HackerHalted Yury Chemerkin 2014


Mobile Hacking

EMM Limits & Solutions


[ YURY CHEMERKIN ]
• MULTISKILLED SECURITY RESEARCHER
• WORKS FOR ADVANCED MONITORING
• EXPERIENCED IN:
– REVERSE ENGINEERING & AV, DEVELOPMENT (IN THE PAST)
– MOBILE SECURITY & CLOUD SECURITY
– IAM, COMPLIANCE, FORENSICS
– PARTICIPATION & SPEAKING AT MANY CONFERENCES
AGENDA
• Wild Animals :: < Facts about insecurity of Mobile Apps >

• Wild Tools :: < Forensics Tools, Data/Backup Tools >

• Wild Security Concepts :: < Data Protection Concepts, Best Practices >

• Wild Environment :: < OS: iOS, Android , BlackBerry, WinRT >

• State of Facts :: < Application Security Examination >

• Wild Security Solutions :: < OS Security, EMM Solutions >

• Recommendations :: < MAM, Development Advice, etc. >

• Other Salvation Ideas :: < BlackPhone >


Forensics Capabilities
DATA PROTECTION CONCEPTS
• Data-at-Rest (DAR) protection

• Data-in-Use (DIU) protection

• Data-in-Transit (DIT) protection

• Data-in-motion (DIM) protection (~DIT)

• Data-in-action (DIA) protection (~DIU)

• App Disablement (~ DIU & DAR)

• Geo-fence (~ DIT & DIM)


Data-at-Rest (DAR): iOS
• SQLite storage
– any type of data
• Binary cookies
– varies; usually credentials and tokens
• Keyboard cache
– autocorrection dictionary; the word list holds 600 entries
• Snapshot storage
– the screen image taken when an app is backgrounded: any preview info, e.g. an email from a bank
• File cache
– attachments, files from clouds, etc.
• Error logs
– any data, even credentials
• iCloud
– all app data backed up to the cloud, even credentials
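Binary cookies deserve a parser of their own, since that is where session tokens tend to sit. The following is an added example, not material from the talk: a minimal reader for the Cookies.binarycookies layout used by iOS apps, plus a writer that produces a constructed sample so the reader can be exercised offline. The field layout follows the format as described by public readers of the file; the fields those readers leave as unknown are assumed to be zero and the trailing checksum is not parsed. The sample cookies, the `.bank.example` domain and the `SENSITIVE_NAME` heuristic are inventions of this example.

```python
import re
import struct
from datetime import datetime, timedelta, timezone

MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)  # cookie dates are seconds since the Cocoa epoch
HEADER_LEN = 56                                        # fixed part of a cookie record; NUL-terminated strings follow
FLAG_SECURE, FLAG_HTTPONLY = 1, 4


def _cstr(rec: bytes, offset: int) -> str:
    """NUL-terminated string inside a cookie record; offset is relative to the record start."""
    return rec[offset:rec.index(b"\x00", offset)].decode("utf-8")


def parse_binarycookies(blob: bytes) -> list:
    """Parse a Cookies.binarycookies blob into a list of cookie dicts."""
    if blob[:4] != b"cook":
        raise ValueError("not a binarycookies file")
    (num_pages,) = struct.unpack(">I", blob[4:8])                        # file header is big-endian
    sizes = struct.unpack(">%dI" % num_pages, blob[8:8 + 4 * num_pages])
    pos, cookies = 8 + 4 * num_pages, []
    for size in sizes:
        page = blob[pos:pos + size]
        pos += size
        if page[:4] != b"\x00\x00\x01\x00":
            raise ValueError("bad page header")
        (count,) = struct.unpack("<I", page[4:8])                        # page contents are little-endian
        for off in struct.unpack("<%dI" % count, page[8:8 + 4 * count]):
            rec = page[off:]
            # size, unknown, flags, unknown, then offsets of the domain/name/path/value strings
            _size, _, flags, _, d_off, n_off, p_off, v_off = struct.unpack("<8I", rec[:32])
            expires, created = struct.unpack("<dd", rec[40:56])          # bytes 32..39: all-zero end of header
            cookies.append({
                "domain": _cstr(rec, d_off), "name": _cstr(rec, n_off),
                "path": _cstr(rec, p_off), "value": _cstr(rec, v_off),
                "secure": bool(flags & FLAG_SECURE), "httponly": bool(flags & FLAG_HTTPONLY),
                "expires": MAC_EPOCH + timedelta(seconds=expires),
                "created": MAC_EPOCH + timedelta(seconds=created),
            })
    return cookies


def build_binarycookies(cookies: list) -> bytes:
    """Inverse of the parser, used only to produce a constructed sample (one page holding all cookies).
    Fields that public readers treat as unknown are written as zero; the trailing checksum is zeroed too."""
    records = []
    for c in cookies:
        fields = [s.encode("utf-8") + b"\x00" for s in (c["domain"], c["name"], c["path"], c["value"])]
        offsets, pos = [], HEADER_LEN
        for f in fields:
            offsets.append(pos)
            pos += len(f)
        flags = (FLAG_SECURE if c["secure"] else 0) | (FLAG_HTTPONLY if c["httponly"] else 0)
        dates = struct.pack("<dd", (c["expires"] - MAC_EPOCH).total_seconds(),
                            (c["created"] - MAC_EPOCH).total_seconds())
        records.append(struct.pack("<8I", pos, 0, flags, 0, *offsets) + b"\x00" * 8 + dates + b"".join(fields))
    rec_offsets, pos = [], 4 + 4 + 4 * len(records) + 4
    for r in records:
        rec_offsets.append(pos)
        pos += len(r)
    page = (b"\x00\x00\x01\x00" + struct.pack("<I", len(records))
            + struct.pack("<%dI" % len(records), *rec_offsets) + b"\x00\x00\x00\x00" + b"".join(records))
    return b"cook" + struct.pack(">II", 1, len(page)) + page + b"\x00" * 8


# Constructed sample (not a real capture): a session cookie and a harmless preference cookie.
SAMPLE_COOKIES = [
    {"domain": ".bank.example", "name": "session_token", "path": "/", "value": "eyJhbGciOiJub25lIn0.e30.",
     "secure": True, "httponly": True,
     "expires": datetime(2015, 1, 1, tzinfo=timezone.utc), "created": datetime(2014, 10, 1, tzinfo=timezone.utc)},
    {"domain": ".bank.example", "name": "lang", "path": "/", "value": "en",
     "secure": False, "httponly": False,
     "expires": datetime(2016, 1, 1, tzinfo=timezone.utc), "created": datetime(2014, 10, 1, tzinfo=timezone.utc)},
]
SENSITIVE_NAME = re.compile(r"sess|token|auth|sid|login", re.IGNORECASE)  # heuristic, an assumption of this example


def sensitive_cookies(cookies: list) -> list:
    """Names of cookies that look like bearer credentials and should be reported as such."""
    return [c["name"] for c in cookies if SENSITIVE_NAME.search(c["name"])]


if __name__ == "__main__":
    jar = parse_binarycookies(build_binarycookies(SAMPLE_COOKIES))
    for c in jar:
        print(f'{c["domain"]}\t{c["name"]}\tsecure={c["secure"]}\thttponly={c["httponly"]}\texpires={c["expires"]:%Y-%m-%d}')
    print("credential-like cookies:", sensitive_cookies(jar))
```

Run it against a real jar by replacing the constructed blob with the bytes of a Cookies.binarycookies file pulled from an app container; a cookie that carries a session value but is neither Secure nor HttpOnly is the finding to report.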
Data-at-Rest (DAR): Android
• Where & what is stored :: /data/data/<package>/…
– App :: analytics, dumps, misc
– Cache :: uploaded/downloaded files
– Databases :: history, chat, bank info
– Files :: attachments, crypto keys
– Shared_prefs :: credentials, tokens, history
• How it is stored
– Shared preferences (lightweight XML format)
– Internal storage (/data/data/ plus shared docs & media)
– External storage (cache, debug, DB, maps)
– SQLite (DB, discussed earlier)
– Network (logs/events, datestamps, credentials)
Data-at-Rest (DAR): BlackBerry
• BlackBerry Backup
– What :: app, app data, app config, all documents, etc.
– How :: ElcomSoft, or any other tool that works with BB backups
• Shared folders
– What :: docs, media; backups containing credentials may happen
– How :: live access, spyware; rarely encrypted
• Remotely accessed data
– What :: the device entirely plus SD card
– How :: BB Link; the PC should be authorized before gaining access
• The rest of the data is protected unless you get access to a backup or find a way to root/jailbreak the OS
• Android application data files
– What :: cached files, anything else an Android app stores
– Where :: Device/misc/android/Android/data
– How :: like shared folders or remote access
• Misc tracks
– Device/Misc
• What :: misc files, backups like WhatsApp
• How :: like shared folders or remote access
– Device/Android except Android data
• What :: any data Android and Android apps usually store on the SD card
• How :: like shared folders or remote access
– Not all Android app data is found on these paths (!)
Data-at-Rest (DAR): WinRT
• <Local>
– Data that exists on the current device and is backed up in the
cloud.
• <Roaming>
– Data that exists on all devices on which the user has installed
the app.
• <Temporary>
– Data that could be removed by the system at any time.
• <Localcache>
– Persistent data that exists only on the current device.

• If your app is removed, these data stores are deleted.


Data-in-Use (DIU): All OS
• Data-in-Use (DIU)
– Partial vendor code obfuscation
– Custom tools for code obfuscation (WinRT)
– At some point all data appears in plaintext in memory (a user can't read encrypted text)
• Data-in-action (DIA)
– Clipboard & screenshot activities are restricted while the phone is enrolled in an enterprise policy
– Clipboard & screenshot activities are usually disabled for all applications
Data-in-Transit/Motion (DIT/DIM): All OS
• Data-in-Transit (DIT)
– HTTP/HTTPS
– POST/GET, REST API
– JSON, SOAP, XML
– Gzip, Base64
– WebViews
– Custom connection schemes & custom P2P
• Data-in-motion (DIM)
– Network encryption wrappers
– Network policy wrappers
– App-level VPNs
– Other corporate tooling
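The wrappers in the DIT list stack: a captured body is often JSON, gzipped, then base64-encoded, and an intercepting proxy shows only the outer layer. The following is an added example, not code from the talk: it peels gzip/zlib/base64 layers off a captured body until JSON parses and walks the result for credential-looking keys, masking the values so the report itself does not leak them. The key-name heuristic and the sample bodies (a constructed travel-app login POST, not a real capture) are assumptions of this example.

```python
import base64
import binascii
import gzip
import json
import re
import zlib

# Key names that usually carry secrets in app traffic (heuristic list, an assumption of this example).
SENSITIVE_KEY = re.compile(
    r"pass(word|wd)?|pwd|secret|token|auth|session|cvv|card_?number|login|\bpin\b", re.IGNORECASE
)


def mask(value: str) -> str:
    """Keep two characters at each end so a finding can be matched to a capture without logging the secret."""
    return "*" * len(value) if len(value) <= 4 else value[:2] + "*" * (len(value) - 4) + value[-2:]


def peel(body: bytes, max_layers: int = 6):
    """Strip gzip / zlib / base64 wrappers from a captured body until a JSON object or array parses.
    Returns (parsed_json, layers_removed); parsed_json is None when nothing parsed."""
    layers, data = [], body
    for _ in range(max_layers):
        if data[:2] == b"\x1f\x8b":                      # RFC 1952 gzip member
            data = gzip.decompress(data)
            layers.append("gzip")
            continue
        if data[:1] == b"\x78":                          # likely raw zlib stream (78 01 / 78 9c / 78 da)
            try:
                data = zlib.decompress(data)
                layers.append("zlib")
                continue
            except zlib.error:
                pass
        text = data.strip()
        try:
            obj = json.loads(text.decode("utf-8"))
            if isinstance(obj, (dict, list)):
                return obj, layers
        except (UnicodeDecodeError, ValueError):
            pass
        try:                                             # base64 in the standard or URL-safe alphabet
            alt = b"-_" if (b"-" in text or b"_" in text) else None
            decoded = base64.b64decode(text, altchars=alt, validate=True)
        except (binascii.Error, ValueError):
            return None, layers
        if not decoded:
            return None, layers
        data = decoded
        layers.append("base64")
    return None, layers


def find_secrets(obj, path="$"):
    """Walk decoded JSON and yield (json_path, masked_value) for keys that look like credentials."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            sub = f"{path}.{key}"
            if SENSITIVE_KEY.search(str(key)) and isinstance(val, (str, int)) and not isinstance(val, bool):
                yield sub, mask(str(val))
            yield from find_secrets(val, sub)
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            yield from find_secrets(val, f"{path}[{i}]")


def scan_body(body: bytes) -> dict:
    """Report which wrappers were removed and which credential-like fields the body carried."""
    obj, layers = peel(body)
    return {"layers": layers, "secrets": list(find_secrets(obj)) if obj is not None else []}


# Constructed samples (not real captures): a login/payment POST wrapped JSON -> gzip -> base64,
# and a smaller body wrapped in a raw zlib stream.
SAMPLE_PLAINTEXT = {
    "login": "user@example.com",
    "password": "hunter2",
    "cardNumber": "4111111111111111",
    "cvv": "123",
    "session": {"token": "eyJhbGciOiJub25lIn0.e30."},
    "device": {"model": "iPhone6,1", "os": "7.1.2"},
}
CAPTURED_BODY = base64.b64encode(gzip.compress(json.dumps(SAMPLE_PLAINTEXT).encode("utf-8")))
CAPTURED_BODY_ZLIB = zlib.compress(b'{"token":"abcdef"}')

if __name__ == "__main__":
    result = scan_body(CAPTURED_BODY)
    print("wrappers removed:", " -> ".join(result["layers"]))
    for json_path, masked in result["secrets"]:
        print(f"  {json_path}: {masked}")
```

Feed it request and response bodies exported from the proxy; bodies that never reach JSON (custom binary schemes, the "custom connections" bullet above) come back with empty results and need a format-specific decoder instead.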
Geo-fence/App Disablement: All OS
• Enterprise app disablement depends on the custom capabilities of the EMM
• iOS
– Can restrict geo-location per app or service
– No "all-in-one" option to restrict geo-location for all apps/services
• BlackBerry
– Can restrict geo-location per app or service
– Has an "all-in-one" option to restrict geo-location for all apps/services
– Can't restrict geo-location for Android apps (probably possible in future)
• Android
– Can't manage permissions per app separately, except on Firefox OS
– No "all-in-one" option to restrict geo-location for all apps/services
• WinRT
– Can restrict geo-location per app
– "Flight mode" is a kind of "all-in-one" option, blocking any connection
Examination :: What
Examination :: How
Results :: Notes
• Researched cross-platform apps updated within one month before the HH event; some may be
– not available for download, or not the latest version, due to country restrictions
– not available for all platforms
– not using an analytics SDK such as Flurry or similar
• Any app data presented here is
– also stored in shared folders where possible and needed for an export feature (e.g. BlackBerry)
– present in memory as-is at least once
• you can do anything at run-time, even repack an application and install it on the device
– stored locally when an Android app runs on any Android-based OS
– stored in the iOS keychain without additional encryption
– transferred via HTTPS or HTTP without any additional protection
• may be subject to a simple MITM attack via proxy tools, except
– native services of iOS, BlackBerry, the Google & Windows markets
– most native BlackBerry apps and apps like Yandex Disk, Dropbox, Evernote
– stored in the snapshot folders on iOS when the user backgrounds the app
• by default developers never turn this feature off, even for bank apps
• apps that have this feature disabled are highlighted additionally
[ Results :: 4talk ]
• Phone Number
• Login ([email protected])
• SMS code
• Https Auth (login, pass)
• Device Model
• Device Type
• Message
– From/to ID
– Time
– Body
– Device-type + OS
• Avatars
• Addressbook (Name,Phone,Email)
• 4talk vCards
• Jabber client
• Log-file stored locally contains all network sessions (see above)
[ Results :: Whatsapp ]
• Account
– country code, phone number
– pw.dat – seems encrypted; definitely not a token
– Facebook login / tokens were not revealed
– Avatars :: [email protected] (JFIF)
• Address book
– No address book records were revealed…
– Check the log file and find these records there (!)
• Messages
– Date & time
– content of message
– ID :: [email protected]
– Attachments (as is)
[ Results :: Viber ]
• Account
– country code, phone number
– Device hardware key
– login / tokens of Twitter & Facebook
• Call history
– Name + internal ID
– Duration + date and time
• Address book
– Quantity of contacts / Viber contacts
– Full name / email / phone numbers
• Messages
– Conversations
– Quantity of messages & participants per conversation
– Additional participant info (full name, phone)
– Date & time
– content of message
– ID
– Attachments & preview (as is)
– Voice messages
– Media
• Snapshots (iOS only)
– Snapshot of active chat
• Stored locally
– Common paths to stored data refer to known environments … like %Documents%, %AppFolder%
[ Results :: Facebook & FB Messenger ]
• Media
– User images/avatars (first of all, of those who are on Messenger/chat)
– Snapshot of app screen (iOS only)
– Pic/avatar URL
– Image cache (.jfif)
• Conversation
– Thread ID, name, date & time
– Quantity of messages
– Message / body
– ID of sender/recipient
– Status :: unread/archived/can reply
• Account
– Tokens, incl. private
– Lots of configs
– Numeric ID of account (100001827345335.plist)
– Address book / synchronized
– Full name, email, phone number
• Users
– User ID, user name, user nickname
– Has a mobile messenger? Is a friend?
– Email
• FB Messenger
– configs
– User phone number
– Friend avatars
– Credentials found in traffic
• Username & password
• For the rest of the interaction, token only
[ Results :: Connect ]
• Device Info
– Device ID, Version
– Carrier
– System name (OS)
– Platform, Model
– Orientation
• User/Credentials
– Connect username
– FB token incl. private token
– FB permissions (groups, photo, geo, friend_checkins, email, basic info, friend all info, birthday)
– email
• Credentials
– Nothing revealed
• Captured in traffic
– FB token from iOS
– Lots of analytics trackers (device root/jail type, device environment, network + carrier type, etc.)
– Has TestFlight (testflightapp) analytics too
– Raw data (maps, event, history, etc.)
[ Results :: Cloack ]
• Media
– Snapshots
– PNG map shots of friends
• User/Credentials found locally
– FB token
– FB permissions (public profile, user friends, friend photos, stream, geo, friend_checkins, email, basic info, friend all info, birthday)
• Credentials found in traffic
– FB token grabbed from iOS
– 4square token grabbed from the 4square app
– Login, password, tokens from Twitter, because Cloack performs the 'login' action via Safari
– Login, password, tokens from Instagram, because Cloack performs the 'login' action via Safari
[ Results :: IFTTT ]
• Recipes (local & traffic)
– What to do (create a link in an Evernote notebook, post to Facebook, etc.)
– Numeric ID & text name of recipes
– Source link, headline of 'news'
– Location notification for iOS if you leave/enter an area – postal code, street, city
– Public ID of social profile URLs
– Internal ID/tokens (?) of storages like Dropbox
• Credentials captured in traffic
– Username, password, tokens
– Credentials when assigning new services
– Full recipe details belonging to the different services, like a folder in Dropbox, etc.
[ Results :: Vkontakte ]
• Media
– Snapshots
• Messages
– time
– Conversations
– Attachment info, URL
• Friends
– Full name
– Profile URL, avatar
– Birthday
– Misc tokens (?)
• Credentials
– Nothing revealed
• Data-in-Transit
– Uploading attachments in plaintext (all platforms)
– Sending messages in plaintext (iOS only)
– Android has a feature 'allow https connections' that is turned off by default
– iOS doesn't provide the https feature
[ Results :: Linkedin ]
• Media
– Snapshots
– Cached friend avatars
• Notifications
– Date and time
– View profile + quantity
– Invitation request/acceptance
– Endorsed (by whom) for skills
– Full name of actor
• Friends
– Search request per each contact record from your address book
– Full name, company are the result of the search
– Profile friend URL + avatar URL
– Level of connection (1st, 2nd, 3rd)
• Connections
– Full name, ID, avatar
– Email, phone, birthday if available
– Latest three job positions
– Job title
– Profile info (summary, skills, etc.)
• Profile
– Full name + user ID, Twitter ID
– Picture URL
– Job title
• Configs
• What is captured in traffic
– Login, password, token
– Address book
– Mails, news …
– … and everything mentioned above
[ Results :: 4square/swarm ]
• Media
– Snapshots
– PNG map shots of friends & check-ins
– Uploaded photos via app on check-in event
• User/Credentials
– Search request info by name/location/etc.
– Likes, comments + friend username per check-in
– Badges + description and who unlocked them
• Credentials captured in traffic
– Username & password on first registration
– Password on 'change password' event
– Tokens to access foursquare & swarm
– Swarm grabbed most data from 4square
[ Results :: Instagram ]
• Profile info
– Friend profile URL + full name + photo
– Twitter user name
– FB permissions – publish stream
– FB token key & expiration
– Login name
• Actions
– Comments & profile name of those who comment on a photo
– Cache of uploaded photos plus date & time
– Stored on Amazon S3
• Network (in-transit)
– Profile name + URL
– Friends' name + URL
– Upload / download photos
– Comments
– Seems everything except credentials
– Username, password, FB token
– Address book, tokens
– Photo & video stream
[ Results :: Aeroexpress ]
• Account & Credentials (traffic, locally)
– Register key (traffic only)
– User UID (locally only)
– Device ID (traffic only)
– Email address = login
– Password (locally on Android & iOS)
– Phone number
• Products (locally & traffic)
– Ticket number & QR ticket
– How to use the e-ticket
– What time the train departs & arrives
• Payment info (traffic, locally on Android & iOS)
– Full name
– Card number
– Expiration date
– CVV (only in traffic)
• Many analytics libraries
[ Results :: App-in-the-Air ]
• Account & Credentials
– FB token & numeric username, nickname/login
– OAuth secret token
– FB permissions
• Edu / work history, basic info, public profile, email, user geo, friends, about_me
– Twitter token/secret, Twitter OAuth
– Twitter nickname/login
• Some extra data encoded in base64 (probably Flurry libraries) ::
– jailbroken/rooted, vendor ID, install ID, OS info
• Data
– Flight info (port/gate, airline, flight # per departure / arrival place)
– Miles per flight
– Delay status (low, moderate, high)
– Date & time of the latest info per terminal
• User full name / email; trip info (login, username, email)
• Device info
– Device ID, version, carrier, system name (OS), platform, model
[ Results :: AnywayAnyday ]
• Credentials
– Login, Password, token
– userID, userProfileID, passenger ID
• Loyalty
– Bonus level
– Loyalty id & types
• Geo – suggestions for looking up the nearest airports
• Payment – card number, owner name; CVV is not requested (cards are stored locally only)
• Orders details
– OrderID, orderNumber, date of order, status (canceled/captured)
– Route, depart &arrival dates, price & currency, bonus points
– ScoreForOrder, payment method, ticket number
– trip gate, airline, geo location of cities, stopovers,
• Passport
– Passport number & expiration, document type, gender, Name, nationality, birthdate, age
• Everything found locally and captured in traffic
[ Results :: British Airways ]
• Account
– ID is locally stored
– Password (Android only, in captured traffic)
• Loyalty (locally & traffic)
– card number, card & membership expiration
– Loyalty bonuses
• Device info – OS & version (in captured traffic)
• Customer Info
– UID, Birthday, preferred email, plus see “Loyalty”
• Recent transaction (locally & traffic)
– Booking ref, bonus balance per transaction, date
• Tracked Flights Info (iOS)
• Full Name (iOS), Email (iOS)
• Cached images with exif (like NY SkyBridge) if you have stopover there or it’s your
arrival/departure city
[ Results :: Aeroflot ]
• Number user ID (network), Login
• Session IDs (local only)
• Password (local only)
• Password (Network) – salted hash, PBKDF2 alg
• Flight – no info, because I haven't used this app in the last year
• Loyalty ID
• Date of birth
• Phone number
• Passport details
– Number
– Expiration
– Type
– Bonuses activity history (amount, day, activity info like store, flight – incl. airports codes)
• All passport info (not only travel data)
• Home address (network & local), even though you never typed it!
• Work address (network & local), even though you never typed it!
• Company name and job title
[ Results :: Delta ]
• Login ID, Password, Name, Birthday, gender, username
• Loyalty
– ID, Bonus balance, Expiration date
– Phone, Home address, Email
• Payment
– Alias name per card
– Last 4 digits, payment system (Visa, American Express)
• Passport data
– Number, program name, Expiration date
• Flight
– Absolutely detailed information (traffic)
– Barcode stored locally in base64
[ Results :: Booking.com ]
• Account & Credentials
– Crash analytics UID
– Email/login info
• Media
– Cached hotel images
– Upload one to Google Image Search, push the search button, and get the hotel info (!)
• Device OS + version, session ID – stored locally, plus some extra data encoded in base64 (probably Flurry libraries) ::
– jailbroken/rooted, vendor ID, install ID, OS info
• Device OS & version, carrier name, device token, auth token, FB ID, hashed user ID & password
• Last searches (full details) stored locally and captured in traffic
• UID, phone, name, email, city, login, password, longitude & latitude, network type, device ID
• No reservation info – nothing booked yet
[ Results :: IHG ]
• Reservation (local & network)
– Reservation ID, Status (confirmed or another one), Check-in & Check-out Time
– Hotel Code & Hotel Image URL, Address & Phone & Name, Country Code & Country
Name, Latitude & longitude
– Number of Rooms / Adults / Children, Guest Last Name / No info about optional guest
(2nd guest, etc.)
• Misc (local)
– Flurry UID, Platform ID
• Device ID, Version, Carrier, System name (OS), Platform, Model
• Cached (local)
– Geo data - city, street, country, postal code, lat & lng
– Room Facilities, Hotel Info (see previous) , Room/Hotel photos (JFIF)
• loyaltyID, loyalty balance, phone number, home address, Name, email, Room preferences,
• last 4 card digits, payment system (visa), encrypted card number & exp.date
• Encryption key is a kind of token (local & network),
• Login & password are captured in traffic
[ Results :: Lufthansa ]
• Lufthansa
– Account
• ID, bonus card number; no password stored in plaintext was revealed
• Session ID, secret token & expiration date, encrypted login & password (local & network)
– Information
• Date of birth
• Passport details
– History (airlines, city, flight number only)
• Miles & More
– ID; M&M inbox email stored as .PDF locally & captured as HTML in traffic
– Customer, home address, birthday, card # (both locally & in traffic)
– Name, award miles, activity history (see Lufthansa) (both locally & in traffic)
– M&M number and PIN captured in traffic
[ Results :: Yandex Disk ]
• Locally
• Network
– Warns on a simple MITM attack like proxy tools that decrypt SSL
– Flurry & Yandex analytics (not yet examined)
– Client ID, secret, password, token, name, UID
– Storage quota, used size, available size, avatar
[ Results :: Dropbox ]
• Logs
– iOS version as the log file name
– Settings like upload_over_cell or geofence_state
– User_id (numeric)
– Perms like "permission.photos.granted"
– Extension
– Connection time – WiFi, cellular
– Size
– Download info (started, finished, failures)
– Device ID
• Uploads
– Images, resized images
– Other files as is (even .cpp)
– Cached PDF as separate JPG pages
• Media
– Snapshots (iOS only), profile photo
• Credentials
– Nothing revealed
• Dropbox detects a simple MITM
• Nothing captured in traffic, attacks
[ Results :: Evernote ]
• Account info
– Account database name
– Current account name
– Camera settings
– Numeric ID account info
• Data/Content
– LinkedIn invites & profile via the 'Scan Business Card' premium feature
– Grabbed data from business cards
– HTML note + attachments
– HTML notes with embedded files/content like image or PDF/DOCX
• Media
– Snapshots (iOS only)
• Nothing captured in traffic; Evernote detects simple MITM attacks
[ Results :: Onedrive + business, office mobile, onenote ]
• OneDrive + OneDrive for Business
– Uploads
• Images, resized images
• URL to download (have to log in via Live ID)
• Full URL to download file
• Downloaded files as is
• PDF stored NOT as separate JPG pages
– Credentials
• Nothing revealed
– Captured in traffic for all apps
• XML-wrapped documents, media (photo)
• Token & email
• Office Mobile
– login name (= email)
– cached files w/o name
– Images, resized images
– SharePoint URL even if it's not public
– Full user name, permissions info
– Media
• Snapshots (iOS only)
• Holiday Inn reservation PDF as a JPEG
• OneNote
– login name (= email)
– Cached notes
[ Results :: eFax ]
• Account info
– eFax message ID like [email protected]
– Email, full name
– eFax numeric ID 442030700520
– Premium or not / expiration date
• Content
– Faxes as separate images (black & white)
– 'pageCount' file
• Misc
– Country, region, time zone (Russia, EU, GMT+4)
– Crash analytics IDs
• Captured in traffic
– Username, password, handset token
– Faxes as JPG
[ Results :: Amazon Store ]
• Locally
– downloaded APK files in local or shared folders (like downloads or SD cards)
• Network
– Network type, carrier, device manufacturer
– display size, device build & name & OS (full device info)
– API level, all hardware capabilities, plus an emulator checker
– direct URL, APK
– Runs on BlackBerry too; captured a "guardian.blackberry.com" request per install (a kind of antivirus from McAfee)
[ Results :: Alfabank ]
• Locally
– Latest used geo location unless wiped
– Latest phone number used to transfer money
• Network
– Geo
– Numeric ID & pin code, session ID, timeframe for session id
– Card info
• First 6 and last 4 digits, card name, card description, amount, currency
• Linked phone number (country code, two digit of local code, last 4
digits)
• Virtual card info, payment categories, account number linked to card
• Payment history (not appeared for Android app run on BB)
[ Results :: Sberbank ]
• Locally
– Guid, Amount & linked card (first 6 & last 4 digits), card
info
– Card, amount and linked account number
• Network
– Numeric login, with GUID in the response; SMS code, with token in the response; PIN code, with new token in the response; login, with one more token (!) in the response
– Each request contains GUID & device ID
– Name, date, last IP, amount, loyalty info
– Amount & linked card (first 6 & last 4 digits), card info
– Card, amount and linked account number, payment history
[ Results :: RSB ]
• Locally
– Numeric login, encrypted pass (seems HMAC, need to check), uid, session id
• Network
– Tracker ID (mobileapptracking.com) – not researched
yet
– Numeric login, encrypted pass (seems HMAC, need to
check), OS, Vendor, imei
– Card (first & last 4 digits) and linked account number
plus amount, last transactions
– The same password over several platforms
[ Results :: RSB ]
• Captured in traffic
– Account & Credentials
• Email = login , Password, session ID, Name, useraccount_ID,
amount
– Payment Info
• Masked bank card number like xxxx****xxxx
• Payment /Transaction History
• Locally stored as is:
– Login/email, password, pin, payment info
[ Results :: CitiMobile ]
• Captured in traffic
– Account & Credentials
• Username, password, sms, last 4 digits of phone number
• Amount info, transaction history, account number (fully detailed)
– Device name, screen resolution, OS & version,
carrier name
• Nothing special stored locally
[ Results :: Megafon/MailRu.Money ]
• Megafon Money
• Captured in traffic
– Account & Credentials
• Username = phone number, password, token,
• Transfer details
• Token stored locally

• Mail.Ru Money
• Captured in traffic
– Account & Credentials
• Username = login, password, token, payment password, account id
• Transfer details, linked credit card number (first 6 & last 4 digits)
• Stored locally
• linked credit card number (first 6 & last 4 digits)
Outlines: Fails

App type / Protection      | In-Rest                             | In-Memory  | In-Transit
---------------------------+-------------------------------------+------------+----------------------
Built-in apps              | Rarely encrypted / Plain-text       | Plain-text | SSL/HTTPS
IM apps                    | Plain-text                          | Plain-text | Weak encryption
Social apps                | Plain-text & rarely store some data | Plain-text | SSL/HTTPS
Geo apps                   | Plain-text                          | Plain-text | SSL/HTTPS
Office apps                | Plain-text                          | Plain-text | SSL/HTTPS
Travel apps                | No/weak encryption                  | Plain-text | SSL/HTTPS
Apps with payment features | Plain-text / Weak encryption        | Plain-text | SSL/HTTPS
Bank apps                  | Rarely store data / Good encryption | Plain-text | SSL/HTTP / Encrypted
Outlines: BlackBerry
• BlackBerry apps & services prevent transferring data via an untrusted connection
• System-protected storage cannot be easily accessed
• Apps usually store data in shared folders (docs, audio, etc.) that are readable/writable by all
• Quite difficult to make BlackBerry trust proxy certificates
• Android apps running on BlackBerry don't differ from other Android apps, neither on the network nor locally
Outlines: Android
• Credentials stored or transferred in plaintext locally
• OS does not provide any protection like the keychain in iOS
• Data is usually stored or transferred in a structured file type that simplifies analysis
• Signature-based encryption (keys derivable from the app) helps to quickly decrypt data (depends on dynamically linked libraries)
• Data stored in SQLite databases is usually not encrypted
• Data stored on external memory (SD card) is rarely encrypted
• Keys may be hardcoded or put in the data folder
Outlines: Store data everywhere

/data/data/ru.lynx.aero/shared_prefs/activities.main.MainActivity.xml
<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
<string name="phone">9851719122</string>
<long name="cardExpiryDate" value="1472723015507" />
<long name="scheduleChangesDate" value="1411638096257" />
<long name="scheduleLastUpdateDate" value="1411638096692" />
<string name="password">XXXXXXX</string>
<string name="cardHolder">Yury Chemerkin</string>
<string name="email">[email protected]</string>
<string name="userId">7-7011656</string>
<string name="layout">phone</string>
<string name="login">xxxxxxxxxxxxxx</string>
<string name="language">ru</string>
<string
name="deviceId">bEBDPM1dCdDAPA9……K7iF9_lnAFKLgEE7VHdDCXbyww</string>
<string name="cardNumber">1234567890123456</string>
</map>
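Shared preferences like the file above are plain XML under /data/data/<package>/shared_prefs, so the forensic pass can be automated. The following is an added example, not code from the talk: it parses a SharedPreferences <map> into native types, flags credential-looking keys with their values masked, and reports whether the file is readable by other UIDs, which is what MODE_WORLD_READABLE leaves behind. The sample file reuses the key names from the slide with invented values, and the key-name heuristic is an assumption of this example.

```python
import os
import re
import stat
import tempfile
import xml.etree.ElementTree as ET

# Key names that usually hold secrets in shared_prefs (heuristic list, an assumption of this example).
SENSITIVE = re.compile(
    r"pass(word|wd)?|pwd|secret|token|auth|session|cvv|card_?number|login|email|phone|\bpin\b", re.IGNORECASE
)


def mask(value: str) -> str:
    """Keep two characters at each end so a finding can be matched against the file without copying the secret."""
    return "*" * len(value) if len(value) <= 4 else value[:2] + "*" * (len(value) - 4) + value[-2:]


def parse_shared_prefs(xml_data) -> dict:
    """Parse the <map> that SharedPreferences writes into a dict with native Python types."""
    if isinstance(xml_data, str):
        xml_data = xml_data.encode("utf-8")   # let expat honour the file's own encoding declaration
    root = ET.fromstring(xml_data)
    if root.tag != "map":
        raise ValueError("not a SharedPreferences file")
    prefs = {}
    for el in root:
        name = el.get("name")
        if el.tag == "string":
            prefs[name] = el.text or ""
        elif el.tag in ("int", "long"):
            prefs[name] = int(el.get("value"))
        elif el.tag == "float":
            prefs[name] = float(el.get("value"))
        elif el.tag == "boolean":
            prefs[name] = el.get("value") == "true"
        elif el.tag == "set":
            prefs[name] = {child.text or "" for child in el}
    return prefs


def audit_prefs_file(path: str) -> dict:
    """Flag credential-looking keys (values masked) and report whether other UIDs can read the file,
    which is what MODE_WORLD_READABLE leaves behind under /data/data/<package>/shared_prefs."""
    with open(path, "rb") as fh:
        prefs = parse_shared_prefs(fh.read())
    world_readable = bool(os.stat(path).st_mode & stat.S_IROTH)
    findings = [{"key": k, "value": mask(str(v))} for k, v in prefs.items() if SENSITIVE.search(k)]
    return {"path": path, "world_readable": world_readable, "findings": findings}


# Constructed sample: the key names from the slide, with invented values.
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
<string name="phone">5550100</string>
<long name="cardExpiryDate" value="1472723015507" />
<string name="password">hunter2</string>
<string name="cardHolder">Jane Doe</string>
<string name="email">jane@example.com</string>
<string name="userId">7-0000000</string>
<string name="login">jane</string>
<boolean name="rememberMe" value="true" />
<string name="cardNumber">4111111111111111</string>
</map>
"""


def demo(mode: int = 0o644) -> dict:
    """Write the sample to a temporary directory with the given mode (0644 = world-readable) and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "activities.main.MainActivity.xml")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_PREFS)
        os.chmod(path, mode)
        return audit_prefs_file(path)


if __name__ == "__main__":
    report = demo()
    print("world-readable:", report["world_readable"])
    for f in report["findings"]:
        print(f'  {f["key"]}: {f["value"]}')
```

On a rooted device or an extracted backup, point `audit_prefs_file` at each file in the shared_prefs directory; the mode check only means something on the device itself, since a backup archive does not preserve the original owner and permissions.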

Outlines: iOS
• Credentials stored/transferred in plaintext locally
• Data stored in the keychain without additional protection or encryption
• Data is usually stored or transferred in a structured file type that simplifies analysis
• Signature-based encryption (keys derivable from the app) helps to quickly decrypt data
• Avoiding the protection mechanisms of iOS leads to poor protection eventually
• Data stored in SQLite databases is usually not encrypted
• Application data can be accessed without a jailbreak
• Keys may be hardcoded
Outlines: Snapshots in iOS

Outlines: WinRT
• Credentials stored or transferred in plaintext locally
• Data is usually stored or transferred in a structured file type that simplifies analysis
• Signature-based encryption (keys derivable from the app) helps to quickly decrypt data (depends on dynamically linked libraries)
• Data stored in SQLite databases is usually not encrypted
• Keys may be hardcoded or put in the data folder
• Applications can be analyzed on Windows 8 (the full edition rather than WinRT, which is only the mobile OS edition) via known methods, like desktop applications
Outlines: Network / Sniffing the traffic

EMM FEATURES : Vendors
[ EMM FRAMEWORK ]
EMM (Enterprise Mobile Management)
• MDM: Mobile Device Management
• MAM: Mobile Application Management
• MEM: M0bile Email Management
• MIM: Mobile Information Management
• Devices: Smartphones, Tablets
3rd Party Solutions to EMM
• NAC: Network Access Control (Management)
• AV: Antivirus Solution
• Mobile SIEM: Log Management Solution
• DLP: Data-Leakage Prevention
• COMPLIANCE: Standards, Best Practices, Guidelines, etc.
EMM FAILS :: MDM
• HIGH LEVEL DEVICE MANAGEMENT
• OPTIMIZED FOR CONFIGURATION DELIVERY
• OPTIMIZED FOR PERMISSION DELIVERY
• OPTIMIZED FOR INTEGRATION WITH AN INFRASTRUCTURE
• LACK OF GRANULAR CONTROLS
• SECURITY CONTROLS DEPEND ON THE MOBILE OS
EMM FAILS :: MAM
• PACKAGED/WRAPPED APPLICATIONS
• QUANTITY OF APPLICATIONS CHALLENGE (OBVIOUSLY > 100)
• COOPERATION WITH THE APPLICATION VENDOR
• SEPARATION OF PERSONAL, WORK, AND SUSPICIOUS APPS
• SERIOUS DIFFERENCES IN APP INTERFACES PER OS FOR THE SAME APP
• VPN
• ENCRYPTION
• ACCESS RESTRICTION (GEO, CREDENTIALS)
EMM FAILS :: MIM
• LACK OF FILE-TYPE MANAGEMENT
• LACK OF STORAGE SERVICE MANAGEMENT
• LACK OF DEVICE FILE MANAGEMENT
• LACK OF VENDOR SUPPORT
• NEED OF ROOT ACCESS TO THE DEVICE IN CERTAIN CASES
• MOBILE OS INCAPABLE OF BEING INTEGRATED WITH MIM SOLUTIONS
EMM :: WHO IS GOOD FOR ?
AirWatch :: an MDM and MAM specialist that helped Lowes deploy and manage iPhones
App47 :: offers a platform that allows enterprises to deploy their own app stores (hot opportunity alert)
AppBlade :: supports application deployments and management across iPhone, iPad, BlackBerry and Android platforms
AppCentral :: also helps enterprises to develop app stores
BlackBerry (BES/Fusion) :: good for MDM, partially MIM & MAM; supports all mobile OS
MaaS360 :: good together with BlackBerry
Kony :: has a platform that allows partners to build enterprise app stores for customers
MobileIron :: focused heavily on MDM
Nukona :: another provider of enterprise app store technology
Partnerpedia :: the former builder of channel partner communities; now focused on private-labeled app stores
WorkLight :: now owned by IBM; focused on mobile development tools, middleware and management
Terria Mobile :: offers a platform for app management
Good Technology :: supports application deployments and management across modern OS
GENERAL REMEDIATION/ISSUES
WinRT, iOS, Android & BlackBerry apps have the same behavior & logic issues:
• Insecure data storage
• Poor AAA (Authentication, Authorization, Accounting)
• Log leakage
• Weak cryptography & communication protection
• Sensitive information disclosure
Remediation: BlackBerry
• Follow the security programming guide from BlackBerry
• Don't store credentials in shared folders
• Encrypt data stored in shared folders
• Use the protection mechanisms implemented in BlackBerry…
• … but add an extra protection layer beyond them, just in case
• Don't forget to encrypt SQL databases
• Don't develop Android app ports
• Try to avoid using ported or native Android apps under BlackBerry
• Develop more and use native apps for BlackBerry
ANDROID-SPECIFIC REMEDIATION
• Follow the security programming guide from Google
• Call the 'setStorageEncryption' API for locally stored files (Android 4+)
• Encrypt externally stored files on the SD card or in the cloud (any OS)
• Define when signature-based encryption doesn't matter; otherwise avoid it
• Reduce use of 'MODE_WORLD_READABLE' unless it is really needed
• Avoid hardcoded values and debug traces as much as possible (it's easy to decompile)
• Add extra protection beyond the OS (encryption, wiping, etc.)
Remediation: iOS
• Follow the security programming guide from Apple
• Never store credentials on the phone file system; use an API or web scheme instead
• Define when signature-based encryption doesn't matter; otherwise avoid it
• Use the protection mechanisms implemented in iOS…
• … but add an extra protection layer beyond OS protection in case of jailbreak
• Use any API and protection mechanism properly, but never with default settings
• Don't forget to encrypt SQL databases
Remediation: WinRT
• Follow the security programming guide from Microsoft
• Don't store credentials anywhere other than the system key storage
• Define when signature-based encryption doesn't matter; otherwise avoid it
• Don't forget to encrypt SQL databases
• Remember that all folders used to store data are publicly accessible
• Note that WinRT apps can easily be reversed & debugged under the desktop OS (Windows 8), even on a tablet
• App code is one of: C++, .NET, Silverlight, XAML, JavaScript
• Try to implement code obfuscation (it's possible and not restricted)
MAM SPECIFICS
APP WRAPPING :: ADVANTAGES
• A secure bubble around each corporate application and its associated data
• Helps in creating an encrypted space, or folder, into which applications and data may be poured
• A newer, more granular approach in which each app is enclosed in its own encrypted policy wrapper, or container
• Allows administrators to tailor policies to each app
• Small vendors with proprietary approaches dominate the market (e.g. Symantec)
MAM SPECIFICS
APP WRAPPING :: DISADVANTAGES
• Binary/source application modification
– Implementation of missing features
– Interception of API & other call methods
• Tech limits of the wrapper approach
– Preinstalled & built-in apps
– Access to binary code depends on the OS
• Org limits of the wrapper approach
– License limitations
– Consuming mobile device resources to gather information
– Many app agents & app-agent management
One More Salvation – Black Phone (?)
Black Phone – Paranoid Phone or BlackBerry Clone?

The Blackphone is an announced smartphone developed by SGP Technologies, that will provide encryption for phone calls, emails, texts, and internet browsing.

Zimmerman said,
"I had to wait for the rest of the technology infrastructure to catch up to make it possible to do secure telephony. PGP was kind of a detour for me while waiting for the rest of the technology to catch up to make really good secure telephony possible"

Mike Janke, CEO clarifies,
The Blackphone allows unsecure communications. There are certain calls you'll want to encrypt, but "if you're ordering a pizza or calling your grandma", it's unlikely you'll feel the weight of the NSA on your shoulders. "This is why Blackphone is so unique—it gives the user the chance to choose the level of privacy."

Ars Technica states,
Blackphone will run a custom built Android OS called PrivatOS. The operating system essentially "closes all backdoors" which are usually found open on major mobile operating systems. Some major features of PrivatOS are anonymous search, privacy-enabled bundled apps, smart disabling of Wi-Fi except trusted hotspots, more control in app permissions, private communication (calling, texting, video chat, browsing, file sharing and conference calls)

The Verge states,
The Blackphone looks like a fairly standard Android phone. It has a 4.7-inch HD (the exact resolution has yet to be announced) IPS display, a 2GHz quad-core processor, 16GB of storage, an 8-megapixel camera, LTE—pretty much everything you'd want in a smartphone, and very little you wouldn't. Produced by Silent Circle, a company with an existing portfolio of security- and encryption-related software
Black Phone Device: Rumors
Website offers no details on how those extra levels of security will be implemented, but..
• Silent Circle is a U.S.-based company
• Zimmermann is cofounder of mobile privacy software firm Silent Circle
• GeeksPhone is a Spanish smartphone hardware company/start-up
• GeeksPhone sells open Android phones and developer devices for Firefox OS
• SGP Technologies is a Switzerland-based joint venture
• IntelliJ IDEA is used to build applications
Black Phone Software: Rumors & interviews
• How was the idea for the Blackphone conjured up?
  – Large market of folks who didn't want to build their own car, but they wanted a good car
• Why should users want to have a Blackphone?
  – Security Center
  – At $629 it is the total package
  – Lot of security magic to stop leaks out
• Who is buying the Blackphone?
  – 45 percent of orders have come from Europe and 38 percent from North America
  – Blackphone is gathering as little information as possible on who is buying its product
• Who should be buying a Blackphone?
  – There are clearly industries that are already predisposed to seek privacy, such as stockbrokers, attorneys, senior executives
• Why is this phone safer than what's currently out there?
  – It's safer because it's more usable
  – Every bit of information the phone sends out is encrypted whether it's a call or a text. No one can offer it now
• BYOD/Enterprise?
  – Absolutely, even MDM tools
• How secure is the Blackphone?
  – Anybody who claims that anything is hackproof is clearly selling snake oil
Black Phone - Software
The Blackphone is an announced smartphone developed by SGP Technologies, that will provide encryption for phone calls, emails, texts, and internet browsing.
• Silent Circle Apps
  – Silent Phone
  – Silent Text
  – Silent Contacts
• Blackphone-built Apps
  – Blackphone Security Center
  – Blackphone Activation Wizard
  – Blackphone Remote Wipe
• 3rd-party Apps
  – Disconnect Secure Wireless
  – SpiderOak Blackphone Edition
  – Kismet Smart Wi-Fi Manager
• Misc
  – PrivatOS
  – International Power Adapter Kit
Black Phone - Examination
Servers of its custom-built network are located in Canada
Also supports iOS, Android, Windows Desktop
• Silent Phone: Encrypted voice and video calls on iOS and Android; it can be used with Wi-Fi, EDGE, 3G or 4G cellular. Encrypted VoIP from Windows computers.
• Silent Text: Encrypted text messaging and secure cloud content transfer with a "burn notice" feature for permanently deleting messages from devices.
• Silent Mail: Discontinued August 9, 2013. Encrypted e-mail on Silent Circle's private, secure network and compatibility with popular e-mail client software.
• Silent Contacts: App is prebuilt with all previous
Black Phone - Examination
The company's products enable encrypted mobile phone calls, e-mail, text messaging, and video chat. Servers of its custom-built network are located in Canada
• Silent Phone/Text/Contacts: available for iOS & Android with source code on GitHub
• Remote Wipe: Provides no centralized cloud service to manage the device
• PrivatOS: Android 4.4 KitKat
• International Power Adapter Kit: Android 4.4 KitKat
• Disconnect Secure Wireless: its custom-built VPN client
• Kismet Smart Wi-Fi Manager: Public Wi-Fi Manager
• SpiderOak: Encrypted Cloud Storage
Black Phone / Smart Wi-Fi Manager
Is that secured?
• It manages the Android phone's Wi-Fi connection by automatically learning where you use networks. Wi-Fi is only enabled when you are in a location where you have previously used Wi-Fi, increasing battery life, security, and privacy.
• It is a paid app in Google Play but fully open source under the GPLv2 license.
• It aims to be smart and invisible, and will manage Wi-Fi state in the background.
• Airplane mode and Wi-Fi tethering modes are detected and respected.
• Since Wi-Fi will be turned off, your phone won't be broadcasting your home network name everywhere you go! It prevents spoof attacks.
• Successfully installed on BlackBerry 10
Black Phone / SpiderOak
Why not Box or Mega?
• It is a US-based online backup tool to back up, share, sync, access and store data using an off-site server.
• It is accessible through an app for Windows, Mac and Linux computer platforms, and Android, N900 Maemo and iOS mobile platforms.
• It uses encrypted cloud storage and client-side encryption key creation, so even employees of SpiderOak cannot access users' information.
• It provides automatic de-duplication of data.
Black Phone / SCMC (MDM)
Oh, God
• It can be incorporated into the typical policy and management tools in a business environment.
• A web-based console which grants a nominated customer administrator "super user" status within his or her own network.
• Create, organize and bulk distribute via email to provide team members with Silent Phone, Silent Text, and Out-Circle Access.
• Create groups and sub-groups to reflect your company's organization and allocate encrypted mobile apps accordingly.
• Dynamically manage and control (enable/deny access) for all users under your administration.
• Enable outliers, contractors, and third parties to communicate securely with your team on the fly.
Black Phone: Pros & Cons
Pro: Fully protected (no PoC yet) | Con: Impractical & too commercial
Pro: Encrypted Contacts, split for personal & business uses | Con: Like any other app on AppStore or GooglePlay, WorkBalance MDM solution
Pro: Encrypted Text, Media Messenger | Con: TextSecure, CryptoCat, BBM, etc?
Pro: VoIP for encrypted calls | Con: VoIP is everywhere for a lower price
Pro: Smart WiFi Manager to prevent attacks | Con: Gathers geo, network data, auto-learn
Pro: Disconnect Secure Wireless VPN | Con: VPN is everywhere too
Pro: PrivatOS is Android 4.4 KitKat | Con: GeeksPhone offers root access …
Pro: MDM w/o MAM, MIM, MEM | Con: Impractical, MAM needed at least
Pro: BlackPhone gathers little info on who is buying it | Con: Name, address, payment method, personal or enterprise
Black Phone: Pros & Cons
Storages: SpiderOak – is that the only one?
Provider | Encrypted storage | Personal encryption
Amazon S3 / AWS | + | +
Box (prebuilt on BlackBerry) | + | +
CrashPlan | + | +
ElephantDrive | + | +
Handy Backup | + | +
IASO Backup | + | +
Jungle Disk | + | +
KeepVault | + | +
MediaFire | + | +
MEGA | + | +
Norton Zone | + | +
OwnDrive | + | +
SpiderOak | + | +
Sync | + | +
TeamDrive | + | +
Wuala | + | +
Black Phone: Pros & Cons
Category | PrivatOS Enhancement | Android Default | BlackBerry | iOS
Web Search | Anonymous | Trackable | Both & Flexible | Both
Bundled Apps | Few, and all privacy-enabled by default | Many, with privacy disabled | Least privilege access control | On-Demand Access
Wi-Fi usage | Smart disabling of all Wi-Fi except trusted hotspots | Always on for geolocation and user tracking | Separate + Per Apps | Global + Separate Per App
App permissions | Fine-grained control in a single interface | All-or-nothing | Fine-Grained Control | On-Demand Access
Communication tools | Private calls, texting, video chat, file exchange up to 100MB, browsing and conference calls | Traceable dialer, SMS, MMS, browser. Vulnerable to spoofed cell networks and Wi-Fi configuration | Both, need VPN configuration | Both, need VPN configuration
Updates | Frequent secure updates from Blackphone directly | Supplied infrequently after carrier blessing | Frequent secure updates from BlackBerry directly | Frequent secure updates from Apple directly
Remote Wipe & Anti Theft | Anonymous (??) | Requires use of centralized cloud account | Cloud account | Cloud account
Business Model | Delivering privacy as a premium, valued feature | Personal data mining for tracking and marketing | Delivering security & privacy as a default valued feature for the last 20+ years | Music, App, Games :)
Management | Weak MDM | MDM Features/Samsung enhanced | MDM, MAM, MEM, MIM,… | MDM, MAM, MEM, MIM,…
Y.O.B.A. hacking