
(IN-)EFFICIENCY OF SECURITY FEATURES

ON MOBILE SECURITY AND COMPLIANCE

YURY CHEMERKIN
Balkan Computer Congress (BalCCON 2013)
[ YURY CHEMERKIN ]
www.linkedin.com/in/yurychemerkin http://sto-strategy.com yury.s@chemerkin.com

 EXPERIENCED IN :
 REVERSE ENGINEERING & AV
 SOFTWARE PROGRAMMING & DOCUMENTATION
 MOBILE SECURITY AND MDM
 CYBER SECURITY & CLOUD SECURITY
 COMPLIANCE & TRANSPARENCY
 FORENSICS AND SECURITY WRITING
 HAKIN9 / PENTEST / EFORENSICS MAGAZINE, GROTECK BUSINESS MEDIA
 PARTICIPATION AT CONFERENCES
 INFOSECURITYRUSSIA, NULLCON, ATHCON, CONFIDENCE, PHDAYS,
 DEFCONMOSCOW, HACTIVITY, HACKFEST
 CYBERCRIME FORUM, CYBER INTELLIGENCE EUROPE/INTELLIGENCE-SEC, DEEPINTEL
 ICITST, CTICON (CYBERTIMES), ITA, I-SOCIETY
[ OPINIONS ]
BLACKBERRY IS SAFER THAN WINDOWS, WHICH IS SAFER THAN iOS, WHICH IS SAFER THAN ANDROID IN TURN

 APPLE'S CENTRALIZED POINT OF DISTRIBUTION PROVIDES CONFIDENCE THROUGH THE VALIDATION BY APPLE, EXCEPT FOR THE SUBMISSION OF A SUSPICIOUS APP BY Ch. MILLER THAT HAD BEEN SUCCESSFULLY APPROVED BY APPLE
 INSTALLING CYDIA & THE REST OF THE APPS AFTER THAT
 MICROSOFT (WINDOWS PHONE) HAS A CENTRALIZED MARKET WITH DEEPER TESTING AND VALIDATION, LIKE APPLE
 GOOGLE PROVIDES A CENTRALIZED MARKET TOO, HOWEVER IT PROVIDES THE ABILITY TO INSTALL APPS FROM 3RD-PARTY SOURCES SUCH AS AMAZON.
 ANY OTHERS ORIGINATE FROM MALWARE HOTSPOTS
 ANY ALTERNATIVE MARKETS FOR SO-CALLED "CRACKED" APPS DISTRIBUTE REPACKAGES FOR FREE
 BLACKBERRY IS THE SAFEST OS BECAUSE IT IS THE MOST MANAGEABLE AND SECURE, MAINLY AS IT IS DONE IN AN ENTERPRISE WAY
[ Vulnerabilities of OS and apps ]
(Chart: vulnerability score per year, 2004–2013; series: Score - iOS, Score - Android, Score - BB; score axis 0–10)

[ Vulnerabilities of OS and apps ]
MIN & AVERAGE SCORE
(Chart: Min & Average Score)
Android Average: 8.2
iOS Average: 6.3
BB Average: 6.3
BB Min: 2.1
Android Min: 1.9
iOS Min: 1.2
[ SOURCE & BINARY ANALYSIS TOOLS ]
HEY DUDE, WHY IS IT VULNERABLE AGAIN? SORRY, BIG BOSS, I'D JUST COMMITTED A WRONG BRANCH

HOW MANY TOOLS THERE ARE (approx):
 iOS – 10
 ANDROID – 50
 WINDOWS PHONE – 40
 BLACKBERRY – 10
QUANTITY OF BUGS / SECURITY FLAWS:
 AVERAGE – 50
 MIN – 20
 MAX – INFINITY
 WARNING :: ADS
 VERACODE THE MOST USEFUL
BUG TYPES (OBVIOUS | LIKELY):
 MISSED CONSTRUCTIONS LIKE DOUBLE/TRIPLE FREE()
 DEBUG PATHS, KEYS, ETC.
 PLAINTEXT & HARD-CODED PASSWORDS, TOKENS, MASTER-KEYS, ETC.
 NON-SECURE FLAWS, CONSTRUCTIONS, ETC.
 CHECK IT OUT:
   THE SQL-INJECTION IS POSSIBLE
   THERE IS NO HTTPS HERE
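The "obvious" bug classes listed above (hard-coded secrets, debug paths, plain HTTP endpoints, SQL built by string concatenation) are cheap to catch with a few regular expressions before a commercial scanner ever runs. The Python below is an added example written for this page, not a tool from the talk or from any vendor named on it; the patterns, the bug labels and the sample source lines are all constructed here, and the heuristics are deliberately crude (a real scanner parses the language rather than grepping it).

```python
import re
from collections import Counter
from typing import Dict, List, Pattern, Tuple

# One heuristic regex per bug class from the slide: (label, pattern).
# Assumption: source is Java-like; patterns are intentionally simple.
PATTERNS: List[Tuple[str, Pattern[str]]] = [
    ("hard-coded secret",
     re.compile(r'\b(?:password|passwd|pwd|secret|token|master_?key|api_?key)'
                r'\s*[=:]\s*["\'][^"\']{4,}["\']', re.I)),
    ("debug path",
     re.compile(r'["\'](?:[A-Za-z]:\\|/)(?:Users|home|Documents and Settings)[^"\']*["\']')),
    ("plain HTTP URL",
     re.compile(r'["\']http://[^"\']+["\']', re.I)),
    ("SQL built by concatenation",
     re.compile(r'\b(?:SELECT|INSERT|UPDATE|DELETE)\b[^"\']*["\']+\s*\+', re.I)),
]

# Constructed sample source (not real app code). Lines 2, 4, 5 and 7 contain
# one finding each; lines 3, 6 and 8 are the clean counterparts.
SAMPLE_SOURCE = """\
// constructed sample, not real app code
private static final String MASTER_KEY = "anywayanydayanywayanyday";
String password = System.getenv("APP_PASSWORD");
String debugLog = "/Users/developer/src/app/debug.log";
URL api = new URL("http://api.example.com/login");
URL secure = new URL("https://api.example.com/login");
String q = "SELECT * FROM users WHERE name = '" + user + "'";
stmt = db.compileStatement("SELECT * FROM users WHERE name = ?");
"""


def scan_line(line: str) -> List[str]:
    """Return the labels of every pattern that fires on one source line."""
    return [label for label, pattern in PATTERNS if pattern.search(line)]


def scan_source(text: str) -> List[Tuple[int, str, str]]:
    """Scan a whole file; yields (line number, label, stripped line) in file order."""
    findings: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label in scan_line(line):
            findings.append((lineno, label, line.strip()))
    return findings


def summarize(findings: List[Tuple[int, str, str]]) -> Dict[str, int]:
    """Count findings per bug class, the number a triage report would show first."""
    return dict(Counter(label for _, label, _ in findings))


if __name__ == "__main__":
    for lineno, label, snippet in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {label}: {snippet}")
    print(summarize(scan_source(SAMPLE_SOURCE)))
```

Each pattern is anchored on a quoted literal, which is what separates a hard-coded value from a variable read at runtime: `password = System.getenv(...)` passes, `MASTER_KEY = "..."` does not. The SQL rule only fires when a quoted statement is immediately followed by `+`, so a parameterised query with `?` is left alone.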
[ MOBILE SECURITY CAPABILITIES ]
THE SAME CAPABILITIES AMONG MOBILE OPERATING SYSTEMS

 SECURE BOOTLOADER
 SYSTEM SOFTWARE SECURITY (UPDATES)
 APPLICATION CODE SIGNING
 RUNTIME PROCESS SECURITY
 SANDBOX
 APIs
 HARDWARE SECURITY FEATURES
 FILE DATA PROTECTION
 SSL, TLS, VPN
 PASSCODE PROTECTION
 SETTINGS
 PERMISSIONS / RESTRICTIONS
 CONFIGURATIONS
 REMOTE MANAGEMENT
 MDM
 REMOTE WIPE
[ SECURITY ENVIRONMENT ]
EACH OS EVALUATES EVERY REQUEST THAT AN APPLICATION MAKES TO ACCESS …

MDM SERVICES HELP MANAGE AND PROTECT BLACKBERRY, iOS, WINDOWS, AND ANDROID DEVICES.

MDM SERVICES PROVIDE UNIFIED COMMUNICATION AND COLLABORATION SOFTWARE AND SERVICE (SaaS)

EACH OS IS DESIGNED TO PROTECT DATA IN TRANSIT, IN MEMORY AND IN STORAGE … AT ALL POINTS …

MDM SERVICES ARE ENHANCED BY MANAGING THE BEHAVIOR OF THE DEVICE

THE OS PROVIDES A CAPABILITY TO PROTECT ANY APPLICATION DATA USING SANDBOXING

THE OS PROVIDES A CAPABILITY TO MANAGE PERMISSIONS TO ACCESS ITS CAPABILITIES

THE OS EVALUATES ALL REQUESTS MADE BY AN APP ... BUT STEERS AWAY FROM ANY DETAILS AND APIs
[ KNOWN ISSUES ]
THREAT BOUNDS BECOME UNCLEAR… MDM & COMPLIANCE BRING COMMON RECOMMENDATIONS

 ALL CONTROLLED OBJECTS ARE LIMITED BY
   SANDBOX
   PERMISSIONS
   SECURITY FEATURES ON DEVICEs & MDMs
 ADDITIONAL FEATURES AREN'T ACCESSIBLE ON THE DEVICE
 USER-MODE MALWARE
   SPYWARE, ROOTKITS
 EXPLOITS & ATTACKS
   REVERSING THE NETWORK LAYER
   RECOVERING DATA VS. SANDBOX & MEMORY
   EXPLOITING TO GET SUPER PRIVILEGES
   NO REAL SECURITY IF YOU BREAK A SANDBOX
 MDM vs. COMPLIANCE
   THE COMMON RECOMMENDATIONS SET IS SMALLER THAN THE SET OF MDM FEATURES
   QUITE BETTER TO MANAGE MDM SOLUTIONS THAN THE DEVICE AT ALL
   TOO FAR FROM DETAILS
 YOUNG STANDARDS
   FIRST REVISIONS, DRAFT REVISIONS
 MOBILE SECURITY SOFTWARE
   READ-ONLY MODE / INFORMATION ONLY
   APPLICATION FIREWALL (CALLS, MESSAGES…)
   NETWORK FIREWALL REQUIRES ROOT
[ KNOWN ISSUES. Examples ]

 BYPASS MDM SOLUTIONS
   iOS, ANDROID
     EXPLOITS, DUMP /MEM TO GET EMAILS
     BLACKHAT EU'13 http://goo.gl/HN829p
   BLACKBERRY PLAYBOOK
     EXPLOITS, MITM, DUMP '.ALL' FILES
     SECTOR'11, INFILTRATE'12, SOURCE BOSTON'13 http://goo.gl/KaTtFG
 GAIN ROOT ACCESS
   ANDROID
     APP SIGNATURE EXPLOITATION
     APP MODIFICATION
     BLACKHAT USA'13 http://goo.gl/p5FhWG
 TIME-FRAME TO FIX
   7+ MONTHS or WAIT FOR THE NEXT UPDATE
   WAIT FOR A VENDOR'S INTEREST IN YOU
 ANALYSIS OF THE APP'S DATA AT REST
   BLACKBERRY, iOS
     DATA LEAKAGE
     REVEAL PASSWORDS, MASTERKEYS, ETC.
     BLACKHAT EU'12 http://goo.gl/STpSll
   ANDROID
     DATA LEAKAGE
     WEAKNESS OF THE CRYPTO ENGINE
     PHDAYS III '13 http://goo.gl/x1PPGK
[ KNOWN ISSUES. Examples ]

 PLAYBOOK ARTIFACTS (see the previous slide)
   BROWSER HISTORY
   NETWORKING IDs, FLAGS, MACs
   VIDEO CALL DETAILS
   ACCESS TO THE INTERNAL NETWORK
 KERNEL
   BLACKBERRY Z10
     DUMP MICROKERNEL
     EVEN DEVELOPERS' CREDENTIALS (FACEBOOK, MOBILE, EMAILS)
     BLACKHAT, DEFCON MOSCOW http://goo.gl/R74leX
 GUI FAILS
   BLACKBERRY OS
     DATA LEAKAGE
     REVEAL PASSWORDS, … ANYTHING
     NO PERMISSIONS REQUESTED
     BORROW PERMISSIONS OF ANOTHER APP
     NullCon'13, CONFIDENCE'13 http://goo.gl/phMey2
[ APPLICATION EXAMINATION ]
ONLY THOSE I HAVE TO USE EVERY DAY. FORENSICS EXAMINATION

 Account
   country code, phone number
   Device Hardware Key
   login / tokens of Twitter & Facebook
 Calls history
   Name + internal ID
   Duration + date and time
 Address book
   Quantity of contacts / viber-contacts
   Full name / Email / phone numbers
 Conversations
   Quantity of messages & participants per conversation
   Additional participant info (full name, phone)
 Messages
   Date & Time
   content of message
   ID
[ APPLICATION EXAMINATION ]
ONLY THOSE I HAVE TO USE EVERY DAY. FORENSICS EXAMINATION

 Account
   country code, phone number
   login / tokens: Facebook wasn't revealed
   'Buy me for….$$$' 
   Avatars :: phone+@s.whatsapp.net.j (jfif)
 Address book
   No records of the address book were revealed…
   Check the log-file and find these records (!)
 Messages
   Date & Time
   content of message
   ID :: phone@s.whatsapp.net
[ APPLICATION EXAMINATION ]
ONLY THOSE I HAVE TO USE EVERY DAY. FORENSICS EXAMINATION

 Account
   Phone number
   Password, secret code weren't revealed
   Trace the app, find the methods that use it
   Repack the app and have fun
   No masking of data typed
 Information
   Amount
   Full info in the history section (incl. info about who receives money)
 Connected cards
   Encryption? No 
   Bank cards: Masked card number only
   Qiwi Bank cards: Full & masked number; Cvv/cvc; All other card info 
[ APPLICATION EXAMINATION ]
ONLY THOSE I HAVE TO USE EVERY DAY. FORENSICS EXAMINATION

 Account
   ID, email, password
 Information
   Loyalty (bonus) of your membership
   all you ever type
   Date of birth
   Passport details
 Book/order history
   Routes,
   Date and time,
   Bonus earning
   Full info per each order
 Connected cards
   Encryption? AES, 256 bit, on password anywayanydayanywayanyday
   Stored in plaintext
   Sizeof(anywayanydayanywayanyday) = 192 bit
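The card-encryption finding above (AES keyed by a fixed 24-character string that ships with the app and is stored in the clear) means the key is the same on every handset, so there is nothing per-user about it. The Python below is an added example, not code from the talk or from the app: it measures the fixed key's size the way the slide does and contrasts it with deriving a 256-bit key from the user's own secret plus a random per-install salt using PBKDF2-HMAC-SHA256 from the standard library. The user secret, salt length and iteration count are constructed values. A short numeric PIN still bounds how hard the key is to guess; what the derivation buys is a key that differs per user and per install.

```python
import hashlib
import os

# The key material the slide reports: a literal compiled into the app.
# 24 ASCII bytes = 192 bits, identical for every user and every install.
HARDCODED_PASSWORD = b"anywayanydayanywayanyday"

SALT_LEN = 16          # constructed choice; 16 random bytes per install
ITERATIONS = 200_000   # constructed choice; tune to the device's CPU budget


def key_bits(key: bytes) -> int:
    """Key length in bits, as the slide's Sizeof(...) = 192 bit computes it."""
    return len(key) * 8


def hardcoded_key() -> bytes:
    """Vulnerable pattern: the literal itself is the AES key; nothing is per-user."""
    return HARDCODED_PASSWORD


def new_salt() -> bytes:
    """Fresh random salt, generated once at install and stored beside the ciphertext."""
    return os.urandom(SALT_LEN)


def derive_key(user_secret: bytes, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Hardened pattern: 256-bit key from the user's secret and a per-install salt.

    The salt is not secret, so storing it in plaintext is fine; the user secret
    is never stored at all, so an attacker needs both the device data and the user.
    """
    if len(salt) < SALT_LEN:
        raise ValueError(f"salt must be at least {SALT_LEN} bytes")
    return hashlib.pbkdf2_hmac("sha256", user_secret, salt, iterations, dklen=32)


def keys_unique_across_installs(user_secret: bytes, installs: int = 3) -> bool:
    """Same user secret on several installs yields distinct keys thanks to the salt."""
    keys = {derive_key(user_secret, new_salt()) for _ in range(installs)}
    return len(keys) == installs


if __name__ == "__main__":
    print("hard-coded key:", key_bits(hardcoded_key()), "bits, same on every device")
    salt = new_salt()
    key = derive_key(b"1234", salt)   # constructed user PIN
    print("derived key:", key_bits(key), "bits, salt", salt.hex())
```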
[ APPLICATION EXAMINATION ]
ONLY THOSE I HAVE TO USE EVERY DAY FORENSICS EXAMINATION

 Account
   ID, bonus card number, password not revealed
   Other id & tokens
 Information
   Date of birth
   Passport details
   History (airlines, city, flight number only)
   Flight tickets, login credentials
   Repack the app and grab it 
[ APPLICATION EXAMINATION ]
ONLY THOSE I HAVE TO USE EVERY DAY FORENSICS EXAMINATION

 Account
   ID, password
 Loyalty (bonus) card number
 Information
 Not revealed (tickets, history or else)
 Repack app 
[ APPLICATION EXAMINATION ]
ONLY THOSE I HAVE TO USE EVERY DAY FORENSICS EXAMINATION

 Account
   ID, email, password
 Other id & tokens
 Information
 Loyalty (bonus) of your membership
 all you ever type
 Date of birth
 Passport details
 All PASSPORT INFO (not only travel data)
 Your work data (address, job, etc.) you have never typed!
 Flights tickets
 Repack app and grab it
[ DEVICE MANAGEMENT ]
APPLICATION-LEVEL ATTACK VECTOR

 GOALS – MOBILE RESOURCES / AIM OF ATTACK
   DEVICE RESOURCES
   OUTSIDE-OF-DEVICE RESOURCES
 ATTACKS – SET OF ACTIONS UNDER THE THREAT
 APIs – RESOURCES WIDELY AVAILABLE TO CODERS
 SECURITY FEATURES
   KERNEL PROTECTION, NON-APP FEATURES
 PERMISSIONS – EXPLICITLY CONFIGURED
 3RD PARTY
   AV, FIREWALL, VPN, MDM APIs
 COMPLIANCE – RULES TO DESIGN MOBILE SECURITY IN ALIGNMENT WITH COMPLIANCE TO…
(Diagram of layers: Goals; Attacks; Permissions; APIs; Kernel protection; MDM features; Non-app features (AV, MDM, DLP, VPN))
[ DEVICE MANAGEMENT ]
Concurrency over native & additional security features. The situation is very serious 

$\Delta = A \cup B \cup \Gamma \cup \Upsilon$, with $A \subset B$, $\Upsilon \subseteq B$, $\Upsilon \subset A$

$\Delta$ – set of OS permissions, $A$ – set of device permissions, $B$ – set of MDM permissions, $\Gamma$ – set of missed permissions (lack of controls), $\Upsilon$ – set of rules that should explicitly be applied to gain compliance

$H = E + Z$, with $E \supset A \cup B$

$H$ – set of APIs, $E$ – set of APIs that interact with sensitive data, $Z$ – set of APIs that do not interact with sensitive data

To get mobile security designed with full granularity, the set $\Gamma$ should be the empty set, giving $E \supseteq A \cup B$ instead of $E \supset A \cup B$; so what matters is how close it is to empty. On the other hand, it should be found out whether the assumptions $\Upsilon \subseteq B$, $\Upsilon \subset A$ are true and whether it is possible to get $\subseteq A$.

 Set of permissions < Set of activities → efficiency is < 100% in the typical case
 Ability to control each API = 100%
 More than 1 permission per API > 100%
 Lack of knowledge about possible attacks
 Improper granularity
(Diagram of layers: Permissions; Kernel protection; MDM features; Non-app features (AV, MDM, DLP, VPN))
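The set model on this slide can be executed. The Python below is an added example, not the author's code: the API universe, the permission sets A, B and Υ and the feature groupings are constructed toy data, and Γ is read here as the sensitive APIs that neither a device-settable nor an MDM-settable permission gates, which is one reading of "lack of controls". The efficiency figure follows the slide's rule of distinct permissions over activities: one permission covering two APIs gives 50%, two permissions gating one API gives 200%, and an ungated feature gives 0%.

```python
from typing import Dict, FrozenSet

# Constructed toy universe: API name -> permissions that gate it.
# An empty set means the API can be called with no permission at all.
API_GATES: Dict[str, FrozenSet[str]] = {
    "Contacts.read":     frozenset({"contacts"}),
    "Contacts.write":    frozenset({"contacts"}),
    "Sms.send":          frozenset({"sms", "phone"}),  # two permissions gate one API
    "Camera.capture":    frozenset({"camera"}),
    "Clipboard.get":     frozenset(),                   # sensitive but ungated
    "Clipboard.set":     frozenset(),
    "Screen.brightness": frozenset(),                   # not sensitive
    "Device.vibrate":    frozenset({"vibrate"}),
}

# H = E + Z: E touches sensitive data, Z is the rest.
E: FrozenSet[str] = frozenset({"Contacts.read", "Contacts.write", "Sms.send",
                               "Camera.capture", "Clipboard.get", "Clipboard.set"})
Z: FrozenSet[str] = frozenset(API_GATES) - E

# A: permissions the user can set on the device; B: permissions an MDM can set.
A: FrozenSet[str] = frozenset({"contacts", "camera", "sms"})
B: FrozenSet[str] = A | {"phone", "vibrate"}
# Υ: rules a compliance standard explicitly requires to be enforced (constructed).
Y: FrozenSet[str] = frozenset({"contacts", "camera"})

# Features as the slides group them: feature -> its APIs ("activities").
FEATURES: Dict[str, FrozenSet[str]] = {
    "Contacts":  frozenset({"Contacts.read", "Contacts.write"}),
    "Messaging": frozenset({"Sms.send"}),
    "Clipboard": frozenset({"Clipboard.get", "Clipboard.set"}),
}


def missed_controls(sensitive: FrozenSet[str] = E,
                    gates: Dict[str, FrozenSet[str]] = API_GATES,
                    controllable: FrozenSet[str] = A | B) -> FrozenSet[str]:
    """Γ: sensitive APIs that no device- or MDM-settable permission gates."""
    return frozenset(api for api in sensitive if not (gates[api] & controllable))


def check_assumptions(a: FrozenSet[str] = A, b: FrozenSet[str] = B,
                      y: FrozenSet[str] = Y) -> Dict[str, bool]:
    """The slide's assumptions A ⊂ B, Υ ⊆ B, Υ ⊂ A, each checked as a set relation."""
    return {"A ⊂ B": a < b, "Υ ⊆ B": y <= b, "Υ ⊂ A": y < a}


def efficiency(feature: str, features: Dict[str, FrozenSet[str]] = FEATURES,
               gates: Dict[str, FrozenSet[str]] = API_GATES) -> float:
    """Distinct permissions over activities, in percent, per the slide's rule."""
    apis = features[feature]
    perms = frozenset().union(*(gates[api] for api in apis))
    return 100.0 * len(perms) / len(apis)


def full_granularity() -> bool:
    """True only when Γ is empty, i.e. E ⊇ A ∪ B is reached."""
    return not missed_controls()


if __name__ == "__main__":
    print("Γ (missed controls):", sorted(missed_controls()))
    print("assumptions:", check_assumptions())
    for name in FEATURES:
        print(f"{name}: efficiency {efficiency(name):.2f}%")
    print("full granularity:", full_granularity())
```

Running it on the toy data reproduces the three regimes the slide names: Contacts sits below 100% because one permission spans two activities, Messaging exceeds 100% because two permissions gate a single API, and Clipboard scores 0% and lands in Γ, which is exactly why full granularity fails.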
[ BLACKBERRY. PERMISSIONS ]
Permission | BB 10 Cascades SDK | BB 10 AIR SDK / PB (NDK/AIR)
Background processing | + | +
BlackBerry Messenger | - | -
Calendar, Contacts | + | via invoke calls
Camera | + | +
Device identifying information | + | +
Email and PIN messages | + | via invoke calls
GPS location | + | +
Internet | + | +
Location | + | -
Microphone | + | +
Narrow swipe up | - | +
Notebooks | + | -
Notifications | + | +
Player | - | +
Phone | + | -
Push | + | -
Shared files | + | +
Text messages | + | -
Volume | - | +
[ BLACKBERRY. Significant APIs ]
Feature | Q. APIs | Q. sign. APIs | % (sign. APIs) | Controlled?
BlackBerry Messenger | 77 | 70 | 90.91 | +
Calendar | 443 | 126 | 28.44 | +
Camera | 47 | 41 | 87.23 | +
Contacts | 316 | 150 | 47.47 | +
Device identifying info | 15 | 14 | 93.33 | +
Email & PIN messages | 347 | 211 | 60.81 | +
Internet | 161 | 145 | 90.06 | +
Microphone | 21 | 15 | 71.43 | +
Notebooks | 123 | 86 | 69.92 | +
Notifications | 32 | 24 | 75.00 | +
Phone | 27 | 22 | 81.48 | +
Push | 25 | 22 | 88.00 | +
Shared files | 78 | 70 | 89.74 | +
Text messages | 10 | 6 | 60.00 | +
Account | 66 | 21 | 31.82 | -
MediaPlayer | 66 | 63 | 95.45 | -
NFC | 24 | 11 | 45.83 | -
Radio & SIM | 68 | 51 | 75.00 | -
Clipboard | 6 | 4 | 66.67 | -
[ BLACKBERRY. Common activities ]
(Bar chart per feature; legend: Q. of m.+a. activity, Q. of m.+a. permission; counts shown range from 1 to 34)

[ BLACKBERRY. Derived activities ]
(Bar chart per feature; legend: Q. of derived activities, Q. of derived perm; counts shown range from 1 to 116)

[ BLACKBERRY. Efficiency (%) ]
(Bar chart per feature; legend: % m+a activity vs perm, % m+a derived activity vs perm; values shown range from 2.17% to 250.00%)
[ iOS. Info.plist (app capabilities) ]
Key | Description
auto-focus-camera | handles autofocus capabilities in the device's still camera, for macro photography or image processing.
bluetooth-le | handles the presence of Bluetooth low-energy hardware on the device.
camera-flash | handles a camera flash for taking pictures or shooting video.
front-facing-camera | handles a forward-facing camera, such as capturing video from the device's camera.
gamekit | handles Game Center.
gps | handles GPS (or AGPS) hardware to track locations when higher accuracy than Cellular/Wi-Fi is needed.
location-services | retrieves the device's current location using the Core Location framework through Cellular/Wi-Fi
microphone | handles the built-in microphone and its accessories
peer-peer | handles peer-to-peer connectivity over a Bluetooth network.
sms | handles the presence of the Messages application, such as opening URLs with the sms scheme.
still-camera | handles the presence of a camera on the device, such as capturing images from the device's still camera.
telephony | handles the presence of the Phone application, such as opening URLs with the telephony scheme.
video-camera | handles the presence of a camera with video capabilities on the device, such as capturing video from the device's camera.
wifi | access to the networking features of the device.
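A reviewer can read this capability list straight out of an app's Info.plist: the key that carries it is UIRequiredDeviceCapabilities, which holds either an array of required capabilities or a dictionary whose false entries mean the capability must be absent. The Python below is an added example, not from the talk; the two plist fragments are constructed, and the watch list is taken from the sensor- and app-related keys in the table above. Note what the key does and does not say: it declares hardware the app needs, not data the app has been granted, so the per-app Privacy settings on the iOS Settings slide remain a separate control.

```python
import plistlib
from typing import Dict, List

# Keys from the table above that imply access to sensors or to messaging/phone apps.
SENSITIVE_CAPABILITIES = frozenset({
    "still-camera", "video-camera", "front-facing-camera", "microphone",
    "gps", "location-services", "sms", "telephony",
})

# Constructed Info.plist, array form: every listed capability is required.
SAMPLE_PLIST_ARRAY = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.sample</string>
  <key>UIRequiredDeviceCapabilities</key>
  <array>
    <string>armv7</string>
    <string>still-camera</string>
    <string>location-services</string>
  </array>
</dict>
</plist>
"""

# Constructed Info.plist, dictionary form: true = required, false = must be absent.
SAMPLE_PLIST_DICT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.other</string>
  <key>UIRequiredDeviceCapabilities</key>
  <dict>
    <key>telephony</key><false/>
    <key>microphone</key><true/>
    <key>wifi</key><true/>
  </dict>
</dict>
</plist>
"""


def required_capabilities(plist_bytes: bytes) -> Dict[str, bool]:
    """Normalise both spellings of UIRequiredDeviceCapabilities to {name: required}."""
    info = plistlib.loads(plist_bytes)
    caps = info.get("UIRequiredDeviceCapabilities", [])
    if isinstance(caps, list):
        return {str(c): True for c in caps}
    if isinstance(caps, dict):
        return {str(c): bool(v) for c, v in caps.items()}
    raise ValueError("UIRequiredDeviceCapabilities must be an array or a dict")


def sensitive_requirements(plist_bytes: bytes) -> List[str]:
    """Capabilities the app insists on that are on the watch list, sorted for reporting."""
    caps = required_capabilities(plist_bytes)
    return sorted(c for c, required in caps.items()
                  if required and c in SENSITIVE_CAPABILITIES)


if __name__ == "__main__":
    for label, blob in (("array form", SAMPLE_PLIST_ARRAY), ("dict form", SAMPLE_PLIST_DICT)):
        print(label, "->", sensitive_requirements(blob))
```

The dictionary form is the one reviewers tend to misread: `<key>telephony</key><false/>` is a statement that the app refuses to run on phones, not a request for telephony, so it must not be counted as a sensitive requirement.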


[ iOS. Settings ]
Component | Unit
Restrictions :: Native application | Safari; Camera, FaceTime; iTunes Store, iBookstore; Siri; Manage applications*
Restrictions :: 3rd application | Manage applications*; Explicit Language (Siri); Privacy*, Accounts*; Content Type Restrictions*
Unit subcomponents
Privacy :: Location | Per each 3rd party app; For system services
Privacy :: Private Info | Contacts, Calendar, Reminders, Photos; Bluetooth Sharing; Twitter, Facebook
Accounts | Disables changes to Mail, Contacts, Calendars, iCloud, and Twitter accounts; Find My Friends
Content Type Restrictions | Volume limit; Ratings per country and region; Music and podcasts; Movies, Books, Apps, TV shows; In-app purchases; Require Passwords (in-app purchases); Multiplayer Games; Game Center; Adding Friends (Game Center)
Manage applications | Installing Apps; Removing Apps
[ iOS. Common activities ]
(Bar chart per feature; legend: Q. of m.+a. activity, Q. of m.+a. permission, Q. of m.+a. perm plus parental perm; counts shown range from 0 to 18)

[ iOS. Derived activities ]
(Bar chart per feature; legend: Q. of derived activities, Q. of derived perm, Q. of derived perm plus parental perm; counts shown range from 0 to 82)

[ iOS. Efficiency (%) ]
(Bar chart per feature, axis 0–100%; legend: % m+a activity vs perm, % m+a derived activity vs perm, Q. of m.+a. perm plus parental perm, Q. of derived perm plus parental perm; values shown range from 0.00% to 50.00%)
[ Windows. Permissions ]
Permission | Description
General use capabilities
musicLibrary | provides access to the user's Music library, allowing the app to enumerate and access all files w/o user interaction.
picturesLibrary | provides access to the user's Pictures library, allowing the app to enumerate and access all files w/o user interaction.
videosLibrary | provides access to the user's Videos library, allowing the app to enumerate and access all files w/o user interaction.
removableStorage | provides access to files on removable storage, such as USB keys and external hard drives, filtered to the file type
microphone | provides access to the microphone's audio feed, which allows the app to record audio from connected microphones.
webcam | provides access to the webcam's video feed, which allows the app to capture snapshots and movies from a connected webcam.
location | provides access to location functionality like a GPS sensor or derived from available network info.
proximity | enables multiple devices in close proximity to communicate with one another via any possible connection, incl. Bluetooth, WiFi, and the internet.
internetClient, internetClientServer | provides outbound (inbound is for server only) access to the Internet and public networks via the firewall.
privateNetworkClientServer | provides inbound and outbound access to home and work networks through the firewall, for games or for applications that share data across local devices.
Special use capabilities
enterpriseAuthentication | enables a user to log into remote resources using their credentials, and act as if the user provided their user name and password.
sharedUserCertificates | enables access to software and hardware certificates like smart cards.
documentsLibrary | provides access to the user's Documents library, filtered to the file type associations
[ Windows. Significant APIs ]
Feature | Q. APIs | Q. sign. APIs | % (sign. APIs) | Controlled?
General use capabilities
Notifications | 68 | 4 | 5.88 | +
Music library | 1300 | 138 | 10.62 | +
Pictures library | 1157 | 133 | 11.50 | +
Videos library | 1300 | 138 | 10.62 | +
Removable storage | 1045 | 109 | 10.43 | +
Microphone | 274 | 33 | 12.04 | +
Webcam | 409 | 91 | 22.25 | +
Location | 37 | 5 | 13.51 | +
Proximity | 54 | 19 | 35.19 | +
Internet and public networks | 488 | 134 | 27.46 | +
Home and work networks | 488 | 134 | 27.46 | +
Special use capabilities
Enterprise authentication | 8 | 4 | 50.00 | +
Shared User Certificates | 20 | 5 | 25.00 | +
Documents library | 1045 | 126 | 12.06 | +
Non-controlled capabilities
Clipboard | 132 | 20 | 15.15 | -
Phone | 18 | 6 | 33.33 | -
SMS | 122 | 25 | 20.49 | -
Contacts | 97 | 31 | 31.96 | -
Device Info | 221 | 30 | 13.57 | -
[ Windows. Common Activities ]
(Bar chart per feature; legend: Q. of m.+a. activity, Q. of m.+a. permission; counts shown range from 0 to 14)

[ Windows. Derived Activities ]
(Bar chart per feature; legend: Q. of derived activities, Q. of derived perm; counts shown range from 0 to 21)

[ Windows. Efficiency (%) ]
(Bar chart per feature; legend: % m+a activity vs perm, % m+a derived activity vs perm; values shown range from 0.00% to 125.00%)
[ Android. Permissions ]
The list contains ~150 permissions; I have seen the same on old BlackBerry devices

ACCESS_CHECKIN_PROPERTIES, ACCESS_COARSE_LOCATION, ACCESS_FINE_LOCATION, ACCESS_LOCATION_EXTRA_COMMANDS, ACCESS_MOCK_LOCATION, ACCESS_NETWORK_STATE, ACCESS_SURFACE_FLINGER, ACCESS_WIFI_STATE, ACCOUNT_MANAGER, ADD_VOICEMAIL, AUTHENTICATE_ACCOUNTS, BATTERY_STATS, BIND_ACCESSIBILITY_SERVICE, BIND_APPWIDGET, BIND_DEVICE_ADMIN, BIND_INPUT_METHOD, BIND_REMOTEVIEWS, BIND_TEXT_SERVICE, BIND_VPN_SERVICE, BIND_WALLPAPER, BLUETOOTH, BLUETOOTH_ADMIN, BRICK, BROADCAST_PACKAGE_REMOVED, BROADCAST_SMS, BROADCAST_STICKY, BROADCAST_WAP_PUSH, CALL_PHONE, CALL_PRIVILEGED, CAMERA, CHANGE_COMPONENT_ENABLED_STATE, CHANGE_CONFIGURATION, CHANGE_NETWORK_STATE, CHANGE_WIFI_MULTICAST_STATE, CHANGE_WIFI_STATE, CLEAR_APP_CACHE, CLEAR_APP_USER_DATA, CONTROL_LOCATION_UPDATES, DELETE_CACHE_FILES, DELETE_PACKAGES, DEVICE_POWER, DIAGNOSTIC, DISABLE_KEYGUARD, DUMP, EXPAND_STATUS_BAR, FACTORY_TEST, FLASHLIGHT, FORCE_BACK, GET_ACCOUNTS, GET_PACKAGE_SIZE, GET_TASKS, GLOBAL_SEARCH, HARDWARE_TEST, INJECT_EVENTS, INSTALL_LOCATION_PROVIDER, INSTALL_PACKAGES, INTERNAL_SYSTEM_WINDOW, INTERNET, KILL_BACKGROUND_PROCESSES, MANAGE_ACCOUNTS, MANAGE_APP_TOKENS, MASTER_CLEAR, MODIFY_AUDIO_SETTINGS, MODIFY_PHONE_STATE, MOUNT_FORMAT_FILESYSTEMS, MOUNT_UNMOUNT_FILESYSTEMS, NFC, PERSISTENT_ACTIVITY, PROCESS_OUTGOING_CALLS, READ_CALENDAR, READ_CALL_LOG, READ_CONTACTS, READ_EXTERNAL_STORAGE, READ_FRAME_BUFFER, READ_HISTORY_BOOKMARKS, READ_INPUT_STATE, READ_LOGS, READ_PHONE_STATE, READ_PROFILE, READ_SMS, READ_SOCIAL_STREAM, READ_SYNC_SETTINGS, READ_SYNC_STATS, READ_USER_DICTIONARY, REBOOT, RECEIVE_BOOT_COMPLETED, RECEIVE_MMS, RECEIVE_SMS, RECEIVE_WAP_PUSH, RECORD_AUDIO, REORDER_TASKS, RESTART_PACKAGES, SEND_SMS, SET_ACTIVITY_WATCHER, SET_ALARM, SET_ALWAYS_FINISH, SET_ANIMATION_SCALE, SET_DEBUG_APP, SET_ORIENTATION, SET_POINTER_SPEED, SET_PREFERRED_APPLICATIONS, SET_PROCESS_LIMIT, SET_TIME, SET_TIME_ZONE, SET_WALLPAPER, SET_WALLPAPER_HINTS, SIGNAL_PERSISTENT_PROCESSES, STATUS_BAR, SUBSCRIBED_FEEDS_READ, SUBSCRIBED_FEEDS_WRITE, SYSTEM_ALERT_WINDOW, UPDATE_DEVICE_STATS, USE_CREDENTIALS, USE_SIP, VIBRATE, WAKE_LOCK, WRITE_APN_SETTINGS, WRITE_CALENDAR, WRITE_CALL_LOG, WRITE_CONTACTS, WRITE_EXTERNAL_STORAGE, WRITE_GSERVICES, WRITE_HISTORY_BOOKMARKS, WRITE_PROFILE, WRITE_SECURE_SETTINGS, WRITE_SETTINGS, WRITE_SMS, WRITE_SOCIAL_STREAM, WRITE_SYNC_SETTINGS, WRITE_USER_DICTIONARY
[ Android. Permission Groups ]
But there are only 30 permission groups; I have seen the same on old BlackBerry devices too

 ACCOUNTS
 AFFECTS_BATTERY
 APP_INFO
 AUDIO_SETTINGS
 BLUETOOTH_NETWORK
 BOOKMARKS
 CALENDAR
 CAMERA
 COST_MONEY
 DEVELOPMENT_TOOLS
 DEVICE_ALARMS
 DISPLAY
 HARDWARE_CONTROLS
 LOCATION
 MESSAGES
 MICROPHONE
 NETWORK
 PERSONAL_INFO
 PHONE_CALLS
 SCREENLOCK
 SOCIAL_INFO
 STATUS_BAR
 STORAGE
 SYNC_SETTINGS
 SYSTEM_CLOCK
 SYSTEM_TOOLS
 USER_DICTIONARY
 VOICEMAIL
 WALLPAPER
 WRITE_USER_DICTIONARY
[ Android. Efficiency (%) ]
(Bar chart per permission group, axis 0–50%; legend: % m+a activity vs perm, % m+a derived activity vs perm; values shown range from 0.00% to 33.33%)
[ Average quantitative indicators ]
(Grouped chart, axis 0–100%, one bar group per indicator for Android, Windows, iOS and BlackBerry; indicators: Q. APIs; Q. sign APIs; Q. of m.+a. activities; Q. of derived activities; Q. of m.+a. permissions; Q. of derived permissions; % m+a activities vs perm; % m+a derived vs perm; % m+a vs perm enhanced by MDM; % derived vs perm enhanced by MDM)
MDM . Extend your device security capabilities
Android CONTROLLED FOUR GROUPS ONLY

 CAMERA AND VIDEO
   HIDE THE DEFAULT CAMERA APPLICATION
 PASSWORD
   DEFINE PASSWORD PROPERTIES
   REQUIRE LETTERS (incl. case)
   REQUIRE NUMBERS
   REQUIRE SPECIAL CHARACTERS
   DELETE DATA AND APPLICATIONS FROM THE DEVICE AFTER INCORRECT PASSWORD ATTEMPTS
   DEVICE PASSWORD
   ENABLE AUTO-LOCK
   LIMIT PASSWORD AGE
   LIMIT PASSWORD HISTORY
   RESTRICT PASSWORD LENGTH
   MINIMUM LENGTH FOR THE DEVICE PASSWORD THAT IS ALLOWED
 ENCRYPTION
   APPLY ENCRYPTION RULES
   ENCRYPT INTERNAL DEVICE STORAGE
 TOUCHDOWN SUPPORT
   MICROSOFT EXCHANGE SYNCHRONIZATION
   EMAIL PROFILES
   ACTIVESYNC
MDM . Extend your device security capabilities
iOS CONTROLLED 16 GROUPS ONLY

 BROWSER
   DEFAULT APP, AUTOFILL, COOKIES, JAVASCRIPT, POPUPS
 CAMERA, VIDEO, VIDEO CONF
   OUTPUT, SCREEN CAPTURE, DEFAULT APP
 CERTIFICATES (UNTRUSTED CERTs)
 CLOUD SERVICES
   BACKUP / DOCUMENT / PICTURE / SHARING
 CONNECTIVITY
   NETWORK, WIRELESS, ROAMING
   DATA, VOICE WHEN ROAMING
 SOCIAL APPS / GAMING / ADDING FRIENDS / MULTI-PLAYER
 CONTENT
   DEFAULT SOCIAL-GAMING / SOCIAL-VIDEO APPS
   CONTENT (incl. EXPLICIT)
   RATING FOR APPS / MOVIES / TV SHOWS / REGIONS
 DEVICE BACKUP AND ENCRYPTION
 DIAGNOSTICS AND USAGE (SUBMISSION LOGS)
 VOICE ASSISTANT (DEFAULT APP)
 MESSAGING (DEFAULT APP)
 ONLINE STORE
   ONLINE STORES, PURCHASES, PASSWORD
   DEFAULT STORE / BOOK / MUSIC APP
 PASSWORD (THE SAME WITH ANDROID, NEW BLACKBERRY DEVICES)
 PHONE AND MESSAGING (VOICE DIALING)
 PROFILE & CERTs (INTERACTIVE INSTALLATION)
 SOCIAL (DEFAULT APP)
 STORAGE AND BACKUP
   BACKUP / DOCUMENT / PICTURE / SHARING
MDM . Extend your device security capabilities
BlackBerry (new, 10, qnx) CONTROLLED 7 GROUPS ONLY

 GENERAL
   PERSONAL APPS ACCESS TO WORK CONTACTS
   MOBILE HOTSPOT AND TETHERING
   SHARE WORK DATA DURING BBM VIDEO SCREEN SHARING
   PLANS APP, APPWORLD
   WORK DOMAINS, WORK NETWORK USAGE FOR PERSONAL APPS
 PASSWORD (THE SAME WITH ANDROID, iOS)
 EMAIL PROFILES
 BES MANAGEMENT (SMARTPHONES, TABLETS)
 CERTIFICATES & CIPHERS & S/MIME
 SOFTWARE
   OPEN WORK EMAIL MESSAGE LINKS IN THE PERSONAL BROWSER
   TRANSFER THROUGH THE WORK PERIMETER TO THE SAME/ANOTHER DEVICE
   BBM VIDEO ACCESS TO THE WORK NETWORK
   VIDEO CHAT APP USES THE ORGANIZATION'S WI-FI/VPN NETWORK
 SECURITY
   WIPE WORK SPACE WITHOUT NETWORK, RESTRICT DEV. MODE
   VOICE CONTROL & DICTATION IN WORK & USER APPS
   BACKUP AND RESTORE (WORK) & DESKTOP SOFTWARE
   PC ACCESS TO WORK & PERSONAL SPACE (USB, BT)
   PERSONAL SPACE DATA ENCRYPTION
 NETWORK ACCESS CONTROL FOR WORK APPS
 HASH & ENCRYPTION ALGS AND KEY PARAMS
 TASK/MEMO/CALENDAR/CONTACT/DAYS SYNC
 WI-FI PROFILES
   ACCESS POINT, DEFAULT GATEWAY, DHCP, IPV6, SSID, IP ADDRESS
   PROXY PASSWORD/PORT/SERVER/SUBNET MASK
 VPN PROFILES
   PROXY, SCEP, AUTH PROFILE PARAMS
   TOKENS, IKE, IPSEC, OTHER PARAMS
   PROXY PORTS, USERNAME, OTHER PARAMS
MDM . Extend your device security capabilities
BlackBerry (old): a huge amount of permissions are MDM & device built-in

 THERE ARE 55 GROUPS CONTROLLED IN ALL
 EACH GROUP CONTAINS FROM 10 TO 30 UNITS, WHICH ARE CONTROLLED TOO
 EACH UNIT IS UNDER A LOT OF FLEXIBLE PARAMs INSTEAD OF A 'DISABLE/ENABLE & HIDE/UNHIDE' WAY
 EACH EVENT IS
   CONTROLLED BY A CERTAIN PERMISSION
   ALLOWED TO BE CONTROLLED BY SIMILAR PERMISSIONS TO BE MORE FLEXIBLE
 DESCRIBED IN 360 PAGES IN ALL, WHICH IS FOUR TIMES MORE THAN OTHER DOCUMENTS
 EACH UNIT CAN'T CONTROL ACTIVITY UNDER ITSELF
   'CREATE, READ, WRITE/SAVE, SEND, DELETE' ACTIONS IN REGARD TO MESSAGES LEAD TO SPOOFING BY REQUESTING A 'MESSAGE' PERMISSION ONLY
 SOME PERMISSIONS AREN'T REQUIRED (TO DELETE ANY OTHER APP)
 SOME PERMISSIONS ARE RELATED TO THE APP THAT A 3RD PARTY PLUGIN WAS EMBEDDED IN, INSTEAD OF TO THAT PLUGIN
ISSUES : USELESS SOLUTIONS
USEFUL IDEAS AT FIRST GLANCE, BUT INSTEAD THEY MAKE NO SENSE

 MERGING PERMISSIONS INTO GROUPS, e.g.
   'SCREEN CAPTURE, CAMERA, VIDEO PERMISSIONS' SEPARATED (BlackBerry old)
   'SCREEN CAPTURE, CAMERA, VIDEO PERMISSIONS' MERGED INTO ONE UNIT (BlackBerry new)
 SCREEN CAPTURE
   IS ALLOWED VIA HARDWARE BUTTONS ONLY
   NO EMULATION OF HARDWARE BUTTONS AS IT WAS IN OLD BLACKBERRY DEVICES
   LOCKS ONCE IN THE WORK PERIMETER, TO PREVENT SCREEN-CAPTURE LOGGERS
 OFFICIALLY ANNOUNCED SANDBOX
   MALWARE IS STILL A PERSONAL APPLICATION SUBTYPE IN TERMS OF (IN-)SECURITY
   THE SANDBOX PROTECTS ONLY APP DATA, WHILE USER DATA IS STORED IN SHARED FOLDERS
   INABILITY TO BACK UP MAKES DEVELOPERS STORE DATA IN SHARED FOLDERS
ISSUES : USELESS SOLUTIONS
USEFUL IDEAS AT FIRST GLANCE, BUT INSTEAD THEY MAKE NO SENSE

 SECURE & INSECURE APP AT THE SAME TIME
   HAS ENCRYPTED COMMUNICATION SESSIONS, AND MAY STORE CHAT CONVERSATIONS WITHOUT ENCRYPTION
   STORES SENSITIVE DATA IN PLAINTEXT (PASSWORDS, PASSPORT DETAILS, CARD INFO) AND BELIEVES IN THE POWER OF THE SANDBOX
 UPGRADE FEATURE AFFECTS EVERYTHING
   MAY UPDATE/REMOVE ANY OTHER APP – SURPRISE 
   REPACKAGES STILL HAVE ACCESS TO THE SAME DATA AS THE ORIGINAL APP
   DEBUG / NON-ORIGINAL SIGNATURE PROBLEM – THAT'S NOT A PROBLEM
 CLIPBOARD (A SECURE CLIPBOARD HAS NEVER EXISTED ANYWHERE AND MIGHT NOT EVER)
   REVEALS THE DATA IN REAL TIME BY ONE API CALL
   ACCESSIBLE BY APIs AS WELL AS FILE DATA (DEPENDS ON YOUR OS)
   NATIVE WALLETS PROTECT BY RETURNING NULL (ONLY OLD BLACKBERRY)
     WHILE ON TOP || JUST MINIMIZE OR CLOSE IT TO GET FULL ACCESS
     EVERY USER MUST MINIMIZE THE APP TO PASTE A PASSWORD
ISSUES : USELESS SOLUTIONS
USEFUL IDEAS AT FIRST GLANCE, BUT INSTEAD THEY MAKE NO SENSE

 GUI EXPLOITATION HAPPENS (OLD BLACKBERRY, ANDROID REPACKAGES)
   REDRAWING THE SCREENS (OLD BB ONLY), GRABBING THE TEXT FROM ANY FIELDs (INCL. PASSWORD FIELD)
   ADDING, REMOVING THE FIELD DATA
   ORIGINAL DATA IS INACCESSIBLE BUT NOT AFFECTED
 KASPERSKY MOBILE SECURITY PROVIDES AN INSECURITY
   NO PROTECTION FROM REMOVING .CODs & UNDER SIMULATOR
     EXAMINING THE TRAFFIC, BEHAVIOUR
     SHOULD JUST CHECK THE "IS SIMULATOR" API ONLY
   SMS MANAGEMENT VIA "QUITE" SECRET SMS (NOT ENCRYPTED, HASH ONLY)…
     THE SAME SECRET AMONG OPERATING SYSTEMS (BB, ANDROID, WINDOWS,…)
     PASSWORD IS 4–16 DIGITS, AND MODIFIED IN REAL TIME (OLD BLACKBERRY, OR ANDROID REPACKAGES)
     SMS IS HALF OF A HASH VALUE OF GOST R 34.11-94
     HASH IMPLEMENTATION USES TEST CRYPTO VALUES AND NO SALT
     TABLES (VALUE→HASH) ARE EASILY BUILT
     OUTGOING SMS CAN BE SPOOFED WITHOUT ANY NOTIFICATION, BECAUSE KMS DELETES THE SENT MESSAGES
     OUTGOING SMS COULD BLOCK/WIPE THE SAME/ANOTHER DEVICE
COMPLIANCE AND MDM

CSA Mobile Device Management: Key Components
 Device diversity
 Configuration management
 Software Distribution
 Device policy compliance & enforcement
 Enterprise Activation
 Logging
 Security Settings
 Security Wipe, Lock
 IAM
NIST-124
 Refers to NIST-800-53 and others
 Sometimes misses requirements such as locking the device, although it is in NIST-800-53
 A bit more detailed than CSA
 No statements on permission management
Makes you sure to start managing security under uncertain terms without AI 
CONCLUSION

PRIVILEGED GENERAL PERMISSIONS
 DENIAL OF SERVICE
   REPLACING/REMOVING FILES
   DOS'ing EVENTs, GUI INTERCEPT
 INFORMATION DISCLOSURE
   CLIPBOARD, SCREEN CAPTURE
   GUI INTERCEPT
   SHARED FOLDERS
   DUMPING .COD/.BAR/APK… FILES
OWN APPs, NATIVE & 3RD PARTY APPs FEATURES
 MITM (INTERCEPTION / SPOOFING)
   MESSAGES
   GUI INTERCEPT, THIRD PARTY APPs
   FAKE WINDOW / CLICKJACKING
 GENERAL PERMISSIONS INSTEAD OF SPECIFIC SUB-PERMISSIONS
 A FEW NOTIFICATION/EVENT LOGs FOR THE USER
 BUILT PER APPLICATION INSTEAD OF APP SCREENs
CONCLUSION
THE VENDOR SECURITY VISION HAS NOTHING TO DO WITH REALITY, AGGRAVATED BY SIMPLICITY

 SIMPLIFICATION AND REDUCTION OF SECURITY CONTROLS
   MANY GENERAL PERMISSIONS, COMBINED INTO EACH OTHER
   NO ACTIVITY LOGs FOR SUB-PERMISSIONS TO PROVE TRANSPARENCY
   ANY SECURITY VULNERABILITY IS ONLY FIXED BY AN ENTIRELY NEW AND DIFFERENT OS / KERNEL
   A FEW PERMISSIONs ARE CLOSE TO THE USER'S ACTIONS
 THE SANDBOX PROTECTS ONLY APPLICATION DATA
   USERS HAVE TO STORE THEIR DATA IN SHARED FOLDERS OR EXTERNAL STORAGE
   APPLICATIONS CONTINUE TO STORE DATA IN PUBLIC FOLDERs BECAUSE THEY ARE GOVERNED BY THE CHANCE OF AVAILABILITY
 MITM / INTERCEPTION ACTIONS ARE OFTEN SILENT
   THE NATIVE SPOOFING AND INTERCEPTION FEATURES
 COMPLIANCE DOES NOT EXTEND MDM CAPABILITIES – IT JUST REPEATS THEM
 THE MOST GRANULAR SECURITY (PERMISSIONS) IS RULED BY AMAZON WEB SERVICES
 PERMISSIONS SHOULD RELY ON A SET OF DIFFERENT USEFUL CASES INSTEAD OF A SPECIFIC PERMISSION LIST
Q&A
