Yury Chemerkin Balccon 2013
YURY CHEMERKIN
Balkan Computer Congress (BalCCON 2013)
[ YURY CHEMERKIN ]
www.linkedin.com/in/yurychemerkin http://sto-strategy.com yury.s@chemerkin.com
EXPERIENCED IN :
REVERSE ENGINEERING & AV
SOFTWARE PROGRAMMING & DOCUMENTATION
MOBILE SECURITY AND MDM
CYBER SECURITY & CLOUD SECURITY
COMPLIANCE & TRANSPARENCY
FORENSICS AND SECURITY WRITING
HAKIN9 / PENTEST / EFORENSICS MAGAZINE, GROTECK BUSINESS MEDIA
PARTICIPATION AT CONFERENCES
INFOSECURITYRUSSIA, NULLCON, ATHCON, CONFIDENCE, PHDAYS,
DEFCONMOSCOW, HACTIVITY, HACKFEST
CYBERCRIME FORUM, CYBER INTELLIGENCE EUROPE/INTELLIGENCE-SEC, DEEPINTEL
ICITST, CTICON (CYBERTIMES), ITA, I-SOCIETY
[ OPINIONS ]
BLACKBERRY IS SAFER THAN WINDOWS THAT IS SAFER THAN iOS THAT IS SAFER THAN ANDROID IN TURN
[ Vulnerabilities of OS and apps ]
[Chart: vulnerability score (0 to 9) per year, 2004–2013; series: Score - iOS, Score - Android, Score - BB]
[ Vulnerabilities of OS and apps ]
MIN & AVERAGE SCORE
Android Average; 8,2
BB Min; 2,1
Android Min; 1,9
iOS Min; 1,2
HOW MANY TOOLS THERE ARE (approx.):
iOS – 10
ANDROID – 50
WINDOWS PHONE – 40
BLACKBERRY – 10
QUANTITY OF BUGS / SECURITY FLAWS:
AVERAGE – 50
MIN – 20
MAX – INFINITY
WARNING :: ADS
VERACODE THE MOST USEFUL
BUG TYPES (OBVIOUS | LIKELY):
MISSED CONSTRUCTIONS LIKE DOUBLE/TRIPLE FREE ()
DEBUG PATHS, KEYS, ETC.
PLAINTEXT & HARD-CODED PASSWORDS, TOKENS, MASTER-KEYS, ETC.
NON-SECURE FLAWS, CONSTRUCTIONS, ETC.
CHECK IT OUT: THE SQL-INJECTION IS POSSIBLE; THERE IS NO HTTPS HERE
[ MOBILE SECURITY CAPABILITIES ]
THE SAME CAPABILITIES AMONG MOBILE OPERATING SYSTEMS
MDM SERVICES HELP MANAGE AND PROTECT BLACKBERRY, iOS, WINDOWS, AND ANDROID DEVICES.
MDM SERVICES PROVIDE UNIFIED COMMUNICATION AND COLLABORATION SOFTWARE AND SERVICE (SaaS)
EACH OS IS DESIGNED TO PROTECT DATA IN TRANSIT, IN MEMORY AND IN STORAGE … AT ALL POINTS …
THE OS EVALUATES ALL REQUESTS MADE BY AN APP ... BUT KEEPS THE DETAILS AND APIs OUT OF SIGHT
[ KNOWN ISSUES ]
THREATS' BOUNDS BECOME UNCLEAR…
ALL CONTROLLED OBJECTS ARE LIMITED BY THE SANDBOX
THE PERMISSIONS SET IS SMALLER THAN THE SET OF SECURITY FEATURES ON DEVICES & MDMs
ADDITIONAL FEATURES AREN'T ACCESSIBLE ON THE DEVICE
USER-MODE MALWARE
SPYWARE, ROOTKITS
EXPLOITS & ATTACKS
REVERSING
RECOVERING DATA VS. SANDBOX & MEMORY
EXPLOITING TO GET SUPER PRIVILEGES
NO REAL SECURITY IF YOU BREAK A SANDBOX
MDM & COMPLIANCE BRING COMMON RECOMMENDATIONS
MDM vs. COMPLIANCE: COMMON RECOMMENDATIONS
MDM FEATURES: QUITE BETTER TO MANAGE MDM SOLUTIONS THAN THE DEVICE AT ALL
TOO FAR FROM DETAILS
YOUNG STANDARDS: FIRST REVISIONS, DRAFT REVISIONS
MOBILE SECURITY SOFTWARE: NETWORK LAYER IN READ-ONLY / INFORMATION-ONLY MODE
APPLICATION FIREWALL (CALLS, MESSAGES…)
NETWORK FIREWALL REQUIRES ROOT
[ KNOWN ISSUES. Examples ]
Account:
country code, phone number
Device Hardware Key
login / tokens of Twitter & Facebook
Calls history:
Name + internal ID
Duration + date and time
Address book:
Quantity of contacts / viber-contacts
Full name / Email / phone numbers
Messages
Conversations:
Quantity of messages & participants per conversation
Additional participant info (full name, phone)
Messages:
Date & Time
content of message
ID
[ APPLICATION EXAMINATION ]
ONLY THOSE I HAVE TO USE EVERY DAY. FORENSICS EXAMINATION
Account
ID, bonus card number; password not revealed
Other id & tokens
Information
Date of birth
Passport details
History (airlines, city, flight number only)
Flights tickets, logins credentials
Repack app and grab it
[ APPLICATION EXAMINATION ]
ONLY THOSE I HAVE TO USE EVERY DAY. FORENSICS EXAMINATION
Account
ID, password
Loyalty (bonus) card number
Information
Not revealed (tickets, history or else)
Repack app
[ APPLICATION EXAMINATION ]
ONLY THOSE I HAVE TO USE EVERY DAY. FORENSICS EXAMINATION
Account
ID, email, password
Other id & tokens
Information
Loyalty (bonus) of your membership
all you ever type
Date of birth
Passport details
All PASSPORT INFO (not only travel data)
Your work data (address, job, etc.) you have never typed!
Flights tickets
Repack app and grab it
[ DEVICE MANAGEMENT ]
APPLICATION LEVEL ATTACK VECTOR
[Chart: application-level attack vector counts (y-axis 0–100); series: % m+a activity vs perm, % m+a derived activity vs perm, Q. of m.+a. perm plus parental perm, Q. of derived perm plus parental perm]
location-services – retrieve the device's current location using the Core Location framework through Cellular/Wi-Fi.
still-camera – handle the presence of a camera on the device, such as capturing images from the device's still camera.
telephony – handle the presence of the Phone application, such as opening URLs with the telephony scheme.
video-camera – handle the presence of a camera with video capabilities on the device, such as capturing video from the device's camera.
[ Windows. Permissions ]
Permission – Description
General use capabilities
musicLibrary – provides access to the user's Music library, allowing the app to enumerate and access all files w/o user interaction.
picturesLibrary – provides access to the user's Pictures library, allowing the app to enumerate and access all files w/o user interaction.
videosLibrary – provides access to the user's Videos library, allowing the app to enumerate and access all files w/o user interaction.
removableStorage – provides access to files on removable storage, such as USB keys and external hard drives, filtered to the file type associations.
microphone – provides access to the microphone's audio feed, which allows the app to record audio from connected microphones.
webcam – provides access to the webcam's video feed, which allows the app to capture snapshots and movies from a connected webcam.
location – provides access to location functionality, like a GPS sensor or a location derived from available network info.
proximity – enables multiple devices in close proximity to communicate with one another via any possible connection, incl. Bluetooth, WiFi, and the internet.
internetClient, internetClientServer – provide outbound (inbound is for server only) access to the Internet and public networks via the firewall.
privateNetworkClientServer – provides inbound and outbound access to home and work networks through the firewall, for games or for applications that share data across local devices.
Special use capabilities
enterpriseAuthentication – enables a user to log into remote resources using their credentials, and act as if the user provided their user name and password.
sharedUserCertificates – enables access to software and hardware certificates, like a smart card.
documentsLibrary – provides access to the user's Documents library, filtered to the file type associations.
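As an added example (not from the deck), the check a reviewer would run over an app package before approving it for MDM enrolment: parse the capabilities declared in Package.appxmanifest and bucket them by the general-use / special-use split and the "w/o user interaction" property from the table above. The manifest is a constructed sample, and the 2010 appx manifest namespace is assumed for a Windows 8-era package.

```python
# Added example, not from the slides: audit the capabilities a Windows Store app
# declares in its Package.appxmanifest against the grouping in the table above.
# The manifest below is constructed for the example; it is not a real app.
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.microsoft.com/appx/2010/manifest"}  # assumed Windows 8 namespace

# Grouping and the "w/o user interaction" property are taken from the slide's table.
GENERAL_USE = {
    "musicLibrary", "picturesLibrary", "videosLibrary", "removableStorage",
    "microphone", "webcam", "location", "proximity",
    "internetClient", "internetClientServer", "privateNetworkClientServer",
}
SPECIAL_USE = {"enterpriseAuthentication", "sharedUserCertificates", "documentsLibrary"}
SILENT_FILE_ACCESS = {"musicLibrary", "picturesLibrary", "videosLibrary"}

SAMPLE_MANIFEST = """<Package xmlns="http://schemas.microsoft.com/appx/2010/manifest">
  <Capabilities>
    <Capability Name="internetClient"/>
    <Capability Name="picturesLibrary"/>
    <Capability Name="documentsLibrary"/>
    <Capability Name="enterpriseAuthentication"/>
    <DeviceCapability Name="webcam"/>
    <DeviceCapability Name="location"/>
  </Capabilities>
</Package>"""

def declared_capabilities(manifest_xml):
    """Name of every Capability/DeviceCapability element, in manifest order."""
    caps = ET.fromstring(manifest_xml).find("m:Capabilities", NS)
    if caps is None:
        return []
    return [el.get("Name") for el in caps if el.get("Name")]

def classify(manifest_xml):
    """Bucket the declared capabilities so a reviewer sees the sensitive ones first."""
    report = {"special_use": [], "silent_file_access": [], "general_use": [], "unknown": []}
    for name in declared_capabilities(manifest_xml):
        if name in SPECIAL_USE:
            report["special_use"].append(name)
        elif name in SILENT_FILE_ACCESS:
            report["silent_file_access"].append(name)
        elif name in GENERAL_USE:
            report["general_use"].append(name)
        else:
            report["unknown"].append(name)  # not in the table: review by hand
    return report

if __name__ == "__main__":
    for bucket, names in classify(SAMPLE_MANIFEST).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```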
[ Windows. Significant APIs ]
Feature Q. APIs Q. sign. APIs % (sign. APIs) Controlled?
General use capabilities
Notifications 68 4 5,88 +
Music library 1300 138 10,62 +
Pictures library 1157 133 11,50 +
Videos library 1300 138 10,62 +
Removable storage 1045 109 10,43 +
Microphone 274 33 12,04 +
Webcam 409 91 22,25 +
Location 37 5 13,51 +
Proximity 54 19 35,19 +
Internet and public networks 488 134 27,46 +
Home and work networks 488 134 27,46 +
Special use capabilities
Enterprise authentication 8 4 50,00 +
Shared User Certificates 20 5 25,00 +
Documents library 1045 126 12,06 +
Non-controlled capabilities
Clipboard 132 20 15,15 -
Phone 18 6 33,33 -
SMS 122 25 20,49 -
Contacts 97 31 31,96 -
Device Info 221 30 13,57 -
[ Windows. Common Activities ]
[Chart: number of common activities per permission (y-axis 0–14); x-axis labels such as CONTROL_LOCATION_UPDATES, DELETE_PACKAGES, DEVICE_POWER, READ_USER_DICTIONARY, REBOOT, RECEIVE_MMS, RECEIVE_SMS, RECEIVE_WAP_PUSH]
[ Android. Permission Groups ]
But there are only 30 permission groups; I have seen that on old BlackBerry devices too
[Chart: per permission group (y-axis 0%–70%); series: Q. APIs, Q. sign APIs, Q. of m.+a. activities, Q. of derived activities, Q. of m.+a. permissions, Q. of derived permissions, % m+a activities vs perm, % m+a derived vs perm, % m+a vs perm enhanced by MDM, % derived vs perm enhanced by MDM]
THERE ARE 55 GROUPS CONTROLLED IN ALL
EACH GROUP CONTAINS FROM 10 TO 30 UNITS THAT ARE CONTROLLED TOO
EACH UNIT IS UNDER A LOT OF FLEXIBLE PARAMETERS INSTEAD OF A SIMPLE 'DISABLE/ENABLE & HIDE/UNHIDE' SWITCH
EACH EVENT IS CONTROLLED ONLY BY A CERTAIN PERMISSION, BUT MAY ALSO BE CONTROLLED BY SIMILAR PERMISSIONS TO BE MORE FLEXIBLE
DESCRIBED IN 360 PAGES IN ALL, FOUR TIMES MORE THAN OTHER DOCUMENTS
EACH UNIT CAN'T CONTROL ACTIVITY UNDER ITSELF
'CREATE, READ, WRITE/SAVE, SEND, DELETE' ACTIONS ON MESSAGES LEAD TO SPOOFING BY REQUESTING A 'MESSAGE' PERMISSION
SOME PERMISSIONS AREN'T REQUIRED (TO DELETE ANY OTHER APP)
SOME PERMISSIONS ARE RELATED TO THE APP IN WHICH A 3RD-PARTY PLUGIN WAS EMBEDDED, INSTEAD OF TO THAT PLUGIN
ISSUES : USELESS SOLUTIONS
USEFUL IDEAS AT FIRST GLANCE, BUT INSTEAD THEY MAKE NO SENSE