFORMS SUPPORTED :: ALMOST OF ALL
Android
Android Zoo ::
KNOX, SAFE, LG Gate, Kindle Fire
HD and Kindle Fire HDX, Nook HD
and Nook HD+, tablets, HTC One,
Nokia Lumina, Pidion&Panasonic
BlackBerry
Windows Mobile
Windows Phone
Mac OS X
Windows 8
Windows RT
EMM FEATURES
MOBILE PLATFORMS SUPPORTED :: ALMOST OF ALL
Password protection & reset
Remote & Selective device wipe
Remote lock
Set VPN, Wi-Fi, APN, proxy/gateway settings
Configuration monitoring/auditing
Automated provisioning/enrollment
Disable basic features (camera, Bluetooth, Wi-Fi, NFC, Cellular, etc.)
Manage mobile-attached devices (e.gprinters, scanners)
EMM FEATURES
EMM :: MDM
Remote & Selective device wipe
Remote lock
Set VPN, Wi-Fi, APN, proxy/gateway settings
Configuration monitoring/auditing
Automated provisioning/enrollment
Disable basic features (camera, Bluetooth, Wi-Fi, NFC, Cellular, etc.)
Manage mobile-attached devices (e.gprinters, scanners)
EMM FEATURES
EMM :: MDM
Full-featured enterprise app store
Containerization/sandboxing
App containerization using developer SDK/toolkit, app wrapping
Block copy/paste between apps, from email, etc.
Restrict which apps can open a given file
App inventory tracking / usage monitoring
Remote desktop access to apps and data on desktop from mobile
EMM FEATURES
EMM :: MAM
Containerization/sandboxing
App containerization using developer SDK/toolkit, app wrapping
Block copy/paste between apps, from email, etc.
Restrict which apps can open a given file
App inventory tracking / usage monitoring
Remote desktop access to apps and data on desktop from mobile
EMM FEATURES
EMM :: MAM
Application blacklisting/whitelisting, and Firewall
Data loss prevention (DLP)
Device compromise detection (jailbreak/rooting)
Device-level encryption, folders, emails
Geo-fencing, time-fencing
Mobile VPN, App-level micro VPN
Multifactor device/app authentication
Malware detection
EMM FEATURES
EMM :: SECURITY
Data loss prevention (DLP)
Device compromise detection (jailbreak/rooting)
Device-level encryption, folders, emails
Geo-fencing, time-fencing
Mobile VPN, App-level micro VPN
Multifactor device/app authentication
Malware detection
EMM FEATURES
EMM :: SECURITY
EMM FEATURES
EMM :: MANAGEMENT
Document -content
management
Network Management
Service Management
EMM :: MANAGEMENT
Document -content
management
Network Management
Service Management
Integrationwith PC management tools
Offers a separate or integrated PC management
tool
Integrates with a third-party tool
Offers integrated management console for PC
and mobile management
Offers integrated app store for both desktop
and mobile app deployment
Reports
Alerts
Automated responses to alerts
Automated, scheduled report delivery
Real-time dashboards
Device-level analytics
App-level analytics
EMM FEATURES
EMM :: MANAGEMENT
Offers a separate or integrated PC management
tool
Integrates with a third-party tool
Offers integrated management console for PC
and mobile management
Offers integrated app store for both desktop
and mobile app deployment
Reports
Alerts
Automated responses to alerts
Automated, scheduled report delivery
Real-time dashboards
Device-level analytics
App-level analytics
EMM FEATURES
EMM :: MANAGEMENT
[ MOBILE DEVICE MANAGEMENT FRAMEWORK ]
NAC: Network Access Control
(Management)
AV: Antiviruses Solution
Mobile SIEM: Log Management
Solution
DLP: Data-Leakage Prevention
COMPLIANCE: Standards, Best-
Practices, Guidelines, etc.
MDM: Mobile Device
Management
MAM: Mobile Application
Management
MEM: Mobile Email Management
MIM: Mobile Information
Management
Devices: Smartphones, Tablets
NAC: Network Access Control
(Management)
AV: Antiviruses Solution
Mobile SIEM: Log Management
Solution
DLP: Data-Leakage Prevention
COMPLIANCE: Standards, Best-
Practices, Guidelines, etc.
MDM: Mobile Device
Management
MAM: Mobile Application
Management
MEM: Mobile Email Management
MIM: Mobile Information
Management
Devices: Smartphones, Tablets
SECURE BOOTLOADER
SYSTEM SOFTWARE SECURITY (UPDATES)
APPLICATION CODE SIGNING
RUNTIME PROCESS SECURITY (SANDBOX, APIs)
HARDWARE SECURITY FEATURES
IN-REST PROTECTION
IN-TRANSIT PROTECTION (SSL, TLS, VPN)
PASSCODE PROTECTION
CENTRALIZED APPLICATION DISTRIBUTION
SETTINGS DELIVERY (PERMISSIONS, CONFIGURATIONS)
REMOTE MAGAGEMENT
LOG COLLECTION
[ MOBILE DEVICE SECURITY ENVIRONMENT ]
SPOT THE DIFFERENCE
SYSTEM SOFTWARE SECURITY (UPDATES)
APPLICATION CODE SIGNING
RUNTIME PROCESS SECURITY (SANDBOX, APIs)
HARDWARE SECURITY FEATURES
IN-REST PROTECTION
IN-TRANSIT PROTECTION (SSL, TLS, VPN)
PASSCODE PROTECTION
CENTRALIZED APPLICATION DISTRIBUTION
SETTINGS DELIVERY (PERMISSIONS, CONFIGURATIONS)
REMOTE MAGAGEMENT
LOG COLLECTION
[ MOBILE DEVICE SECURITY ENVIRONMENT ]
SPOT THE DIFFERENCE
GOALS -MOBILE RESOURCES / AIM OF ATTACK
DEVICE RESOURCES
OUTSIDE-OF-DEVICE RESOURCES
ATTACKS –SET OF ACTIONS UNDER THE THREAT
APIs -RESOURCES WIDELY AVAILABLE TO CODERS
SECURITY FEATURES
KERNEL PROTECTION , NON-APP FEATURES
PERMISSIONS -EXPLICITLY CONFIGURED
3
RD
PARTY
AV, FIREWALL, VPN, MDM
COMPLIANCE -RULES TO DESIGN SECURITY IN
ALIGNMENT WITH COMPLIANCE TO…
[ DEVICE MANAGEMENT ]
APPLICATION LEVEL ATTACK’S VECTORAV, MDM,
DLP, VPN
Goals
Attacks
APIs
APIs
Permissions
Kernel
protection
Non-app
features
MDM features
DEVICE RESOURCES
OUTSIDE-OF-DEVICE RESOURCES
ATTACKS –SET OF ACTIONS UNDER THE THREAT
APIs -RESOURCES WIDELY AVAILABLE TO CODERS
SECURITY FEATURES
KERNEL PROTECTION , NON-APP FEATURES
PERMISSIONS -EXPLICITLY CONFIGURED
3
RD
PARTY
AV, FIREWALL, VPN, MDM
COMPLIANCE -RULES TO DESIGN SECURITY IN
ALIGNMENT WITH COMPLIANCE TO…
[ DEVICE MANAGEMENT ]
APPLICATION LEVEL ATTACK’S VECTORAV, MDM,
DLP, VPN
Goals
Attacks
APIs
APIs
Permissions
Kernel
protection
Non-app
features
MDM features
�=�∪�∪�∪??????, �⊂�, ??????⊆�, ??????⊂??????
�–set of OS permissions, �–set of device permissions, �–set
of MDM permissions, �–set of missed permissions (lack of
controls), ??????–set of rules are explicitly should be applied to gain
a compliance
�=�+�, �⊃�∪�
�–set of APIs , �–set of APIs that interact with sensitive data,
�–set of APIs that do not interact with sensitive data
To get a mobile security designed with full granularity the set�
should be empty set to get �⊇�∪�instead of �⊃�∪�, so
the matter how is it closer to empty. On another hand it should
find out whether assumptions ??????⊆�, ??????⊂??????are true and if it is
possible to get ⊆??????.
Set of permissions < Set of activities efficiency is
typical case < 100%,
ability to control each API = 100%
More than 1 permission per APIs >100%
lack of knowledge about possible attacks
improper granularity
[ DEVICE MANAGEMENT ]
LACK OF GRANULATION CONTROLMDM features
AV, MDM, DLP,
VPN
Non-app features
Permissions
Kernel protection
�–set of OS permissions, �–set of device permissions, �–set
of MDM permissions, �–set of missed permissions (lack of
controls), ??????–set of rules are explicitly should be applied to gain
a compliance
�=�+�, �⊃�∪�
�–set of APIs , �–set of APIs that interact with sensitive data,
�–set of APIs that do not interact with sensitive data
To get a mobile security designed with full granularity the set�
should be empty set to get �⊇�∪�instead of �⊃�∪�, so
the matter how is it closer to empty. On another hand it should
find out whether assumptions ??????⊆�, ??????⊂??????are true and if it is
possible to get ⊆??????.
Set of permissions < Set of activities efficiency is
typical case < 100%,
ability to control each API = 100%
More than 1 permission per APIs >100%
lack of knowledge about possible attacks
improper granularity
[ DEVICE MANAGEMENT ]
LACK OF GRANULATION CONTROLMDM features
AV, MDM, DLP,
VPN
Non-app features
Permissions
Kernel protection
CAMERA AND VIDEO
HIDE THE DEFAULT CAMERA APPLICATION
PASSWORD
DEFINE PASSWORD PROPERTIES
REQUIRE LETTERS (incl. case)
REQUIRE NUMBERS
REQUIRE SPECIAL CHARACTERS
DELETE DATA AND APPLICATIONS FROM THE
DEVICE AFTER
INCORRECT PASSWORD ATTEMPTS
DEVICE PASSWORD
ENABLE AUTO-LOCK
LIMIT PASSWORD AGE
LIMIT PASSWORD HISTORY
RESTRICT PASSWORD LENGTH
MINIMUM LENGTH FOR THE DEVICE
PASSWORD THAT IS ALLOWED
ENCRYPTION
APPLY ENCRYPTION RULES
ENCRYPT INTERNAL DEVICE STORAGE
TOUCHDOWN SUPPORT
MICROSOFT EXCHANGE SYNCHRONIZATION
EMAIL PROFILES
ACTIVESYNC
MDM :: Believe in extending device security capabilities
Android has ~150 Permissions combined by 30 groupswhile MDM CONTROLS FOUR GROUPS ONLY
HIDE THE DEFAULT CAMERA APPLICATION
PASSWORD
DEFINE PASSWORD PROPERTIES
REQUIRE LETTERS (incl. case)
REQUIRE NUMBERS
REQUIRE SPECIAL CHARACTERS
DELETE DATA AND APPLICATIONS FROM THE
DEVICE AFTER
INCORRECT PASSWORD ATTEMPTS
DEVICE PASSWORD
ENABLE AUTO-LOCK
LIMIT PASSWORD AGE
LIMIT PASSWORD HISTORY
RESTRICT PASSWORD LENGTH
MINIMUM LENGTH FOR THE DEVICE
PASSWORD THAT IS ALLOWED
ENCRYPTION
APPLY ENCRYPTION RULES
ENCRYPT INTERNAL DEVICE STORAGE
TOUCHDOWN SUPPORT
MICROSOFT EXCHANGE SYNCHRONIZATION
EMAIL PROFILES
ACTIVESYNC
MDM :: Believe in extending device security capabilities
Android has ~150 Permissions combined by 30 groupswhile MDM CONTROLS FOUR GROUPS ONLY
BROWSER
DEFAULT APP,
AUTOFILL, COOKIES, JAVASCRIPT, POPUPS
CAMERA, VIDEO, VIDEO CONF
OUTPUT, SCREEN CAPTURE, DEFAULT APP
CERTIFICATES (UNTRUSTED CERTs)
CLOUD SERVICES
BACKUP / DOCUMENT / PICTURE / SHARING
CONNECTIVITY
NETWORK, WIRELESS, ROAMING
DATA, VOICE WHEN ROAMING
CONTENT
CONTENT (incl. EXPLICIT)
RATING FOR APPS/ MOVIES / TV SHOWS / REGIONS
DIAGNOSTICS AND USAGE (SUBMISSION LOGS)
MESSAGING (DEFAULT APP)
BACKUP / DOCUMENT PICTURE / SHARING
ONLINE STORE
ONLINE STORES , PURCHASES, PASSWORD
DEFAULT STORE / BOOK / MUSIC APP
MESSAGING (DEFAULT APP)
PASSWORD (THE SAME WITH ANDROID, NEW BLACKBERRY DEVICES)
PHONE AND MESSAGING (VOICE DIALING)
PROFILE & CERTs (INTERACTIVE INSTALLATION)
SOCIAL (DEFAULT APP)
SOCIAL APPS / GAMING / ADDING FRIENDS / MULTI-PLAYER
DEFAULT SOCIAL-GAMING / SOCIAL-VIDEO APPS
STORAGE AND BACKUP
DEVICE BACKUP AND ENCRYPTION
VOICE ASSISTANT (DEFAULT APP)
MDM :: Believe in extending device security capabilities
iOS has ~20 Permissions while MDM CONTROLS16 GROUPS ONLY
DEFAULT APP,
AUTOFILL, COOKIES, JAVASCRIPT, POPUPS
CAMERA, VIDEO, VIDEO CONF
OUTPUT, SCREEN CAPTURE, DEFAULT APP
CERTIFICATES (UNTRUSTED CERTs)
CLOUD SERVICES
BACKUP / DOCUMENT / PICTURE / SHARING
CONNECTIVITY
NETWORK, WIRELESS, ROAMING
DATA, VOICE WHEN ROAMING
CONTENT
CONTENT (incl. EXPLICIT)
RATING FOR APPS/ MOVIES / TV SHOWS / REGIONS
DIAGNOSTICS AND USAGE (SUBMISSION LOGS)
MESSAGING (DEFAULT APP)
BACKUP / DOCUMENT PICTURE / SHARING
ONLINE STORE
ONLINE STORES , PURCHASES, PASSWORD
DEFAULT STORE / BOOK / MUSIC APP
MESSAGING (DEFAULT APP)
PASSWORD (THE SAME WITH ANDROID, NEW BLACKBERRY DEVICES)
PHONE AND MESSAGING (VOICE DIALING)
PROFILE & CERTs (INTERACTIVE INSTALLATION)
SOCIAL (DEFAULT APP)
SOCIAL APPS / GAMING / ADDING FRIENDS / MULTI-PLAYER
DEFAULT SOCIAL-GAMING / SOCIAL-VIDEO APPS
STORAGE AND BACKUP
DEVICE BACKUP AND ENCRYPTION
VOICE ASSISTANT (DEFAULT APP)
MDM :: Believe in extending device security capabilities
iOS has ~20 Permissions while MDM CONTROLS16 GROUPS ONLY
GENERAL
MOBILE HOTSPOT AND TETHERING
PLANS APP, APPWORLD
PASSWORD (THE SAME WITH ANDROID, iOS)
BES MANAGEMENT (SMARTPHONES, TABLETS)
SOFTWARE
OPEN WORK EMAIL MESSAGES LINKS IN THE PERSONAL BROWSER
TRANSFER THOUGH WORK PERIMETER TO SAME/ANOTHER DEVICE
BBM VIDEO ACCESS TO WORK NETWORK
VIDEO CHAT APP USES ORGANIZATION’S WI-FI/VPN NETWORK
SECURITY
WIPE WORK SPACE WITHOUT NETWORK, RESTRICT DEV. MODE
VOICE CONTROL & DICTATION IN WORK & USER APPS
BACKUP AND RESTORE (WORK) & DESKTOP SOFTWARE
PC ACCESS TO WORK & PERSONAL SPACE (USB, BT)
PERSONAL SPACE DATA ENCRYPTION
NETWORK ACCESS CONTROL FOR WORK APPS
PERSONAL APPS ACCESS TO WORK CONTACTS
SHARE WORK DATA DURING BBM VIDEO SCREEN SHARING
WORK DOMAINS, WORK NETWORK USAGE FOR PERSONAL APPS
EMAIL PROFILES
CERTIFICATES & CIPHERS & S/MIME
HASH & ENCRYPTION ALGS AND KEY PARAMS
TASK/MEMO/CALENDAR/CONTACT/DAYS SYNC
WI-FI PROFILES
ACCESS POINT, DEFAULT GATEWAY, DHCP, IPV6, SSID, IP ADDRESS
PROXY PASSWORD/PORT/SERVER/SUBNET MASK
VPN PROFILES
PROXY, SCEP, AUTH PROFILE PARAMS
TOKENS, IKE, IPSEC OTHER PARAMS
PROXY PORTS, USERNAME, OTHER PARAMS
MDM . Extend your device security capabilities
BlackBerry (new, 10, QNX) CONTROLLED 7 GROUPS ONLY
MOBILE HOTSPOT AND TETHERING
PLANS APP, APPWORLD
PASSWORD (THE SAME WITH ANDROID, iOS)
BES MANAGEMENT (SMARTPHONES, TABLETS)
SOFTWARE
OPEN WORK EMAIL MESSAGES LINKS IN THE PERSONAL BROWSER
TRANSFER THOUGH WORK PERIMETER TO SAME/ANOTHER DEVICE
BBM VIDEO ACCESS TO WORK NETWORK
VIDEO CHAT APP USES ORGANIZATION’S WI-FI/VPN NETWORK
SECURITY
WIPE WORK SPACE WITHOUT NETWORK, RESTRICT DEV. MODE
VOICE CONTROL & DICTATION IN WORK & USER APPS
BACKUP AND RESTORE (WORK) & DESKTOP SOFTWARE
PC ACCESS TO WORK & PERSONAL SPACE (USB, BT)
PERSONAL SPACE DATA ENCRYPTION
NETWORK ACCESS CONTROL FOR WORK APPS
PERSONAL APPS ACCESS TO WORK CONTACTS
SHARE WORK DATA DURING BBM VIDEO SCREEN SHARING
WORK DOMAINS, WORK NETWORK USAGE FOR PERSONAL APPS
EMAIL PROFILES
CERTIFICATES & CIPHERS & S/MIME
HASH & ENCRYPTION ALGS AND KEY PARAMS
TASK/MEMO/CALENDAR/CONTACT/DAYS SYNC
WI-FI PROFILES
ACCESS POINT, DEFAULT GATEWAY, DHCP, IPV6, SSID, IP ADDRESS
PROXY PASSWORD/PORT/SERVER/SUBNET MASK
VPN PROFILES
PROXY, SCEP, AUTH PROFILE PARAMS
TOKENS, IKE, IPSEC OTHER PARAMS
PROXY PORTS, USERNAME, OTHER PARAMS
MDM . Extend your device security capabilities
BlackBerry (new, 10, QNX) CONTROLLED 7 GROUPS ONLY
THERE 55 GROUPS CONTROLLED IN ALL
EACH GROUP CONTAINSFROM 10 TO 30 UNITS
ARE CONTROLLED TOO
EACH UNIT IS UNDER A LOT OF FLEXIBLE PARAMs
INSTEADOF A WAY ‘DISABLE/ENABLED &
HIDE/UNHIDE’
EACH EVENT IS
CONTROLLED BY CERTAIN PERMISSION
ALLOWED TO CONTROL BY SIMILAR
PERMISSIONS TO BE MORE FLEXIBLE
DESCRIBED 360 PAGES IN ALL THAT IN FOUR TIME
MORE THAN OTHER DOCUMENTS
EACH UNIT CAN’T CONTROL ACTIVITY UNDER
ITSELF
‘CREATE, READ, WRITE/SAVE, SEND,
DELETE’ ACTIONS IN REGARDS TO
MESSAGES LEAD TO SPOOFING BY
REQUESTING A ‘MESSAGE’ PERMISSION
ONLY
SOME PERMISSIONS AREN’T REQUIRED (TO
DELETE ANY OTHER APP)
SOME PERMISSIONS ARE RELATED TO APP,
WHICH 3
RD
PARTY PLUGIN WAS EMBEDDED
IN, INSTEAD OF THAT PLUGIN
MDM . Extend your device security capabilities
Blackberry (old) Huge amount of permissions are MDM & device built-in
EACH GROUP CONTAINSFROM 10 TO 30 UNITS
ARE CONTROLLED TOO
EACH UNIT IS UNDER A LOT OF FLEXIBLE PARAMs
INSTEADOF A WAY ‘DISABLE/ENABLED &
HIDE/UNHIDE’
EACH EVENT IS
CONTROLLED BY CERTAIN PERMISSION
ALLOWED TO CONTROL BY SIMILAR
PERMISSIONS TO BE MORE FLEXIBLE
DESCRIBED 360 PAGES IN ALL THAT IN FOUR TIME
MORE THAN OTHER DOCUMENTS
EACH UNIT CAN’T CONTROL ACTIVITY UNDER
ITSELF
‘CREATE, READ, WRITE/SAVE, SEND,
DELETE’ ACTIONS IN REGARDS TO
MESSAGES LEAD TO SPOOFING BY
REQUESTING A ‘MESSAGE’ PERMISSION
ONLY
SOME PERMISSIONS AREN’T REQUIRED (TO
DELETE ANY OTHER APP)
SOME PERMISSIONS ARE RELATED TO APP,
WHICH 3
RD
PARTY PLUGIN WAS EMBEDDED
IN, INSTEAD OF THAT PLUGIN
MDM . Extend your device security capabilities
Blackberry (old) Huge amount of permissions are MDM & device built-in
HIGH LEVEL DEVICE MANAGEMENT
OPTIMIZED FOR CONFIGURATIONS DELIVERY
OPTIMIZED FOR PERMISSIONS DELIVERY
OPTIMIZED FOR INTERGRATION WITH AN INFRASTRUCTURE
OPTIMIZED FOR CONFIGURATION DELIVERY
LACK OF GRANULAR CONTROLS
SECURITY CONTROLS DEPEND ON MOBILE OS
EMM FAILS :: MDM
OPTIMIZED FOR CONFIGURATIONS DELIVERY
OPTIMIZED FOR PERMISSIONS DELIVERY
OPTIMIZED FOR INTERGRATION WITH AN INFRASTRUCTURE
OPTIMIZED FOR CONFIGURATION DELIVERY
LACK OF GRANULAR CONTROLS
SECURITY CONTROLS DEPEND ON MOBILE OS
EMM FAILS :: MDM
PACKAGED/WRAPPED APPLICATIONS
QUANTITY OF APPLICATION CHALLENGE ( OBVIOUSLY > 100 )
COOPERATION WITH APPLICATION VENDOR
SEPARATION OF PERSONAL, WORK, AND SUSPICIOUS APP
SERIOUSLY DIFFERENCE ON APP INTERFACES PER EACH OS WITH THE SAME APP
VPN
ENCRYPTION
ACCESS RESTRICTION (GEO, CREDENTIALS)
EMM FAILS :: MAM
QUANTITY OF APPLICATION CHALLENGE ( OBVIOUSLY > 100 )
COOPERATION WITH APPLICATION VENDOR
SEPARATION OF PERSONAL, WORK, AND SUSPICIOUS APP
SERIOUSLY DIFFERENCE ON APP INTERFACES PER EACH OS WITH THE SAME APP
VPN
ENCRYPTION
ACCESS RESTRICTION (GEO, CREDENTIALS)
EMM FAILS :: MAM
LACK OF TYPE FILES’ MANAGEMENT
LACK OF STORAGE SERVICES’ MANAGEMENT
LACK OF DEVICE FILES’ MANAGEMENT
LACK OF VENDOR SUPPORT
NEED OF A ROOT ACCESS TO DEVICE IN CERTAIN CASES
MOBILE OS INCAPABILITIES TO BE INTEGRATED WITH MIM SOLUTIONS
EMM FAILS :: MIM
LACK OF STORAGE SERVICES’ MANAGEMENT
LACK OF DEVICE FILES’ MANAGEMENT
LACK OF VENDOR SUPPORT
NEED OF A ROOT ACCESS TO DEVICE IN CERTAIN CASES
MOBILE OS INCAPABILITIES TO BE INTEGRATED WITH MIM SOLUTIONS
EMM FAILS :: MIM
[ KNOW YOUR APPLICATIONS ]
AFFECTED PLATFORMS
AFFECTED PLATFORMS
[ KNOW YOUR APPLICATIONS ]
Email, 73.00%
Messages, 85.00%
Calendar, 76.00%
Contacts, 95.00%
Notes, 89.00%
Calls, 93.00%
FEATURES VS PRIVACY :: BUILT-IN APP
Email, 73.00%
Messages, 85.00%
Calendar, 76.00%
Contacts, 95.00%
Notes, 89.00%
Calls, 93.00%
FEATURES VS PRIVACY :: BUILT-IN APP
[ KNOW YOUR APPLICATIONS ]
Kik Messenger,
79.00%
Viber, 87.00%
Whatsapp, 85.00%
Hangouts, 80.00%
Yahoo Messenger,
75.00%
Skout, 76.00%
WeChat, 78.00%
BBM, 86.00%
Facebook
Messenger, 87.00%
Lync, 61.00%
FEATURES VS PRIVACY :: IM APP
Kik Messenger,
79.00%
Viber, 87.00%
Whatsapp, 85.00%
Hangouts, 80.00%
Yahoo Messenger,
75.00%
Skout, 76.00%
WeChat, 78.00%
BBM, 86.00%
Messenger, 87.00%
Lync, 61.00%
FEATURES VS PRIVACY :: IM APP
[ KNOW YOUR APPLICATIONS ]
Vkontakte, 78.00%
Facebook, 83.00%
Instagram, 67.00%
Twitter, 81.00%
Google+, 55.00%
LinkedIn, 59.00%
Pinterest, 57.00%
MySpace, 61.00%
Groupon, 68.00%
So.Cl, 42.00%
Scribd, 63.00%
SlideShare, 67.00%
FEATURES VS PRIVACY :: SOCIAL APP
Vkontakte, 78.00%
Facebook, 83.00%
Instagram, 67.00%
Twitter, 81.00%
Google+, 55.00%
LinkedIn, 59.00%
Pinterest, 57.00%
MySpace, 61.00%
Groupon, 68.00%
So.Cl, 42.00%
Scribd, 63.00%
SlideShare, 67.00%
FEATURES VS PRIVACY :: SOCIAL APP
[ KNOW YOUR APPLICATIONS ]
Google Maps,
73.00%
FourSquare, 85.00%
Yandex Maps,
76.00%
Navitel, 64.00%TrackMe, 51.00%
GeoBucket, 54.00%
2GIS, 61.00%
Banjo, 62.00%
Trover, 69.00%
FEATURES VS PRIVACY :: GEO APP
Google Maps,
73.00%
FourSquare, 85.00%
Yandex Maps,
76.00%
Navitel, 64.00%TrackMe, 51.00%
GeoBucket, 54.00%
2GIS, 61.00%
Banjo, 62.00%
Trover, 69.00%
FEATURES VS PRIVACY :: GEO APP
[ KNOW YOUR APPLICATIONS ]
Box, 67.00%
Dropbox, 67.00%
OneDrive, 51.00%
Yandex.Disk, 65.00%
Mail.Ru, 65.00%
Amazon Cloud
Drive, 67.00%
DocsToGo, 71.00%
AdobeReader,
51.00%
QuickOffice, 71.00%
Office Mobile,
51.00%
eFax, 73.00%
AsusWebStorage,
51.00%
Google Disk, 57.00%
FEATURES VS PRIVACY :: OFFICE APP
Box, 67.00%
Dropbox, 67.00%
OneDrive, 51.00%
Yandex.Disk, 65.00%
Mail.Ru, 65.00%
Amazon Cloud
Drive, 67.00%
DocsToGo, 71.00%
AdobeReader,
51.00%
QuickOffice, 71.00%
Office Mobile,
51.00%
eFax, 73.00%
AsusWebStorage,
51.00%
Google Disk, 57.00%
FEATURES VS PRIVACY :: OFFICE APP
[ KNOW YOUR APPLICATIONS ]
Yelp, 57.00%
Hotels.com, 64.00%
BlackBerry Travel,
73.00%
Hilton, 78.00%
IHG, 81.00%
Hilton, 73.00%
SPG, 79.00%
Booking.com, 54.00%
Marriott, 56.00%Delta, 67.00%
British Airways, 23.00%
Aeroflot, 73.00%
United Airlines, 61.00%
American Airlines,
56.00%
JetBlue, 43.00%
HotelByMe, 23.00%
Miles & More, 27.00%
Lufthansa, 26.00%
KLM, 64.00%
S7, 62.00%
AnywayAnyday, 74.00%Taxi (any), 31.00%
FEATURES VS PRIVACY :: TRAVEL APP
Yelp, 57.00%
Hotels.com, 64.00%
BlackBerry Travel,
73.00%
Hilton, 78.00%
IHG, 81.00%
Hilton, 73.00%
SPG, 79.00%
Booking.com, 54.00%
Marriott, 56.00%Delta, 67.00%
British Airways, 23.00%
Aeroflot, 73.00%
United Airlines, 61.00%
American Airlines,
56.00%
JetBlue, 43.00%
HotelByMe, 23.00%
Miles & More, 27.00%
Lufthansa, 26.00%
KLM, 64.00%
S7, 62.00%
AnywayAnyday, 74.00%Taxi (any), 31.00%
FEATURES VS PRIVACY :: TRAVEL APP
[ KNOW YOUR APPLICATIONS ]
AlfaBank, 4.00%Raffeisen, 4.00%
RSB, 4.00%
Sberbank, 6.00%
Citibak, 3.00%
Tinkoff, 3.00%
Paypal, 16.00%
Qiwi, 14.00%
Megafon Money,
17.00%
Yandex Money,
17.00%
RBK Money, 22.00%
Mail.Ru Money,
15.00%
FEATURES VS PRIVACY :: BANK APP
AlfaBank, 4.00%Raffeisen, 4.00%
RSB, 4.00%
Sberbank, 6.00%
Citibak, 3.00%
Tinkoff, 3.00%
Paypal, 16.00%
Qiwi, 14.00%
Megafon Money,
17.00%
Yandex Money,
17.00%
RBK Money, 22.00%
Mail.Ru Money,
15.00%
FEATURES VS PRIVACY :: BANK APP
[ KNOW YOUR APPLICATIONS ]
In-the-Rest, 57.00%
In-the-Transit,
71.00%
In-the-Memory,
95.00%
PRIVACY LEAKAGE :: % OF DATA LEAKAGE
In-the-Rest, 57.00%
In-the-Transit,
71.00%
In-the-Memory,
95.00%
PRIVACY LEAKAGE :: % OF DATA LEAKAGE
[ KNOW YOUR APPLICATIONS ]
FORENSICS APPLICATION EXAMINATION :: EXCITING FAILS
App Type/ProtectionIn-Rest In-Memory In-Transit
built-in apps Plain-Text Plain-TextRarely Encrypted
IM apps Plain-Text Plain-TextWeak Encryption or SSL
Social app Plain-Text & Rarely Store smth Plain-TextBest case -SSL/HTTPS
Geo Apps Plain-Text Plain-TextBest case -SSL/HTTPS
Office Apps Plain-Text Plain-TextSSL/HTTPS
Travel Apps Best case -weak encryption Plain-TextPartially Encrypted
Bank apps Rarely Store smth & Good EncryptionPlain-TextEncrypted
FORENSICS APPLICATION EXAMINATION :: EXCITING FAILS
App Type/ProtectionIn-Rest In-Memory In-Transit
built-in apps Plain-Text Plain-TextRarely Encrypted
IM apps Plain-Text Plain-TextWeak Encryption or SSL
Social app Plain-Text & Rarely Store smth Plain-TextBest case -SSL/HTTPS
Geo Apps Plain-Text Plain-TextBest case -SSL/HTTPS
Office Apps Plain-Text Plain-TextSSL/HTTPS
Travel Apps Best case -weak encryption Plain-TextPartially Encrypted
Bank apps Rarely Store smth & Good EncryptionPlain-TextEncrypted
Is a secure bubble around each corporate application and its associated data
Helps in creating an encrypted space, or folder, into which applications and data
may be poured
Newer, more granular approach in which each app is enclosed in its own
encrypted policy wrapper, or container.
Allows administrators to tailor policies to each app.
Small vendors with proprietary approaches dominate the market, including
Mocana, BitzerMobile, OpenPeakand Symantec.
MAM SPECIFICS
APP WRAPPING :: ADVANTAGES
Helps in creating an encrypted space, or folder, into which applications and data
may be poured
Newer, more granular approach in which each app is enclosed in its own
encrypted policy wrapper, or container.
Allows administrators to tailor policies to each app.
Small vendors with proprietary approaches dominate the market, including
Mocana, BitzerMobile, OpenPeakand Symantec.
MAM SPECIFICS
APP WRAPPING :: ADVANTAGES
A Binary/Source application
modification
Implementation of missing features
Interception of API & other call-
methods
Tech Limits of wrapper approach
Preinstalled, & built-in apps
Access to binary codes depends on
OS
Org Limits of wrapper approach
License limitation
Consuming mobile device resources
to gather information
Many app-agents & app-agents
management
MAM SPECIFICS
APP WRAPPING :: DISADVANTAGES
modification
Implementation of missing features
Interception of API & other call-
methods
Tech Limits of wrapper approach
Preinstalled, & built-in apps
Access to binary codes depends on
OS
Org Limits of wrapper approach
License limitation
Consuming mobile device resources
to gather information
Many app-agents & app-agents
management
MAM SPECIFICS
APP WRAPPING :: DISADVANTAGES
Q & A
Categories
BusinessDownload
Download Slideshow Get the original presentation fileQuick Actions
Statistics
- Views 19
- Slides 39
- Age 499 days
Related Slideshows
1
DTI BPI Pivot Small Business - BUSINESS START UP PLAN
MeljunCortes
30 views
1
CATHOLIC EDUCATIONAL Corporate Responsibilities
MeljunCortes
31 views
11
Karin Schaupp – Evocation; lançamento: 2000
alfeuRIO
30 views
10
Pillars of Biblical Oneness in the Book of Acts
JanParon
27 views
31
7-10. STP + Branding and Product & Services Strategies.pptx
itsyash298
28 views
44
Business Legislation PPT - UNIT 1 jimllpkggg
slogeshk98
31 views