(PDF) Yury Chemerkin Balccon 2013

  • 7/22/2019 (PDF) Yury Chemerkin Balccon 2013

    1/50

    (IN-)EFFICIENCY OF SECURITY F

    ON MOBILE SECURITY AND COM

    YU

    Balkan Computer Congre

    2/50

    EXPERIENCED IN :

    REVERSE ENGINEERING & AV

    SOFTWARE PROGRAMMING & DOCUMENTATION

    MOBILE SECURITY AND MDM

    CYBER SECURITY & CLOUD SECURITY

    COMPLIANCE & TRANSPARENCY

    FORENSICS AND SECURITY WRITING

    HAKIN9 / PENTEST / EFORENSICS MAGAZINE, GROTECK BUSINESS MEDIA

    PARTICIPATION AT CONFERENCES

    INFOSECURITYRUSSIA, NULLCON, ATHCON, CONFIDENCE, PHDAYS,

    DEFCONMOSCOW, HACTIVITY, HACKFEST

    CYBERCRIME FORUM, CYBER INTELLIGENCE EUROPE/INTELLIGENCE-SEC, DEEPINTEL

    ICITST, CTICON (CYBERTIMES), ITA, I-SOCIETY

    [ YURY CHEMERKIN ]

    www.linkedin.com/in/yurychemerkin

    http://sto-strategy.com yury.s@che
    3/50

    APPLE'S CENTRALIZED POINT OF DISTRIBUTION IS PROVIDING CONFIDENCE THROUGH THE VALIDATION BY APPLE, EXCEPT

    THE SUBMISSION OF A SUSPICIOUS APP BY Ch. MILLER THAT HAD BEEN SUCCESSFULLY APPROVED BY APPLE, INSTALLING CYDIA & THE REST OF THE APPS AFTER THAT

    MICROSOFT (WINDOWS PHONE) HAS A CENTRALIZED MARKET WITH DEEPER TESTING AND VALIDATION, LIKE APPLE

    GOOGLE PROVIDES A CENTRAL TOO, HOWEVER PROVIDES ABIL APPS FROM 3RD-PARTY SOURCE AMAZON.

    ANY OTHER ARE ORIGINA

    MALWARE HOTSPOTS ANY ALTERNATIVE MARKE

    CALLED CRACKED DISTR

    REPACKAGES

    BLACKBERRY IS THE SAFEST, THE MOST MANAGEABLE AND AS IT IS ON AN ENTERPRISE WA

    [ OPINIONS ]

    BLACKBERRY IS SAFER THAN WINDOWS THAT IS SAFER THAN iOS THAT IS SAFER THAN AN

    4/50

    [ Vulnerabilities of OS and apps ]

    Chart: vulnerability score (0-10) by year, 2004-2013. Series: Score - iOS, Score - Android, Score - BB.

    5/50

    [ Vulnerabilities of OS and apps ]

    Min & Average Score

    iOS Average: 6,3
    Android Average: 8,2
    BB Average: 6,3
    iOS Min: 1,2
    Android Min: 1,9
    BB Min

    6/50

    HOW MANY TOOLS ARE THERE (approx):

    iOS 10

    ANDROID 50

    WINDOWS PHONE 40

    BLACKBERRY 10

    QUANTITY OF BUGS / SECURITY FLAWS: AVERAGE 50

    MIN 20

    MAX INFINITY, WARNING :: ADS

    VERACODE: THE MOST USEFUL

    BUG TYPES (OBVIOUS | LIKELY)

    MISSED CONSTRUCTIONS, DOUBLE/TRIPLE FREE ()

    DEBUG PATHS, KEY, AND E

    PLAINTEXT & HARD-CODED TOKENS, MASTER-KEYS, E

    NON-SECURE FLAWS, COETC.

    CHECK OUT THE SQL-INJECTION I

    THERE IS NO HTTPS H

    [ SOURCE & BINARY ANALYSIS TOO

    HEY DUDE, WHY IS IT VULNERABLE AGAIN? SORRY, BIG BOSS, I'D JUST BEEN COMMITTED

    7/50

    SECURE BOOTLOADER

    SYSTEM SOFTWARE SECURITY (UPDATES)

    APPLICATION CODE SIGNING

    RUNTIME PROCESS SECURITY

    SANDBOX

    APIs

    HARDWARE SECURITY FEATURES

    FILE DATA PROTECTION

    SSL, TLS, VPN

    PASSCODE PROTECTION

    SETTINGS

    PERMISSIONS/ RESTRICTIONS

    CONFIGURATIONS

    REMOTE MANAGEMENT

    MDM

    REMOTE WIPE

    [ MOBILE SECURITY CAPABILITIES

    THE SAME CAPABILITIES AMONG MOBILE OPERATING SYSTEMS

    8/50

    MDM SERVICES HELP MANAGE AND PROTECT BLACKBERRY, iOS, WINDOWS, AND ANDROID

    MDM SERVICES PROVIDE UNIFIED COMMUNICATION AND COLLABORATION SOFTWARE AND

    EACH OS IS DESIGNED TO PROTECT DATA IN TRANSIT, IN MEMORY AND IN STORAGE AT ALL PO

    MDM SERVICES ARE ENHANCED BY MANAGING THE BEHAVIOR OF THE DEVICE

    THE OS PROVIDES A CAPABILITY TO PROTECT ANY APPLICATION DATA USING SANDBOXING

    THE OS PROVIDES A CAPABILITY TO MANAGE PERMISSIONS TO ACCESS ITS CAPABILITIES

    THE OS EVALUATES ALL REQUESTS MADE BY AN APP ... BUT LEADS AWAY FROM ANY DETAILS AND

    [ SECURITY ENVIRONMENT ]

    EACH OS EVALUATES EVERY REQUEST THAT AN APPLICATION MAKES TO ACCES

    9/50

    ALL CONTROLLED OBJECTS ARE LIMITED BY

    SANDBOX

    PERMISSIONS

    SECURITY FEATURES ON DEVICEs & MDMs

    ADDITIONAL FEATURES AREN'T ACCESSIBLE ON

    DEVICE

    USER-MODE MALWARE

    SPYWARE, ROOTKITS

    EXPLOITS & ATTACKS

    REVERSING NETWORK LAYER

    RECOVERING DATA VS. SANDBOX & MEMORY

    EXPLOITING TO GET SUPER PRIVILEGES

    MDM vs. COMPLIANCE

    COMMON RECOMMENDATI

    SET IS LESSER THAN SET OF M

    QUITE BETTER TO MANAGE

    THAN DEVICE AT ALL

    TOO FAR FROM DETAILS

    YOUNG STANDARDS

    FIRST REVISIONS, DRA

    MOBILE SECURITY SOFTWARE

    READ-ONLY MODE / INFORM

    APPLICATION FIREWALL (CAL

    NETWORK FIREWALL REQUIR

    NO REAL SECURITY IF YOU BR

    [ KNOWN ISSUES ]

    THREAT BOUNDS BECOME UNCLEAR; MDM & COMPLIANCE BRING COM

    RECOMMENDATIONS

    10/50

    BYPASS MDM SOLUTIONS

    iOS, ANDROID

    EXPLOITS, DUMP /MEM TO GET EMAILS

    BLACKHAT EU13 http://goo.gl/HN829p

    BLACKBERRY PLAYBOOK

    EXPLOITS, MITM, DUMP ALL FILES: SECTOR11, INFILTRATE12, SOURCE

    BOSTON13 http://goo.gl/KaTtFG

    GAIN ROOT ACCESS

    ANDROID

    APP SIGNATURE EXPLOITATION

    APP MODIFICATION

    BLACKHAT USA13 http://goo.gl/p5FhWG

    TIME-FRAME TO FIX

    7+ MONTH or WAIT FOR

    WAIT FOR A VENDORS I ANALYSIS OF APPS DATA IN THE

    BLACKBERRY, iOS

    DATA LEAKAGE REVEAL PASSWORDS,

    BLACKHAT EU12 http

    ANDROID

    DATA LEAKAGE

    WEAKNESS OF CRYPT

    PHDAY III 13 http://g

    [ KNOWN ISSUES. Examples ]

    11/50

    PLAYBOOK ARTIFACTS (see the previous slide)

    BROWSER HISTORY

    NETWORKING IDs, FLAGS, MACs

    VIDEO CALLS DETAILS

    ACCESS TO INTERNAL NETWORK

    KERNEL BLACKBERRY Z10

    DUMP MICROKERNEL

    EVEN DEVELOPERS CREDENTIALS

    (FACEBOOK, MOBILE, EMAILS) BLACKHAT

    DEFCON MOSCOW http://goo.gl/R74leX

    GUI FAILS

    BLACKBERRY OS

    DATA LEAKAGE

    REVEAL PASSWORDS, A

    NO PERMISSIONS REQUE

    BORROW PERMISSIONS

    NullCon13, CONFIDENC

    http://goo.gl/phMey2

    [ KNOWN ISSUES. Examples ]

    12/50

    Account

    country code, phone number

    Device Hardware Key

    login / tokens of Twitter & Facebook

    Calls history

    Name + internal ID

    Duration + date and time

    Address book

    Quantity of contacts / viber-contacts

    Full name / Email / phone numbers

    Messages

    Conversations

    Quantity of message

    per conversations

    Additional participan

    phone)

    Messages Date & Time

    content of message

    ID

    [ APPLICATION EXAMINATION ]

    ONLY THOSE I HAVE TO USE EVERY DAY FORENSICS EXAMINATION

    13/50

    Account

    country code, phone number

    login / tokens: Facebook wasn't revealed

    Buy me for.$$$

    Avatars :: [email protected] (jfif)

    Address book No records of address book were revealed

    Check log-file and find these records (!)

    Messages

    Messages

    Date & Time

    content of message

    ID :: [email protected]

    [ APPLICATION EXAMINATION ]

    ONLY THOSE I HAVE TO USE EVERY DAY FORENSICS EXAMINATION

    14/50

    Account

    Phone number

    Password, secret code weren't revealed

    Trace app, find the methods that use it

    Repack app and have fun

    No masking of data typed

    Information

    Amount

    Full info in history section (incl. info about

    who receive money)

    Connected cards

    Encryption?

    No

    Bank cards

    Masked card number

    Qiwi Bank cards

    Full & masked numbe

    Cvv/cvc

    All other card info

    [ APPLICATION EXAMINATION ]

    ONLY THOSE I HAVE TO USE EVERY DAY FORENSICS EXAMINATION

    15/50

    Account

    ID , email, password

    Information

    Loyalty (bonus) of your membership

    all you ever type

    Date of birth Passport details

    Book/order history

    Routes,

    Date and time,

    Bonus earning

    Full info per each order

    Connected cards

    Encryption?

    AES

    256 bit

    On password

    anywayanydayanywa Store in plaintext

    Sizeof(anywayanyday

    192 bit

    [ APPLICATION EXAMINATION ]

    ONLY THOSE I HAVE TO USE EVERY DAY FORENSICS EXAMINATION

    16/50

    Account

    ID ,bonus card number, password not revealed

    Other id & tokens

    Information

    Date of birth

    Passport details History (airlines, city, flight number only)

    Flights tickets, logins credentials

    Repack app and grab it

    [ APPLICATION EXAMINATION ]

    ONLY THOSE I HAVE TO USE EVERY DAY FORENSICS EXAMINATION

    17/50

    Account

    ID , password

    Loyalty (bonus) card number

    Information

    Not revealed (tickets, history or else)

    Repack app

    [ APPLICATION EXAMINATION ]

    ONLY THOSE I HAVE TO USE EVERY DAY FORENSICS EXAMINATION

    18/50

    Account

    ID , email, password

    Other id & tokens

    Information

    Loyalty (bonus) of your membership

    all you ever type Date of birth

    Passport details

    All PASSPORT INFO (not only travel data)

    Your work data (address, job, etc.) you have never typed!

    Flights tickets

    Repack app and grab it

    [ APPLICATION EXAMINATION ]

    ONLY THOSE I HAVE TO USE EVERY DAY FORENSICS EXAMINATION

    19/50

    GOALS - MOBILE RESOURCES / AIM OF ATTACK

    DEVICE RESOURCES

    OUTSIDE-OF-DEVICE RESOURCES

    ATTACKS - SET OF ACTIONS UNDER THE THREAT

    APIs - RESOURCES WIDELY AVAILABLE TO CODERS

    SECURITY FEATURES

    KERNEL PROTECTION , NON-APP FEATURES

    PERMISSIONS - EXPLICITLY CONFIGURED

    3RD PARTY

    AV, FIREWALL, VPN, MDM

    COMPLIANCE - RULES TO DESIGN A MOBILE SECURITY

    IN ALIGNMENT WITH COMPLIANCE TO

    [ DEVICE MANAGEMENT ]

    APPLICATION LEVEL ATTACKS VECTOR

    AV, MDM,

    DLP, VPN

    Attacks

    APIs

    MDM feature

    20/50

    = , , ,

    set of OS permissions, set of device permissions, set of MDM permissions, set of missed permissions (lack of controls), set of rules that explicitly should be applied to gain compliance

    = + ,

    set of APIs, set of APIs that interact with sensitive data, set of APIs that do not interact with sensitive data

    To get a mobile security designed with full granularity the set should be an empty set to get instead of , so the matter is how close it is to empty. On the other hand it should be found out whether assumptions , are true and if it is possible to get .

    Set of permissions < Set of activities ef

    typical case < 100%,

    ability to control each API = 100%

    More than 1 permission per API > 10

    lack of knowledge about possi

    improper granularity

    [ DEVICE MANAGEMENT ]

    Concurrency over native& additional security features The situation is very serio

    MDM features

    P
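The set model on this slide can be made concrete in code. The following is an added example, not from the deck: it builds the sets named above (OS, device and MDM permissions; APIs split into sensitive and non-sensitive), derives the "missed" set of sensitive APIs that no permission controls, flags APIs gated by more than one permission, and computes the ratio the deck charts as "% activity vs perm", read here as the permissions reaching a feature divided by the sensitive APIs (activities) under it, so that 100% means one control per activity. The features, API names and permission names are constructed for illustration, and that reading of the ratio is an assumption.

```python
"""Set model of permission granularity (added example; constructed data).

Three control layers (OS, device, MDM) each map a permission to the API
calls it gates.  The model reports:
  * missed      - sensitive APIs that no permission controls (lack of controls)
  * overlapping - APIs gated by more than one permission
  * efficiency  - per feature: permissions reaching it / sensitive APIs in it,
                  in percent (100 % = one control per activity)
Reading the deck's '% activity vs perm' as that ratio is an assumption.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Api:
    name: str
    feature: str
    sensitive: bool  # does the call touch user or device data?


@dataclass
class PermissionModel:
    apis: set[Api]
    os_perms: dict[str, set[str]]      # OS permission -> API names it gates
    device_perms: dict[str, set[str]]  # device setting -> API names it gates
    mdm_perms: dict[str, set[str]]     # MDM policy -> API names it gates

    def all_perms(self) -> dict[str, set[str]]:
        """Union of the three control layers, keyed by permission name."""
        merged: dict[str, set[str]] = {}
        for layer in (self.os_perms, self.device_perms, self.mdm_perms):
            for perm, gated in layer.items():
                merged.setdefault(perm, set()).update(gated)
        return merged

    def sensitive_apis(self) -> set[Api]:
        return {a for a in self.apis if a.sensitive}

    def missed(self) -> set[Api]:
        """Sensitive APIs with no controlling permission at any layer."""
        gated = set().union(*self.all_perms().values())
        return {a for a in self.sensitive_apis() if a.name not in gated}

    def overlapping(self) -> set[str]:
        """API names gated by more than one permission."""
        hits: dict[str, int] = {}
        for gated in self.all_perms().values():
            for name in gated:
                hits[name] = hits.get(name, 0) + 1
        return {name for name, n in hits.items() if n > 1}

    def efficiency(self, feature: str) -> float:
        """Permissions that reach the feature / sensitive APIs in it, as %."""
        activities = {a.name for a in self.sensitive_apis() if a.feature == feature}
        if not activities:
            return 0.0
        perms = {p for p, gated in self.all_perms().items() if gated & activities}
        return round(100.0 * len(perms) / len(activities), 2)

    def report(self) -> dict[str, float]:
        """Efficiency per feature that has at least one sensitive API."""
        features = sorted({a.feature for a in self.sensitive_apis()})
        return {f: self.efficiency(f) for f in features}


# Constructed sample: three features, three control layers (hypothetical names).
MODEL = PermissionModel(
    apis={
        Api("send_sms", "Text messages", True),
        Api("read_sms", "Text messages", True),
        Api("sms_count", "Text messages", False),
        Api("take_photo", "Camera", True),
        Api("record_video", "Camera", True),
        Api("flash_on", "Camera", False),
        Api("clipboard_get", "Clipboard", True),
        Api("clipboard_set", "Clipboard", True),
    },
    os_perms={
        "text_messages": {"send_sms", "read_sms"},
        "camera": {"take_photo", "record_video"},
    },
    device_perms={},  # no per-device toggle in this sample
    mdm_perms={"disable_camera": {"take_photo", "record_video"}},
)

if __name__ == "__main__":
    print("missed:", sorted(a.name for a in MODEL.missed()))
    print("overlapping:", sorted(MODEL.overlapping()))
    print("efficiency:", MODEL.report())
```

In the sample, the clipboard is the "missed" set (two sensitive calls, no control at any layer, efficiency 0%), text messaging shows the typical coarse case (one permission over two activities, 50%), and the camera reaches 100% only because the MDM policy duplicates the OS permission, which `overlapping()` flags as the "more than one permission per API" situation the slide warns about.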

    21/50

    [ BLACKBERRY. PERMISSIONS ]

    BB 10 Cascades SDK BB 10 AIR SDK PB (ND

    Background processing + +

    BlackBerry Messenger -

    Calendar, Contacts + via invo

    Camera + +

    Device identifying information + +

    Email and PIN messages + via invo

    GPS location + +

    Internet + +

    Location +

    Microphone + +

    Narrow swipe up - +

    Notebooks +

    Notifications + +

    Player - +

    Phone +

    Push +

    Shared files + +

    Text messages +

    Volume - +

    22/50

    [ BLACKBERRY. Significant APIs ]

    Feature                  Q. APIs  Q. sign. APIs  % (sign. APIs)
    BlackBerry Messenger         77        70          90,91
    Calendar                    443       126          28,44
    Camera                       47        41          87,23
    Contacts                    316       150          47,47
    Device identifying info      15        14          93,33
    Email & PIN messages        347       211          60,81
    Internet                    161       145          90,06
    Microphone                   21        15          71,43
    Notebooks                   123        86          69,92
    Notifications                32        24          75,00
    Phone                        27        22          81,48
    Push                         25        22          88,00
    Shared files                 78        70          89,74
    Text messages                10         6          60,00
    Account                      66        21          31,82
    MediaPlayer                  66        63          95,45
    NFC                          24        11          45,83
    Radio & SIM                  68        51          75,00
    Clipboard                     6         4          66,67

    23/50

    [ BLACKBERRY. Common activities ]

    Chart: Q. of m.+a. activity and Q. of m.+a. permission per feature (axis 0-35).

    24/50

    [ BLACKBERRY. Derived activities ]

    Chart: Q. of derived activities and Q. of derived perm per feature (axis 0-120).

    25/50

    [ BLACKBERRY. Efficiency (%) ]

    Chart: % m+a activity vs perm and % m+a derived activity vs perm per feature (axis 0,00-250,00).

    26/50

    [ iOS. Info.plist (app capabilities) ]

    Key Description

    auto-focus-camera handle autofocus capabilities in the device's still camera in case of macro photography or im

    bluetooth-le handle the presence of Bluetooth low-energy hardware on the device.

    camera-flash handle a camera flash for taking pictures or shooting video.

    front-facing-camera handle a forward-facing camera such as capturing video from the device's camera.

    gamekit handle Game Center.

    gps handle GPS (or AGPS) hardware to track locations in case of need for higher accuracy more

    location-services retrieve the device's current location using the Core Location framework through Cellular/Wi-F

    microphone handle the built-in microphone and its accessories

    peer-peer handle peer-to-peer connectivity over a Bluetooth network.

    sms handle the presence of the Messages application such as opening URLs with the sms scheme.

    still-camera handle the presence of a camera on the device such as capturing images from the device's stil

    telephony handle the presence of the Phone application such as opening URLs with the telephony schem

    video-camera handle the presence of a camera with video capabilities on device such as capturing video fro

    wifi access to the networking features of the device.

    27/50

    [ iOS. Settings ]

    Component Unit

    Restrictions :: Native application

    Safari

    Camera, FaceTime

    iTunes Store, iBookstore

    Siri

    Manage applications*

    Restrictions :: 3rd party application

    Manage applications*

    Explicit Language (Siri)

    Privacy*, Accounts*

    Content Type Restrictions*

    Unit subcomponents

    Privacy :: Location

    Per each 3rd party app

    For system services

    Privacy :: Private Info

    Contacts, Calendar, Reminders, P

    Bluetooth Sharing

    Twitter, Facebook

    Accounts

    Disables changes to Mail, Contacts, Calendars, iClou

    Find My Friends

    Volume limit

    Content Type Restrictions

    Ratings per country and regio

    Music and podcasts

    Movies, Books, Apps, TV show

    In-app purchases

    Require Passwords (in-app purch

    Game Center

    Multiplayer Games

    Adding Friends (Game Center

    Manage applications

    Installing Apps

    Removing Apps

    28/50

    [ iOS. Common activities ]

    Chart: Q. of m.+a. activity, Q. of m.+a. permission and Q. of m.+a. perm plus parenta per feature (axis 0-20).

    29/50

    [ iOS. Derived activities ]

    Chart: Q. of derived activities, Q. of derived perm and Q. of derived perm plus paren per feature (axis 0-80).

    30/50

    [ iOS. Efficiency (%) ]

    Chart: % m+a activity vs perm, % m+a derived activity vs perm, Q. of m.+a. perm plus parental perm and Q. of derive per feature (axis 0%-100%).

    31/50

    [ Windows. Permissions ]

    Permission Description

    General use capabilities

    musicLibrary provides access to the user's Music library, allowing the app to enumerate and access all fi

    picturesLibrary provides access to the user's Pictures library, allowing to enumerate and access all files

    videosLibrary provides access to the user's Videos library, allowing the app to enumerate and access al

    removableStorage provides access to files on removable storage, such as USB keys and external hard drives,

    microphone provides access to the microphone's audio feed, which allows to record audio from conn

    webcam provides access to the webcam's video feed, which allows to capture snapshots, movies fro

    location provides access to location functionality like a GPS sensor or derived from availab

    proximity enables multiple devices in close proximity to communicate with one another via poss Bluetooth, WiFi, and the internet.

    internetClient, internetClientServer provides outbound (inbound is for server only) access to the Internet, public networ

    privateNetworkClientServer provides inbound and outbound access to home and work networks through the firew applications that share data across local devices.

    Special use capabilities

    enterpriseAuthentication enable a user to log into remote resources using their credentials, and act as if a user provid password.

    sharedUserCertificates enables access to software and hardware certificates like smart card

    documentsLibrary provides access to the user's Documents library, filtered to the file type asso

    32/50

    [ Windows. Significant APIs ]

    Feature                         Q. APIs  Q. sign. APIs  % (sign. APIs)  Co

    General use capabilities
    Notifications                       68         4            5,88          +
    Music library                     1300       138           10,62          +
    Pictures library                  1157       133           11,50          +
    Videos library                    1300       138           10,62          +
    Removable storage                 1045       109           10,43          +
    Microphone                         274        33           12,04          +
    Webcam                             409        91           22,25          +
    Location                            37         5           13,51          +
    Proximity                           54        19           35,19          +
    Internet and public networks       488       134           27,46          +
    Home and work networks             488       134           27,46          +

    Special use capabilities
    Enterprise authentication            8         4           50,00          +
    Shared User Certificates            20         5           25,00          +
    Documents library                 1045       126           12,06          +

    Non-controlled capabilities
    Clipboard                          132        20           15,15          -
    Phone                               18         6           33,33          -
    SMS                                122        25           20,49          -
    Contacts                            97        31           31,96          -
    Device Info                        221        30           13,57          -

    33/50

    [ Windows. Common Activities ]

    Chart: Q. of m.+a. activity and Q. of m.+a. permission per capability (axis 0-14).

    34/50

    [ Windows. Derived Activities ]

    Chart: Q. of derived activities and Q. of derived perm per capability (axis 0-25).

    35/50

    [ Windows. Efficiency (%) ]

    Chart: % m+a activity vs perm and % m+a derived activity vs perm per capability (axis 0,00-120,00).

    36/50

    ACCESS_CHECKIN_PROPERTIES, ACCESS_COARSE_LOCATION, ACCESS_FINE_LOCATION, ACCESS_LOCATION_EXTRA_COMMANDS,
    ACCESS_MOCK_LOCATION, ACCESS_NETWORK_STATE, ACCESS_SURFACE_FLINGER, ACCESS_WIFI_STATE, ACCOUNT_MANAGER,
    ADD_VOICEMAIL, AUTHENTICATE_ACCOUNTS, BATTERY_STATS, BIND_ACCESSIBILITY_SERVICE, BIND_APPWIDGET,
    BIND_DEVICE_ADMIN, BIND_INPUT_METHOD, BIND_REMOTEVIEWS, BIND_TEXT_SERVICE, BIND_VPN_SERVICE, BIND_WALLPAPER,
    BLUETOOTH, BLUETOOTH_ADMIN, BRICK, BROADCAST_PACKAGE_REMOVED, BROADCAST_SMS, BROADCAST_STICKY,
    BROADCAST_WAP_PUSH, CALL_PHONE, CALL_PRIVILEGED, CAMERA, CHANGE_COMPONENT_ENABLED_STATE, CHANGE_CONFIGURATION,
    CHANGE_NETWORK_STATE, CHANGE_WIFI_MULTICAST_STATE, CHANGE_WIFI_STATE, CLEAR_APP_CACHE, CLEAR_APP_USER_DATA,
    CONTROL_LOCATION_UPDATES, DELETE_CACHE_FILES, DELETE_PACKAGES, DEVICE_POWER, DIAGNOSTIC, DISABLE_KEYGUARD,
    DUMP, EXPAND_STATUS_BAR, FACTORY_TEST, FLASHLIGHT, FORCE_BACK, GET_ACCOUNTS, GET_PACKAGE_SIZE, GET_TASKS,
    GLOBAL_SEARCH, HARDWARE_TEST, INJECT_EVENTS, INSTALL_LOCATION_PROVIDER, INSTALL_PACKAGES,
    INTERNAL_SYSTEM_WINDOW, INTERNET, KILL_BACKGROUND_PROCESSES, MANAGE_ACCOUNTS, MANAGE_APP_TOKENS, MASTER_CLEAR,
    MODIFY_AUDIO_SETTINGS, MODIFY_PHONE_STATE, MOUNT_FORMAT_FILESYSTEMS, MOUNT_UNMOUNT_FILESYSTEMS, NFC,
    PERSISTENT_ACTIVITY, PROCESS_OUTGOING_CALLS, READ_CALENDAR, READ_CALL_LOG, READ_CONTACTS, READ_EXTERNAL_STORAGE,
    READ_FRAME_BUFFER, READ_HISTORY_BOOKMARKS, READ_INPUT_STATE, READ_LOGS, READ_PHONE_STATE, READ_PROFILE,
    READ_SMS, READ_SOCIAL_STREAM, READ_SYNC_SETTINGS, READ_SYNC_STATS, READ_USER_DICTIONARY, REBOOT,
    RECEIVE_BOOT_COMPLETED, RECEIVE_MMS, RECEIVE_SMS, RECEIVE_WAP_PUSH, RECORD_AUDIO, REORDER_TASKS

    ,SET_ACTIVITY_WATCHER,SE

    SET_ANIMATION_SCALE,SET

    ,SET_POINTER_SPEED,SET_P

    ROCESS_LIMIT,SET_TIME,SET

    ET_WALLPAPER_HINTS,SIGN

    TUS_BAR,SUBSCRIBED_FEED

    ITE,SYSTEM_ALERT_WINDOW

    REDENTIALS,USE_SIP,VIBRAT

    TINGS,WRITE_CALENDAR,W

    TS,WRITE_EXTERNAL_STORA

    STORY_BOOKMARKS,WRITE_

    GS,WRITE_SETTINGS,WRITE_

    RITE_SYNC_SETTINGS,WRITE

    [ Android. Permissions ]

    List contains ~150 permissions I have ever seen that on old BlackBerry

    37/50

    ACCOUNTS

    AFFECTS_BATTERY

    APP_INFO

    AUDIO_SETTINGS

    BLUETOOTH_NETWORK

    BOOKMARKS

    CALENDAR

    CAMERA

    COST_MONEY

    DEVELOPMENT_TOOLS

    DEVICE_ALARMS

    DISPLAY

    HARDWARE_CONTROLS

    LOCATION

    MESSAGES

    MICROPHONE

    NETWORK

    PERSONAL_INFO

    PHONE_CALLS

    SCREENLOCK

    SOCIAL_INFO

    STATUS_BAR

    STORAGE

    SYNC_SETTINGS

    SYSTEM_CLOCK

    SYSTEM_TOOLS

    USER_DICTIONA

    VOICEMAIL

    WALLPAPER

    WRITE_USER_D

    [ Android. Permission Groups ]

    But there are only 30 permission groups; I have ever seen that on old BlackBerry

    38/50

    [ Android. Efficiency (%) ]

    Chart: % m+a activity vs perm and % m+a derived activity vs perm per permission group (axis 0,00-50,00).

    39/50

    [ Average quantitative indicators ]

    Chart (stacked, 0%-100%) per OS (Android, Windows, iOS, BlackBerry) and MDM: Q. APIs, Q. sign APIs, Q. of m.+a. activities, Q. of derived activities, Q. of m.+a. permissions, Q. of derived permissions, % m+a activities vs perm, % m+a derived vs perm.

    40/50

    CAMERA AND VIDEO

    HIDE THE DEFAULT CAMERA APPLICATION

    PASSWORD

    DEFINE PASSWORD PROPERTIES

    REQUIRE LETTERS (incl. case)

    REQUIRE NUMBERS

    REQUIRE SPECIAL CHARACTERS

    DELETE DATA AND APPLICATIONS FROM THE DEVICE AFTER INCORRECT PASSWORD ATTEMPTS

    DEVICE PASSWORD

    ENABLE AUTO-LOCK

    LIMIT PASSWORD AGE

    LIMIT PASSWORD HISTORY

    RESTRICT PASSWORD LENG

    MINIMUM LENGTH FOR TPASSWORD THAT IS ALLOW

    ENCRYPTION

    APPLY ENCRYPTION RULES

    ENCRYPT INTERNAL DEVIC

    TOUCHDOWN SUPPORT

    MICROSOFT EXCHANGE SY

    EMAIL PROFILES

    ACTIVESYNC

    MDM. Extend your device security capa

    Android CONTROLLED FOUR GROU

    41/50

    BROWSER

    DEFAULT APP,

    AUTOFILL, COOKIES, JAVASCRIPT, POPUPS

    CAMERA, VIDEO, VIDEO CONF

    OUTPUT, SCREEN CAPTURE, DEFAULT APP

    CERTIFICATES (UNTRUSTED CERTs)

    CLOUD SERVICES

    BACKUP / DOCUMENT / PICTURE / SHARING

    CONNECTIVITY

    NETWORK, WIRELESS, ROAMING

    DATA, VOICE WHEN ROAMING

    CONTENT

    CONTENT (incl. EXPLICIT)

    RATING FOR APPS/ MOVIES / TV SHOWS / REGIONS

    DIAGNOSTICS AND USAGE (SUBMISSION LOGS)

    MESSAGING (DEFAULT APP)

    BACKUP / DOCUMENT PICTURE / SHA

    ONLINE STORE

    ONLINE STORES , PURCHASES, PASSW

    DEFAULT STORE / BOOK / MUSIC APP

    MESSAGING (DEFAULT APP)

    PASSWORD (THE SAME WITH ANDROID, NEW BLA

    PHONE AND MESSAGING (VOICE DIALING)

    PROFILE & CERTs (INTERACTIVE INSTALLATION)

    SOCIAL (DEFAULT APP)

    SOCIAL APPS / GAMING / ADDING FRI

    DEFAULT SOCIAL-GAMING / SOCIAL-V

    STORAGE AND BACKUP

    DEVICE BACKUP AND ENCRYPTION

    VOICE ASSISTANT (DEFAULT APP)

    MDM. Extend your device security capa

    iOS CONTROLLED 16 GROUP

    42/50

    GENERAL

    MOBILE HOTSPOT AND TETHERING

    PLANS APP, APPWORLD

    PASSWORD (THE SAME WITH ANDROID, iOS)

    BES MANAGEMENT (SMARTPHONES, TABLETS)

    SOFTWARE

    OPEN WORK EMAIL MESSAGES LINKS IN THE PERSONAL BROWSER

    TRANSFER THOUGH WORK PERIMETER TO SAME/ANOTHER DEVICE

    BBM VIDEO ACCESS TO WORK NETWORK

    VIDEO CHAT APP USES ORGANIZATIONS WI-FI/VPN NETWORK

    SECURITY

    WIPE WORK SPACE WITHOUT NETWORK, RESTRICT DEV. MODE

    VOICE CONTROL & DICTATION IN WORK & USER APPS

    BACKUP AND RESTORE (WORK) & DESKTOP SOFTWARE

    PC ACCESS TO WORK & PERSONAL SPACE (USB, BT)

    PERSONAL SPACE DATA ENCRYPTION

    NETWORK ACCESS CONTROL FOR WO

    PERSONAL APPS ACCESS TO WORK CO

    SHARE WORK DATA DURING BBM VID

    WORK DOMAINS, WORK NETWORK U

    EMAIL PROFILES

    CERTIFICATES & CIPHERS & S/MIME

    HASH & ENCRYPTION ALGS AND KEY P

    TASK/MEMO/CALENDAR/CONTACT/D

    WI-FI PROFILES

    ACCESS POINT, DEFAULT GATEWAY, D

    PROXY PASSWORD/PORT/SERVER/SU

    VPN PROFILES

    PROXY, SCEP, AUTH PROFILE PARAMS

    TOKENS, IKE, IPSEC OTHER PARAMS

    PROXY PORTS, USERNAME, OTHER PA

    MDM. Extend your device security capa

    BlackBerry (new, 10, QNX) CONTROLLED 7 GROUPS ONLY

    43/50

    THERE ARE 55 GROUPS CONTROLLED IN ALL

    EACH GROUP CONTAINS FROM 10 TO 30 UNITS

    ARE CONTROLLED TOO

    EACH UNIT IS UNDER A LOT OF FLEXIBLE PARAMs

    INSTEAD OF A WAY DISABLE/ENABLE & HIDE/UNHIDE

    EACH EVENT IS

    CONTROLLED BY A CERTAIN PERMISSION

    ALLOWED TO CONTROL BY SIMILAR

    PERMISSIONS TO BE MORE FLEXIBLE

    DESCRIBED IN 360 PAGES IN ALL, THAT IS FOUR TIMES

    MORE THAN OTHER DOCUMENTS

    EACH UNIT CAN'T CONTROL ACTITSELF

    CREATE, READ, WRITE/S

    DELETE ACTIONS IN REG

    MESSAGES LEAD TO SPO

    REQUESTING A MESSAG

    ONLY SOME PERMISSIONS ARE

    DELETE ANY OTHER APP

    SOME PERMISSIONS ARE

    WHICH 3RD PARTY PLUGI

    IN, INSTEAD OF THAT PLU

    MDM. Extend your device security capa

    BlackBerry (old): Huge amount of permissions are MD

    44/50

    MERGING PERMISSIONS INTO GROUPS, e.g.

    SCREEN CAPTURE, CAMERA, VIDEO PERMISSIONS SEPARATED (BlackBerry old)

    SCREEN CAPTURE, CAMERA, VIDEO PERMISSIONS MERGED INTO ONE UNIT (Black SCREEN CAPTURE

    IS ALLOWED VIA HARDWARE BUTTONS ONLY

    NO EMULATION OF HARDWARE BUTTONSAS IT WAS IN OLD BLACKBERRY DEVICES

    LOCKS WHEN WORK PERIMITER HAS BECOME TO PREVENT SCREEN-CAPTURE LOGG

    OFFICIALLY ANNOUNCED SANDBOX

    MALWARE IS STILL A PERSONAL APPLICATION SUBTYPE IN TERMS OF (IN-)SECURITY

    SANDBOX PROTECTS ONLY APP DATA, WHILE USER DATA IS STORED IN SHARED FOLDERS

    INABILITY TO BACK UP MAKES DEVELOPERS STORE DATA IN SHARED FOLDERS

    ISSUES : USELESS SOLUTIONS

    USEFUL IDEAS AT FIRST GLANCE THAT INSTEAD MAKE NO SENSE

    45/50

    SECURE & INSECURE APP AT THE SAME TIME

    HAS ENCRYPTED COMMUNICATION SESSIONS, AND MAY STORE CHAT CONVERSATIONS WITHOUT ENCRYPTION

    STORES SENSITIVE DATA IN PLAINTEXT (PASSWORDS, PASSPORT DETAILS, CARD INFO) AND BELIEVES IN PO

    UPGRADE FEATURE AFFECTS EVERYTHING

    MAY UPDATE/REMOVE ANY OTHER APP - SURPRISE

    REPACKAGES STILL HAVE ACCESS TO THE SAME DATA AS THE ORIGINAL APP

    DEBUG/NOT ORIGINAL SIGNATURE PROBLEM THAT'S NOT A PROBLEM

    CLIPBOARD (A SECURE CLIPBOARD HAS NEVER EXISTED ANYWHERE AND MAY NEVER)

    REVEAL THE DATA IN REAL TIME BY ONE API CALL

    ACCESSIBLE BY APIs AS WELL AS FILE DATA (DEPENDS ON YOUR OS)

    NATIVE WALLETS PROTECT BY RETURNING NULL (OLD BLACKBERRY ONLY)

    WHILE THE WALLET IS ON TOP || JUST MINIMIZE OR CLOSE IT TO GET FULL ACCESS

    EVERY USER MUST MINIMIZE APP TO PASTE A PASSWORD

    ISSUES : USELESS SOLUTIONS

    USEFUL IDEAS AT FIRST GLANCE THAT INSTEAD MAKE NO SENSE

    46/50

    GUI EXPLOITATION HAPPENS (OLD BLACKBERRY, ANDROID REPACKAGES)

    REDRAWING THE SCREENS (OLD BB ONLY), GRABBING THE TEXT FROM ANY FIELDS (INCL. PASSWORD FIELD)

    ADDING, REMOVING THE FIELD DATA

    ORIGINAL DATA IS INACCESSIBLE BUT NOT AFFECTED

    KASPERSKY MOBILE SECURITY PROVIDES INSECURITY:

    NO PROTECTION FROM REMOVING .CODs & UNDER SIMULATOR

    EXAMINING THE TRAFFIC, BEHAVIOUR

    JUST SHOULD CHECK THE "IS SIMULATOR" API ONLY

    SMS MANAGEMENT VIA QUITE SECRET SMS (NOT ENCRYPTED, HASH ONLY)

    THE SAME SECRET AMONG OPERATING SYSTEMS (BB, ANDROID, WINDOWS,)

    PASSWORD IS 4-16 DIGITS, AND MODIFIED IN REAL TIME (OLD BLACKBERRY, OR ANDROID REPACKAGES)

    SMS IS HALF OF A GOST R 34.11-94 HASH VALUE

    HASH IMPLEMENTATION USES TEST CRYPTO VALUES AND NO SALT

    TABLES (VALUE → HASH) ARE EASILY BUILT

    OUTGOING SMS CAN BE SPOOFED WITHOUT ANY NOTIFICATION, BECAUSE KMS DELETES THE SENT MESSAGES

    OUTGOING SMS COULD BLOCK/WIPE THE SAME/ANOTHER DEVICE

    ISSUES : USELESS SOLUTIONS

    USEFUL IDEAS AT FIRST GLANCE THAT INSTEAD MAKE NO SENSE
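The slide above makes a concrete claim: the anti-theft SMS command carries half of an unsalted GOST R 34.11-94 hash of a 4-16 digit secret code, so a value → hash table is easy to build. The script below is an added example, not code from the talk or from Kaspersky: it builds such a table for the short end of the code space, inverts an "intercepted" half-hash, and shows that a per-device salt (absent in the scheme the slide describes) is what would have defeated the table. GOST R 34.11-94 is not in the Python standard library, so the script uses OpenSSL's `md_gost94` only when the local build exposes it and otherwise falls back to SHA-256 as a stand-in; the sample code `73091`, the salt string and the 4-5 digit table range are constructed for this example.

```python
"""
Precomputed value -> half-hash table for a short, unsalted numeric secret.

Added example (not from the Balccon 2013 slides). Assumptions: the hash is
OpenSSL's "md_gost94" if available, else SHA-256 stands in; the argument is
identical for any fast unsalted hash. Sample code and salt are constructed.
"""
import hashlib
import itertools
from typing import Dict, Optional


def pick_digest() -> str:
    """Prefer OpenSSL's GOST R 34.11-94 when the build has it; else SHA-256."""
    try:
        hashlib.new("md_gost94")
        return "md_gost94"
    except ValueError:
        return "sha256"


DIGEST = pick_digest()


def half_hash(secret: str, salt: str = "") -> str:
    """Hex of the first half of H(salt || secret).

    salt="" models the unsalted scheme on the slide. The salt parameter is only
    here to demonstrate what would break the shared table below.
    """
    hexdigest = hashlib.new(DIGEST, (salt + secret).encode("ascii")).hexdigest()
    return hexdigest[: len(hexdigest) // 2]


def table_size(min_len: int, max_len: int) -> int:
    """Number of digit strings with lengths min_len..max_len (sum of 10**n)."""
    return sum(10 ** n for n in range(min_len, max_len + 1))


def build_table(min_len: int, max_len: int) -> Dict[str, str]:
    """Map half-hash -> code for every digit string of length min_len..max_len.

    Because there is no salt, one table serves every device and every OS the
    product ships on; it is computed once and reused forever.
    """
    table: Dict[str, str] = {}
    for length in range(min_len, max_len + 1):
        for digits in itertools.product("0123456789", repeat=length):
            code = "".join(digits)
            table[half_hash(code)] = code
    return table


def recover_code(observed_half: str, table: Dict[str, str]) -> Optional[str]:
    """Invert a half-hash as it would be read from an intercepted SMS command."""
    return table.get(observed_half.lower())


if __name__ == "__main__":
    # 4- and 5-digit codes only, to keep the demo at ~110k hashes.
    table = build_table(4, 5)
    print(f"digest={DIGEST} entries={len(table)} expected={table_size(4, 5)}")

    observed = half_hash("73091")  # constructed: what an attacker sees in the SMS
    print("recovered:", recover_code(observed, table))

    # A per-device salt (not present in the scheme described) defeats the table.
    salted = half_hash("73091", salt="device-specific-salt")  # constructed salt
    print("salted lookup:", recover_code(salted, table))
```

Two things the slide's bullets imply but do not spell out are visible here: truncating a 256-bit digest to 128 bits costs the attacker nothing (the table has no collisions over this code space), and for the longer end of the 4-16 digit range a precomputed table is unnecessary anyway, since the same unsalted function can be brute-forced offline against the half-hash with no rate limit. Only a per-device salt, or a secret that is not a short digit string, changes the picture.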

    COMPLIANCE AND MDM

    47/50

    Device diversity

    Configuration management

    Software Distribution

    Device policy compliance & enforcement

    Enterprise Activation

    Logging

    Security Settings

    Security Wipe, Lock

    IAM

    Make sure you start managing security under

    uncertain terms without AI

    Refers to NIST-800-53 and other

    Sometimes missed requirem

    locking device, however it i

    A bit more detail than CSA

    No statements on permission management

    COMPLIANCE AND MDM

    CSA Mobile Device Management: Key Components | NIST SP 800-124

    CONCLUSION

    48/50

    DENIAL OF SERVICE

    REPLACING/REMOVING FILES

    DOSing EVENTS, GUI INTERCEPT

    INFORMATION DISCLOSURE

    CLIPBOARD, SCREEN CAPTURE

    GUI INTERCEPT

    SHARED FOLDERS

    DUMPING .COD/.BAR/APK FILES

    MITM (INTERCEPTION / SPOOFING)

    MESSAGES

    GUI INTERCEPT, THIRD PA

    FAKE WINDOW/CLICKJACKING

    GENERAL PERMISSIONS

    INSTEAD OF SPECIFIC SU

    A FEW NOTIFICATION/EV

    USER

    BUILT PER APPLICATION

    SCREENs

    CONCLUSION

    PRIVILEGED GENERAL PERMISSIONS: OWN APPS, NATIVE & 3RD-PARTY APPS

    CONCLUSION

    49/50

    SIMPLIFICATION AND REDUCING SECURITY CONTROLS

    MANY GENERAL PERMISSIONS, COMBINED INTO EACH OTHER

    NO ACTIVITY LOGS FOR SUB-PERMISSIONS TO PROVE TRANSPARENCY

    ANY SECURITY VULNERABILITY IS ONLY FIXED BY AN ENTIRELY NEW AND DIFFERENT OS / KER

    A FEW PERMISSIONS ARE CLOSED TO THE USER ACTIONS

    THE SANDBOX PROTECTS ONLY APPLICATION DATA

    USERS HAVE TO STORE THEIR DATA INTO SHARED FOLDERS OR EXTERNAL STORAGE

    APPLICATIONS CONTINUE TO STORE DATA IN PUBLIC FOLDERS BECAUSE GOVERNED BY CHANC

    MITM / INTERCEPTION ACTIONS ARE OFTEN SILENT

    THE NATIVE SPOOFING AND INTERCEPTION FEATURES

    COMPLIANCE DOES NOT EXTEND MDM CAPABILITIES, IT JUST REPEATS THEM

    THE MOST GRANULAR SECURITY (PERMISSIONS) IS RULED BY AMAZON WEB SERVICES

    PERMISSIONS SHOULD RELY ON THE DIFFERENT USEFUL CASES SET INSTEAD OF SPECIFIC PE

    CONCLUSION

    THE VENDOR SECURITY VISION HAS NOTHING TO DO WITH REALITY, AGGRAVATED BY S

    http://scribd.com/ychemerkin
    50/50

    Q & A

    https://plus.google.com/108216608239392698703

    mailto:[email protected]

    https://twitter.com/sto_blog

    https://twitter.com/yury.chemerkin

    http://scribd.com/ychemerkin

    https://www.facebook.com/yury.chemerkin

    http://www.slideshare.net/YuryChemerkin/

    http://www.linkedin.com/in/yurychemerkin

    http://sto-strategy.com/

    http://eforensicsmag.com/

    http://pentestmag.com/

    http://hakin9.org/