Bad for Enterprise: Attacking BYOD enterprise mobility security solutions
Transcript of Bad for Enterprise: Attacking BYOD enterprise mobility security solutions
Bad For Enterprise: Attacking BYOD Enterprise Mobile Security Solutions
Vincent Tan, Senior Security Consultant
1
whoami
• Sunny Singapore
• Senior Security Consultant @ Vantage Point Security
• 4+ years hacking stuff professionally, specializing in mobile & exotic stuff
2
Agenda
1. iOS Applications in General
2. What is BYOD? Why BYOD? Who uses BYOD?
3. Security Features of BYOD Solutions
4. Good Technology
5. iOS Jailbreaks / Attack Vectors
6. Story of Alice & Bob
• Local & Network Attacks against Good EMS
3
iOS Applications
• > 1.4m applications in the iOS App Store [1]
• ~10% in the Business category
• 35% of enterprises have an Enterprise App Store [2]
• Simple vs complex functionality
• Mobile application capabilities have not caught up with device capabilities
• Maybe 10% of apps have advanced functionality
• MDM, soft tokens, payment applications, HomeKit
[1] http://www.zdnet.com/article/ios-versus-android-apple-app-store-versus-google-play-here-comes-the-next-battle-in-the-app-wars/
[2] https://go.apperian.com/rs/300-EOJ-215/images/Apperian%202016%20Executive%20Enterprise%20Mobility%20Report_FINAL_20160216.pdf?aliId=16373787
4
BYOD
• BYOD?
• What and Why?
5
BYOD
https://www.apperian.com/resources/2016-executive-enterprise-mobility-report/
6
BYOD
• BYOD?
• What and Why?
• BYOD Adoption
• 74% using or adopting BYOD
• Governments
• Enterprise Mobile Security
• MAM (Mobile Application Management)
• MIM (Mobile Information Management)
• MDM (Mobile Device Management)
http://www.zdnet.com/article/research-74-percent-using-or-adopting-byod/
7
Protection Claims
“prevent employees from opening files in unsecured apps, backing up business data to personal cloud-based services, or copying and pasting business ...”
“Detect OS tampering and other policy violations”
“…remotely lock or wipe the device.”
“Protect mobile apps and servers from being hacked…”
8
Enterprise Mobile Security Features
(layered diagram) Container:
• Device PIN
• Jailbreak
• JB Detection
• Application VPN
• Container Password
• Container Encryption
• App Wipe / Lock
9
Good Technology
• Acquired by BlackBerry in Nov 2015
• Top 5 EMS solution providers
11
Good Technology
• GFE (Good for Enterprise) received Common Criteria EAL4+ certification in 2013; the GD (Good Dynamics) solution received it in 2016
• The GD platform is the foundation of GCS (Good Collaboration Suite), which replaces GFE
• The GD platform lets developers create and distribute apps that integrate with the GD services framework
12
GFE vs GCS

| Feature | GFE | GCS |
|---|---|---|
| Email | ✔ | Good Work |
| MDM | ✔ | ✔ |
| File Share | Local file storage only | Good Share (access enterprise file share) |
| Instant Messaging | ✖ | Good Connect |
| Intranet Access | ✖ | Good Access |
| Cloud Deployment | ✖ | ✔ |
| Integrated MAM | ✖ | ✔ |
| Common Platform | ✖ | ✔ |
13
iOS Jailbreaks

| iOS versions | Jailbroken? |
|---|---|
| 7.0–7.0.6 | evasi0n7 |
| 7.1–7.1.2 | Pangu |
| 8.0–8.1 | Pangu8 |
| 8.0–8.3 | TaiG |
| 8.1.3–8.4 | TaiG |
| 9.0–9.0.2 | Pangu9 |
| 9.1–9.3.3b10b | Not Public |

• Non-jailbroken devices? Resign the app via a developer certificate
• But apps will then need to be reactivated
14
What about root?
• You've got to be root?!
• Check out Stefan Esser's talk “iOS 678 Security - A Study In Fail”
• Physical access
  • DROPOUTJEEP (think NSA, GCHQ)
  • Lost devices / stolen devices
• Remote attacks
  • Jailbreakme.com v1 / 2 / 3
  • State sponsored / corporate espionage
[1] http://www.tripwire.com/state-of-security/vulnerability-management/creating-iphone-rootkits-and-like-the-nsas-dropout-jeep/
[2] https://blog.fortinet.com/post/ios-malware-does-exist
15
Attack Vector
• Not normal pen testing…
• Not just setting a proxy and using Burp
• I'm not attacking the application
• Changing the environment in which the application runs
• Not new: API hooking and DLL injection on Windows, LD_PRELOAD on Linux. I'm just doing it on iOS.
16
Swizzler
• How do I change the environment?
• Built an app… more precisely a dynamic library (aka tweak)
• DYLD_INSERT_LIBRARIES=Swizzler
• Loads itself before an application starts
• Controls all functionality of an application
17
iOS Security Architecture
(diagram: Substrate and Swizzler placed in the iOS security stack)
18
Swizzler
(diagram slides 18–21)
22
What else can you control?
(diagram: Device PIN, Jailbreak, Jailbreak Detection, Container Password, Container, App DLP, App)
26
Local Attacks
27
Jailbreak Detection
29
Progress (✔ = achieved or bypassed): ✔ Device PIN ✔ Jailbreak ✔ Jailbreak Detection ✖ Container Password ✖ Container Encryption ✖ App Wipe / Lock
30
Blacklist of Files

Detection code probing for jailbreak artifacts:

```objc
FILE *file = fopen("/Applications/Cydia.app", "r");
if (file) {
    fclose(file);
    return JAILBROKEN;
}
file = fopen("/usr/bin/ssh", "r");
if (file) {
    fclose(file);
    return JAILBROKEN;
}
```

Swizzler's replacement for fopen(), which reports blacklisted paths as non-existent and passes everything else through:

```objc
FILE *replaced_fopen(const char *filename, const char *mode) {
    if (blockPath(filename)) {
        errno = ENOENT;
        return NULL;
    }
    return orig_fopen(filename, mode);   // fall through to the real fopen()
}

bool blockPath(const char *fpath) {
    …
    NSArray *denyPatterns = [[NSArray alloc] initWithObjects:
        @"Cydia", @"lib/apt", @"/private/var/lib/apt", @"/var/lib/apt",
        @"/var/tmp/cydia.log", @"/etc/apt/", @"/var/cache/apt", …];
    …
}
```
31
Prohibited Functions

Detection: a sandboxed App Store app cannot fork(), so a successful fork means the sandbox is gone:

```objc
int pid = fork();
if (pid >= 0) {
    if (pid == 0) _exit(0);   // child process: leave immediately
    return JAILBROKEN;
}
```

Swizzler's replacement makes fork() look like it failed while detection is being suppressed:

```objc
pid_t replaced_fork(void) {
    if (disableJBDectection()) {
        return -1;
    }
    pid_t ret = orig_fork();
    return ret;
}
```
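The fopen() and fork() hooks above are the core of the technique, so here is a complete, compilable version of both the detector and the interposer. This is an added example, not code from the talk or from the Swizzler repository. On a device the original-function pointers are filled in by Substrate's MSHookFunction(); in this stand-alone version they point straight at libc so it runs on any POSIX host. The deny patterns are an abridged copy of the slide's list, the `jb_detection_disabled` flag stands in for the slide's `disableJBDectection()`, and the temporary file whose name contains "cydia" is a constructed stand-in for a real jailbreak artifact so the bypass can be observed without a jailbroken device.

```c
/* Added example (not the talk's Swizzler source): two jailbreak checks and the
 * replacement functions an injected dylib installs to defeat them. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum { NOT_JAILBROKEN = 0, JAILBROKEN = 1 };

typedef FILE *(*fopen_fn)(const char *, const char *);
typedef pid_t (*fork_fn)(void);

/* Substring patterns the interposer refuses to open (abridged from the slide;
 * the lowercase "cydia" is an addition so the demo's temp file is caught). */
static const char *deny_patterns[] = {
    "Cydia", "cydia", "lib/apt", "/etc/apt/", "/var/cache/apt", NULL
};

/* 1 while the tweak wants detection suppressed (the slide's disableJBDectection()). */
int jb_detection_disabled = 1;

/* Originals. With Substrate, MSHookFunction() stores the trampolines here;
 * stand-alone they are simply libc, which is enough to show the logic. */
static fopen_fn orig_fopen = fopen;
static fork_fn orig_fork = fork;

int block_path(const char *path) {
    for (const char **p = deny_patterns; *p; p++)
        if (strstr(path, *p)) return 1;
    return 0;
}

/* Replacement fopen(): blacklisted artifacts appear not to exist. */
FILE *replaced_fopen(const char *path, const char *mode) {
    if (jb_detection_disabled && block_path(path)) {
        errno = ENOENT;
        return NULL;
    }
    return orig_fopen(path, mode);
}

/* Replacement fork(): report the failure a sandboxed app would see. */
pid_t replaced_fork(void) {
    if (jb_detection_disabled) {
        errno = EPERM;
        return -1;
    }
    return orig_fork();
}

/* Detector 1: probe a list of artifact paths with whichever fopen it is handed. */
int detect_by_files(fopen_fn f, const char **paths) {
    for (; *paths; paths++) {
        FILE *fp = f(*paths, "r");
        if (fp) {
            fclose(fp);
            return JAILBROKEN;
        }
    }
    return NOT_JAILBROKEN;
}

/* Detector 2: a fork() that succeeds means no sandbox. The child exits at
 * once and the parent reaps it, which the slide's one-liner omits. */
int detect_by_fork(fork_fn f) {
    pid_t pid = f();
    if (pid < 0) return NOT_JAILBROKEN;
    if (pid == 0) _exit(0);
    waitpid(pid, NULL, 0);
    return JAILBROKEN;
}

/* Demo: a constructed temp file named like a Cydia log stands in for a real
 * artifact. Returns 1 when the unhooked detector flags it and the hooked
 * detector does not, i.e. the interposer defeated the check. */
int demo_hook_defeats_file_check(void) {
    char artifact[] = "/tmp/cydia.log.XXXXXX";
    int fd = mkstemp(artifact);
    if (fd < 0) return -1;
    close(fd);
    const char *paths[] = { "/Applications/Cydia.app", artifact, NULL };
    int before = detect_by_files(fopen, paths);
    int after = detect_by_files(replaced_fopen, paths);
    unlink(artifact);
    return before == JAILBROKEN && after == NOT_JAILBROKEN;
}

int main(void) {
    printf("file blacklist check defeated: %d\n", demo_hook_defeats_file_check());
    printf("fork check with hook installed: %d (0 = not jailbroken)\n",
           detect_by_fork(replaced_fork));
    return 0;
}
```

The detectors take the function to probe with as a parameter only so the before/after comparison can run in one process; in the real tweak the app's own calls to fopen() and fork() land on the replacements because the hooking framework rewrites the original function's prologue, which is why the replacement must call the saved original rather than fopen() itself (calling fopen() again would recurse into the hook).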
32
NSURL openURL

Detection: ask the system whether anything handles the cydia:// URL scheme:

```objc
if ([[UIApplication sharedApplication] canOpenURL:[NSURL URLWithString:@"cydia://package/com.example.package"]]) {
    return JAILBROKEN;
}
```

Swizzler hooks +[NSURL URLWithString:] so that any URL mentioning cydia is never constructed at all (Logos syntax, %orig calls the original implementation):

```objc
%hook NSURL
+ (id)URLWithString:(NSString *)URLString {
    NSRange range = [URLString rangeOfString:@"cydia"
                                     options:NSRegularExpressionSearch | NSCaseInsensitiveSearch];
    if (range.location != NSNotFound) {
        return nil;
    }
    return %orig;
}
%end
```
33
Jailbreak Detection
• Jailbreak detection methods
  • Blacklist of files
  • Directories
  • Symbolic links
  • Prohibited commands
  • File system
  • URL handlers
  • Kernel parameters
34
Jailbreak / Policy Implementation
Symbol recovered from the GD library; its name suggests it builds the string list for each tamper-detection method:
GT::GeneralUtilityClass::constructStringList(GT::GeneralUtilityClass::tamper_detection_method_t, std::vector<std::string, std::allocator<std::string>>)
35
Jailbreak / Policy Implementation
Policy-enforcement symbols in the GD library, the hook targets for the attacks that follow:
• GD::GDSecureStorage::handleWrongPwd
• GD::GDSecureStorage::wipeDevice
• GD::PolicyProcessor::processLockAction
• GD::GDLibStartupLayer::checkPartialCompliance
• GD::PolicyComplianceChecker::checkComplianceUnlocked
• GD::PolicyComplianceChecker::checkComplianceLocked
36
Password Bruteforce
38
Progress (✔ = achieved or bypassed): ✔ Device PIN ✔ Jailbreak ✔ Jailbreak Detection ✔ Container Password ✖ Container Encryption ✖ App Wipe / Lock
39
Disable App Lock & Device Wipe
41
Progress (✔ = achieved or bypassed): ✔ Device PIN ✔ Jailbreak ✔ Jailbreak Detection ✔ Container Password ✖ Container Encryption ✔ App Wipe / Lock
42
Containerization
44
Progress (✔ = achieved or bypassed): ✔ Device PIN ✔ Jailbreak ✔ Jailbreak Detection ✔ Container Password ✔ Container Encryption ✔ App Wipe / Lock
46
Network Attacks
47
(feature diagram, now with Application VPN added to the container layers)
48
Application VPN
(diagram)
49
GD Network
(diagram)
50
GD Network Communications
Two methods of communication with the enterprise application server:
1. GDHttpRequest
2. Native URL loading (NSURL, NSMutableURLRequest, etc.)
51
(diagram)
52
GDHttpRequest
• Part of the GD SDK
• #import <GDNETiOS.h>
• Easy to enable proxy
• [GDHttpRequest enableHttpProxy:ip withPort:port];
• [GDHttpRequest disablePeerVerification];
53
Native URL Loading
• Enabled via the GDURLLoadingSystem class
• [GDURLLoadingSystem enableSecureCommunication]
• Enabled by default
• Proxying traffic is harder
• Doesn't obey iOS network proxy settings
• Swizzle [NSURLConnection initWithRequest:]
54
Hooking the Network
(diagram: SSL over TCP, HTTP(S) traffic)
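The talk handles the native URL loading path by swizzling NSURLConnection. The example below is added here and is not part of the talk or the Swizzler tool; it shows the same idea one layer down, where a loader that ignores the system proxy settings can still be redirected: interpose connect() and point every outbound IPv4 destination at an intercepting proxy. The proxy address, the port and the sample destinations are assumptions for the demo; on a device the original connect() pointer would again be supplied by the hooking framework.

```c
/* Added example (not from the talk): a connect() interposer that forces all
 * outbound TCP connections through an intercepting proxy. */
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Assumed proxy: where Burp (in invisible/transparent mode) is listening. */
static const char *PROXY_IP = "192.168.1.50";
static const uint16_t PROXY_PORT = 8080;

typedef int (*connect_fn)(int, const struct sockaddr *, socklen_t);
static connect_fn orig_connect = connect;   /* trampoline slot for the real connect() */

/* Build an IPv4 sockaddr; returns 1 on success. */
int make_ipv4(const char *ip, uint16_t port, struct sockaddr_in *out) {
    memset(out, 0, sizeof *out);
    out->sin_family = AF_INET;
    out->sin_port = htons(port);
    return inet_pton(AF_INET, ip, &out->sin_addr) == 1;
}

/* Rewrite a destination to the proxy. Loopback is left alone so local IPC and
 * the proxy's own return path keep working, and a destination that already is
 * the proxy is not touched. Returns 1 if the address was rewritten. */
int redirect_to_proxy(struct sockaddr_in *dst) {
    if (dst->sin_family != AF_INET) return 0;
    struct in_addr proxy;
    if (inet_pton(AF_INET, PROXY_IP, &proxy) != 1) return 0;
    uint32_t ip = ntohl(dst->sin_addr.s_addr);
    if ((ip >> 24) == 127) return 0;                       /* 127.0.0.0/8 */
    if (dst->sin_addr.s_addr == proxy.s_addr && ntohs(dst->sin_port) == PROXY_PORT)
        return 0;
    dst->sin_addr = proxy;
    dst->sin_port = htons(PROXY_PORT);
    return 1;
}

/* Replacement connect(): copy the caller's sockaddr, rewrite it, then hand the
 * rewritten copy to the real connect(). Non-IPv4 sockets pass through untouched. */
int replaced_connect(int fd, const struct sockaddr *addr, socklen_t len) {
    if (addr && addr->sa_family == AF_INET && len >= sizeof(struct sockaddr_in)) {
        struct sockaddr_in copy;
        memcpy(&copy, addr, sizeof copy);
        redirect_to_proxy(&copy);
        return orig_connect(fd, (const struct sockaddr *)&copy, sizeof copy);
    }
    return orig_connect(fd, addr, len);
}

int main(void) {
    struct sockaddr_in dst;
    char buf[INET_ADDRSTRLEN];
    make_ipv4("203.0.113.10", 443, &dst);                 /* constructed sample destination */
    int changed = redirect_to_proxy(&dst);
    inet_ntop(AF_INET, &dst.sin_addr, buf, sizeof buf);
    printf("rewritten=%d now %s:%u\n", changed, buf, ntohs(dst.sin_port));
    return 0;
}
```

Redirecting at the socket layer discards the original host, so the proxy has to recover it from the HTTP Host header or the TLS SNI (Burp's invisible proxying does exactly that). TLS still has to be terminated by the proxy, which means the app must accept the proxy's certificate: for GDHttpRequest the SDK's own disablePeerVerification covers that, for the native loader it is the usual certificate-validation hook.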
55
Does everything suck?
• Local device access is important, but remote attacks are possible.
• https://www.youtube.com/watch?v=STIHO2XOOiM
• Be careful of USB chargers. BadUSB.
• Intranet == Internet
• Additional security checks on apps
56
Take Aways!
• Think outside the box to break the box!
• BYOD policy helps to a certain extent, but such attacks will always be possible.
• Do not blindly trust what the vendors sell you.
• https://github.com/vtky/swizzler