
MOBILE SECURITY & PRIVACY ARE SET FACE TO FACE

YURY CHEMERKIN
HackMiami 2014
[ YURY CHEMERKIN ]
www.linkedin.com/in/yurychemerkin http://sto-strategy.com yury.s@chemerkin.com
- MULTISKILLED SECURITY RESEARCHER

- EXPERIENCED IN:
  - REVERSE ENGINEERING & AV, DEVELOPMENT (IN THE PAST)
  - MOBILE SECURITY, INCL. IAM, MDM, MAM, etc.
  - CYBER SECURITY & CLOUD SECURITY (INCL. IAM)
  - IAM & COMPLIANCE & FORENSICS ON MOBILE & CLOUD SECURITY
  - WRITING (STO BLOG, HAKIN9, PENTEST, eFORENSICS Magazines)

- PARTICIPATION AT CONFERENCES:
  - INFOSECURITY RUSSIA, NULLCON, ATHCON, CONFIDENCE, PHDAYS, HACKERHALTED, DEFCON MOSCOW, HACKTIVITY, HACKFEST, NOTACON, HACKMIAMI;
  - CYBERCRIME FORUM, CYBER INTELLIGENCE EUROPE/INTELLIGENCE-SEC, DEEPINTEL;
  - ICITST, CTICON, ITA, I-SOCIETY;
Forensics Capabilities on Application Data Access

- Get logins and passwords to the app
- Find geo-location of the last run
- Inspect all used or created app files
- Know exactly when the app was used
- Access to system and user apps
- Filter apps by a certain term
- Export and print selected items

App Data Example :: IM

- Chat history with individuals (including unauthorized contacts) and groups
- Contact list with photos, all fields and notes
- Sent SMS text, recipient phone number, timestamp and cost
- Complete calls information: recipient name or phone number; direction; length; time stamp and even cost
- Account details: name, address, phone numbers, e-mail, birthday and other information
- Geo-location where the action took place
DATA PROTECTION CONCEPTS
Type :: Roots

- Data-at-Rest (DAR) protection :: depends on sandbox & FS architecture
- Data-in-Use (DIU) protection :: more about the developer's imagination
- Data-in-Transit (DIT) protection :: mixes the two previous with regard to the whole device
- Data-in-Motion (DIM) protection (~DIT) :: like DIT but depends on the app
- Data-in-Action (DIA) protection (~DIU) :: OS API and the developer's imagination
- App Disablement (similar to DIU & DAR) :: rule-based policies, outside of dev activity
- Location Masking (similar to DIT/DIM) :: policies & DIM/DIT characteristics
Storing Information on device ::
iOS data-at-rest Specifics
- SQLite storage :: any type of data
- Binary cookies :: depends; usually credentials, tokens
- Keyboard Cache :: auto correction, word list counts 600
- Snapshot Storage :: any preview info, like email from banks
- File Cache :: attachments, files from clouds, etc.
- Error logs :: any data, even credentials
- iCloud :: all data backed up to cloud, even credentials
Storing Information on device ::
Android data-at-rest Specifics
Where & what it stores :: /data/data/<package>/…
- App :: analytics, dump, misc
- Cache :: up/downloaded files
- Databases :: history, chat, bank info
- Files :: attachments, crypto-keys
- Shared_prefs :: credentials, token, history
How it stores
- Shared preferences (lightweight XML format)
- Internal storage (/data/data/ + shared docs & media)
- External storage (cache, debug, db, maps)
- SQLite (DB, discussed earlier)
- Network (logs/event, datestamp, credentials)
Storing Information on device ::
BlackBerry data-at-rest Specifics
- BlackBerry Backup
  - What :: app, app data, app config, all documents, etc.
  - How :: ElcomSoft, any other tool that works with BB backup
- Shared folders
  - What :: docs, media; backup with credentials may happen
  - How :: live access, spyware; rarely encrypted
- Remotely accessed data
  - What :: device entirely plus SD card
  - How :: BB Link must authorize the PC before gaining access
- Android application data files
  - What :: cached files, any other like an Android app
  - Where :: Device/misc/android/Android/data
  - How :: like shared folders or remote access
- Misc tracks
  - Device/Misc
    - What :: misc files, backups like WhatsApp
    - How :: like shared folders or remote access
  - Device/Android (except Android data)
    - What :: any data that Android and Android apps usually store on the SD card
    - How :: like shared folders or remote access
- The rest of the data is protected unless you get access to a backup or find a way to root/jailbreak the OS
EMM FEATURES : Vendors
EMM FEATURES
MOBILE PLATFORMS SUPPORTED :: ALMOST ALL OF THEM
- iOS
- BlackBerry OS
- Windows OS
- Windows Mobile
- Windows Phone
- Windows RT
- Android OS
- Android Zoo (? not yet) :: KNOX, SAFE, LG Gate, Kindle Fire HD and Kindle Fire HDX, Nook HD and Nook HD+, smart watches / devices, tablets
[ EMM FRAMEWORK ]
EMM (Enterprise Mobile Management):
- MDM: Mobile Device Management
- MAM: Mobile Application Management
- MEM: Mobile Email Management
- MIM: Mobile Information Management
- Devices: Smartphones, Tablets

3rd Party Solutions to EMM:
- NAC: Network Access Control (Management)
- AV: Antivirus Solution
- Mobile SIEM: Log Management Solution
- DLP: Data-Leakage Prevention
- COMPLIANCE: Standards, Best-Practices, Guidelines, etc.
EMM FEATURES
EMM :: MDM
- Password protection & reset
- Remote & selective device wipe
- Remote lock
- Set VPN, Wi-Fi, APN, proxy/gateway settings
- Configuration monitoring/auditing
- Automated provisioning/enrollment
- Disable basic features (camera, Bluetooth, Wi-Fi, NFC, cellular, etc.)
- Manage mobile-attached devices (e.g. printers, scanners)
EMM FEATURES
EMM :: MAM
- Full-featured enterprise app store
- Containerization/sandboxing
- App containerization using developer SDK/toolkit, app wrapping
- Block copy/paste between apps, from email, etc.
- Restrict which apps can open a given file
- App inventory tracking / usage monitoring
- Remote desktop access to apps and data on desktop from mobile
[ EMM FRAMEWORK :: MEM SOLUTIONS ]
(Same EMM framework diagram as above: MDM, MAM, MEM, MIM, Devices; 3rd-party NAC, AV, Mobile SIEM, DLP, Compliance; repeated for the MEM solutions slide.)
[ EMM FRAMEWORK :: MIM SOLUTIONS ]
(Same EMM framework diagram as above: MDM, MAM, MEM, MIM, Devices; 3rd-party NAC, AV, Mobile SIEM, DLP, Compliance; repeated for the MIM solutions slide.)
[ MOBILE DEVICE SECURITY ENVIRONMENT ]
SPOT THE DIFFERENCE :: NO DIFFERENCE, RIGHT?
- SECURE BOOTLOADER
- SYSTEM SOFTWARE SECURITY (UPDATES)
- APPLICATION CODE SIGNING
- RUNTIME PROCESS SECURITY (SANDBOX, APIs)
- HARDWARE SECURITY FEATURES
- IN-REST PROTECTION
- IN-TRANSIT PROTECTION (SSL, TLS, VPN)
- PASSCODE PROTECTION
- CENTRALIZED APPLICATION DISTRIBUTION
- SETTINGS DELIVERY (PERMISSIONS, CONFIGURATIONS)
- REMOTE MANAGEMENT
- LOG COLLECTION
[ DEVICE MANAGEMENT ]
APPLICATION LEVEL ATTACK VECTOR

- GOALS - MOBILE RESOURCES / AIM OF ATTACK
- DEVICE RESOURCES
- OUTSIDE-OF-DEVICE RESOURCES
- ATTACKS – SET OF ACTIONS UNDER THE THREAT
- APIs – FREE TO USE
- SECURITY FEATURES
- KERNEL PROTECTION
- NON-APP FEATURES
- PERMISSIONS - EXPLICITLY CONFIGURED
- 3RD PARTY AV, FIREWALL, VPN, MDM
- COMPLIANCE
- RULES TO DESIGN IN ALIGNMENT TO…
[ DEVICE MANAGEMENT ]
LACK OF GRANULATION CONTROL

$\Delta = A \cup B \cup \Gamma \cup \Upsilon$, with $A \subset B$, $\Upsilon \subseteq B$, $\Upsilon \subset A$

$\Delta$ – set of OS permissions, $A$ – set of device permissions, $B$ – set of MDM permissions, $\Gamma$ – set of missed permissions (lack of controls), $\Upsilon$ – set of rules that must be explicitly applied to gain compliance.

$H = E + Z$, with $E \supset A \cup B$

$H$ – set of APIs, $E$ – set of APIs that interact with sensitive data, $Z$ – set of APIs that do not interact with sensitive data.

To get mobile security designed with full granularity, the set $\Gamma$ should be empty, so that $E \supseteq A \cup B$ holds instead of $E \supset A \cup B$; what matters is how close it is to empty. On the other hand, one should find out whether the assumptions $\Upsilon \subseteq B$, $\Upsilon \subset A$ are true and whether it is possible to get $\Upsilon \subseteq A$.

SET OF PERMISSIONS VS. SET OF ACTIVITIES :: EFFICIENCY IS
- TYPICAL CASE < 100%
- ABILITY TO CONTROL EACH API = 100%
- MORE THAN 1 PERMISSION PER API > 100%
- LACK OF KNOWLEDGE ABOUT POSSIBLE ATTACKS
- IMPROPER GRANULARITY
[ KNOW YOUR APPLICATIONS ]
AFFECTED PLATFORMS
[ KNOW YOUR APPLICATIONS ]
FEATURES VS PRIVACY :: BUILT-IN APP
- Contacts: 95,00%
- Calls: 93,00%
- Notes: 89,00%
- Messages: 85,00%
- Calendar: 76,00%
- Email: 73,00%
[ KNOW YOUR APPLICATIONS ]
FEATURES VS PRIVACY :: IM APP
- Facebook Messenger: 87,00%
- Viber: 87,00%
- BBM: 86,00%
- Whatsapp: 85,00%
- Hangouts: 80,00%
- Kik Messenger: 79,00%
- WeChat: 78,00%
- Skout: 76,00%
- Yahoo Messenger: 75,00%
- Lync: 61,00%
[ APPLICATION EXAMINATION ]
ONLY THOSE I HAVE TO USE EVERY DAY :: FORENSICS EXAMINATION

- Account :: PIN, Names, Status :: "74afbe19", "Yury Chemerkin", "*fly*", "@ Holiday Inn (MOSCOW)"
- Information
  - Barcode / QR history (when, what) :: "QR_CODE", "bbm:2343678095c7649723436780", "1382891450014"
  - Transferred files :: "RemotePin", "Path", "ContentType", "image/jpeg", "23436780", "/storage/sdcard0/Android/data/com.skype.raider/cache/photo_1383731771908.jpg"
  - Transferred as a JFIF file :: FFD8FFE000104A464946 ......JFIF
  - Invitations :: "Pin", "Greeting", "Timestamp", "LocalPublicKey/PrivateKey", "EncryptionKey"
  - Messages (Date, Text, …) :: "1383060689", "Gde", "Edu k metro esche, probka tut", "Park pobedy", "Aha", "А щас", "Belorusskaja", "Долго"
- Logs
  - Revealing PINs, email, device information
  - Application actions associated with application modules: *.c files, *.so, etc.
  - It helps to analyze the .apk in future
[ APPLICATION EXAMINATION ]
ONLY THOSE I HAVE TO USE EVERY DAY :: FORENSICS EXAMINATION

- Account
  - country code, phone number
  - Device Hardware Key
  - login / tokens of Twitter & Facebook
- Calls history
  - Name + internal ID
  - Duration + date and time
- Address book
  - Quantity of contacts / viber-contacts
  - Full name / Email / phone numbers
- Conversations
  - Quantity of messages & participants per conversation
  - Additional participant info (full name, phone)
- Messages
  - Date & Time
  - content of message
  - ID
[ KNOW YOUR APPLICATIONS ]
FEATURES VS PRIVACY :: SOCIAL APP
- Facebook: 83,00%
- Twitter: 81,00%
- Vkontakte: 78,00%
- Groupon: 68,00%
- SlideShare: 67,00%
- Instagram: 67,00%
- Scribd: 63,00%
- MySpace: 61,00%
- LinkedIn: 59,00%
- Pinterest: 57,00%
- Google+: 55,00%
- So.Cl: 42,00%
[ KNOW YOUR APPLICATIONS ]
FEATURES VS PRIVACY :: GEO APP
- FourSquare: 85,00%
- Yandex Maps: 76,00%
- Google Maps: 73,00%
- Trover: 69,00%
- Navitel: 64,00%
- Banjo: 62,00%
- 2GIS: 61,00%
- GeoBucket: 54,00%
- TrackMe: 51,00%
[ KNOW YOUR APPLICATIONS ]
FEATURES VS PRIVACY :: OFFICE APP
- eFax: 73,00%
- QuickOffice: 71,00%
- DocsToGo: 71,00%
- Box: 67,00%
- Dropbox: 67,00%
- Amazon Cloud Drive: 67,00%
- Yandex.Disk: 65,00%
- Mail.Ru: 65,00%
- Google Disk: 57,00%
- AsusWebStorage: 51,00%
- OneDrive: 51,00%
- Office Mobile: 51,00%
- AdobeReader: 51,00%
[ KNOW YOUR APPLICATIONS ]
FEATURES VS PRIVACY :: TRAVEL APP
- IHG: 81,00%
- SPG: 79,00%
- Hilton: 78,00%
- AnywayAnyday: 74,00%
- BlackBerry Travel: 73,00%
- Aeroflot: 73,00%
- Hilton: 73,00%
- Delta: 67,00%
- Hotels.com: 64,00%
- KLM: 64,00%
- S7: 62,00%
- United Airlines: 61,00%
- Yelp: 57,00%
- American Airlines: 56,00%
- Marriott: 56,00%
- Booking.com: 54,00%
- JetBlue: 43,00%
- Taxi (any): 31,00%
- Miles & More: 27,00%
- Lufthansa: 26,00%
- HotelByMe: 23,00%
- British Airways: 23,00%
[ APPLICATION EXAMINATION ]
ONLY THOSE I HAVE TO USE EVERY DAY :: FORENSICS EXAMINATION

- Account
  - ID, email, password
- Information
  - Loyalty (bonus) of your membership
  - all you ever type
  - Date of birth
  - Passport details
- Book/order history
  - Routes
  - Date and time
  - Bonus earning
  - Full info per each order
- Connected cards
  - Encryption? AES, 256 bit
  - On password anywayanydayanywayanyday
  - Stored in plaintext
  - Sizeof(anywayanydayanywayanyday) = 192 bit
[ APPLICATION EXAMINATION ]
ONLY THOSE I HAVE TO USE EVERY DAY :: FORENSICS EXAMINATION

- Account
  - ID, bonus card number; password not revealed
  - Other IDs & tokens
- Information
  - Date of birth
  - Passport details
  - History (airlines, city, flight number only)
  - Flight tickets, login credentials
  - Repack app and grab it
[ APPLICATION EXAMINATION ]
ONLY THOSE I HAVE TO USE EVERY DAY :: FORENSICS EXAMINATION

- Account
  - ID, password
  - Loyalty (bonus) card number
- Information
  - Not revealed (tickets, history or else)
  - Repack app
[ APPLICATION EXAMINATION ]
ONLY THOSE I HAVE TO USE EVERY DAY :: FORENSICS EXAMINATION

- Account
  - ID; however, the password is encrypted
- Information
  - Loyalty (bonus) of your membership, program name :: 901***** \\ Skymiles
- Flight
  - confirmations, departure time, flight # :: GCXXXX || 0467 || 2013-11-07T12:40:00+04:00 || DL90
  - "checkedIn": "false", "seatNumber": "09B"
  - Issued date, ticket # :: "2013-10-26T15:37:00-04:00", 006xxxxxxxxxxx
  - Airports :: SVO / "Sheremetyevo Arpt", JFK / "John F Kennedy International", NYC / "New York-Kennedy" …
[ KNOW YOUR APPLICATIONS ]
FEATURES VS PRIVACY :: BANK APP
- RBK Money: 22,00%
- Yandex Money: 17,00%
- Megafon Money: 17,00%
- Paypal: 16,00%
- Mail.Ru Money: 15,00%
- Qiwi: 14,00%
- Sberbank: 6,00%
- AlfaBank: 4,00%
- Raiffeisen: 4,00%
- RSB: 4,00%
- Citibank: 3,00%
- Tinkoff: 3,00%
[ APPLICATION EXAMINATION ]
ONLY THOSE I HAVE TO USE EVERY DAY :: FORENSICS EXAMINATION

- Account
  - Phone number
  - Password, secret code weren't revealed
  - Trace app, find the methods that use it
  - Repack app and have fun
  - No masking of data typed
- Information
  - Amount
  - Full info in history section (incl. info about who receives money)
- Connected cards
  - Encryption? No
  - Bank cards :: masked card number only
  - Qiwi Bank cards :: full & masked number; CVV/CVC; all other card info
[ KNOW YOUR APPLICATIONS ]
PRIVACY LEAKAGE :: % OF DATA LEAKAGE
- In-the-Memory: 95,00%
- In-the-Transit: 71,00%
- In-the-Rest: 57,00%
[ KNOW YOUR APPLICATIONS ]
FORENSICS APPLICATION EXAMINATION :: EXCITING FAILS

App Type / Protection | In-Rest | In-Memory | In-Transit
built-in apps | Plain-Text | Plain-Text | Rarely Encrypted
IM apps | Plain-Text | Plain-Text | Weak Encryption or SSL
Social apps | Plain-Text & rarely store smth | Plain-Text | Best case - SSL/HTTPS
Geo apps | Plain-Text | Plain-Text | Best case - SSL/HTTPS
Office apps | Plain-Text | Plain-Text | SSL/HTTPS
Travel apps | Best case - weak encryption | Plain-Text | Partially Encrypted
Bank apps | Rarely store smth & good encryption | Plain-Text | Encrypted
EMM FAILS :: MAM

- PACKAGED/WRAPPED APPLICATIONS
- QUANTITY OF APPLICATIONS CHALLENGE (OBVIOUSLY > 100)
- COOPERATION WITH APPLICATION VENDOR
- SEPARATION OF PERSONAL, WORK, AND SUSPICIOUS APPS
- SERIOUS DIFFERENCES IN APP INTERFACES PER OS FOR THE SAME APP
- VPN
- ENCRYPTION
- ACCESS RESTRICTION (GEO, CREDENTIALS)
EMM FAILS :: MIM

- LACK OF FILE-TYPE MANAGEMENT
- LACK OF STORAGE SERVICES' MANAGEMENT
- LACK OF DEVICE FILES' MANAGEMENT
- LACK OF VENDOR SUPPORT
- NEED OF ROOT ACCESS TO THE DEVICE IN CERTAIN CASES
- MOBILE OS INCAPABILITY TO BE INTEGRATED WITH MIM SOLUTIONS
EMM :: WHO IS GOOD FOR WHAT?
- AirWatch: an MDM and MAM specialist that helped Lowes deploy and manage iPhones
- App47: offers a platform that allows enterprises to deploy their own app stores (hot opportunity alert)
- AppBlade: supports application deployments and management across iPhone, iPad, BlackBerry and Android platforms
- AppCentral: also helps enterprises to develop app stores
- BlackBerry (BES/Fusion): good for MDM, partially MIM & MAM; supports all mobile OS
- MaaS360: good together with BlackBerry
- Kony: has a platform that allows partners to build enterprise app stores for customers
- MobileIron: focused heavily on MDM
- Nukona: another provider of enterprise app store technology
- Partnerpedia: the former builder of channel partner communities; now focused on private-labeled app stores
- WorkLight: now owned by IBM; focused on mobile development tools, middleware and management
- Terria Mobile: offers a platform for app management
- Good Technology: supports application deployments and management across modern OS
GENERAL REMEDIATION / ISSUES
iOS, Android and BlackBerry apps have the same behavior & logic issues:

- Insecure Data Storage
- Poor AAA (Authentication, Authorization, Accounting)
- Log Leakage
- Weak Cryptography & Communication Protection
- Sensitive Information Disclosure
ANDROID SPECIFIC REMEDIATION

- Call the 'setStorageEncryption' API for locally stored files (new Android OS v4+)
- Encrypt externally stored files on SD card or cloud (any OS)
- Avoid 'MODE_WORLD_READABLE' unless it is really needed
- Avoid hardcoded and debug tracks as much as possible (the app is easy to decompile)
- Add extra protection beyond the OS (encryption, wiping, etc.)
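An added example, not code from the talk, putting the 'MODE_WORLD_READABLE' and debug-log points beside their hardened form and adding the 'setStorageEncryption' check; the class and method names are this example's own, and it assumes an Android Context plus a device-admin ComponentName that declares the uses-encrypted-storage policy.

```java
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.content.SharedPreferences;
import android.util.Log;

// Hypothetical helper; names are this example's own, not from the talk.
public final class CredentialStore {
    private static final String PREFS = "session";
    private static final String TAG = "CredentialStore";

    // Weak: world-readable prefs land in /data/data/<package>/shared_prefs/
    // as plain XML that any other app on the device can open, and the token
    // is echoed into logcat. (MODE_WORLD_READABLE is deprecated since API 17
    // and throws SecurityException from API 24.) Kept only for contrast.
    @SuppressWarnings("deprecation")
    static void saveTokenWeak(Context ctx, String token) {
        SharedPreferences p = ctx.getSharedPreferences(PREFS, Context.MODE_WORLD_READABLE);
        p.edit().putString("token", token).apply();
        Log.d(TAG, "saved token " + token); // debug track that leaks the secret
    }

    // Hardened: MODE_PRIVATE keeps the file inside the app sandbox, and the
    // log line carries no secret material.
    static void saveToken(Context ctx, String token) {
        SharedPreferences p = ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE);
        p.edit().putString("token", token).apply();
        Log.d(TAG, "session token stored");
    }

    // "Call setStorageEncryption": check whether internal storage is already
    // encrypted before asking for it. Enabling it requires a device-admin
    // component with the <uses-encrypted-storage/> policy, and the user still
    // confirms through the system UI. Returns true when encryption is active
    // or activating; false means the app must add its own layer.
    static boolean ensureStorageEncryption(Context ctx, ComponentName admin) {
        DevicePolicyManager dpm =
            (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        int status = dpm.getStorageEncryptionStatus();
        if (status == DevicePolicyManager.ENCRYPTION_STATUS_UNSUPPORTED) {
            return false; // hardware/OS cannot encrypt at all
        }
        if (status == DevicePolicyManager.ENCRYPTION_STATUS_ACTIVE) {
            return true;
        }
        int requested = dpm.setStorageEncryption(admin, true);
        return requested == DevicePolicyManager.ENCRYPTION_STATUS_ACTIVATING
            || requested == DevicePolicyManager.ENCRYPTION_STATUS_ACTIVE;
    }
}
```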
iOS SPECIFIC REMEDIATION

- Never store credentials on the phone file system; use an API or web scheme instead
- Define when the encryption signature doesn't matter, else avoid it
- Use the protection mechanisms implemented in iOS…
- But … add an extra protection layer beyond OS protection in case of jailbreak
- Use any API and protection mechanisms properly, but never default settings
- Don't forget to encrypt SQL databases


MAM SPECIFICS
APP WRAPPING :: ADVANTAGES
- Is a secure bubble around each corporate application and its associated data
- Helps in creating an encrypted space, or folder, into which applications and data may be poured
- Newer, more granular approach in which each app is enclosed in its own encrypted policy wrapper, or container
- Allows administrators to tailor policies to each app
- Small vendors with proprietary approaches dominate the market, like Symantec
MAM SPECIFICS
APP WRAPPING :: DISADVANTAGES
- Binary/source application modification
- Implementation of missing features
- Interception of API & other call-methods
- Tech limits of the wrapper approach
  - Preinstalled & built-in apps
  - Access to binary code depends on OS
- Org limits of the wrapper approach
  - License limitation
  - Consuming mobile device resources to gather information
  - Many app-agents & app-agent management
Q&A
