Learning iOS Security
www.it-ebooks.info
Table of Contents
Learning iOS Security
Credits
About the Authors
About the Reviewers
www.PacktPub.com
Support files, eBooks, discount offers, and more
Why subscribe?
Free access for Packt account holders
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Errata
Piracy
Questions
1. iOS Security Overview
Pairing
Backing up your device
iCloud backups
Taking backups using iTunes
Viewing iOS data in iTunes
Initial security checklist
Configuring a passcode
Configuring privacy settings
Safari and built-in App protections
Predictive search and spotlight
Summary
2. Introducing App Security
Installing apps
Blocking access to the App Store
Single App mode, App Lock, and Guided Access
App communication
Handoff and Continuity
Keybags and keychains
Keyboards and extensions
Securing what extensions can access
User context
Sandboxing and App data storage
Introduction to in-house App development
Summary
3. Encrypting Devices
Secure boot and activating iOS
Passbook and Touch ID for Apple Pay
Introduction to iOS network communication
AirDrop
A bug or a feature?
VPN (Always-On, APN, Per-App, On-Demand)
Global HTTP Proxy, caching, and the web content filter
Privacy-related concerns
Lesser-known ways for Apple to gather diagnostics
Health app
Configuration profiles
Signing, encryption, and delivery
Summary
4. Organizational Controls
Apple Configurator
Intended workflows
The interaction modes – Prepare, Supervise, and Assign
The importance of supervision
Apps, VPP, and Apple Configurator
Mass restoring and naming of devices
Backup concerns
Configurator as chaperone
Activation Lock and Find My iPhone
Addressing the rough spots
DEP versus Apple Configurator
Guided Access versus App Lock versus Single App Mode
ActiveSync
Summary
5. Mobile Device Management
Introducing MDM
Configurator versus MDM
The Profile Manager
Preparing the Profile Manager Server
Preparing Profile Manager
Completing Post Configuration tasks
Using Profile Manager
Enrolling into Profile Manager
Device management
Passcode policies
Introducing Bushel
Setup
The enrollment process
Restrictions
Volume Purchasing Program and MDM
Summary
6. Debugging and Conclusion
Xcode
Dive deeper with libimobiledevice
Installing libimobiledevice using Homebrew
Using idevicesyslog and idevicepair
Using idevicedate and ideviceinstaller
App communications
Identifying devices
Listening to network communications
Apple IDs and Apps
Forensics
Application security
Viewing an App
Summary
Index
Learning iOS Security
Copyright © 2015 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
First published: February 2015
Production reference: 2240215
Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham B3 2PB, UK.
ISBN 978-1-78355-174-3
www.packtpub.com
Credits
Authors
Allister Banks
Charles S. Edge
Reviewers
Jeremy Agostino
William Smith
Commissioning Editor
Ashwin Nair
Acquisition Editor
Hemal Desai
Content Development Editor
Mamata Walkar
Technical Editor
Menza Mathew
Copy Editors
Jasmine Nadar
Wishva Shah
Project Coordinator
Shipra Chawhan
Proofreaders
Safis Editing
Paul Hindle
Indexer
Tejal Soni
Production Coordinator
Melwyn D'sa
Cover Work
Melwyn D'sa
About the Authors
Allister Banks is an enthusiast. He's very excited to be in the exceedingly limited, exclusive club of coauthors of Charles S. Edge. After working for a decade with IT consulting companies on both the coasts of the U.S., he now works for a medical-focused institution with education and data center aspects. He has given speeches at LOPSA-East, MacTech Conference, and MacAdmins Conference at Penn State. He lives in New York. He contributes to various open source projects and speaks enough Japanese to order food.
Charles S. Edge has been working with Apple products since he was a child. Professionally, Charles started with the Mac OS and Apple server offerings in 1999 after working for years with various flavors of Unix. Charles began his consulting career with Support Technologies and Andersen Consulting. As the chief technology officer of 318, Inc., a consulting firm in Santa Monica, California, Charles built and nurtured a team of over 50 engineers, which was the largest Mac team in the world at that time. Charles is now a product manager at JAMF Software, with a focus on Bushel (http://www.bushel.com).
Charles has spoken at a variety of conferences including DefCon, BlackHat, LinuxWorld, MacWorld, MacSysAdmin, and Apple Worldwide Developers Conference. Charles has also written 12 books, over 3,000 blog posts, and a number of printed articles on Apple products.
About the Reviewers
Jeremy Agostino is a longtime Mac and iOS developer with a professional focus on hardware support and device drivers. He has assisted in the design and implementation of custom technical solutions to manage some of the largest iOS deployments in the U.S. Jeremy is currently leading the engineering team at GroundControl Solutions, where he is developing a powerful deployment and management tool for iOS devices.
William Smith is a solutions architect for 318, Inc., which is an IT consultancy that is based in Santa Monica, California. He is a technology veteran with more than 20 years of experience. He lives in Saint Paul, Minnesota, where he has provided training and consulting services on behalf of customers such as Apple and JAMF Software.
William enjoys writing and presenting on technology topics and he has spoken at JAMF Nation User Conference, MacIT, PSU MacAdmins, and other conferences. He has been a Microsoft MVP for more than 11 years and is co-owner of OfficeforMacHelp.com. Currently, he is a part of the steering committee for the new Twin Cities Mac Admins professionals group—a community that supports all things Apple, from education to enterprise.
Support files, eBooks, discount offers, and more
For support files and downloads related to your book, please visit www.PacktPub.com.
Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at <[email protected]> for more details.
At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters and receive exclusive discounts and offers on Packt books and eBooks.
https://www2.packtpub.com/books/subscription/packtlib
Do you need instant solutions to your IT questions? PacktLib is Packt's online digital book library. Here, you can search, access, and read Packt's entire library of books.
Why subscribe?
Fully searchable across every book published by Packt
Copy and paste, print, and bookmark content
On demand and accessible via a web browser
Free access for Packt account holders
If you have an account with Packt at www.PacktPub.com, you can use this to access PacktLib today and view 9 entirely free books. Simply use your login credentials for immediate access.
Preface
Nowadays, iOS is becoming more and more prevalent in companies and larger organizations. Whether this is a trend that is driven by Bring Your Own Device (BYOD) or something that is coming from within the IT department, our knowledge of platforms is being stretched more and more all the time. It's getting harder and harder to be an expert on every platform that is in use in our organizations!
You need to secure your iOS devices. Learning iOS Security gives you the knowledge to build security into large-scale iOS deployments. This book takes you through good security practices; these include configuring privacy options to keep personal data away from prying eyes, learning about encryption options to keep data safe at rest, securing apps to reduce the risks introduced by third-party apps, and then laying down practical steps and procedures for carrying out these steps, both on-screen on devices and at scale using Apple Configurator, profiles, and Mobile Device Management (MDM) solutions.
This book also includes a section on debugging and viewing data so that you can check out how to further secure items not covered in detail in the book. We teach you how to provide enterprise-class security to your iPhone, iPad, and iPod Touch deployments. This includes a quick run-down of basic security steps and mass deployment of these steps to aid in your large-scale deployment of iOS devices.
This book is meant to be an easy-to-digest guide that follows real-world examples to implement best security practices. Each topic is covered in a theoretical context and further resources are provided where they are needed/applicable.
What this book covers
Chapter 1, iOS Security Overview, is a quick-and-dirty overview of the many steps to take to initially secure an iPad, iPhone, and iPod Touch. The purpose of this chapter isn't to go into too much depth with any given technology, but to provide a cheat sheet of sorts to get you started with iOS security.
Chapter 2, Introducing App Security, is a more thorough review of how to choose apps and secure them during an iOS deployment. Here, we look at an overview of sandboxing techniques and how to use Single App Mode and keybags. We also look at in-house Apps.
Chapter 3, Encrypting Devices, explains the encryption types and techniques that are used in iOS. Here, we look at Touch ID, Apple Pay, network encryption, and privacy concerns.
Chapter 4, Organizational Controls, introduces Apple Configurator and profile management. Here, we also look at the Find My iPhone app as it pertains to Activation Lock, ActiveSync policies (EAS Policies), and device supervision.
Chapter 5, Mobile Device Management, looks at Apple's Profile Manager and a simple third-party MDM called Bushel. Here, we look at Over the Air (OTA) profile management.
Chapter 6, Debugging and Conclusion, covers ways to troubleshoot and debug devices in larger deployments. In this chapter, we'll look at how to find logs and interpret them, how to get more data than you can use from devices, and then we will wrap up the book.
What you need for this book
This book focuses on using a Mac to manage Apple iOS devices. Therefore, you should have a Mac that runs OS X 10.10 or a higher version and an iOS device that runs iOS 8 or a higher version. You can use a Windows or Linux computer instead of a Mac, but not all of the content covered in this book will be applicable if you do this.
Who this book is for
This book is intended for systems administrators and security professionals who want to learn how to implement good security practices on iOS devices. The readers should know something about the Information Technology industry, but they need not be veterans who have an experience of more than 30 years.
Conventions
In this book, you will find a number of styles of text that distinguish between different kinds of information. Here are some examples of these styles, and an explanation of their meaning.
Code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles are shown as follows: "While not exactly simple, one could use openssl on various operating systems, in tandem with a root certificate from a trusted certificate authority, to apply signatures to configuration profiles, which devices will then see as trusted."
Any command-line input or output is written as follows:
codesign -d -vv /Users/abanks/Music/iTunes/iTunes\ Media/Mobile\ Applications/Dropbox\ 3.5.2/Payload/Dropbox.app
New terms and important words are shown in bold. Words that you see on the screen, in menus or dialog boxes for example, appear in the text like this: "This is exposed to end users with a Send All Traffic slider when optional."
Note: Warnings or important notes appear in a box like this.
Tip: Tips and tricks appear like this.
Reader feedback
Feedback from our readers is always welcome. Let us know what you think about this book—what you liked or may have disliked. Reader feedback is important for us to develop titles that you really get the most out of.
To send us general feedback, simply send an e-mail to <[email protected]>, and mention the book title via the subject of your message.
If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, see our author guide on www.packtpub.com/authors.
Customer support
Now that you are the proud owner of a Packt book, we have a number of things to help you to get the most from your purchase.
Errata
Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you find a mistake in one of our books—maybe a mistake in the text or the code—we would be grateful if you would report this to us. By doing so, you can save other readers from frustration and help us improve subsequent versions of this book. If you find any errata, please report them by visiting http://www.packtpub.com/submit-errata, selecting your book, clicking on the errata submission form link, and entering the details of your errata. Once your errata are verified, your submission will be accepted and the errata will be uploaded on our website, or added to any list of existing errata, under the Errata section of that title. Any existing errata can be viewed by selecting your title from http://www.packtpub.com/support.
Piracy
Piracy of copyright material on the Internet is an ongoing problem across all media. At Packt, we take the protection of our copyright and licenses very seriously. If you come across any illegal copies of our works, in any form, on the Internet, please provide us with the location address or website name immediately so that we can pursue a remedy.
Please contact us at <[email protected]> with a link to the suspected pirated material.
We appreciate your help in protecting our authors, and our ability to bring you valuable content.
Questions
You can contact us at <[email protected]> if you are having a problem with any aspect of the book, and we will do our best to address it.
Chapter 1. iOS Security Overview
Out of the box, iOS is one of the most secure operating systems available. There are a number of factors that contribute to the elevated security level. These include the fact that users cannot access the underlying operating system. Apps also have data in a silo (sandbox), so instead of accessing the system's internals they can access the silo. App developers choose whether to store settings such as passwords in the app or on iCloud Keychain, which is a secure location for such data on a device. Finally, Apple has a number of controls in place on devices to help protect users while providing an elegant user experience.
However, devices can be made even more secure than they are now. In this chapter, we're going to get some basic security tasks under our belt in order to get some basic best practices of security. Where we feel more explanation is needed about what we did on devices, we'll explore the technology itself either in this chapter, or others.
This chapter will cover the following topics:
Pairing
Backing up your device
Initial security checklist
Safari and built-in app protection
Predictive search and spotlight
To kick off the overview of iOS security, we'll quickly secure our systems by initially providing a simple checklist of tasks, where we'll configure a few device protections that we feel everyone should use. Then, we'll look at how to take a backup of our devices and finally, at how to use a built-in web browser and protections around a browser.
Pairing
When you connect a device to a computer that runs iTunes for the first time, you are prompted to enter a password. Doing so allows you to synchronize the device to a computer. Applications that can communicate over this channel include iTunes, iPhoto, Xcode, and others.
To pair a device to a Mac, simply plug the device in (if you have a passcode, you'll need to enter that in order to pair the device). When the device is plugged in, you'll be prompted on both the device and the computer to establish a trust. Simply tap on Trust on the iOS device, as shown in the following screenshot:
Trusting a computer
For the computer to communicate with the iOS device, you'll also need to accept the pairing on your computer (although libimobiledevice, the command-line tool for pairing, does not require this, because you accept the pairing from the command line. This command is covered in Chapter 6, Debugging and Conclusion). When prompted, click on Continue to establish the pairing, as seen in the following screenshot (the screenshot is the same in Windows):
Trusting a device
When a device is paired, a file is created in /var/db/lockdown, named with the UDID of the device and a property list (plist) extension. A property list is an Apple XML file that stores a variety of attributes. In Windows, iOS data is stored in the MobileSync folder, which you can access by navigating to \Users\(username)\AppData\Roaming\Apple Computer\MobileSync. The information in this file sets up a trust between the computer and the device and includes the following attributes:
DeviceCertificate: This certificate is unique to each device.
EscrowBag: The EscrowBag keybag contains class keys used to decrypt the device.
HostCertificate: This certificate is for the host that is paired with iOS devices (usually the same for all files of devices you've paired with, on your computer).
HostID: This is a generated ID for the host.
HostPrivateKey: This is the private key for your Mac (should be the same in all files on a given computer).
RootCertificate: This is the certificate used to generate keys (should be the same in all files on a given computer).
RootPrivateKey: This is the private key of the computer that runs iTunes for that device.
SystemBUID: This refers to the ID of the computer that runs iTunes.
WiFiMACAddress: This is the MAC address of the Wi-Fi interface of the device that is paired to the computer. If you do not have an active Wi-Fi interface, the MAC address is still used while pairing.
Why does this matter? It's important to know how a device interfaces with a computer. These files can be moved between computers and contain a variety of information about a device, including private keys.
Having keys isn't all that is required for a computer to communicate with a device. When the devices are interfacing with a computer over USB, if you have a passcode enabled on the device, you will be required to enter that passcode in order to unlock the device.
Once a computer is able to communicate with a device, you need to be careful as the backups of a device, apps that get synchronized to a device, and other data that gets exchanged with a device can be exposed while at rest on devices.
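Because these pairing records carry private keys and an escrow keybag, it is worth checking them from the host side now and then. The following Python script is an added example, not code from the book or from Apple: it reads pairing-record plists of the kind the chapter describes (one <UDID>.plist per device), lists which of the secret keys (HostPrivateKey, RootPrivateKey, EscrowBag) each record carries, and flags host-side values (HostID, HostCertificate, HostPrivateKey, RootCertificate, SystemBUID) that differ between records, which the chapter says should match on a given computer. The sample records it writes are constructed, and the function names are the example's own.

```python
"""Audit pairing records of the kind stored in /var/db/lockdown.

Added example, not code from the book. Each pairing record is a plist named
after the device UDID; this script lists the secret material each record
carries and checks that host-side values agree across records on one
computer. The records written by write_sample_records() are constructed.
"""
import plistlib
import tempfile
from pathlib import Path
from typing import Dict, List

# Keys the chapter says should be the same in every record on a given computer.
HOST_CONSTANT_KEYS = ("HostID", "HostCertificate", "HostPrivateKey",
                      "RootCertificate", "SystemBUID")
# Keys holding private keys or the escrow keybag: the reason these files
# must not be copied around casually.
SECRET_KEYS = ("HostPrivateKey", "RootPrivateKey", "EscrowBag")


def load_pairing_records(directory: Path) -> Dict[str, dict]:
    """Return {udid: record} for every *.plist in the lockdown directory."""
    records = {}
    for path in sorted(directory.glob("*.plist")):
        with path.open("rb") as fh:
            records[path.stem] = plistlib.load(fh)
    return records


def secrets_present(record: dict) -> List[str]:
    """Names of the secret keys a single pairing record contains."""
    return [key for key in SECRET_KEYS if key in record]


def host_inconsistencies(records: Dict[str, dict]) -> List[str]:
    """Host-side keys whose value differs between records.

    A differing value means a record was created on another computer and
    copied in, or the host identity changed; either way it deserves a look.
    """
    differing = []
    for key in HOST_CONSTANT_KEYS:
        values = {repr(rec[key]) for rec in records.values() if key in rec}
        if len(values) > 1:
            differing.append(key)
    return differing


def audit(directory: Path) -> dict:
    """Summarise a lockdown directory: device count, secrets, host mismatches."""
    records = load_pairing_records(directory)
    return {
        "device_count": len(records),
        "secrets": {udid: secrets_present(rec) for udid, rec in records.items()},
        "host_inconsistencies": host_inconsistencies(records),
    }


def write_sample_records(directory: Path) -> None:
    """Write three constructed pairing records (not real keys or UDIDs)."""
    host = {
        "HostID": "HOST-ID-CONSTRUCTED",
        "SystemBUID": "SYSTEM-BUID-CONSTRUCTED",
        "HostCertificate": b"host certificate (constructed)",
        "HostPrivateKey": b"host private key (constructed)",
        "RootCertificate": b"root certificate (constructed)",
    }
    records = {
        "udid-aa1": {**host, "DeviceCertificate": b"device cert aa1",
                     "EscrowBag": b"escrow bag aa1", "RootPrivateKey": b"root key",
                     "WiFiMACAddress": "00:11:22:33:44:55"},
        "udid-bb2": {**host, "DeviceCertificate": b"device cert bb2",
                     "EscrowBag": b"escrow bag bb2", "RootPrivateKey": b"root key",
                     "WiFiMACAddress": "00:11:22:33:44:66"},
        # Copied in from another computer: the host identity does not match.
        "udid-cc3": {**host, "HostID": "HOST-ID-FOREIGN",
                     "DeviceCertificate": b"device cert cc3",
                     "EscrowBag": b"escrow bag cc3"},
    }
    for udid, record in records.items():
        with (directory / f"{udid}.plist").open("wb") as fh:
            plistlib.dump(record, fh)


def demo_audit() -> dict:
    """Run the audit over constructed records in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_records(Path(tmp))
        return audit(Path(tmp))


if __name__ == "__main__":
    # On a real Mac, pass Path("/var/db/lockdown") instead (root privileges needed).
    print(demo_audit())
```

The demo runs entirely in a temporary directory; against a real Mac you would point audit() at /var/db/lockdown, which is only readable as root, and treat any record whose host values do not match the others as one to investigate and remove.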
Backing up your device
What do most people do to maximize the security of iOS devices? Before we do anything, we need to take a backup of our devices. This protects the device from us by providing a restore point. This also secures the data from the possibility of losing it through a silly mistake. There are two ways which are most commonly used to take backups: iCloud and iTunes. As the names imply, the first makes backups of the data on Apple's cloud service and the second on desktop computers.
We'll cover how to take a backup on iCloud first.
iCloud backups
An iCloud account comes with free storage, to back up your Apple devices. An iOS device takes a backup to Apple servers and can be restored when a new device is set up from those same servers (it's a screen that appears during the activation process of a new device. Also, it appears as an option in iTunes if you back up to iTunes over USB—covered later in this chapter).
Setting up and checking the status of iCloud backups is a straightforward process. From the Settings app, tap on iCloud and then Backup. As you can see from the Backup screen, you have two options, iCloud Backup, which enables automatic backups of the device to your iCloud account, and Back Up Now, which runs an immediate backup of the device.
iCloud backups
Allowing iCloud to take backups on devices is optional. As you'll see in Chapter 5, Mobile Device Management, and Chapter 6, Debugging and Conclusion, you can disable access to iCloud and iCloud backups. However, doing so is rarely a good idea as you are limiting the functionality of the device and putting the data on your device at risk, if that data isn't backed up another way such as through iTunes. Many people have reservations about storing data on public clouds; especially, data as private as phone data (texts, phone call history, and so on). For more information on Apple's security and privacy around iCloud, refer to http://support.apple.com/en-us/HT202303. If you do not trust Apple or its cloud, then you can also take a backup of your device using iTunes, described in the next section.
Taking backups using iTunes
Originally, iTunes was used to take backups for iOS devices. You can still use iTunes and it's likely you will have a second backup even if you are using iCloud, simply for a quick restore if nothing else.
Backups are usually pretty small. The reason is that the operating system is not part of backups, since users can't edit any of those files. Therefore, you can use an ipsw file (the operating system) to restore a device.
These are accessed through Apple Configurator (which is covered further in Chapter 4, Organizational Controls), or through iTunes if you have a restore file waiting to be installed. These can be seen in ~/Library/iTunes, and then the name of the device and its software updates, as can be seen in the following screenshot:
IPSW files
Backups are stored in the ~/Library/Application Support/MobileSync/Backup directory. Here, you'll see a number of directories that are associated with the UDID of the devices, and within those, you'll see a number of files that make up the modular incremental backups beyond the initial backup. It's a pretty smart system and allows you to restore a device at different points in time without taking too long to perform each backup.
Backups are stored in the \Documents and Settings\USERNAME\Application Data\Apple Computer\MobileSync\Backup\ directory on Windows XP and in the \Users\USERNAME\AppData\Roaming\Apple Computer\MobileSync\Backup\ directory for newer operating systems.
To enable an iTunes backup, plug a device into a computer, and then open iTunes. Click on the device for it to show the device details screen. The top section of the screen is for Backups (in the following screenshot, you can set a backup to This computer, which takes a backup on the computer you are on).
Tip: I would recommend that you always choose the Encrypt iPhone backup option as it forces you to save a password in order to restore the backup.
Additionally, you can use the Back Up Now button to kick off the first backup, as shown
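On a Mac with several devices synced over the years, it is easy to lose track of which local backups were taken with the Encrypt iPhone backup option and which were not. The Python script below is an added example, not code from the book or from Apple: it walks a MobileSync/Backup directory of the layout the chapter describes (one folder per device UDID) and reports each backup's encryption state. It assumes, from outside the page, that each backup folder contains a Manifest.plist with a boolean IsEncrypted key; the sample backups it writes for the demonstration are constructed.

```python
"""Report local iTunes backups that are not encrypted.

Added example, not code from the book. The chapter places backups under
~/Library/Application Support/MobileSync/Backup/<UDID>/ and recommends the
"Encrypt iPhone backup" option. This script assumes, from outside the page,
that each backup folder contains a Manifest.plist with a boolean IsEncrypted
key. The backups written by write_sample_backups() are constructed.
"""
import plistlib
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

DEFAULT_ROOT = Path.home() / "Library" / "Application Support" / "MobileSync" / "Backup"


def backup_is_encrypted(backup_dir: Path) -> Optional[bool]:
    """True or False from Manifest.plist; None when the manifest is missing or unreadable."""
    manifest = backup_dir / "Manifest.plist"  # assumed layout, see docstring
    if not manifest.is_file():
        return None
    try:
        with manifest.open("rb") as fh:
            return bool(plistlib.load(fh).get("IsEncrypted", False))
    except plistlib.InvalidFileException:
        return None


def audit_backups(root: Path) -> Dict[str, Optional[bool]]:
    """Map each backup folder name (the device UDID) to its encryption state."""
    if not root.is_dir():
        return {}
    return {d.name: backup_is_encrypted(d)
            for d in sorted(root.iterdir()) if d.is_dir()}


def unencrypted_backups(root: Path) -> List[str]:
    """UDIDs whose backup is known to be unencrypted: the ones to fix first."""
    return [udid for udid, enc in audit_backups(root).items() if enc is False]


def write_sample_backups(root: Path) -> None:
    """Constructed demo backups: one encrypted, one plain, one with no manifest."""
    samples = (("constructed-udid-encrypted", {"IsEncrypted": True}),
               ("constructed-udid-plain", {"IsEncrypted": False}),
               ("constructed-udid-nomanifest", None))
    for udid, manifest in samples:
        folder = root / udid
        folder.mkdir(parents=True)
        if manifest is not None:
            with (folder / "Manifest.plist").open("wb") as fh:
                plistlib.dump(manifest, fh)


def demo() -> Tuple[Dict[str, Optional[bool]], List[str]]:
    """Run the audit over the constructed backups in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_backups(Path(tmp))
        return audit_backups(Path(tmp)), unencrypted_backups(Path(tmp))


if __name__ == "__main__":
    labels = {True: "encrypted", False: "NOT encrypted", None: "unknown"}
    for udid, state in audit_backups(DEFAULT_ROOT).items():
        print(f"{udid}: {labels[state]}")
    print("demo:", demo())
```

A backup reported as unknown has no readable manifest and should be treated as unencrypted until checked by hand; the fix for any entry in the unencrypted list is the Encrypt iPhone backup option described above, followed by a fresh backup.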
Viewing iOS data in iTunes
To show why it's important to encrypt backups, let's look at what can be pulled out of those backups. There are a few tools that can extract backups, provided you have a password. Here, we'll look at iBackup Extractor to view the backup of your browsing history, calendars, call history, contacts, iMessages, notes, photos, and voicemails.
To get started, download iBackup Extractor from http://www.wideanglesoftware.com/ibackupextractor. When you open iBackup Extractor for the first time, simply choose the device backup you wish to extract in iBackup Extractor. As you can see in the following screenshot, you will be prompted for a password in order to unlock the Backup keybag. Enter the password to unlock the system.
Unlock the backups
Note that the file tree in the following screenshot gives away some information on the structure of the iOS filesystem, or at least, the data stored in the backups of the iOS device, which we'll cover in detail in Chapter 6, Debugging and Conclusion. For now, simply click on Browser to see a list of files that can be extracted from the backup, as you can see in the next screenshot:
View device contents using iBackup Extractor
Note the prevalence of SQL databases in the files. Most apps use these types of databases to store data on devices. Also, check out the other options such as extracting notes (many that were possibly deleted), texts (some that have been deleted from devices), and other types of data from devices.
Now that we've exhausted backups and proven that you should really put a password in place for your backups, let's finally get to some basic security tasks to be performed on these devices!
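The point about deleted notes and texts still turning up in a backup can be demonstrated with a few lines of Python. The script below is an added example, not code from the book or from iBackup Extractor: it builds a constructed notes table in a SQLite database, deletes a row, and shows that the row's text is still present in the raw file (where a carving tool would find it) until the database is rebuilt with VACUUM. It uses only the standard library; the table, the note text and the marker string are constructed for the demonstration.

```python
"""Why "deleted" notes and texts can still be pulled out of a plain backup.

Added example, not code from the book. App data in an iOS backup is mostly
SQLite, as the chapter notes. Deleting a row only unlinks it: the bytes stay
in the file's free space until the page is reused or the database is rebuilt
with VACUUM, so an unencrypted backup can still carry deleted records. The
notes database and its contents below are constructed for the demonstration.
"""
import os
import sqlite3
import tempfile

MARKER = "CONSTRUCTED-SECRET-NOTE-7f3a"  # constructed text to search for


def raw_file_contains(path: str, needle: str) -> bool:
    """Scan the raw database file, as a carving tool would, for the text."""
    with open(path, "rb") as fh:
        return needle.encode() in fh.read()


def residue_demo() -> dict:
    """Insert a note, delete it, and check where its text survives.

    secure_delete is forced OFF so the outcome does not depend on how the
    local SQLite library was compiled (some builds default it to ON).
    """
    fd, path = tempfile.mkstemp(suffix=".sqlite")
    os.close(fd)
    try:
        conn = sqlite3.connect(path)
        conn.execute("PRAGMA secure_delete = OFF")
        conn.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)")
        conn.executemany("INSERT INTO notes (body) VALUES (?)",
                         [("grocery list",), (MARKER,), ("meeting at 3pm",)])
        conn.commit()
        conn.execute("DELETE FROM notes WHERE body = ?", (MARKER,))
        conn.commit()
        # The row is gone as far as SQL is concerned...
        rows = conn.execute("SELECT COUNT(*) FROM notes WHERE body = ?",
                            (MARKER,)).fetchone()[0]
        conn.close()
        # ...but its bytes are still sitting in the file's free space.
        in_file_after_delete = raw_file_contains(path, MARKER)

        # VACUUM rebuilds the file from live rows only, dropping the residue.
        conn = sqlite3.connect(path)
        conn.execute("VACUUM")
        conn.close()
        in_file_after_vacuum = raw_file_contains(path, MARKER)
    finally:
        os.unlink(path)
    return {
        "visible_via_sql": rows > 0,
        "in_file_after_delete": in_file_after_delete,
        "in_file_after_vacuum": in_file_after_vacuum,
    }


if __name__ == "__main__":
    print(residue_demo())
```

Real apps rarely VACUUM their databases after every deletion, so the copy of a database that lands in a backup usually contains this residue; encrypting the backup is what keeps it from being read off a synced computer.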
Initial security checklist
Apple has built iOS to be one of the most secure operating systems in the world. This has been made possible by restricting access to much of the operating system by end users, unless you jailbreak a device. In this book, we don't cover jail-breaking devices much due to the fact that securing the devices then becomes a whole new topic. Instead, we have focused on what you need to do, how you can do those tasks, what the impacts are, and how to manage security settings based on a policy.
The basic steps required to secure an iOS device start with encrypting devices, which is done by assigning a passcode to a device. We will then configure how much inactive time passes before a device requires a PIN and accordingly manage the privacy settings. These settings allow us to get some very basic security features under our belt, and set the stage to explain what some of the features actually do, and how we can set them via a policy in subsequent chapters of this book.
Configuring a passcode
The first thing most of us need to do on an iOS device is configure a passcode for the device. Several things happen when a passcode is enabled, as shown in the following steps:
1. The device is encrypted.
2. The device then requires a passcode to wake up.
3. An idle timeout is automatically set that puts the device to sleep after a few minutes of inactivity.
This means that three of the most important things you can do to secure a device are enabled when you set up a passcode.
Best of all, Apple recommends setting up a passcode during the initial setup of new devices. You can manage passcode settings using policies (or profiles as Apple likes to call them in iOS), which we will cover in Chapter 4, Organizational Controls, and Chapter 5, Mobile Device Management.
Better still, you can set a passcode and then use your fingerprint on the Home button instead of that passcode. We have found that by the time our phone is out of our pocket and our finger is on the Home button, the device is unlocked by the time we check it. With iPhone 6 and higher versions, you can now use that same fingerprint to secure payment information, which is covered in Chapter 2, Introducing App Security.
Check whether a passcode has been configured, and if needed, configure a passcode using the Settings app. The Settings app is by default on the Home screen, and it is where many settings on the device, including Wi-Fi networks the device has been joined to, app preferences, mail accounts, and other settings are configured.
To set a passcode, open the Settings app and tap on Touch ID & Passcode. If a passcode has been set, you will see the Turn Passcode Off option (as seen in the following screenshot). If a passcode has not been set, then you can do so at this screen as well. Additionally, you can change a passcode that has been set using the Change Passcode button and define a fingerprint or additional fingerprints that can be used with Touch ID.
There are two options in the USE TOUCH ID FOR section of the screen. You can choose whether or not you need to enter the passcode in order to unlock a phone, which you should use unless the device is also used by small children or as a kiosk. In these cases, you don't need to encrypt or take a backup of the device anyway. The second option is to force the entering of a passcode while using the App Store and iTunes. This can cost you money if someone else is using your device, so let the default value remain, which requires you to enter a passcode to unlock the options.
Configure a Passcode
The passcode settings are very easy to configure; so, they should be configured when possible. Scroll down on this screen and you'll see several other features, as shown in the next screenshot. The first option on the screen is Simple Passcode. Most users want to use a simple PIN with an iOS device. Trying to use alphanumeric and long passcodes simply causes most users to try to circumvent the requirement. To add a fingerprint as a passcode, simply tap on Add a Fingerprint…, which you can see in the preceding screenshot, and follow the onscreen instructions.
Additionally, the following can be accessed when the device is locked, and you can choose to turn them off:
Today: This shows an overview of upcoming calendar items
Notifications View: This shows you the recent push notifications (apps that have updates on the device)
Siri: This represents the voice control of the device
Passbook: This tool is used to make payments and display tickets for concert venues and meetups
Reply with Message: This tool allows you to send a text reply to an incoming call (useful if you're on the treadmill)
Each organization can decide whether it considers these options to be a security risk and direct users how to deal with them, or they can implement a policy around these options.
Passcode Settings
There aren't a lot of security options around passcodes and encryption because by and large, Apple secures the device by giving you fewer options than you'll actually use. Under the hood (for example, through Apple Configurator and Mobile Device Management, covered in Chapter 4, Organizational Controls and Chapter 5, Mobile Device Management, respectively) there are a lot of other options, but these aren't exposed to end users of devices. For the most part, a simple four-character passcode will suffice for most environments. When you complicate passcodes, devices become much more difficult to unlock, and users tend to look for ways around passcode enforcement policies. The passcode is only used on the device, so complicating the passcode will only reduce the likelihood that a passcode would be guessed before swiping open a device, which typically occurs within 10 tries.
Finally, to disable a passcode and therefore encryption, simply go to the Touch ID & Passcode option in the Settings app and tap on Turn Passcode Off.
Configuring privacy settings
Once a passcode is set and the device is encrypted, it's time to configure the privacy settings. Third-party apps cannot communicate with one another by default in iOS. Therefore, you must enable communication between them (also between third-party apps and built-in iOS apps that have APIs). This is a fundamental concept when it comes to securing iOS devices.
To configure privacy options, open the Settings app and tap on the entry for Privacy. On the Privacy screen, you'll see a list of each app that can be communicated with by other apps, as shown in the following screenshot:
Privacy Options
As an example, tap on the Location Services entry, as shown in the next screenshot. Here, you can set which apps can communicate with Location Services and when. If an app is set to While Using, the app can communicate with Location Services when the app is open. If an app is set to Always, then the app can only communicate with Location Services when the app is open and not when it runs in the background.
Configure Location Services
On the Privacy screen, tap on Photos. Here, you have fewer options because, unlike the location of a device, you can't access photos when the app is running in the background. Here, you can enable or disable an app's ability to communicate with the photo library on a device, as seen in the next screenshot:
Configure what Apps can access your Camera Roll
Each app should be configured in such a way that it can communicate only with the features of iOS or other apps that are absolutely necessary.
Other privacy options which you can consider disabling include Siri and Handoff. Siri provides the voice controls of iOS. Because Siri can be used even when your phone is locked, consider disabling it by opening the Settings app, tapping on General and then on Siri, where you will be able to disable the voice controls. To disable Handoff, you should use the General System Preference pane on any OS X computer paired to an iOS device. There, uncheck the Allow Handoff between this Mac and your iCloud devices option.
Safari and built-in App protections
Web browsers have access to a lot of data. One of the most popular targets on other platforms has been web browsers. The default browser on an iOS device is Safari.
Open the Settings app and then tap on Safari. The Safari preferences to secure iOS devices include the following:
Passwords & AutoFill: This is a screen that includes contact information, a list of saved passwords and credit cards used in web browsers. This data is stored in an iCloud Keychain if iCloud Keychain has been enabled on your phone.
Favorites: This performs the function of bookmark management. This shows bookmarks in iOS.
Open Links: This configures how links are managed.
Block Pop-ups: This enables a pop-up blocker.
Scroll down and you'll see the Privacy & Security options (as seen in the next screenshot). Here, you can do the following:
Do Not Track: With this, you can block the tracking of browsing activity by websites.
Block Cookies: A cookie is a small piece of data sent from a website to a visitor's browser. Many sites will send cookies to third-party sites, so the management of cookies becomes an obstacle to the privacy of many. By default, Safari only allows cookies from websites that you visit (Allow from Websites I Visit). Set the Cookies option to Always Block in order to disable its ability to accept any cookies; set the option to Always Allow to accept cookies from any source; and set the option to Allow from Current Website Only to only allow cookies from certain websites.
Fraudulent Website Warning: This blocks phishing attacks (sites that only exist to steal personal information).
Clear History and Website Data: This clears any cached history, web files, and passwords from the Safari browser.
Use Cellular Data: When this option is turned off, it disables web traffic over cellular connections (so web traffic will only work when the phone is connected to a Wi-Fi network).
Configure Privacy Settings for Safari
There are also a number of advanced options that can be accessed by clicking on the Advanced button, as shown in the following screenshot:
Configure the Advanced Safari Options
These advanced options include the following:
Website Data: This option (as you can see in the next screenshot) shows the amount of data stored from each site that caches files on the device, and allows you to swipe left on these entries to access any files saved for the site. Tap on Remove All Website Data to remove data for all the sites at once.
JavaScript: This allows you to disable any JavaScript from running on sites the device browses.
Web Inspector: This shows the device in the Develop menu on a computer connected to the device. If the Web Inspector option has been disabled, use Advanced Preferences in the Safari Preferences option of Safari.
View website data on devices
Browser security is an important aspect of any operating system.
Predictive search and spotlight
The final aspect of securing the settings on an iOS device that we'll cover in this chapter includes predictive search and spotlight. When you use the spotlight feature in iOS, usage data is sent to Apple along with the information from Location Services. Additionally, you can search for anything on a device, including items previously blocked from being accessed. The ability to search for blocked content warrants its inclusion in locking down a device.
That data is then used to generate future searches. This feature can be disabled by opening the Settings app, tapping on Privacy, then Location Services, and then System Services. Simply slide Spotlight Suggestions to Off to stop the location data from going over that connection. To limit the type of data that spotlight sends, open the Settings app, tap on General, and then on Spotlight Search. Uncheck each item you don't want indexed in the Spotlight database. The following screenshot shows the mentioned options:
Configure What Spotlight Indexes
Now that we've looked at some basic tactical tasks that secure devices, it's time to turn our attention to the theory behind some of these and to make sure your apps are secure, in the next chapter.
Summary
This chapter was a whirlwind of quick changes that secure a device. Here, we paired devices, took a backup, set a passcode, and secured app data and Safari. This is by far the simplest chapter of this book, but it also lays the groundwork to cover some of the more esoteric content. In this chapter, we showed how to manually do some tasks that we will set via policies later in the book.
In the next chapter, we will move on to securing apps and learn how apps communicate with one another.
Chapter 2. Introducing App Security
In this chapter, we will look at one of the most important things to secure on iOS: apps. This includes data within apps, the context in which apps are allowed to run, how apps communicate via extensions, and how newer features in the OS continue to put the focus on an Apple ID as the most important account to control on your device. However, the reason why most people sign up for an Apple ID is to install apps.
Many of the concepts discussed in this chapter will be an addition to or a reinforcement of our knowledge about the OS X architecture upon which iOS is based, which will be especially helpful if you are coming from the Windows or Blackberry platforms. Even Linux, with its process model echoing Unix, still has enough notable differences with the appliance-style computing experience showcased on iOS that it will be helpful to cover these more fundamental points. We will also briefly touch on in-house app development, which can be augmented by the management systems that we will be discussing in Chapter 4, Organizational Controls, and Chapter 5, Mobile Device Management.
The topics that we will cover in this chapter, which underpin app security, include:
How apps are distributed, installed, and restricted
Single app mode (also known as Lock to App) and Guided Access
Traditional and current inter-app (and device) communication
Clarification of when keybags are utilized by iOS
Keyboards, sandboxing, and extensions
Introduction to securely distributing custom in-house apps
Installing apps
How to install an app is considered a trivial exercise at this point, with common advertisements doing nothing more than showing the icons of the platform to suggest that they want you to get their app from the corresponding store. That being said, there are other ways to download and install an app than simply opening an app store on a device and tapping on Get. An app can be pushed over the air with management systems, put on the device with tools such as Apple Configurator (discussed in Chapter 4, Organizational Controls), and installed once it is compiled from the source code with Xcode (Apple's Integrated Development Environment (IDE), which is discussed with other tools that can perform installations in Chapter 6, Debugging and Conclusion).
There is no concept of sideloading apps on iOS in comparison to other platforms where you may be able to place a device into developer mode. Likewise, you will likely never have implicit or otherwise stated encouragement to gain root access to the device. We'll discover the lengths to which Apple goes to ensure this in the next chapter, but suffice it to say that you simply cannot transfer a binary to an iOS device and bring about a system-wide change in any but the endorsed ways while playing within Apple's so-called walled garden.
Apps themselves can only be distributed by Apple via the App Store that's available on the device, and in iTunes on a Mac or PC, through a special Business-to-Business store with the Volume Purchase Program, or when explicitly associated with an Apple Developer Program. These limited options decrease the routes through which applications can be acquired, but if you have a developer account, you can compile applications released as open source and install them on devices at will. Similarly, the compressed .ipa archive that contains an iOS application can be transferred like any data, but getting the installer process in the OS to pick up on it is another matter.
Security around app installation manifests itself in the fact that the kernel performs verification at installation time and every subsequent launch to ensure that the executable bundle and frameworks inside the archive have been signed with an approved developer's certificate that Apple trusts. There is no installer binary for IPA files on iOS, so verification like the one that is done with the pkg encapsulation format on the Mac is not a part of the process. As long as the code delivered by an archive checks out as signed, it is allowed to be installed and run. One can speculate that this allows more caching possibilities since there is less likelihood of corruption, as all you need to change is the Digital Rights Management (DRM) software upon delivery to a new device.
You can see the app signature verification process on a Mac using the following steps:
1. First, download an app from iTunes and navigate to it in the Finder. Normally, it can be found by navigating to /Users/yourusername/Music/iTunes/Mobile Applications. Duplicate the file (if you'd like to keep a fresh, unaltered version) and highlight the copy. Then, from the File menu, choose Open With | Archive Utility to expand it.
2. You will then see a folder of the same name with several things inside it, one of which is a folder labeled Payload.
3. Launch the Terminal application that you will find in the Other folder in Launchpad. You would first type codesign -d -vv and then drag and drop the application you find inside the Payload folder, and then hit return. On executing the command, you will see something like the following:
codesign -d -vv /Users/abanks/Music/iTunes/iTunes\ Media/Mobile\ Applications/Dropbox\ 3.5.2/Payload/Dropbox.app
Executable=/Users/abanks/Music/iTunes/iTunes Media/Mobile Applications/Dropbox 3.5.2/Payload/Dropbox.app/Dropbox
Identifier=com.getdropbox.Dropbox
Format=bundle with Mach-O universal (armv7 arm64)
CodeDirectory v=20200 size=54086 flags=0x0(none) hashes=2695+5 location=embedded
Signature size=3487
Authority=Apple iPhone OS Application Signing
Authority=Apple iPhone Certification Authority
Authority=Apple Root CA
An output such as the preceding one will appear, which will show the chain of trust in action. Apple's Root Certificate Authority (CA) is present as a trusted authority to verify that the application inside the .ipa file that we acquired has not been tampered with.
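As an added example (not code from the book), the following Python parses the codesign -d -vv output format shown above and checks that the Authority chain terminates at Apple Root CA; both samples are constructed here, the first mirroring the book's Dropbox output and the second showing the shape of an ad hoc signature, and on a Mac you would capture the real text from codesign itself.

```python
"""Parse `codesign -d -vv` output and check the signing chain of trust.

Added example: the sample text is constructed to match the output shown
in the book; on a Mac you would capture it with
`codesign -d -vv Payload/<App>.app 2>&1` (codesign writes to stderr).
"""
import re

# Constructed sample mirroring the book's output for Dropbox.app.
STORE_SIGNED_OUTPUT = """\
Executable=/Users/abanks/Music/iTunes/iTunes Media/Mobile Applications/Dropbox 3.5.2/Payload/Dropbox.app/Dropbox
Identifier=com.getdropbox.Dropbox
Format=bundle with Mach-O universal (armv7 arm64)
CodeDirectory v=20200 size=54086 flags=0x0(none) hashes=2695+5 location=embedded
Signature size=3487
Authority=Apple iPhone OS Application Signing
Authority=Apple iPhone Certification Authority
Authority=Apple Root CA
"""

# Constructed sample of an ad hoc signature: no certificate chain at all,
# which is what a locally built or re-signed bundle typically shows.
ADHOC_OUTPUT = """\
Executable=/tmp/Example.app/Example
Identifier=com.example.adhoc
Format=bundle with Mach-O thin (arm64)
CodeDirectory v=20200 size=312 flags=0x2(adhoc) hashes=4+5 location=embedded
Signature=adhoc
"""

APPLE_ROOT = "Apple Root CA"                          # expected trust anchor
STORE_SIGNER = "Apple iPhone OS Application Signing"  # leaf used by the App Store


def parse_codesign(output: str) -> dict:
    """Turn codesign's key=value lines into a dict.

    Authority repeats once per certificate (leaf first, root last), so it is
    collected as an ordered list; the CodeDirectory line is split into fields.
    Other keys are lower-cased with spaces replaced ("Signature size" ->
    "signature_size").
    """
    info = {"authorities": []}
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("Authority="):
            info["authorities"].append(line[len("Authority="):].strip())
        elif line.startswith("CodeDirectory"):
            info["codedirectory"] = dict(re.findall(r"(\w+)=(\S+)", line))
        elif "=" in line:
            key, _, value = line.partition("=")
            info[key.strip().lower().replace(" ", "_")] = value.strip()
    return info


def chain_problems(info: dict) -> list:
    """Reasons not to trust the bundle; an empty list means the chain checks out."""
    problems = []
    chain = info.get("authorities", [])
    cd = info.get("codedirectory", {})
    if not chain:
        problems.append("no Authority lines: unsigned or ad hoc signature")
    elif chain[-1] != APPLE_ROOT:
        problems.append(f"chain ends at {chain[-1]!r}, not {APPLE_ROOT!r}")
    if "adhoc" in cd.get("flags", ""):
        problems.append("CodeDirectory flags mark the signature as adhoc")
    if cd.get("location") != "embedded":
        problems.append("signature is not embedded in the bundle")
    if "identifier" not in info:
        problems.append("no Identifier line")
    return problems


def is_store_signed(info: dict) -> bool:
    """True only for a full App Store chain: store leaf ... Apple Root CA."""
    chain = info.get("authorities", [])
    return (not chain_problems(info)
            and len(chain) >= 2
            and chain[0] == STORE_SIGNER)


if __name__ == "__main__":
    for label, text in (("store", STORE_SIGNED_OUTPUT), ("adhoc", ADHOC_OUTPUT)):
        parsed = parse_codesign(text)
        print(label, parsed.get("identifier"), is_store_signed(parsed),
              chain_problems(parsed))
```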
Blocking access to the App Store
One can potentially hide the App Store application on the device, but if the device can still connect to an end user's computer that is running iTunes, you will not be able to effectively cut off the installation of apps.
Note
There have been additional, undocumented ways to hide features and apps that are actually present on a device in certain jurisdictions, most of which rely in some part on configuration profiles, but that is beyond the scope of this book.
As demonstrated by the access granted to data on the device by backing it up to a computer in the last chapter, when allowing end users to directly interact with the backup process, it should be thoroughly examined and accounted for in a written policy.
The most simplistic form of applying management to an iOS device is to navigate to Settings | General | Restrictions, tap on Enable Restrictions, and then set a new password that is distinct from the one used to unlock the device. Then, you can granularly disable Installing Apps, Deleting Apps, and In-App Purchases and essentially shut off all interactions with the apps on a device, as shown in the following figure:
Restricting App Store Functionality
Management tools such as Apple Configurator and iTunes will also not be able to install or remove apps once these settings are enabled, which makes controlling access to Restrictions of particular importance to educational environments.
Single App mode, App Lock, and Guided Access
When devices are made to work in a shared-usage model, for example, many nurses using the same iPad during shifts at a hospital, one method to restrict access and standardize the experience would be to lock the device to a single app. This is referred to by different names based on how it is initiated, and it can be achieved with the tools that we will discuss in future chapters. The device shows only the designated app and never goes to the home screen (also referred to internally as the Springboard). The Home button is essentially disabled and Control Center (which is accessed by swiping up from the bottom edge of an iOS device) is also not accessible. This can also enable a kiosk-type experience, where the device is protected from misuse by dictating that only a single app can run.
In recent releases of iOS, developers have been granted APIs to enable app lock when they enter a certain state within the app or until a specific requirement is met; however, this is applicable only for apps distributed via Mobile Device Management (MDM). This meets the criteria for educational use where you do not want students to look up answers. It can also prevent exfiltration of data within the apps on a device if you can coordinate with a developer to enable this feature. Financial processing, secure document viewing, and other sensitive app interaction may benefit from this as well.
You can simulate how a locked device will perform at any time by enabling a feature called Guided Access. You can initiate this mode by pressing the Home button three times from within an app. You will then be presented with options to control motion (the ability to rotate the screen's orientation) and the use of the keyboard. It detects screen elements, so you can designate specific regions of the screen to be off-limits, for example, the in-app purchase button or ads. Exiting Guided Access requires yet another distinct four-digit password, but it can be disabled with the fingerprint unlock feature on devices that are equipped with Touch ID.
You can find more information about this at http://support.apple.com/HT202612. The following screenshot shows the Guided Access configuration screen on an iPhone:
Enabling Guided Access
Now, the following screenshot shows how the controls of an app can be selectively disabled:
Disabling Controls in an App
One of the things that people utilizing this functionality discover as a support concern is that you cannot turn off the device nor put the screen in sleep mode. This makes powering the device of critical importance, as does ensuring a consistent Wi-Fi connection; there is no way to re-enter credentials or switch networks. The preceding screenshots show how you can enable Guided Access and what you would see when you configure it, whereas no configuration is presented when using MDM or in-app functionality to Lock to App; further restrictions may be necessary if you would like to disable in-app purchases or unnecessary web views.
Tip
Documenting an obscure feature like Guided Access is actually quite a challenge, as the normal, simple to use screenshot controls on the device are effectively disabled. Instead of messing about with video capture via a physical adapter or cable, Apple's AirPlay feature can be paired with an app like Reflector by Squirrels (http://www.airsquirrels.com/reflector/) to mirror the screen to a Mac, PC, or an Android device from which you can then take screenshots.
App communication
Historically, very few affordances were made when one developer wanted to communicate with the application data of another developer. URL schemes were manipulated for this purpose and they allowed a developer's app to be summoned by an identifier that was usually based on the bundle ID. In the last few major releases of iOS, there was at least the affordance for shared credentials to be accessed between apps by the same developer. This sharing of a keychain by an app group now also includes the sharing of file storage and preference data, which was previously accomplished by separate accounts with third-party sync services like Dropbox. iCloud Drive has been introduced to perform similar ad hoc file storage and sharing tasks. If this sounds somewhat limiting, it's because historically it has been, but we will touch upon the new ways in which app functionality and data can leak out from the one-app-at-a-time silo after we discuss how app data can now pass more easily between devices. The following screenshot shows a web page in Safari on an iOS 8 device that is being offered to a Mac running OS X 10.10:
A web page in Safari on an iOS 8 device that is being offered to a Mac running OS X 10.10
Handoff and Continuity
Let's start by signing into the same Apple ID on a Mac running OS X 10.10 (Yosemite) and an iPhone or iPad running iOS 8. Open a web page in Safari on the iOS device and you will see an icon in your Dock (analogous to the taskbar on Windows) to continue viewing the web page on the Mac. This is Handoff in action. It's also referred to under the Continuity heading in Apple's marketing material. Many Apple apps are shipping with this functionality in iOS 8, and the developers of popular apps like Google's Chrome web browser are rapidly adopting it as well.
iCloud and the newest operating systems are the glue that holds all this together, and these features work between iOS devices. For other Continuity features such as phone/text message relay, you may need to explicitly set up the relationship between devices when prompted, as shown in the following figure:
Authorizing an iPad to receive text messages (SMS and MMS)
Tip
As a troubleshooting step, make sure that any device that will piggyback on an iPhone's service is using the phone number of an iPhone and the e-mail address of the Apple ID to identify itself to iCloud-based services. You can find more details about this at http://support.apple.com/HT6337.
Some people have criticized this duplication of possibly redundant or sensitive application states across devices, which you would be automatically opted in to use if you have an iPhone and which uses the same Apple ID and phone number as the primary identifier of iCloud-based services such as iMessage and FaceTime. This increases the moving parts that need to be secured and the importance of the device wipe feature that is present in ActiveSync, Find My iPhone, and the MDM-based enterprise wipe.
Keybags and keychains
As discussed in the previous chapter, the keychain is known as a way to centrally store and manage credentials and other secret data that are in use by applications on the behalf of the user, carried over from OS X. There is also the concept of a keybag, which in practice is a grouping of secrets (or more practically, keys) that allow the system to manage the moving parts around specific interactions. Besides being used by the system itself to manage the encryption of the data, these primarily deal with when a backup will run: either over Wi-Fi to iTunes, when tethered by USB to iTunes, or while the device is plugged into a power source and locked, as a requirement to send to iCloud Backup.
Explaining keybags as a concept is a minor point, but there has been terminology confusion regarding things such as the securing of apps with digital rights management and the use of the keychain, neither of which are directly related. To summarize, keybags are an abstraction for secrets like keychain items, so they can be secured independent of the data within. This allows for more flexible security by adding an interaction-specific layer to events such as the rotation of credentials, among other common interactions.
Note
Some keychain items can be marked as tied to a specific device when they are created by an application, disallowing them from being restored to another device. Google appears to be using this in their popular two-step authentication app Google Authenticator, whereas other services do not impose this limitation.
Keyboards and extensions
One of the greatly anticipated features of iOS 8 was the concept of Extensions. While shuttling around the state of an application is all well and good, extensions allow apps to have their functionality appear in new places.
This is implemented through the addition of specific abilities presented to developers that are referred to as extension points, with the most anticipated being third-party keyboards. A more popular keyboard that is available for other platforms is Swype (though I am personally waiting for the return of Palm's Graffiti), which allows more fluid, one-handed text entry.
Apple grouped other possible extension categories under Today widgets (Today being a newly expanded view in Notification Center on iOS and Mac), photo editing enhancements (for example, filters from popular apps like VSCO Cam), document providers for importing files from popular sync services like Dropbox, and share providers like the pre-existing but system-provided Facebook sharing functionality. More broadly, the vaguely named custom actions allow apps to be interactive even when the screen is locked, and from within a small drop-down interface when they receive notifications while the screen is unlocked.
The security and privacy concerns that Apple has addressed for keyboards in particular are how inputs for password fields and network communication are handled, so that a keyboard app cannot send keystrokes over the network and become the least imposing-looking keylogger. Extensions are distributed in regular app bundles and follow common privacy and security controls. In addition, one must explicitly allow network traffic for a keyboard in Settings, but even Apple's own Predictive Text keyboard add-on cannot enter text in a designated (properly coded) password field.
Tip
Note that much of the Apple Watch's preliminary app functionality is enabled via extensions and all the processing happens in the iPhone. These are then sent to the device over Bluetooth Low Energy. Very little is stored about an app on the watch itself (UI storyboards that can contain dynamically updating content like watch faces), so securing the iPhone will be sufficient.
Securing what extensions can access
The ability to enforce these expanded privacy and network access controls was prepared by having interapplication communication (under the protocol name XPC) added as part of iOS 5 (and OS X 10.7). The specific APIs for this type of communication ensure that apps will not share the same file or memory space with an extension.
Essentially, both parties stay in their own sandbox but XPC arbitrates and acts as a proxy between them. In terms of Privacy, while any right granted to the extension's container app will be inherited by it, a new app will not share its privacy settings with another developer's extension that is accessible within it.
While we will discuss MDM in depth later, their use adds the potential to apply more on-the-fly controls, which include limiting the mail accounts through which data can be sent, or the sharing and document providers enabled on a device that data can be moved to. A lot of this also depends on the MDM actually supplying the applications, but this becomes very powerful when paired with an in-house app.
User context
The old Unix security model, from when the only way for the average person to use a computer was by sharing time on a mainframe, stated that nobody was trusted except the system administrator. When one was given a standard user account to log in, there was only a limited range of things that one could do to introduce instability to the system. iOS and its precursor OS X are descendants of NeXT, and BSD before that. This puts the concept of system processes running under user accounts with their associated privileges into focus.
iOS runs apps on behalf of a standard user account named mobile, and unlike OS X, it doesn't help to enable an awareness of multiple users on the system. When using an iOS device, we do not think about traditional user accounts (there is no interface to add more users), as the design assumption is that there is only one owner of this highly personalized device and therefore, there is only one actual user. Role accounts that would run daemons on behalf of third-party application processes are absent, as what is allowed to run is strictly limited on iOS (as it is on a Mac now, with the many restrictions that have been imposed on the apps that are allowed in its corresponding App Store).
Sandboxing and App data storage
As we mentioned in the beginning of the chapter, a code signature is placed on the app bundle itself with additional protection, so that the signature is verified not only when the app is installed, but also at runtime when the app is launched, to make sure that it has not been modified in the meantime. This is for stability as much as it is for security, since code that has been modified or allowed to run roughshod on the system can cause the device, which we might just want to be able to use to call 911 in an emergency, to crash.
We spoke about a mobile user which would have a home folder. Unlike the common consumer computer OS, the data storage location of an app is randomly generated and kept separate from the user (besides the containerization of specific preferences that help sharing among a developer's apps, so those settings persist even if an app is deleted). There are frameworks, which are shipped by Apple in its SDK, that encourage storing app data in an encrypted format. However, some exploits have used an impersonation of an app's bundle identifier to make it trustworthy to other applications that will be able to exchange data with it. To date, forensic deconstruction of these attempts has found that users must explicitly enable non-standard behavior through several extenuating circumstances for exploits to work. The potential for data leakage has not been substantial on non-jailbroken devices, but security professionals should be aware of this shortcoming where end users are involved in the installation of apps.
Plain file storage is not the only way in which data is segregated and treated discriminately on the system; other privacy or device usage-related permissions must be requested by an app through entitlements. The previously introduced extensions can be contrasted with Android intents, as they are both initiated by the end user and are focused from that perspective (although Android apps tend to broadcast their capabilities to receive data without a strict or clear oversight, which some would argue is actually beneficial due to a perceived increase in productivity and functionality). Entitlements are only slightly different from Windows Phone contracts, and Apple's stated model mentions that apps should ask for as few rights as possible, which end users should be (as unobtrusively as possible) prompted to explicitly grant access for, and even then, only when it is absolutely necessary for the full usage of an app's capabilities. These are specified in the application bundle and can be investigated with the codesign binary on a Mac.
Introduction to in-house App development
So, you have found a need to deploy a custom app to the devices in your organization and have received the go-ahead to build one. Apple encourages organizations and their developers to sign up with its Enterprise Developer Program so that they can be granted the capability to build and distribute custom-built apps outside the App Store. Many IT departments have already signed up individuals to not only test a release of the operating system, but the tinkerers amongst us can also build open source apps for personal use, which can also be achieved with a standard, standalone developer account. You can find more information about this at https://developer.apple.com/enterprise/.
The process of tying the required certificates and identifiers for an app to the desired devices for testing is referred to as provisioning. Creating and managing provisioning profiles will not always be necessary; however, it depends on how close to in-house your actual development may be. When you use Apple's approval process to clear an in-house developed app for internal use, you will most often use the Business Volume Purchase program and leverage Apple's infrastructure to distribute it. This is by far the easiest way from a procurement and ongoing support perspective, and this is often the case for white-labeled apps that are made by professional app development companies. Apps in the Business-to-Business, Volume Purchase app store are not visible to the general public, which may also be beneficial depending on the situation.
Ad hoc distribution allows limited beta testing on registered devices. This requires all the same steps that an individual will perform to get an app on the App Store, including registering as a developer, applying to have their app ID considered as unique, acquiring the correct certificates so that devices trust the app when it is installed, and preparing the built application for deployment once all the mentioned requirements are complete. You will additionally need to go through the process of building a team entity to identify the developers working on your behalf and grant them access to your account when they build the applications. When it comes to wider testing with many devices, Apple has recently acquired an outside service called TestFlight that makes this process easier for a large number of testers, although a number of other solutions still exist outside of Apple that optimize different parts of the testing process. You can find more information at https://developer.apple.com/testflight/.
Enterprise distribution does not require every device to be registered with Apple, but it must be delivered with MDM. Therefore, it is required to have direct access or some communication with the folks who manage the device, whether company-owned or otherwise. One point to keep in mind is that different MDM providers need different levels of involvement when they are asked to distribute apps on your behalf. They can make you shoot yourself in the foot, so to speak, by allowing a mismatch of the provisioning profile you would upload and the associated app bundle, resulting in an app with a pretty icon that won't launch. Other MDMs insist on direct interaction with your development team to reduce the possibility of issues. Keep in mind that certificates are an integral part of the process as well; therefore, they need to be renewed so that apps
Summary
In this chapter, we went over how apps are distributed and how they prove their integrity to the system once they are installed. We demonstrated the concept of locking a device into an app with Guided Access. Inter-app (and device) communication via extensions and Continuity was also discussed along with the new complementary privacy controls for things like keyboards. As this chapter was about the customization and controls you'd want to place on apps, we gave a brief introduction to securely distributing your own in-house apps.
Since the time the iPhone first came along, the way many people interact with apps has changed significantly. Limited methods of installation, silos for categories of data and the capabilities of apps, and the keychain concept from OS X have all come to bear on iOS' overall security. You should now have enough background on how apps function to begin to understand why the limitations are the way they are, and what to keep in mind when you are tasked with securing app data.
In the next chapter, we will cover how iOS takes advantage of its hardware to create a secure environment even before we get to run any apps, starting from the moment the device is turned on.
Chapter 3. Encrypting Devices
In this chapter, we will be looking at iOS device encryption. You might think this would be the shortest chapter, as the filesystem itself has been fully encrypted for many revisions of the OS. This makes wiping the device when giving it away or selling it a very quick process, as all you're doing in essence is forgetting the master encryption key to unlock the already scrambled data and rendering it irretrievable. Wear leveling concerns for flash storage like those which are used in mobile devices nowadays make this practical for another reason, as scrubbing all blocks (or pages) on the storage device is not necessary to ensure that the data is unrecoverable. We'll look into more topics than just the data bits at rest though, including network traffic and VPN.
While it may seem consumer-focused, we can now use these devices along with NFC (short for Near Field Communication) for payments, and concerns over employer liability for identity theft on a company-owned device can raise serious concerns. Security professionals must be even more in touch with what their company's policies are on protecting the company's best interests, while still allowing end users to be productive and enjoy full use of the "perk" that an iOS device might provide. Luckily, many aspects of the iOS security model allow us to let the device roam untethered, and we can inform the end user how much data their device exposes when it is used normally and for everything a policy doesn't cover. Privacy also comes into play, so we'll touch on that as well.
To break it down, we'll discuss the following topics in this chapter:
Revisiting OS initialization
Passbook and Touch ID for Apple Pay
Introduction to iOS network communication
Privacy concerns with the Health App, HIPAA, and diagnostics
Configuration Profile Encryption
Secure boot and activating iOS
In a concept not unlike that of how Chrome OS ensures both the integrity of its firmware and that its kernel hasn't been tampered with, field upgrades can similarly proceed in a secured fashion with a feature called verified boot. When an iOS device starts up, it verifies the kernel and the rest of the read-only OS partition to confirm that it matches a particular signature. The process would be halted and the device would go back to Device Firmware Upgrade mode or DFU (which would also be accompanied by the 'Connect to iTunes' screen) if the main OS partition is found to be nonfunctional. This can also be initiated if a wipe and reinstall is interrupted when initiated by iTunes, Apple Configurator, or the user themselves by going into the General section of Settings and navigating to Reset | Erase All Content and Settings.
The process from the time you power on the device to when you land in user space is referred to as the secure boot chain. A low-level bootloader performs verification to confirm whether the OS partition has not been tampered with, and as a whole, whether it has been signed by Apple. It uses on-board keys (which include a root key, device-specific key, and group key to establish the chain of trust for cryptographic operations) that are included in the factory at time of manufacture. This low-level bootloader process finishes, and then the iBoot process starts, which in turn starts the OS kernel.
On cellular devices that include the A7 or greater AMD architecture processor (which is in use in devices since the iPhone 5s), there is a region on the CPU that is responsible for cryptographic operations and this is referred to in marketing as the Secure Enclave. While it is not physically distinct, the highest importance is placed on making its functionality logically walled off from the processor's main function. The Secure Enclave interacts with the boot process by being called upon to start the cellular baseband through a separate but similar sequence, which is also responsible for checking the system software authorization.
Specifically, upon reactivation that is initiated by a manual erase or an OS restore, a validation process referred to as System Software Authorization is performed, which requires Internet access. A computer running iTunes or Apple Configurator can provide that conduit, or since iOS 5 and its PC Free features came along, you can connect to a Wi-Fi or cellular network to activate the device. As documented by Apple for some time in its iOS Security – White Paper, there is a specific, cryptographically secured process through which an individual device identifies itself to Apple while requesting activation to continue. Since Apple is the clearinghouse through which devices are allowed to run a specific OS version, previous OSes with any known security flaws are disallowed from being reapplied to an upgraded device that is capable of running it.
As we'll discuss in the next chapter, restoring a backup can skip this activation step on supervised devices, but that is a concern separate from the OS itself. A device running an older iOS version can therefore be erased without upgrading it, assuming that it has not been tampered with to fail verification.
Tip
Note that when an activation is required after an iOS installation on a cellular-capable device, a SIM card must be present. Apple uses this to generate a valid ECID to identify the device, so even when the device is prepared with iTunes or Apple Configurator but has no SIM card, this will result in an error and cause it to fail.
One may ask, of the many devices still being sold by Apple with the older processor architecture, how does it perform the cryptographic operations that are necessary to function? While this was not previously outlined by Apple, a common technique that is used is to gather entropy (or unpredictable results) from the many sensors on the device such as its gyroscope, accelerometer, or compass. The need for random numbers is obvious to anyone who is trying to make a secure system, since many implementations of a key generation process start by getting something distinct and sufficiently random to base its identity on.
Passbook and Touch ID for Apple Pay
We briefly touched on Touch ID in Chapter 1, iOS Security Overview, but more implementation details around timeouts and other key-related interactions are better described in Apple's own iOS Security – White Paper (as they go to great lengths to make things as understandable as possible). At the time of writing, the most recent PDF was from October 2014 and it can be found at https://www.apple.com/privacy/docs/iOS_Security_Guide_Oct_2014.pdf.
As Touch ID should still just be considered an added convenience, sufficiently complex passcodes are, as always, recommended in all things that are security-related.
Tip
If your customers or users are like ours, they will forget their devices' passcodes after getting used to using Touch ID. Therefore, make sure that you do not leave your customers in a situation without MDM management (or backups, if your organization encourages it), especially if the ActiveSync-based "failed password attempt" limit is configured. Once the threshold is reached, it will cause their device to be wiped. This happens without adequate time to get assistance more often than we would like.
In the White Paper mentioned earlier, the importance and utility of the Secure Enclave is detailed. It may have come into existence in part to make the Touch ID fingerprint functionality as quick and seamless as possible, so that there would be no bottleneck for the required computation. One may think from Apple's marketing of the Secure Enclave that it is dedicated hardware, but just like the jailing of parts of the filesystem, this is mostly implemented as a technique to ensure that the software operations are wholly distinct and cannot run in the same memory or processor space when carrying out its functions.
How does this relate to Passbook? And how does a feature that most folks use for plane tickets (if ever) come into a discussion about security? Well, as we discussed previously, identity theft on a company-owned device could affect the company that provides the device to the employee, as evidenced by network equipment and mail systems that detect dangerous behavior like social security numbers being sent in plaintext e-mail correspondence. With its early popularity and probable success, Apple Pay, which is Apple's solution for NFC-based payments akin to Google Wallet, became an attractive target. Since Passbook is where Apple Pay stores the details of its credit and debit cards, securing it is important. Luckily, there are a few allowed vectors to get into Passbook, including the much-maligned QR code, and even then, there is limited functionality once a pass is installed.
Tip
The Passbook application has a built-in scanner that you can access by tapping on Scan Code from its splash screen, or by tapping the plus button in the top-right corner (if there's only one pass; otherwise, you'll see the plus button at the top, and it can be scrolled when in the list view). This is the same process through which you would add payment cards.
For security reasons, neither addition stores the image to the Camera Roll on the device.

A Passbook pass and one process by which passes or cards can be added

Among other restrictions, you cannot, for instance, have an active hyperlink on the front of a pass. You can, however, send a notification to a device with the pass installed, and push updates to the pass so that it will dynamically change its content. Passbook passes with an active state (such as the lead-up to boarding a plane) can be accessed when the device is locked, but updates to it can optionally be disabled in the pass itself, or both access to and notifications for Passbook can be disabled in the Touch ID & Passcode section of the Settings app or via a management system, along the lines of the restrictions that we'll demonstrate in Chapter 5, Mobile Device Management.

The attack vectors for Apple Pay haven't been exercised to the point that any working proofs-of-concept have been disclosed, but another quirk is that a pass can respond to location information. This could trigger a push notification when it is in the proximity of an iBeacon, Apple's branding for Bluetooth Low Energy transmitters, which can achieve something along the lines of a supplemental technology to GPS. While iBeacons themselves only broadcast and don't collect any information (it is the app on the device that decides what to report when it hears one), Passbook will continue to evolve as an area of the phone to remain interested in. Neither NFC-based Apple Pay nor Passbook is yet available on the iPad; however, in-app Apple Pay purchases work with the newest iPad hardware that has Touch ID (the iPad Air 2 and iPad mini 3 at the time of writing).

Finally, one other note about purchases on the device is that when checking out from a web store, Safari may (when the site is served over valid HTTPS and certain fields are detected within the form) trigger a prompt to use the camera to take a picture of the card that you'd like to make the purchase with and fill in the detected information.

Card payment systems and fraud in general in the U.S. have always been a sore spot when compared to other countries, in particular things like ATM transactions, which are the poorest version of two-factor authentication: something you have (the physical card, whose magnetic stripe is trivially cloned) and something you know (the PIN). While it's not particularly relevant to us, as we are not as concerned from a payment processing perspective, this seems to require the same amount of vigilance. Theoretically, one could take a photo of someone else's card and, through a coordinated attack involving social engineering, use it to authorize purchases. Apple can police this process, but as many concerns as there are about identity theft in general, there will always be that trade-off between ease of use and protecting the system from abuse.
Introduction to iOS network communication

We discussed Safari and the predictive search features that are enabled by default as the most obvious network traffic, besides e-mail and applications like Twitter and Facebook that can be accessed from more places on the device due to having account information built into the OS. Weather, Stocks, and Siri's data providers are also all allowed to use the network by default, although you can granularly disable just their cellular access. Speaking of which, depending on the carrier, swapping SIM cards (if that particular cellular-capable iOS model is carrier-unlocked) can be used to supplant international roaming plans by providing a number that is local to that place, or even just the data service as desired.

Besides this grab bag of overarching, networking-related concerns, we'll zoom in on AirDrop, using wired connections on iOS, VPN, proxying, and filtering.
AirDrop

A peer-to-peer way to share files on demand over an ad hoc Wi-Fi network with little or no setup has been present in Mac OS X for some time, and it was added to iOS 7. AirDrop is this feature's branding, and it now does the initial detection of nearby devices based on Bluetooth proximity and identifies information with Apple, again as the backend clearinghouse through which Apple ID identities are processed. This adds anonymity to the process of checking whether we know the person to whom we are sending the file, and can populate the round icon representing the other device with the contact's locally assigned image.

As of iOS 8 and OS X 10.10, Yosemite, computers can also perform this handshake and transfer of data with iOS devices. Due to its ease of use and lack of authentication before allowing the sending end to transmit (among other reasons), many IT departments disabled the early implementations of AirDrop on the Mac. Multicast traffic is less of a network-related concern when it is peer-to-peer and restricted to Wi-Fi, but identity verification with its associated metadata, among many other cryptographic processes that do hit the network, requires a significant amount of trust in Apple. On iOS, the receiving side can be set to Off, Contacts Only, or Everyone in Control Center; Contacts Only is the sensible setting for a managed device, and supervised devices can have AirDrop turned off altogether with a restriction.

Tip: Note that this is one of the bigger issues that people with privacy and security concerns express about vendors who have made choices similar to Apple. This is also commonly discussed in relation to their iMessage service; part of the condition of using the service is that you must implicitly trust that Apple is properly securing and restricting access to the keys that the participants use.

Depending on the type of file that is being transferred, compatible applications are displayed on the receiving end to then take action. The following screenshot shows a device that has received a file over AirDrop:
A bug or a feature?

We long ago made the assertion that Apple cheats by being able to synchronize its software with its own hardware. Another maxim of Apple IT is that, in general, Apple doesn't care about the developer community, and Apple doesn't care about us. Their priorities could reasonably be arranged as follows:

The customers
Themselves and their side of the overlap between partners and their platforms
Lastly, anybody else who would wish them well along the way to improve the experience of the first two

This is not new, nor should anyone expect them to change in the light of their success. However, they sometimes make it easier for all the parties involved by having an extensively shared codebase between iOS devices. This includes another product, the Apple TV, which is often overlooked or discarded as not a serious endeavor, but from which we in IT get a surprise benefit: it includes Ethernet drivers to support its hardware, which in turn are present across all iOS installations ever since its smaller, hockey-puck form factor was introduced.

An unintentional bit of functionality that we gain from this is through a technique that involves the following things:

A powered USB hub (the camera adapter cannot supply enough bus power for the Ethernet adapter on its own)
The Lightning to USB Camera Adapter (intended to connect a camera to an iOS device to import photos into iPhoto or other iOS applications)
An Apple USB Ethernet Adapter

By connecting the Lightning to USB Camera Adapter to the upstream port of the USB hub and the Ethernet Adapter to any downstream port, a device should be able to use this configuration to get on the wired network. While this part of the networking stack doesn't seem particularly optimized, forensic capture through more traditional means (mirroring ports, and so on) is possible without the involvement of any computer. (We will, however, cover Apple's supported processes to accomplish iOS packet tracing in Chapter 6, Debugging and Conclusion.) The flip side for the network team is that a device on a wired port sidesteps any controls that assume iOS devices only ever arrive over Wi-Fi, so the port needs the same 802.1X or NAC treatment as one a laptop would use. An illustration of this setup is documented in terms of passcode removal via MDM at https://www.afp548.com/2014/05/07/mdm-passcode-removal-from-an-offline-ios-device/.

Tip: Common human input devices such as barcode scanners or keyboards can be used with the Lightning to USB Camera Adapter for ease of input, and they are a great way to prevent folks from having to use their thumbs for data entry en masse. While the iOS device may bark that the accessory is not supported, you may add hidden functionality and significantly streamline interactions if all the hardware is compliant and it all goes well.
VPN (Always-On, APN, Per-App, On-Demand)

Since very early on, you have been able to configure and initiate a VPN connection in the Settings of an iOS device, which started with the more prevalent gateways in use (including flavors of Cisco IPSec, racoon-based L2TP over IPSec, and PPTP, the latter two being what OS X Server relied on). PPTP should be avoided today: its MS-CHAPv2 authentication has been practically broken since 2012, so it no longer protects anything. Now, there are more ways to tunnel traffic than you can figuratively shake a metaphorical stick at. As the demand to enable more functionality on iOS is ever increasing, Apple has added support for RSA SecurID two-factor tokens in the built-in configuration settings as well.

As with other complex settings, you could also use a configuration profile to simplify the setup for end users, which we will touch on in Chapter 5, Mobile Device Management.

A newer feature, also available for use when configured with a profile or manually, is the ability to lock the device into tunneling all its traffic through a VPN tunnel with an Always-On configuration. This is exposed to end users with a Send All Traffic slider when optional. For it to be managed so that it is locked in the ON position, the appropriate configuration profile needs to be in place and the device needs to be in a state called Supervision, which we will describe in detail in the next chapter. (Always-On VPN as introduced in iOS 8 also works only with IKEv2 tunnels, so the gateway has to support that protocol.)

The following screenshot shows a VPN connection, with options for RSA SecurID, Send All Traffic, and so on:
A VPN connection with options for RSA SecurID tokens and Send All Traffic
An older, more obscure method of securing data service access with the cooperation of your cellular provider is via an Access Point Name (APN) configuration, but it's not something that the authors of this book come across very often anymore in the real world. You may forgive the comparison of a private APN to an extension of the corporate LAN, although with the popularity of and the toolset around VPNs becoming so commonplace, it's understandable that this cellular-only technique would fall by the wayside.

When paired with proper certificates and a configuration profile to define the domains that require a VPN connection, VPN On Demand enables on-the-fly connections to be made when a device tries to connect to a given domain. Many elaborate checks are also possible on a network state change, including SSID, reachable server detection, and DNS server settings, so that On Demand can be turned off when the device is 'on-network'. This is especially useful in split-domain DNS configurations. The rules live in the VPN payload's OnDemandRules array and are evaluated in order: the first rule whose match conditions all hold decides the action (Connect, Disconnect, Ignore, Allow, or EvaluateConnection, the last of which defers the decision to a per-domain list), so the ordering matters as much as the rules themselves.
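As an added illustration of that first-match, ordered evaluation (example code written for this edition, not Apple's code and not from the book's authors), the following Python evaluates a constructed OnDemandRules set against a few network states. The SSID, resolver addresses, domains and hostnames are made up, and the wildcard and subdomain matching semantics are an assumption drawn from the Configuration Profile Reference; confirm the exact behavior against Apple's documentation before relying on it.

```python
"""VPN On Demand rule evaluation, modelled on the OnDemandRules array of a
com.apple.vpn.managed payload. Added example written for this chapter; it is
not Apple code and not from the book's authors."""
from fnmatch import fnmatchcase

# Constructed rule set (assumption: keys follow the Configuration Profile
# Reference; the SSID, resolver addresses and domains are made up).
ON_DEMAND_RULES = [
    # On the corporate SSID, or wherever the corporate resolvers answer,
    # tear the tunnel down: the device is on-network.
    {"Action": "Disconnect", "SSIDMatch": ["Corp-WiFi"]},
    {"Action": "Disconnect", "DNSServerAddressMatch": ["10.0.0.53", "10.0.1.53"]},
    # Off-network: decide per destination (split-domain DNS). Entries are
    # checked in order, so the more specific ConnectIfNeeded comes first.
    {"Action": "EvaluateConnection",
     "ActionParameters": [
         {"Domains": ["intranet.example.com", "*.corp.example.com"],
          "DomainAction": "ConnectIfNeeded"},
         {"Domains": ["example.com"], "DomainAction": "NeverConnect"},
     ]},
    # A rule with no match keys always matches: the catch-all default.
    {"Action": "Ignore"},
]


def _domain_matches(pattern, host):
    """Assumed semantics: a plain entry matches the host and every subdomain
    beneath it; an entry containing '*' is matched shell-style."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if "*" in pattern:
        return fnmatchcase(host, pattern)
    return host == pattern or host.endswith("." + pattern)


def rule_matches(rule, state):
    """Every match key present in the rule must hold for the current network
    state (a dict with interface, ssid, dns_servers and search_domains)."""
    if "InterfaceTypeMatch" in rule and state.get("interface") != rule["InterfaceTypeMatch"]:
        return False
    if "SSIDMatch" in rule and state.get("ssid") not in rule["SSIDMatch"]:
        return False
    if "DNSServerAddressMatch" in rule:
        # Assumption: any current resolver matching any entry satisfies the rule.
        if not any(fnmatchcase(server, entry)
                   for server in state.get("dns_servers", [])
                   for entry in rule["DNSServerAddressMatch"]):
            return False
    if "DNSDomainMatch" in rule:
        if not any(_domain_matches(entry, domain)
                   for domain in state.get("search_domains", [])
                   for entry in rule["DNSDomainMatch"]):
            return False
    return True


def on_demand_decision(rules, state, host=None):
    """Return (rule_index, action) for the first rule that matches. For an
    EvaluateConnection rule the per-domain DomainAction ("ConnectIfNeeded" or
    "NeverConnect") is returned for `host`; a host matching none of the
    Domains entries is left alone ("Ignore"), as is a state matching no rule."""
    for index, rule in enumerate(rules):
        if not rule_matches(rule, state):
            continue
        if rule["Action"] != "EvaluateConnection":
            return index, rule["Action"]
        for params in rule.get("ActionParameters", []):
            if host and any(_domain_matches(d, host) for d in params["Domains"]):
                return index, params["DomainAction"]
        return index, "Ignore"
    return None, "Ignore"


if __name__ == "__main__":
    home = {"interface": "WiFi", "ssid": "HomeNet", "dns_servers": ["192.168.1.1"]}
    for name in ("wiki.corp.example.com", "www.example.com", "github.com"):
        print(name, "->", on_demand_decision(ON_DEMAND_RULES, home, name))
```

Swap the two ActionParameters entries and wiki.corp.example.com is suddenly NeverConnect, which is exactly the class of mistake that ships in real profiles; the evaluator makes such a change visible before the profile reaches a device.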
Per-App VPN is by far the most attractive option, as when an organization has provided an app, they commonly also want to secure all the traffic that the app will generate. As always, however, the devil is in the details. A few VPN gateways and fewer apps are set up to enable this behavior. Organizations may find any of the more advanced implementations tricky, as you need a more sophisticated gateway setup with compatible hardware and software, which can also require significant preparation from a certificate infrastructure perspective. (Per-App VPN is itself a managed feature: both the VPN payload and the app have to be delivered by the MDM so that it can map one to the other.)

The most simple and possibly hardest to manage are the specific apps on the App Store from VPN gateway vendors, some of which merely embed a web browser that allows you to connect to sites on a remote network once the connection is established.

Otherwise, you can just build all your workflows into an app such as Good's, or wrap them into a container app that does all the network traffic and business interactions for you. Even more attractive is securing the transport and data at rest when interacting with your organization's applications and sidestepping all of this tomfoolery. Conjure to mind the meme of the character Boromir from The Lord of the Rings saying that one does not simply walk into Mordor, the twist being that one does not simply trust any client accessing your data to be properly secured even if they have provided valid credentials. But we can only go so crazy until it becomes prohibitive to restrict access that folks need to do their jobs.

Global HTTP Proxy, caching, and the web content filter

Due to concerns over and regulation of the network traffic of iOS devices in school environments, Apple started with a Global HTTP Proxy feature to enable the caching and proxying of traffic, with the additional benefit of working off-campus and on cellular devices. Vendors that specialize in ensuring the uptime of the service's gateway are important to partner with, and commonly network security appliances have taken on this role among their other services. As this covers only HTTP (and HTTPS only as a CONNECT tunnel, which the proxy cannot inspect unless the device also trusts an interception certificate), it doesn't address many mandated regulations for protecting students in certain jurisdictions, but it was a start at alleviating some network inspection and caching needs.

Apple included a Caching Service in the 2.2 release of its Server application, which is distributed as an add-on to regular OS X. You can set this up and cache content for a NAT's local network in order to improve performance during OS updates or when other frequently accessed data is requested by many devices. We do not get many features with this solution though, as you cannot poison the cache to ensure that certain applications or content are made unavailable on your network. Some have resorted to hijacking DNS requests for mesu.apple.com, for example, so that OS updates cannot take place while on-network. Other content that is enabled by default with this service is iTunes, iOS App Store, Mac App Store, and iBooks Store purchases, along with Mac and iOS updates.

This is all, of course, only HTTP, and it is more about relieving network load than limiting the type of content that is accessible on the devices. Only recently did Apple add the ability to subscribe to content filter updates for HTTPS sites, or granularly whitelist or blacklist sites. As discussed earlier, a reliable partner who understands your organization's policies is critical to implement a filter that doesn't become a hindrance or a block to your customers' productivity.
As discussed with the locking of Always-On VPN settings, devices must be in the supervised state to use either Global HTTP Proxy or the web content filter. (This makes sense, as a supervised device can have settings locked that end users cannot disable at will.)
Privacy-related concerns

Just as earlier when we discussed Apple Pay, you may find it odd to see a section on privacy, but as we said, these days with identity theft and other ways customers can leak data through social engineering, the concerns for organizations are more pressing. Practically speaking, it's just a lot of overhead when directory harvest attacks catch the less-astute employees who fall for tricks that cause them to hand over their credentials, and then administrators need to go through the process of locking them out and fixing their mailboxes.

Tip: Administrative overhead is the least of the concerns for larger, well-known internet companies, which would be very embarrassed, at the very least, if their employees were phished or were clumsy with their credentials. It became public that one company in particular had deployed a plug-in to the web browser that they developed, whose purpose was to detect when network credentials were being entered in an insecure or bogus form, thereby effectively preventing that method of exposure. The Mac admin community gets a lot of their ideas and best practices from this company, which rhymes with "froogle".

Just as there are regulations around processing credit cards (the most commonly known is PCI, short for the Payment Card Industry Security Standards Council), there are healthcare industry standards around privacy which are included as part of HIPAA (the Health Insurance Portability and Accountability Act). Part of this statute classifies certain pieces of health-related information as protected, which includes a surprisingly broad range of data; even something as simple as names, when attached to data in a particular context, becomes sensitive and important to control access to.

We'll cover two examples of new ways that data is collected on iOS devices (and the iPhone in particular) to demonstrate how this is a constantly evolving topic that requires appropriate attention based on your dealings with the healthcare industry. Even colleges are trying to reduce the risk of lawsuits due to information in student records getting into the wrong hands, so hopefully you can work with the policymakers at your institution to craft appropriate policies.
Lesser-known ways for Apple to gather diagnostics

First, you may not realize how easy it is for Apple to be invited into the goings-on of their devices. Just recently we came across an iOS device that needed to be serviced. If you go to Apple's site and say that you would like to set up a Genius Bar in-store technical support appointment, they can prompt you to send in identification and diagnostic data right there on the spot (presumably to deliver a better, more efficient experience). Further, to prove ownership of the phone, Apple can send a push notification with a PIN to a device logged into the iCloud account if you provide other identification information about the device.

Now, in the scenario that we just described for collecting identification and diagnostic data, you may think that there would be a high bar to have access to the mechanism that collects this data. However, there are self-servicing organization statuses that can be granted to large companies and institutions that do not want to get service through third-party service providers or the Apple Store's Genius Bar. While improving the repair experience for the customers of an organization, the devices that diagnostics can be run on are not, to our knowledge, limited to the ones purchased by the organization.

One would think the binding agreements placed on those with access to self-service organization status through a service provided by Apple called Global Service Exchange would prevent foul play. Through conversations with those who do have access to these diagnostics, we can report that there is little difference from what can be seen in diagnostic logs on the device. This service has a bit more hardware repair-related information that would be helpful for participating in recall or warranty upgrade programs that Apple is forced to do from time to time. For example, in the case of certain models of iPhone 5, there was a known issue where the home button lost functionality after being in use for a certain period of time, which was therefore made eligible for exchange.

As we will drive home in Chapter 6, Debugging and Conclusion, regarding the attack vectors a device is exposed to once pairing to a computer is allowed, one may consider this an acceptable trade-off for a better experience when the average consumer needs their device fixed. The data gathered and collectable is limited, but Apple will continue to dance this line between things like not showing their third-party developers much in the way of feedback from customers, to preventing too much exposure like the well-publicized deletion of the devices of a prominent journalist for Wired whose iCloud account was hacked into.
Health app

Another class of data that many would consider private is their activity. iOS 8 introduced frameworks to help the various healthcare companies that develop hardware accessories to interact with health data.

Note: Glaringly missing at launch, however, was a class of period-tracking data for women. As third-party iOS apps have been built to track this from the beginning of the existence of the App Store, with recent standouts covering narrowly targeted tasks relating to breastfeeding, this is rather odd. Developers couldn't even submit apps leveraging the framework until several revisions of iOS 8, and still, Nike Fuel is a notable third party that is able to leverage its data with a named inclusion in the Health app.

As of the launch of the iPhone 5s, a sensor which functions as a pedometer is included in all iPhones. Apple's marketing team branded the hardware that manages the caching and processing of health sensor-specific data the M7 motion coprocessor, with version numbering in sync with its in-house ARM line of processors, which is currently A8 (and therefore M8). This removes the need for as many external sensors on devices, like those left out of the design of the Apple Watch (that was proposed at the time of writing). Additionally, as of the Health app bundled with iOS 8, step and running data is tracked and displayed by default, whether you explicitly enable it or not.

You can see this combination of GPS and accelerometer sensors in action for yourself by noticing the step data logged in the Health app without any opt-in on your part. There are, in fact, no settings for the app itself whatsoever. Only privacy settings can be managed to disallow apps that have requested access to the warehouse of data stored within, whether the phone's own sensors logged it or an accessory was the original source; the nearest thing to an off switch is the Fitness Tracking toggle under Settings > Privacy > Motion & Fitness, which stops the motion coprocessor's data from being handed to apps. In the following screenshot, you will get to see automatically logged step and distance data:
Automatically logged step and distance data
One other thing that you can interact with could be a potential source of information leakage, but it is implemented as an opt-in feature: an "in case of emergency" function.

Note: A story from a popular site by Dave Pell titled 'My Head is in the Cloud' recounts how his babysitter doesn't have her boyfriend's cell phone number memorized, and when she was injured and her cell phone was wrecked, they had no way to contact him. It's as if this feature was designed with this scenario (minus the destroyed phone) in mind.

You can add your information separately to what is then accessible by apps that tie into the Health app (and the HealthKit framework therein) so that from the lock screen's emergency call function (which has been there since the first iPhone, as federally mandated in the US) there will be a new text label in the lower left-hand corner: Medical ID. The following screenshot shows the screen that shows the information to aid first responders in case of emergencies:

Information to aid first responders in case of emergencies

This tells some vital statistics and, most importantly, in case the phone's owner is unable to communicate, whom to contact (or, to be completely maudlin, the next of kin), with a handy call button next to it so that they are more likely to pick up the call. Remember that anything placed in Medical ID is readable by whoever picks up the locked phone, so filling it in is a deliberate trade of privacy for safety.
Configuration profiles

If you have any familiarity with how OS X stores its configuration files, it would not be too much of a surprise to hear that a profile that was implemented for iOS management is also a specific flavor of XML. Instead of a central registry like you have on Windows, there are different, often granularly set files or (often sqlite3) databases with which an application or the operating environment itself is customized. However, this is not as important as the framework with which changes are enforced on the system, and so a trip back to OS X would actually be useful, as that was what inspired much of the architecture of iOS.

Without management, changes can still be applied by touching key-value pairs in these XML files in what are called preference domains. The files themselves are referred to as property lists and carry the .plist file extension. A common binary used to interact with these .plist files at the command line is the defaults command, although system frameworks are exposed to scripting languages to directly interact with the underlying API.

As with a traditional directory service, however, settings can be inherited from a network-based central database, the payload for which on Windows is commonly group policy objects or GPOs. Macs have a framework that is referred to as Managed Client for OS X or MCX. By applying MCX settings to a computer or computer group, they would all have the same settings enforced no matter who used the device, but user- or group-level settings would depend upon who's logged in. Just as with non-network-aware preference domains, MCX-enforced property list files are stored near the local user and group database on the filesystem, where they are cached to maintain the settings off network. Admin users could optionally override any settings when logging in, for quick troubleshooting of configurations.

Instead of MCX as the delivery method, profiles came to the Mac as an additional way to manage settings in OS X 10.7 and became more powerful; now, a configuration profile can effect changes that MCX had not previously been able to, such as networking-related settings, among others. The idea was to go back to the Mac and allow management systems to use the same format, XML files with the .mobileconfig extension, in many cases applying the same settings. So, to recap, configurations can be set on the Mac through the following ways:

Simple .plist files residing at the same location where they'd be found in a default installation, which can be interacted with via the defaults command
The .plist files with specific MCX stanzas, which was the previous way in which you could implement management from a central user/group/computer database like LDAP
Configuration profiles, which are the newer, cross-platform (between iOS and Mac) method of applying management settings

With configuration profiles, just like MCX, you can group computers and users or manage them individually. As we will demonstrate in Chapter 5, Mobile Device Management, the terminology used with the Server application's Profile Manager service is to use a device to refer to an iOS device or a Mac, and you can even inherit users and groups from Active Directory. The device level of management within a profile is called the System scope, whereas anything that would apply granularly to a User is called just that. The following screenshot shows an example of an Apple-flavored XML file, with the System PayloadScope, which means that it will take effect device-wide, instead of being scoped to a particular user:

An example of an Apple-flavored XML file, with the System PayloadScope, meaning it is to take effect device-wide instead of being scoped to a particular user

Notice that the DOCTYPE in the preceding screenshot specifically calls out Apple, and settings are structured with no particular ordering since it has a hash or dict (short for dictionary) as the base type. The following screenshot has more details on this 802.1X-specific configuration:
A Wi-Fi configuration profile, which would tell the RADIUS server that Active Directory credentials will be used for 802.1X authentication

There is, however, no concept of binding an iOS device to a directory service, nor of different users having customized settings, whereas Macs can take both into account. Products even exist to manage settings for Macs within the same interface as GPO for PCs. For iOS though, the MDM service itself needs to be aware of the groupings and management settings, which it can then act upon to hand down configurations to devices. This is in contrast to Macs, which can even be told to authenticate to RADIUS servers over Wi-Fi with Active Directory credentials at the login window, as shown in the preceding screenshot. If you deployed the profile pictured previously to an iOS device, it may very well ignore the unused options or fail altogether.

Now that we have seen more about the format and how it's scoped to devices, let's look into the history of this management format. Apple's canonical reference of an interface with which to construct the settings available for managing iOS devices first appeared in a tool for Windows and Mac called iPhone Configuration Utility (or iPCU for short, which makes it sound like one of those places you can get an associate's degree on the internet). It was originally released back when the OS was called iPhone OS 2. (Really, it was OS/2 Warp. Now that was an OS!) When constructing a configuration profile, you would see management options grouped into sections in a sidebar on the left, and you would interact with various fields on the right. The following screenshot shows the configuration profile creation/editing in the iPCU interface:
Configuration profile creation/editing in the iPCU interface

You could even view logs (unlike the mere diagnostic reports we saw earlier), which came in handy while you applied a profile to see where things went off the track when a configuration wasn't valid. The following screenshot shows the logged output (essentially syslog output in a console running on the device) displayed while applying a profile:
Logged output (essentially syslog output in a console running on the device) displayed while applying a profile

iPCU has been discontinued. It can no longer view logs on iOS 8 devices, and it is no longer available to download for Windows or Mac. This is probably a good thing, as it hadn't been updated since iOS 6. It launched the interface paradigm for many configuration profile interfaces, and no Apple tool has yet replaced the ease of use of its console feature. See Chapter 6, Debugging and Conclusion, for details on libimobiledevice, which may have similar functionality.

Tip: For essentially opening a console on an iOS device and viewing logs (as long as the device has been paired), one of our excellent technical reviewers, Jeremy Agostino, recommends iOS Console, which is available at http://lemonjar.com/iosconsole.
Signing, encryption, and delivery

When a properly configured and secure MDM pushes a configuration profile to a device, it will be signed, as any piece of code should be that wants to prove its identity and be trusted by devices. It should also encrypt its payload to protect any sensitive data contained within. However, the usual delivery method, pulled over-the-air by the device once told to check in by Apple's Push Notification Service, is not the only transport mechanism.

When iPCU was the only way to construct a profile, you could either apply it locally over USB, or you could use one of the following options:

E-mail it to each applicable device by way of the associated end user
Put it on a properly configured web server (which would treat the MIME type accordingly for access from Mobile Safari on devices)
Send it by a text message (remember, this predated iMessage)

Now, there are a few other tools that can apply a profile to a device, but otherwise, the non-MDM delivery mechanisms are unchanged.

To break down the formats of configuration profiles that are available, you can leave the profile in plaintext with no signature and edit it at will. This may be rejected, or just not applied if folks refuse to continue after being presented with warning prompts when asked to install it.

You could sign but not encrypt the profile, leaving the payload and other contents able to be inspected in plaintext. A barely recognizable binary blob would precede and close the profile's main text, which is its signature, ensuring that it was not tampered with. If it was altered after signing, any subsequent installations would be refused. Note that the signature only proves origin and integrity: anyone who gets hold of the file (from a mailbox, a web server directory, or a backup) can still read a Wi-Fi password or VPN shared secret inside it.

Finally, the entire profile could be encrypted, making it rely on a working, compatible PKI relationship that is normally based on a Remote Management profile being installed on the device, which an MDM service would put on at enrollment time. The payloads are encrypted to the device's own identity certificate, so only the device the profile was built for can decrypt it.

Note: Configuration profile signatures use the Cryptographic Message Syntax (CMS) standard. While not exactly simple, one could use openssl on various operating systems, in tandem with a signing certificate and private key issued by a certificate authority that the device already trusts, to apply signatures to configuration profiles, which devices will then see as trusted.
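The following Python, an added example for this edition that is neither Apple's code nor the book's, covers both the profile format discussed under Configuration profiles (a dict as the base type, the Apple DOCTYPE, PayloadScope and PayloadContent) and the three states just described. It builds a constructed sample profile with made-up identifiers, SSID and secrets, classifies a blob as plaintext, signed or encrypted, lists its payloads with their effective scope, and walks a plaintext (or signed-then-unwrapped) profile for the secrets it carries in the clear. The signed and encrypted stand-ins are constructed byte strings rather than real CMS objects, which is enough for classification but not for verifying a signature.

```python
"""Inspect a .mobileconfig: tell plaintext, signed (CMS) and encrypted profiles
apart, list the payloads with their effective scope, and point out secrets that
a signed-but-unencrypted profile would carry in the clear. Added example for
this chapter, not Apple code and not from the book's authors."""
import plistlib

# DER encoding of the CMS signedData OID 1.2.840.113549.1.7.2, which follows
# the outer SEQUENCE header at the very start of a signed profile.
CMS_SIGNED_DATA_OID = bytes.fromhex("06092a864886f70d010702")
SENSITIVE_KEYS = {"Password", "SharedSecret", "ProxyPassword", "AuthPassword"}

# Constructed sample profile. Assumption: payload keys follow the
# Configuration Profile Reference; identifiers, SSID and secrets are made up.
SAMPLE_PROFILE = {
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadIdentifier": "com.example.mdm.wifi-and-vpn",
    "PayloadUUID": "5F1C2A0E-0000-4000-8000-000000000001",
    "PayloadDisplayName": "Example Wi-Fi and VPN",
    "PayloadScope": "System",
    "PayloadContent": [
        {"PayloadType": "com.apple.wifi.managed", "PayloadVersion": 1,
         "PayloadIdentifier": "com.example.mdm.wifi",
         "PayloadUUID": "5F1C2A0E-0000-4000-8000-000000000002",
         "SSID_STR": "Corp-WiFi", "EncryptionType": "WPA2", "Password": "hunter2"},
        {"PayloadType": "com.apple.vpn.managed", "PayloadVersion": 1,
         "PayloadIdentifier": "com.example.mdm.vpn",
         "PayloadUUID": "5F1C2A0E-0000-4000-8000-000000000003",
         "UserDefinedName": "Corp VPN", "VPNType": "IPSec",
         "IPSec": {"RemoteAddress": "vpn.example.com",
                   "AuthenticationMethod": "SharedSecret",
                   "SharedSecret": b"s3cret-psk"}},
    ],
}


def plaintext_profile():
    """Serialise the sample as Apple-flavoured XML (note the Apple DOCTYPE)."""
    return plistlib.dumps(SAMPLE_PROFILE)


def constructed_stubs():
    """Constructed stand-ins for the other two shapes (not real CMS objects):
    the opening bytes of a signed profile, and a plist whose payloads have
    been replaced by EncryptedPayloadContent."""
    signed = b"\x30\x82\x10\x00" + CMS_SIGNED_DATA_OID + b"\xa0\x82\x0f\xf3"
    encrypted = plistlib.dumps({
        "PayloadType": "Configuration", "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.mdm.encrypted",
        "PayloadUUID": "5F1C2A0E-0000-4000-8000-000000000004",
        "EncryptedPayloadContent": b"\x30\x00"})
    return signed, encrypted


def profile_kind(blob):
    """'signed' for a DER CMS wrapper, 'encrypted' for a plist whose payloads
    sit in EncryptedPayloadContent, 'plaintext' for an ordinary plist."""
    if blob[:1] == b"\x30" and CMS_SIGNED_DATA_OID in blob[:64]:
        return "signed"
    try:
        top = plistlib.loads(blob)
    except Exception:
        return "unknown"
    if "EncryptedPayloadContent" in top:
        return "encrypted"
    return "plaintext" if "PayloadContent" in top else "unknown"


def list_payloads(blob):
    """(PayloadType, PayloadIdentifier, scope) per payload; the scope is the
    top-level PayloadScope, which defaults to User when it is absent."""
    top = plistlib.loads(blob)
    scope = top.get("PayloadScope", "User")
    return [(p["PayloadType"], p["PayloadIdentifier"], scope)
            for p in top.get("PayloadContent", [])]


def find_secrets(blob):
    """Walk every dict in the profile and report (owning PayloadIdentifier,
    key) for each populated sensitive key: exactly what a signed, unencrypted
    profile exposes to anyone who can read the file."""
    found = []

    def walk(node, owner):
        if isinstance(node, dict):
            owner = node.get("PayloadIdentifier", owner)
            for key, value in node.items():
                if key in SENSITIVE_KEYS and value:
                    found.append((owner, key))
                walk(value, owner)
        elif isinstance(node, list):
            for item in node:
                walk(item, owner)

    walk(plistlib.loads(blob), None)
    return found


if __name__ == "__main__":
    blob = plaintext_profile()
    print(profile_kind(blob), list_payloads(blob), find_secrets(blob))
```

To run find_secrets over a real signed profile, strip the CMS wrapper first: openssl smime -verify -noverify -inform DER -in profile.mobileconfig (or security cms -D -i profile.mobileconfig on OS X) prints the inner plist, and the fact that this works without any key is the point made above about signed-but-unencrypted profiles.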
Summary

This chapter was a bit of a grab bag of the more fundamental concepts of how the device handles encryption. Instead of being a complete derivative of Apple's iOS Security White Paper, we presented the newer quirks and real-world application of some of the topics around encrypting the main functions of the device. We discussed how the system is prepared at the factory with security in mind through its secure boot process. The addition of NFC payments via Apple Pay led us to investigate Passbook and its integration with Touch ID. Networking-related concerns like VPN, AirDrop, proxies, and filters were also discussed, along with a way of utilizing a wired network connection. The Health app and Medical ID were toured briefly. Finally, we prepared for applying management by detailing what the actual files and formats are that manage settings on both iOS and Mac.

Bring Your Own Device (BYOD) programs often overlap with how regular consumers want to use what is, in fact, their device. While keeping that in mind, as professionals we need to balance control over our data with taking full advantage of the utility of the device. Hopefully, this also gets you thinking about privacy as a topic that goes hand-in-hand with security, and lays the groundwork for the application of management settings to bring about productivity in employees, which we'll be covering over the next two chapters.
Chapter 4. Organizational Controls

Now, we'll move on to explore the concepts involved in managing iOS devices from a central location on-premises. This includes device supervision, Activation Lock, Single App Mode, and more basic options presented by the old stalwart, ActiveSync. For most of the time, we will be looking at a tool called Apple Configurator that is developed by Apple. We consider it to be one of the easiest tools to recommend for environments that need more hands-on control when officially supporting iOS, either when migrating to a BYOD (short form for bring your own device) environment or in conjunction with an MDM. It fits a couple of specific workflows very well and has some features that are vital for hardening devices.

Besides Apple Configurator, which at the very least can provide a good reference for showing Apple's acknowledged use cases for starting with device management, we will also introduce Apple's Device Enrollment Program or DEP. Activation Lock is a thornier topic now, so we'll touch on this as well. Just to transition from Guided Access, which was covered in Chapter 2, Introducing App Security, we'll also discuss App Lock when we explain the difference between it, Guided Access, and Single App Mode. And, before we get into full-blown MDM in the following chapter, we will discuss ActiveSync as one of the original over-the-air management frameworks.

In brief, this chapter's topics are as follows:

Apple Configurator
Preparation, supervision, and assignment of iOS devices
The distribution of apps with Apple Configurator and the Volume Purchase Program
Activation Lock and Find My iPhone
The Device Enrollment Program versus Apple Configurator
App Lock and Single App Mode in contrast to Guided Access
Refresher on what ActiveSync provides on iOS
Apple Configurator

Before the release of Apple Configurator on the Mac App Store, there were three other sanctioned applications for interaction with iOS devices: iTunes, Xcode, and iPhone Configuration Utility (iPCU). Xcode had the capability to connect multiple devices simultaneously, but even that functionality was limited to running tests on devices or restoring a version of iOS. Still, we were without any concept of efficient, directly connected management tools, nor even the hint of integration with a directory service.

When the iPad was released, it did not come with a manual like a lawnmower, which shows you what its intended usage is and how to sharpen the blades. Apple just about said the same thing to its customers that it says to its developers, something to the effect of "we can't wait to see what YOU do with it", as if it was still an open question as to what its most popular use would be. Apple products have, however, historically been used extensively in education, and the price was commonly a half to a third of the least expensive laptop Mac. This led to an influx of iPads in environments that might not have been particularly prepared to have so many computing devices on Wi-Fi. This leads us back to the lack of applications that allow tethered preparation and maintenance of many devices at once.

Perhaps, if customers that used Apple products for educational purposes in particular were asked what they wanted, as the paraphrased saying attributed to Henry Ford goes, they would have said a faster horse; instead they got Apple Configurator. We do not want to be repetitive, but we must recall that Apple's priorities are its customers first and foremost, and they sell an astounding amount of products to regular consumers. One may be inclined to cut them, and companies like Amazon who are selling to the general public with success, some slack, which is hard. Amazon's not trying to be CDW and Apple can't be everything to everyone (although that has never stopped the sprawl of iTunes, of which the Apple TV Assistant built into Apple Configurator has a faint whiff).

Back in Chapter 2, Introducing App Security, we mentioned the Volume Purchase Program (VPP) that Apple offers. This was an integral part of what was considered going into designing Apple Configurator, along with the Supervision concept that we've been hinting at throughout the book so far. However, before we get into that, let's discuss workflows.
Intended workflows
Of all the iOS form factors, at 9.6”, the original and canonical iPad screen is comparably sized to 8.5” x 11” or an A4 sheet of paper, if you lose the margins and enjoyed staring at a light bulb all the time. (What? You don’t prefer emissive screens?) If a telecom field worker has visited your home or business recently, you might have noticed that they now almost exclusively use tablets. Similarly, airlines have been giving their staff handheld devices for some time. When taking this rapid adoption of mobile devices into account, and recalling who Apple usually cares about when designing solutions, it may make more sense as to how Apple Configurator came into being.
An iPad can conceivably replace a utility worker’s clipboard or a student’s three-ring binders and streamline processes along the way. Airline pilots began demanding iPads to replace their ungainly and heavy binders of airport and route maps, which actually saved fuel due to the drop in weight. We can start to see that devices will be used in a multitude of ways, but a particularly apt case is high-service and quick-turnaround environments, loaded with the apps and data people need to get their work done.
Apple Configurator’s release was groundbreaking in that it was a series of firsts:
- Applications could be handed out in bulk without MDM, and these apps could then be reclaimed
- Backups could be created and restored without iTunes and restored or refreshed en masse
- New, more locked-down restrictions could be enabled
Educational institutions segment time into classes and they often gather devices in labs or carts. Hospitals and utility workers have shifts and can make a station around a time clock or a gathering place for devices, where they can be checked in and out. It is widely reported that Apple does not have a colossal R&D footprint, so when they make a tool they have to please as many end users as possible. They don’t have the resources to quality assure and develop features that can serve every market. Please keep all of this in mind as we discuss what Apple Configurator can do, with at least an understanding of why it doesn’t make French fries four different ways.
The following screenshot shows the splash screen on starting Apple Configurator for the first time, which graphically introduces its three modes:
The splash screen on starting Apple Configurator for the first time graphically introduces its three modes
The interaction modes – Prepare, Supervise, and Assign
After acquiring Apple Configurator from the Mac App Store (it is free, but requires a Mac at this time), you’re greeted with an image that breaks down its three cumulative modes of operation. First, there are the capabilities of the Prepare mode, which are as follows:
- Naming the device (this includes the option of sequential, numeric naming if you are preparing multiple devices at once, as it can handle up to 30 devices concurrently)
- Creating an (unsupervised) backup
- Applying a software update (which caches that version) and optionally, wiping the device in the process
- Importing, creating, exporting and/or applying configuration profiles
Finally, flipping a switch moves the device to the next mode, Supervision.
Flipping this switch to make the device supervised changes the behavior of Apple Configurator’s options; you must then wipe the device and apply the most recent iOS update.
One might say that these distinctions help to prove that the device is indeed owned and under the control of the institution managing these devices, as it is assumed that regular people wouldn’t let IT seize their property and remove all personalization or customization. (If they are like our customers at least.) However, Apple Configurator can easily be used in Prepare mode to lightly run an OS update, install a configuration profile, or even perform a backup and restoration.
Note
Our technical editor points out that the device must trust the computer running Apple Configurator first to even do these light tasks, as we’ll exploit in Chapter 6, Debugging and Conclusion.
This helps us to clearly define the distinction between preparation and supervision, as the second layer’s powerful functionality rests on top of the first. The last mode, Assign, has just two additions:
- First, you can leverage a local or network-based directory service
- Second, the data created by a user from the directory can be stored on the computer running Apple Configurator
This allows the user to check in or check out data as well as sets of apps, and it can also aid in the distribution of documents to devices that have compatible apps installed on them. It may seem like we’re jumping ahead to discuss the Assign mode, but that’s really the only additional feature.
Other than that, as whiz-bang features go, if users from the directory service have images associated with their LDAP records, there is a preference to show these images on the lock screen when assigning devices. You will access it from the Apple Configurator menu in the top left-hand corner of the screen, under Preferences. However, the stars have never aligned to the point that we’ve seen that in use in the real world. The following screenshot shows, in Preferences, where an assigned device can be configured to use an image from LDAP:
In Preferences, where an assigned device can be configured to use an image from LDAP
The importance of supervision
Once the device has been wiped and updated by being tethered to a computer running Apple Configurator, you can take advantage of several options. These include:
- Customizing the lock screen image, as shown in the preceding image, optionally with the device’s name or some other static text
- Enabling various network-related features including Always-On VPN, Content filters, Global HTTP proxy (as discussed in the previous chapter), and cellular data modifications
- Restricting various features such as the manual installation of configuration profiles, AirDrop, account modifications including Find My Friends, enabling other on-device restrictions, education-specific concerns like Siri’s profanity filter, and whitelisting destinations or presetting passcodes for AirPlay
- Hiding (by which we mean disabling, to bring about the effect that the app is not shown) built-in applications like Game Center, iTunes Store, iMessage, Podcasts, or store components like In-App Purchase or the iBooks Store
- Stopping the removal of any other apps, including the ones that Apple Configurator may have installed, or preventing the addition of any so-called Internet accounts (such as Facebook, Twitter, and so on) or e-mail accounts
Note
Restricting Safari does not require supervision, but it is a common error to believe that you’ll allow all the web functionality you want by using a Web Clip payload in a configuration profile, for example, for accessing your intranet only. If you restrict Safari, the app will be removed and Web Clips will not even launch if present.
A bigger point than even these settings, which were advocated by so many of Apple’s customers in large institutions, is the ability to install profiles with zero taps. If the device is still in Prepare mode, you’ll need to respond to the prompts on the screen to accept certificate notifications, learn about what the profile will do to the device, and eventually, install, and then tap on Done, per profile. Loading a profile onto a supervised device is silent. In fact, when restoring the backup to supervised devices, you don’t even need to go through any setup or activation steps. (More recent versions of Apple Configurator can allow similar behavior without restoring a backup, by selecting which prompts to skip.)
If this wasn’t a security book, we could probably stop here. However, by far the biggest point from a security perspective is the fact that, by default, a supervised device is prevented from connecting to any other computer running Apple Configurator. An attacker cannot piggyback on iTunes to target another device too. This mitigates many of the pairing-based complications that we’ll be discussing in Chapter 6, Debugging and Conclusion. In fact, if it was desirable to allow moving any content to the device from another computer, the device must be designated at time of supervision to Allow devices to connect to other Macs (by which they imply PCs as well).
Further, if a specific configuration profile with a restriction payload is applied, Allow pairing with non-Configurator hosts must also be selected. If you want to, this can allow you to optionally disable pairing later via MDM, in case it is not clear whether your end users will need it at the time of supervision, but if you are using Apple Configurator to supervise the device, then it must be connected to the computer again. You can see each of these settings in the following screenshot:
The two settings that must align for devices to be allowed to pair with any computer
When discussing workflows, we said Apple Configurator is a good fit for high-service, fast-turnaround use cases, which leads to another big feature of supervision: the ability to refresh the device to a stored state upon reconnection. If this includes the restoration of a larger backup with many apps, this can be a more lengthy process, but in any case, all of the ingredients are cached locally in Apple Configurator’s support directories. (Apps such as iMovie and Keynote run into hundreds of MBs and flash storage in general is optimized for reading and not writing, so it’s good to measure if the cycle time meets your expectations.) This can essentially reimage the iOS device if Apple Configurator is open on the computer to which the device is attached.
Optionally, in the event you are not restoring a backup, you can also have any apps and profiles that may have been added to the device deleted, so user training regarding supervised devices is very important. If this behavior is not desired for any reason, you must at least temporarily turn off these settings in Apple Configurator’s Preferences, as shown in the following screenshot:
In Preferences, where supervised devices are configured to automatically refresh when they are connected
Apps, VPP, and Apple Configurator
When the usage model is one customer for one device, an MDM can prompt an end user for their Apple ID. Apple Configurator doesn’t require a user that receives a device prepared by it to plug anything in, allowing shared usage models that just weren’t possible before.
If an Apple ID is authorized for use on the computer running Apple Configurator, even if it is not associated with VPP, you can go ahead and import and distribute free applications. The recommended way to go about obtaining the .ipa files (the archived bundles that are iOS applications, as discussed in Chapter 2, Introducing App Security) is to download them from the App Store section in iTunes. However, no matter what ID the app was downloaded with (for example, if an iOS device already synched with the computer and backed up its purchases with iTunes), the DRM can be removed from the app bundle and imported with whatever Apple ID Apple Configurator wants to use. However, if you forget to authorize the computer in iTunes, you’d see the following error:
When an app to be installed on a device is imported without the associated Apple ID authorized in iTunes
Note
Keep in mind that the updates for any application installed with Apple Configurator are tied to the Apple ID it was imported with, which may have unintended consequences when it prompts for updates on every device.
This is especially true when the Apple ID has an e-mail address for the username that is not associated with your institution, because end users see it when prompted. We’re not saying that this has happened to any of our customers.
If you have different groups that are sharing the same set of supervised devices, apps can go out and come back in if another setup is required where these apps shouldn’t be present. Apple Configurator can group devices arbitrarily as you choose and apply settings as needed, and apps are one of the things that can come along for the ride.
These processes are just the same for paid apps that have been purchased under the VPP. It becomes very important, however, to follow Apple’s guidance as to what version of VPP purchases should be chosen based on your use case. Also, you should be careful to not apply an app to a device if it has not been first put into the Supervise mode, as this will not allow you to reclaim the app code if you’re relying on this method of app distribution.
While this is not necessarily pertinent for a security discussion, the online VPP portal from Apple provides an interface to download redemption codes for use with Apple Configurator, and it inquires internally how many of these have ever been applied to devices. The Apple Configurator interface helpfully provides feedback about how many have been redeemed per product and it provides a spreadsheet of codes as well. It may seem obvious, but do not use the same spreadsheet of codes with an MDM or other distribution methods.
Mass restoring and naming of devices
From a branding or support standpoint, having the icons consistently arranged with a standard home screen background is desirable. Although MDMs are supposedly gaining this functionality, the original way to do these customizations, whether in the Prepare or Supervise modes, is to create a backup. (Backups made from a device in one mode cannot be restored to another with Apple Configurator.) This often requires manual interaction and if you have an MDM, it would make sense to allow it to perform any applicable configurations. It’s very straightforward in the interface where you would initiate the creation of a backup when you are in either mode, and you can even access the stored backups.
Apple Configurator also protects the throughput of the USB bus by limiting concurrent operations to somewhere in the range of three at a time.
Note
Note that the application is limited to 30 concurrent USB connections over a powered hub, which is obviously not the maximum for the protocol.
Also, keep in mind that except with very recent, specialized hardware, USB hubs can practically be considered addressless except for physical identification. The most reliable way to be confident that devices on a large hub are being named or otherwise prepared in a particular order is to attach each cable to the device in the sequence that you like.
Note that if you supervised a device and it is lost, stolen, or broken to the point that it cannot reconnect to Apple Configurator, you will lose any applicable app codes if you are using VPP. (Which is to say the original “redemption codes” version in comparison to the licenses model referred to in the VPP portal as “managed distribution”, for use with MDM.) To reclaim the previously supervised device’s name to keep your inventory neat, you can select it from the list in Apple Configurator and under the Devices menu, hold down the Option key. Unsupervise will change to Remove and you can prepare a new device to take that slot in the sequence. The same goes when a device is repaired and replaced with a device that has a different serial number, if you were not able to unsupervise the previous device before it left your possession.
Backup concerns
When there is a supervision relationship between many of your devices and you realize that only small workgroups or sets of devices fit in the Apple Configurator usage model, backups become crucial, and alternatives to prevent over-reliance or an abundance of hacky workarounds become attractive. Taking backups as the first topic, Apple ships built-in backup software called Time Machine that can be used to protect the computer that runs Apple Configurator, but it is limited in its capabilities. You can either directly connect a hard drive (which can be encrypted), or send the backup over the local network to a machine running a compatible endpoint. It is not optimized for over-the-WAN offsite backup, among other shortcomings.
To separately understand the files in use, first we’ll reprise our talk about sandboxing. In a rare reversal of the “do as I say, not as I do” maxim, Apple is following its own rules with Apple Configurator by using the container model for its data storage, which puts the files it operates with away from the view of the user. It is literally deep within a hidden folder. You can reach it by navigating to Users | Current User (the current user’s name) | Library | Containers | com.apple.configurator | Data | Library. Yes, the repetition is intentional.
Similar to Time Machine, Apple Configurator leverages links to refer to files outside of its sandbox for which it doesn’t need write access. (Time Machine uses hard links to stub unchanged files from previous backups, which lets it present a complete set when you browse the most current folder structure in its storage destination.)
Another repeated pattern is the use of SQLite as the storage mechanism for the database of supervised devices and other inventory-related information. This is located in a subdirectory of the path listed earlier and you can go to it by navigating to Application Support | com.apple.configurator | AppleConfigurator.storedata. iOS software updates that are often full OS installations get cached within Firmware under Caches and apps imported into the program get stored in Resources, which you can reach by navigating to Application Support | com.apple.configurator.
Configurator as chaperone
It is a common troubleshooting tip to turn up the verbosity of a process, look through the logs, and check any settings or configuration files. Mac folks have long gathered commands that enable hidden settings in preference files that are Apple-flavored XML files, just as we said was the case for configuration profiles. If you run defaults write com.apple.configurator LogLevel ALL (with the preference domain mapping to the path of com.apple.configurator.plist at Preferences by navigating to Users | Current User (the current user’s name) | Library | Containers | com.apple.configurator | Data | Library), you will cause informational text built into the debug output of the application to be written to logs. You can then sift through this information by viewing system.log in the Console application inside the Utilities folder in Applications, if you’re running as an admin user on Mac. (Otherwise, you can tail the system.log file by navigating to var | log if you can elevate yourself to an admin user from a shell.)
Sometimes, old code names for apps, devices, or features stick around in the inner workings of applications, and if you run defaults read on the preceding file (or open it in a binary plist compatible text editor such as Xcode), you’ll notice the ChaperoneCertificateIssuer and ChaperoneCertificateSerial key/value pairs. Supervision may very well have used this Chaperone naming internally at Apple during development. Similarly, the name of the profile that Apple Configurator installs when supervising the device is referred to as com.apple.configurator.chaperoneprofile. The following screenshot shows the settings on a supervised device; this is an example of Apple Configurator’s installed profile:
In Settings on a supervised device, this is an example of what Apple Configurator’s installed profile looks like
In past versions of Apple Configurator, you would see that the console output also mentions the Boolean (true/false) value for the “chaperoned” property of a device that is being interacted with. This concept of a host having a responsibility relationship with the device helps further stress the importance of guarding the computer that is running Apple Configurator. If this machine is ever compromised (or perhaps even worse, experiences data loss), you would be in quite a pickle indeed.
Activation Lock and Find My iPhone
A boon for theft prevention (or a bust for the iOS device resale market) is the implementation of a new feature, as of iOS 7, by Apple called Activation Lock, which is an extension of iCloud’s previous Find My iPhone feature. If you had an iCloud account configured with the setting on an iOS 7 device and it needed to be reactivated from scratch after a restore, the process would not have been able to proceed until that account’s password was entered. This was felt to be a burden and a management headache for those who lent out devices regularly, but by some municipality’s statistics, this alone reduced theft of iOS devices as they became practically useless.
Note
A few links to note:
The citation for the claim that thefts (and the iPhone resale market) are impacted by this feature can be found at http://arstechnica.com/apple/2014/06/ios-7-activation-lock-cutting-iphone-theft-damages-resale-market/.
Apple’s Check Activation Lock Status page at https://www.icloud.com/activationlock/ for use before you buy or receive a phone.
Look at Apple’s guidance on how to deal with a device that is still locked (http://support.apple.com/en-us/HT201441) or preparing your own device for sale (http://support.apple.com/en-us/HT201351).
Apple, as the central clearinghouse of devices that must come onto the network and check in before being allowed to be activated, can theoretically ensure that devices can only be activated by their rightful owners.
To address the problem of institutions that want control over whether customers can enable this feature and do not find it desirable when they’d like to reprovision the device to another user, two techniques exist. The first one is that an MDM can block Activation Lock until a bypass code can be generated for the device and sent to the service for a certain window of time after an enrollment that is akin to a full disk encryption key escrow, which provides a distinct, non-identifying “get out of jail free” card so that you can reactivate the device without the presence of the previous iCloud-identified user. You can find more details at http://support.apple.com/en-us/HT202804 in Apple’s documentation about how they recommend folks mix tools such as an MDM or Apple Configurator into their support procedures around Activation Lock.
The reference implementation of MDM for Apple, the Profile Manager service in their OS X Server app, has specific documentation on the Activation Lock bypass code at:
http://help.apple.com/profilemanager/mac/4.0/#/apd94BD5B2E-6448-450D-B76F-605AEEEEC9D7.
The other technique to deal with Activation Lock is that by default supervision does not allow this feature to be enabled in the first place. Are you getting the idea that Apple really wants you to supervise your devices? Only if you then use an MDM that enables the feature (via escrowing a bypass code or otherwise) can devices use the feature. Even if the end user enables Activation Lock on a supervised device, putting the device into Recovery mode will allow you to wipe (or prepare or refresh) it as you see fit. If you’re given a device that was not supervised before Activation Lock was enabled, you will get an error message that says that it is “Unable to check iOS”.
Recovery mode is a state where the device has booted to its firmware and has been told that it needs a fresh OS installation. It previously showed a Connect to iTunes message with a USB connector, but now it shows an arrow from a lightning connector to the new red iTunes icon (http://support.apple.com/en-us/HT1212). You can also use a utility like RecBoot or others if you often find yourself recovering a forgotten password, but be sure to carefully evaluate and inspect applications that purport to do cool things to iOS devices, as they are not officially sanctioned by Apple and may be from compromised sources (http://jaxov.com/2010/05/recboot-iphone-recovery-mode/). The following screenshot shows a prompt that displays the error encountered when you try to prepare a device with Activation Lock enabled:
The error presented when you try to prepare a device with Activation Lock enabled
Addressing the rough spots
For years, Apple said you could try a stick-and-carrot approach, using HR policy and enticements to stop end users from removing MDM or supervision profiles, with the ultimate caveat being that end users could always wipe the device. iOS 8 finally delivered a more comprehensive way to ensure that the devices are managed after being given to end users. Now, there is a restriction on access to the setting that erases all data and settings if the device is supervised, but only DEP, which we’ll discuss later, truly keeps the device locked to your MDM. You can also restrict the removal of profiles by setting passwords as needed for removal in an ad hoc manner.
Between the small (intended) workgroup scale, inflexibility regarding interaction with things like backups, and the singular, fat client-based point of failure, many have hoped that there were other options. GroundControl is a new product that can provide some of the powerful features and functionality of Configurator without its limitations. (Disclaimer: one of our technical editors is the lead developer on this project.) This cloud-based solution aims to put tight control of the deployment process in the hands of the stakeholders. You can learn more about this at https://www.groundctl.com.
DEP versus Apple Configurator
The Device Enrollment Program (DEP) is provided by Apple to alter the setup assistant so that devices can be unboxed by end users, but they are then forced to enroll into the MDM. DEP can also enable supervision without Apple Configurator. In fact, Apple recommends that you do not use devices that have DEP with Apple Configurator, at least while they are assigned to an MDM. Just as Activation Lock would cause trouble with Apple Configurator, DEP would like to kick in when the device is being activated, and this is not currently engineered into the product. Apple’s documentation regarding the example use cases where DEP can be used with Apple Configurator is found at http://support.apple.com/en-us/HT201092.
To get going with DEP, a significant amount of paperwork is required such as associating Apple IDs, tracking down purchases, getting a D-U-N-S number if you don’t already have one for your Apple Enterprise Developer account, and then connecting the DEP portal to your MDM. And even before all that, it may not be available in your country. The complete list of countries that have DEP can be found at https://deploy.apple.com.
The actual moving parts for setting up DEP with your MDM are mostly concerned with what you want to see as part of the setup assistant. There is also the option to lock the MDM profile and enable supervision.
Keep in mind that things such as supervision and locking down devices shouldn’t be a concern when you’re only supporting a BYOD program. However, there are certainly many important considerations to keep in mind when you transition from previously deployed and supervised devices to DEP. Just like supervision, you must wipe the device so that it always points to your MDM during setup. This brings us to a bit of a show-stopper for many, and that is the fact that you are not supposed to restore the backup taken from the same device that is now being associated with DEP.
This makes it sound like there isn’t a real migration path for pre-existing managed devices. We are not making this up. For more information, you can refer to http://support.apple.com/en-us/HT202977. You are even expected to MDM-wipe or Apple Configurator-unsupervise devices before they can be considered active within DEP. For moving data, the following choice quote is included under Apple Configurator: Transitioning to Apple Deployment Programs:
When an iCloud backup is restored to the same device, all supervision and profiles come from the backup regardless of how it was configured in the Device Enrollment Program. For this reason, when restoring backups each user should transition to a new or different device to ensure Device Enrollment Program supervision and MDM enrollment are enforced.
When we filed a radar (bug report) on this behavior, the response received was “works as intended”.
Guided Access versus App Lock versus Single App Mode
The previous section on Guided Access in Chapter 2, Introducing App Security, introduced us to the concept of putting the device into a mode where very little can go wrong with it, but this also limits it to a single purpose—locking the device to run only one app. Note that this would only be applicable for supervised devices. Apple Configurator can be told which app to run and the device will bypass the home screen after the device is woken from sleep. The previous guidance applies for making sure that you can get access to the Apple Configurator station in case it needs maintenance, or to make sure that the network access is reliable if using Single App Mode with MDM. In addition, ensure that the power settings are applied, as end users would need to put the screen to sleep manually since they don’t have access to settings.
As Single App Mode allows ad hoc, over-the-air application of the profile to make the device enter this locked-to-app mode, you can first allow end users to set a passcode on the device before the home screen becomes inaccessible. While this allows it to remain locked when unattended, make sure you consider apps that prompt for authentication and allow you to log out if sensitive data or systems are to be used.
ActiveSync
You may get along very well without any of these tools that we’ve discussed so far. In addition, MDM is not particularly necessary if the ActiveSync protocol delivers the restrictions and security features that you need. The protocol was also adopted by paid versions of the Google Apps product and it is natively supported when you configure an Exchange e-mail account on iOS.
Many aspects of the server and Outlook Web Access interface work in exactly the same manner with iOS as they would with Blackberry, Symbian, Windows Mobile, Windows Phone, or an Android device. However, while the 14.0 version of the specification should be supported, the actual applicable settings have remained somewhat unchanged for years. Recently, Microsoft has been promoting various new products to manage mobile devices, which support the native management frameworks of each of the popular platforms.
As a refresher, management settings enforceable via the ActiveSync protocol are as follows:
- Wiping the device (if the device is lost or stolen)
- Enforcing a device passcode, with complexity, expiration, history, timeout before prompt, and failed attempt thresholds
- Allowing use of the camera (which was originally focused around courts or government-related buildings and contractors)
- Disabling sync while the device is roaming to help with data usage while you are outside normal cellular coverage
Further, via a configuration profile, you can limit how far in the past your mail is synced, along with other account-specific settings like certificates.
Summary
Over the course of this chapter, we spent a lot of time investigating Apple Configurator. We discussed the Prepare mode, which can make lightweight, one-off changes as per your need. Supervision and user checkout or assignment sets up long-term management “chaperone” relationships with iOS devices. We went over how Apple Configurator distributes the older version of VPP app codes and how it can lock the device into an app. As Activation Lock helped to make a device’s theft become less effective, supervision also provided a safety net for institutions by allowing them to reclaim devices via the Recovery mode. We also reminded you that before evaluating an MDM, many restriction-related features are actually available to ActiveSync as an alternative.
For security professionals, it may seem like Apple is clueless about the needs of large enterprises, and Apple Configurator may not help with that impression. But by providing best practices we’re left with the most supportable management, which works with the platform instead of against it. Apple has pushed the idea of “tier zero” or “the new IT” as a hands-off, infinitely scalable solution where IT lets end users perform maintenance tasks and it doesn’t need to build walls between work and personal data in everyone’s devices. We can do our best work when we are protecting devices by concentrating on how little of the device needs to be managed, even if they are owned by institutions. Even when it seems that the controls that are available aren’t of industrial strength, practical concerns are going to trump a tightly locked-down experience. Apple, its customers, and its developers still need room to experiment and bring real innovation and productivity to mobile devices.
Chapter 5. Mobile Device Management
Mobile Device Management (MDM) refers to the technology that allows the centralized management of mobile devices, including those that run Apple’s iOS. Centrally controlling iOS devices is an absolute requirement for many large organizations. Centralized management is also becoming a necessity in smaller environments. There are a lot of products that can be used to manage devices. These range from tools such as the inexpensive Profile Manager built into the Mac OS X Server application to third-party tools such as AirWatch, MaaS360 (by IBM), MobileIron, JAMF’s Casper Suite, and Bushel.
Note
In the interest of full disclosure, Bushel is being developed by one of the authors of this book. Bushel is represented here because of the depth of knowledge that the authors have of the product.
In this chapter, we will cover the following topics:
- Introducing MDM
- Using Configurator versus mobile device management
- Profile Manager
- Introducing Bushel
These are meant to showcase the technology and are not an endorsement of any single solution. The reason that it’s hard to endorse any single solution is that each has specific strengths and weaknesses, and each should be considered independently according to the environment.
Introducing MDM
As mentioned, MDM is a technology that empowers you to centrally manage mobile devices. MDM’s framework is developed by Apple and works using the Apple Push Notification service (APNs) to send messages from Apple. The notifications by the APNs do not actually contain commands or settings, but instead notify the device to look back at an MDM server, to pull commands that are waiting on the server.
MDM commands can wipe, lock, and perform other tasks on devices. MDM commands can also leverage profiles to configure settings on devices, similar to how we configured settings using Apple Configurator in this chapter. However, when configuring settings via an MDM solution, the profiles are installed over the air. This allows you to change settings daily or based on a device meeting a specific requirement. For example, with some third-party tools, you can wipe a device based on the geographic location of the device. MDM refers to the myriad of technologies that go into facilitating these transactions.
Configurator versus MDM
In Chapter 4, Organizational Controls, we looked at managing devices locally using the Apple Configurator. The Apple Configurator works by installing profiles on devices using the USB connection from the computer to the devices. This works great in certain environments, such as when you just want to load settings onto a device prior to giving it out to a user. However, for a number of scenarios, you will want to update devices over the air. And, for a number of other scenarios, you need to use Apple Configurator or a combination of Apple Configurator and an MDM solution.
As mentioned, there are a number of tasks that cannot be managed using an MDM solution. These include the following:
- Restoring data to devices
- Setting the background image of devices
- Upgrading devices
- Enabling supervision, with the exception of Device Enrollment Program (DEP) devices (DEP allows Apple devices to be tied to an MDM solution)
Apple Configurator, on the other hand, can be used for all of the preceding points, as well as enrolling into an MDM solution. It can also be used to supervise devices without an MDM, the benefits of which we discussed in the previous chapter. This makes using Apple Configurator a viable use case for the tasks it can perform; it also helps to automate the setup of a lot of devices.
The Profile Manager
There are a lot of providers with MDM solutions, such as Symantec, IBM, Sophos, JAMF Software, and others. We’re going to use Profile Manager in this chapter, not because it’s the best of them, but because it’s an Apple product. The features of each MDM solution can be quickly and easily compared at http://www.enterpriseios.com/wiki/Comparison_MDM_Providers.
In this chapter, we will look at two solutions. The first is Apple’s Profile Manager. This is a service included as part of the Server application, which runs on Mac OS X and is built by Apple. The Server app can be purchased from the Mac App Store for around 20 dollars (USD). However, the Profile Manager is not a complete solution for many; it lacks some scalability and ease of use that other vendors have built into their products. The second is a newcomer called Bushel. The Profile Manager requires an OS X Server, whereas Bushel is a SaaS solution.
Preparing the Profile Manager Server
As mentioned, Profile Manager requires a Mac running OS X Server. In many cases, this server is a simple Mac mini server. Before we get started with installing the Server application and showing how to use Profile Manager, prepare the computer that will be used as the server.
Tip
For testing, the server can be a virtual machine when running on Apple hardware.
Setting up the Profile Manager involves preparing the server by configuring a static IP address on the OS X Server. Once you have installed the Server app from the Mac App Store, configure a static IP address using the Network System Preferences pane. Once done, you will need to properly configure a hostname.
The hostname in this example will be Yosemiteserver.krypted.com. When initially set up, a self-signed certificate is installed. It’s simple to generate a CSR and install a certificate from a Certificate Authority (CA); however, doing so is beyond the scope of this example. Perform the following steps:
1. First,elevateyourprivilegesbyinvokingbashwithsudo:
sudobash
2. Next,configurethehostnameusingthescutilcommand:
sudoscutil--setHostNameYosemiteserver.krypted.com
3. Then,configurethecomputernameusingtheComputerNameoptionwiththescutilcommand:
sudoscutil--setComputerNameYosemiteserver
4. Finally,configurethelocalhostnameusingtheLocalHostNameoptionwithscutil:
sudoscutil--setLocalHostNameYosemiteserver
NoteTheprecedingComputerNameandLocalHostNameoperationscanbeperformedusingtheSharingSystemPreferencepane;however,wearedoingitheresincewearealreadyinthecommandlineanditsonelessscreenshottotakeuphalfapage.
Oncethenamesareproperlyconfigured,checkwhethertheyfunctionproperlyusingthechangeipcommand:
sudochangeip-checkhostname
Theoutputofthechangeipcommandshouldappearsimilartothefollowingexample:
Primaryaddress=192.168.210.201
CurrentHostName=Yosemiteserver.krypted.com
DNSHostName=Yosemiteserver.krypted.com
www.it-ebooks.info
Thenamesmatch.Thereisnothingtochange.
dirserv:success="success"
Ifyou’reunsuccessfulanddon’tseesuccess,youmayneedtodosomeworktoresolvethedomainnames:
1. WhenhostingyourownDNSfromwithintheServerappontheProfileManagerserver,verifythattheDNSserverissetusingtheIPaddressusedontheserver.
2. WhenhostingaDNSonanActiveDirectory-basedDNSserverorothernon-localDNSserver,verifythatyouhaveproperlyworking,forwardandreverserecordsforthehostnameandIPaddresscombinationinuseontheOSXServerortheActiveDirectoryintegratedserver.
3. FromtheServerappontheProfileManagerserverorotherMac,clickontheWebsitesserviceandthenontheONbutton(whichwouldsayOFFtostartwith).Don’tconfigureanythingelseforthewebserver.
4. Whentheservicestarts,youwillseethepathtothedefaultwebsites(/Library/Server/Web/Data/Sites/Default)andaViewServerWebsitelinkwillbedisplayedonthescreen,asshowninthefollowingfigure:
Thesetupofthewebservice
ClickontheViewServerWebsitelinkatthebottomoftheServerapp.ThenverifythattheWelcometoOSXServerpageloads.Doingsoverifiesthatthewebservice(Apache)startsproperlyandisaccessible.
www.it-ebooks.info
Preparing Profile Manager
Once you see the Welcome to OS X Server page, click on Profile Manager in the Server app sidebar. Then, click on the Configure button, shown in the following screenshot:
The Profile Manager Service
The Configure Device Management assistant appears. Click on the Next button.
Many environments will have an existing directory service that the Profile Manager server connects to. If you connect to Active Directory, then Profile Manager will require an Open Directory master or replica to be accessible. If there is none, then click on Create a New Open Directory domain in the Configure Network Users and Groups screen (or go on to create the Directory Administrator account if prompted to do so instead). This directory service will be used for Profile Manager. If you have an existing directory service, then the existing service will be used for usernames and passwords and the one you just created will only be used for Profile Manager.
If you're creating an Open Directory domain, click on the Next button. Then, provide an administrative username and password for Open Directory. The default username is diradmin. Click on the Next button.
When prompted on the Organization Information screen, provide the name of your organization and an administrator's e-mail address (the e-mail address to put on certificates), as in the following screenshot, and then click on the Next button.
Providing an organization's information
The settings you used are then displayed on the Confirm Settings screen.
Click on the Set Up button. If prompted to do so, choose a certificate (the next screenshot) and then click on Next.
Configuring an SSL Certificate
For this example, we will use the self-signed certificate created by Open Directory and click on Next.
The APNs certificate establishes a trust relationship between Apple and your Profile Manager server so that push notifications can be sent to devices. You should use an institutional Apple ID for your organization (for example, <[email protected]>) rather than a private one (for example, <[email protected]>). Once you have entered the credentials for a valid Apple ID, click on the Next button.
Provided the Apple ID authenticates and everything works as intended, click on the Finish button to complete and exit the configuration assistant. The Configure button should then be gone. Once back at the Profile Manager settings in Server, select Sign Configuration Profiles, displayed in the following screenshot:
Signing up your configuration profile
From the Code Signing Certificate sheet, choose the appropriate certificate, and click on the OK button:
Choosing a code signing certificate
Note: You can also import a certificate here if you have purchased a code-signing certificate.
Completing Post Configuration tasks
Enable the Include configuration for services option to automatically build your configuration profile settings for services hosted on the server (Mail, Calendars, VPN, and so on). If you use the Profile Manager server for other services, leave this option enabled; otherwise, disable it as seen in the following screenshot.
Enabling configuration for services running on the server
Apple's Volume Purchase Program (VPP) allows you to buy apps on the Mac App Store or iOS App Store in bulk and distribute them to users. You can also revoke apps when employees leave your organization. VPP also allows you to manage iBooks. Profile Manager can help you distribute these apps and iBooks.
To enable the VPP features of Profile Manager, you will first need a VPP account, which can be obtained from deploy.apple.com. Once you have created this account, download your unique token file. Then, back in Profile Manager, enable the checkbox for Distribute apps and books from the Volume Purchase Program. Click on the Choose button and select the token file you downloaded earlier from Apple.
Once these apps are added, click on the ON slider (which would say OFF until clicked). Doing so starts the Profile Manager service. Once you see the URL to access your web interface, you can start managing devices using Profile Manager:
Accessing the Profile Manager service
Once the Profile Manager service is started, click on Open Profile Manager at the bottom of the Profile Manager settings screen. Authenticate yourself on the login page to manage your iOS and OS X devices.
Using Profile Manager
Once you log in, there are a ton of options. You can configure policies for devices and placeholders and get lost pretty quickly. Hence, we're going to provide a primer on configuring profiles and managing devices. The easiest way to get started is to use the Everyone profile. This profile allows you to configure profiles for services running on the server to deploy settings to all users enrolled on the server.
The Everyone group has a Restrictions section, which allows administrators to restrict access to various Profile Manager options. These include restricting access to the My Devices portal (we'll cover using My Devices for enrollment later in this chapter), locking for devices (an option within My Devices), and the ability for users to wipe their own Apple device.
Tip: The DEP is a system that automatically configures Apple devices to join an MDM upon setup, which begins a process that users can complete. You can allow your users to automatically enroll via DEP here.
Activation Lock is a feature in iOS that restricts a device from being erased and reactivated without the Apple ID that was used to originally set up the Activation Lock features. This can be challenging if users do not actually own their devices. When running supervised devices, you can disable Activation Lock or generate a bypass code to unlock a device that has been locked through Activation Lock, as shown in the following screenshot:
Logging into Profile Manager for the first time
Enrolling into Profile Manager
To manage a device, you must first enroll the device in Profile Manager. Enrollment is an opt-in procedure, unless the device is assigned to an MDM server via DEP. Use the URL of the server followed by MyDevices to access the My Devices portal, which is how users can enroll their own devices into Profile Manager. This brings up a list of profiles that can be installed manually.
Enrolling devices in Profile Manager
Tap on the Enroll button to enroll a device. When prompted, tap on Continue:
Installing profiles
You will receive an error if you are installing a certificate that hasn't yet been trusted by a third-party Certificate Authority (CA). As can be seen in the following screenshot, click on the Install button:
Accepting unverified Profiles
Once you're enrolled, click on Profile in the Profiles section of the Settings app to see what settings are deployed and optionally unenroll devices. Users can wipe or lock their own devices from the My Devices portal, or administrators can manage devices from the administrative portal.
Device management
As mentioned, you can then manage iOS devices from Profile Manager. The first task we'll cover here is enforcing a passcode policy for a group of devices. To do so, click on Device Groups in Profile Manager and select a group of devices.
A critical aspect of any management solution is to see the inventory information. The information shown includes certificates installed by the MDM solution, UDID, Last Checkin Time, Wi-Fi MAC, Ethernet MAC addresses, Device Model, and whether the personal hotspot is enabled. You can also see the apps that the MDM solution has installed and the restrictions that have been enforced by the MDM solution.
Passcode policies
Real-time management of devices is done using the Devices screen. Here, we can access machine-specific information and settings using the Settings (cog) button, as well as wipe and lock devices. Try to always use groups to deploy policies, as we do here. From Device Groups, select your group and then click on the Settings tab. Click on the Edit button shown in the next screenshot:
Device Groups
Since we're configuring a passcode policy, click on Passcode. The items in the left column are known as payloads. Click on Configure to set up the passcode payload. Check the box and enable Allow simple value, as shown in the following screenshot. Then, set the Minimum passcode length option to a number. We really like using four characters. Then, click on the OK button to save your changes.
Configuring passcode requirements
Okay! That didn't save your changes to the profile, only to that payload within the profile. Click on the Save button on the Save Changes? screen to finish the process. You'll know everything worked when the device prompts you for a new passcode if one is already configured.
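The passcode payload configured above through the Profile Manager web interface is, once it reaches the device, a configuration profile carrying a com.apple.mobiledevice.passwordpolicy payload. The script below is an added example, not code from the book or from Apple: it generates such a profile from a few parameters and audits an existing one against a baseline that is stricter than the four-character simple passcode the text settles on. The payload type and the keys allowSimple, minLength and maxFailedAttempts are Apple's documented passcode payload keys; the identifiers, UUIDs and the baseline thresholds are assumptions of this example, and the audit uses grep and sed rather than a real plist parser, so it expects one key per line, as the generator emits.

```shell
#!/bin/sh
# Added example, not from the book or from Apple: build a minimal passcode
# policy profile and audit one for weak settings. PayloadType
# com.apple.mobiledevice.passwordpolicy and the keys allowSimple, minLength
# and maxFailedAttempts are the documented passcode payload keys; the
# identifiers, UUIDs and baseline thresholds below are assumptions.

# passcode_profile MIN_LENGTH ALLOW_SIMPLE MAX_FAILED
# Prints a .mobileconfig plist to stdout; ALLOW_SIMPLE is true or false.
passcode_profile() {
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key>
      <string>com.apple.mobiledevice.passwordpolicy</string>
      <key>PayloadIdentifier</key>
      <string>com.example.passcode.payload</string>
      <key>PayloadUUID</key>
      <string>11111111-2222-3333-4444-555555555555</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>allowSimple</key>
      <$2/>
      <key>minLength</key>
      <integer>$1</integer>
      <key>maxFailedAttempts</key>
      <integer>$3</integer>
    </dict>
  </array>
  <key>PayloadDisplayName</key>
  <string>Passcode policy (example)</string>
  <key>PayloadIdentifier</key>
  <string>com.example.passcode</string>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadUUID</key>
  <string>66666666-7777-8888-9999-000000000000</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
</dict>
</plist>
EOF
}

# plist_value KEY: prints the element that follows <key>KEY</key> in $PROFILE
# (one key per line, as the generator and Profile Manager exports emit).
plist_value() {
  printf '%s\n' "$PROFILE" | grep -A1 "<key>$1</key>" | tail -n 1 | sed 's/^[[:space:]]*//'
}

# audit_passcode_profile: reads a profile on stdin and returns 0 when it
# disallows simple passcodes, requires at least 6 characters and wipes after
# 2 to 10 failed attempts; otherwise prints each finding and returns 1.
audit_passcode_profile() {
  PROFILE=$(cat)
  status=0
  # allowSimple defaults to true on iOS, so an absent key is as weak as true
  case "$(plist_value allowSimple)" in
    *true*|"") echo "FINDING: allowSimple is true or unset (4-digit PINs accepted)"; status=1 ;;
  esac
  min=$(plist_value minLength | sed 's/[^0-9]//g')
  [ "${min:-0}" -ge 6 ] || { echo "FINDING: minLength is ${min:-unset}, baseline is 6"; status=1; }
  failed=$(plist_value maxFailedAttempts | sed 's/[^0-9]//g')
  if [ -z "$failed" ] || [ "$failed" -lt 2 ] || [ "$failed" -gt 10 ]; then
    echo "FINDING: maxFailedAttempts is ${failed:-unset}, baseline is 2 to 10"; status=1
  fi
  return $status
}
```

Pipe a profile exported from Profile Manager into audit_passcode_profile to see what the device will actually enforce; each FINDING line names one setting under which the device accepts a passcode weaker than the baseline.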
Wiping a device is another common administrative task. Make sure you're using a device where you don't mind losing everything before you follow along with this example. To wipe a device, select the device from Profile Manager and then click on the Settings (cog) button, as you did earlier. This time, click on Wipe:
Wiping a device
When the Wipe screen comes up, click on Wipe. Because this is destructive to data on the device, you'll be prompted to click on Wipe a second time. If you look at your device, note that it should instantly go black and then reboot.
Tip: If the device is DEP-enabled, it will automatically begin the enrollment process again once it joins a Wi-Fi network for the first time.
Introducing Bushel
In the interest of full disclosure, one of the authors of this book works at JAMF Software, the company that makes Bushel. It is a very simple, easy-to-use MDM that allows us to showcase, using a third-party solution, how to make changes on devices with the fewest number of screenshots so we can fit them into this book.
Setup
You can set up a Bushel account from signup.bushel.com. When prompted for your company name, provide a subdomain name as well, as shown in the following screenshot:
Configuring your organization in Bushel
When the form is filled out, click on Next.
On the initial screen, provide your name, e-mail address, and a password, as shown in the next screenshot. The administrative username for the account will then be this e-mail address. Click on the Create Account button:
Configuring your Bushel account settings
You will receive an e-mail from Bushel. Click on the Activate button in the e-mail. Click on Get Started and then provide the mail settings for your domain, or click on the Skip button to provide the APNs certificate so that you can enroll iOS devices into your Bushel account, as shown in the following screenshot:
The enrollment process
The enrollment process is similar to Profile Manager and other third-party MDM tools. Log in to your Bushel account, click on Enrollment, and when prompted to Enroll This Device, click on the Enroll button. When prompted Who will this device belong to?, enter the username (that is, most likely, the user's name in front of their e-mail address, or the username for your e-mail system).
Provide the e-mail address as well, and then click on Enroll This Device. To enroll the device, use the default settings at each screen. You can also save the mobileconfig file downloaded (if using a Mac) and e-mail or text it to allow a user to enroll without visiting a website. You will need to leave the username field blank if you're distributing a profile to multiple people.
Restrictions
Apple built a feature called open in management in iOS. This feature protects company data in mail accounts, apps, and even Safari links distributed by an MDM.
One example of open in management is if you download Numbers and Box using Bushel and then purchase Dropbox using your personal Apple ID on the same device, you can then open a document that came in through Numbers using Box. However, you can't open that same document using Dropbox, because it was not supplied via the MDM service.
Bushel enables open in management by default on all accounts. The button says Protect corporate data on iOS devices. To verify that open in management is enabled, click on the Setup tab. Then, click on Security in the sidebar and look for Protect corporate data on iOS devices, as seen in the following screenshot:
Configure corporate data protection
Make sure you are using VPP to deploy your apps and verify that the iOS device is using the mail account deployed via your MDM, rather than a manually configured account. To check the mail account, open Settings, tap on Mail, and verify that the settings found there cannot be changed. We will cover the Volume Purchasing Program in the next section.
Volume Purchasing Program and MDM
VPP is a service provided by Apple that allows organizations to purchase apps in volume. Apps purchased in VPP and deployed through an MDM solution can also containerize data to only exchange data with apps deployed by that MDM solution. To deploy an app, simply click on Apps in the sidebar. If you have a .vpptoken file (a file you get from the Apple VPP portal), then you will see the apps purchased using the Apple VPP portal in your Library, as shown here:
Installation of Apps using VPP
Click on an app and then click on the Install button to deploy the app to all devices enrolled in your Bushel account. Then try to copy data out of that app into the one manually installed from the App Store. Provided the copy fails, you have successfully built a walled garden for your app-based data.
Summary
We did a lot in this chapter, which is great. In Chapter 1, iOS Security Overview, we looked at configuring passcodes, and in Chapter 2, Introducing App Security, we looked at app data. Here, we managed both with very basic policies, deployed by inexpensive and easy-to-use MDMs. You can get a lot of complicated functionality with your MDM, if you choose. You can also do much more with the tools we provided in this chapter, so we hope you will explore everything these tools (and the other third-party MDM suites) have to offer.
In the next chapter, we'll conclude the book by turning our attention to the insides of the device, diving into debugging tools so you can dive even deeper into the abyss, that is, reverse engineering how these things work.
Chapter 6. Debugging and Conclusion
Every environment is different. Understanding the internal workings of an iOS device enables you to isolate items that you might consider to be a security threat for your particular environment that we haven't identified in this book. In addition, learning more about these devices is just plain cool! In this chapter, we're going to look at debugging and forensic data collection. These both showcase what kind of data can be pulled off devices and teach you more about the devices that you're securing.
As we've showcased throughout this book, Apple does a good job of protecting sensitive data on devices. In addition, application vendors have a lot of tools to keep your data secure as well. However, computers being what they are, some data can be obtained from them. In this chapter, we're going to cover the following topics:
Xcode
Diving deeper into libimobiledevice
App communications such as identifying devices and network communications
Apple IDs and Apps
We'll be going through the common tools for debugging iOS, reverse engineering to see how things run under the hood, and leveraging that data for various use cases. This process starts with the tool that Apple provides for writing apps, which is called Xcode.
Xcode
Xcode is written and distributed for OS X by Apple. Xcode is used to write apps for both OS X and iOS, and it can be used to write scripts in various languages. Xcode also comes with a suite of tools that can be used to debug the apps that you're writing. These tools can also be used to view logs and watch what happens on devices when you're using them.
Xcode is available on the Mac App Store at https://itunes.apple.com/us/app/xcode/id497799835?mt=12, as you can see in the following screenshot:
Install Xcode from the Mac App Store
In order to install Xcode from the Mac App Store, perform the following steps:
1. Click on Install and wait for the installation to complete to get Xcode installed on your computer.
2. Once installed, open Xcode from the /Applications directory.
3. Choose Devices from the Window menu to see a list of devices that the computer can connect to.
4. Plug in the device.
5. Click on your device to see basic information about the device and then click on the View Device Logs button to view the device logs, as shown in the following screenshot.
The Xcode DEVICES screen
Note: At the bottom left of the Device Information pane is a Show/Hide button. Clicking on this displays the console of the connected device in real time.
6. The logs are then displayed. When they are reviewed, these logs provide a wealth of information about devices, as you can see in the next screenshot.
7. Right-click on a log and you can delete it from the device within Xcode. When you unplug the device, the log window closes.
Tip: You can also obtain Xcode from Apple's Developer portal if you would rather not use the Mac App Store to do so.
iOS Device Logs
Many of the same logs can be viewed on Apple devices themselves by opening the Settings app from the home screen, tapping on Privacy, tapping on Diagnostics & Usage, and then tapping on Diagnostics & Usage Data. From here, you can tap on entries to see the same debugging information that is available in Xcode, as shown in the following screenshot:
Dive deeper with libimobiledevice
Xcode and other tools can be used to view logs on iOS devices. Another tool that is used to debug devices is called libimobiledevice. This is an open source project that is meant to help security researchers, developers, and administrators track the goings-on of iOS devices. The libimobiledevice library is available at http://www.libimobiledevice.org.
Installing libimobiledevice using Homebrew
I usually install libimobiledevice using Homebrew, as there are a few dependencies that can be a little annoying to install otherwise.
To install Homebrew if you haven't already done so, perform the following steps:
1. Elevate your privileges by running sudo and invoking a bash shell:
sudo bash
2. Run the following command:
ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
3. Once the command is executed, follow the prompts to complete the installation. Once Homebrew is installed, run the following brew command to download the required components and then libimobiledevice:
brew install -v --fresh automake autoconf libtool wget libimobiledevice
4. Then, install ideviceinstaller:
brew install -v --HEAD --fresh --build-from-source ideviceinstaller
Using idevicesyslog and idevicepair
Once this pair of tools is installed, you can plug in a paired device, unlock it, and use the following command to view the logs on the screen:
idevicesyslog
This is akin to running a tail against the device. Again, the device must be paired. You can use the command line (for example, if you're running this on Linux) to view the logs, but if you're not paired, you'll need to use idevicepair to pair your device, followed by the pair verb (which is very different from the pear verb):
idevicepair pair
You can also unpair a device using the unpair command:
idevicepair unpair
When pairing and unpairing, you should see the appropriate entries in /var/db/lockdown.
Using idevicedate and ideviceinstaller
The next option is date (very useful when scripting unit tests using this suite). To obtain this, use the idevicedate command; you do not need any operators or verbs:
idevicedate
Next, let's check the apps installed on a device. We can do this with the ideviceinstaller command (which is also part of the libimobiledevice suite of tools). Here, we'll use the -l option to just list what's installed:
/usr/local/bin/ideviceinstaller -l
The output shows each app along with the version of the app currently installed on the device:
com.apple.Pages - Pages 1716
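One practical use of that listing is an inventory check: anything on the device that the organization did not deploy is worth a look. The script below is an added example, not code from the book or from the libimobiledevice project. It reads ideviceinstaller -l output on stdin and prints the bundle identifiers missing from an allow list. The inventory and the allow list are constructed sample data in the one-app-per-line shape the Pages line above shows; in practice you would pipe ideviceinstaller -l in directly and export the allow list from your MDM or VPP records.

```shell
#!/bin/sh
# Added example, not from the book or libimobiledevice: flag apps on a device
# that are not on the organization's allow list. Input is the one-app-per-line
# "bundle-id - Name version" output of ideviceinstaller -l; both the inventory
# and the allow list below are constructed sample data.

SAMPLE_INVENTORY='com.apple.Pages - Pages 1716
net.box.BoxNet - Box 3.3.0
com.protogeo.Moves - Moves 2.4
com.getdropbox.Dropbox - Dropbox 3.5'

# Bundle identifiers the organization deployed (in practice exported from the
# MDM or VPP records), one per line.
APPROVED_APPS='com.apple.Pages
net.box.BoxNet'

# unapproved_apps: reads inventory lines on stdin and prints, sorted and
# de-duplicated, every bundle identifier missing from $APPROVED_APPS.
unapproved_apps() {
  awk 'NF { print $1 }' | sort -u | while IFS= read -r bundle; do
    # -x: whole-line match, -F: literal (bundle ids contain dots)
    printf '%s\n' "$APPROVED_APPS" | grep -qxF "$bundle" || printf '%s\n' "$bundle"
  done
}

# Stand-alone run against the constructed inventory; with a paired device use:
#   ideviceinstaller -l | unapproved_apps
printf '%s\n' "$SAMPLE_INVENTORY" | unapproved_apps
```

With the sample data the two bundle identifiers printed are the ones the user installed with a personal Apple ID, which is exactly the set the open-in-management restrictions covered earlier in this chapter will keep out of corporate data.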
To uninstall one of the listed apps, use the --uninstall option:
ideviceinstaller --uninstall com.protogeo.Moves
You can also install apps, provided you've cached the IPA file (for example, via iTunes):
ideviceinstaller --install /Users/charlesedge/Music/iTunes/iTunes\ Media/Mobile\ Applications/Box\ 3.3.0.ipa
Note: The preceding folder may differ depending on the operating system your library began with.
The preceding command returns the following output:
Copying '/Users/charlesedge/Music/iTunes/iTunes Media/Mobile Applications/Box 3.3.0.ipa' to device… DONE.
Installing 'net.box.BoxNet'
Install - CreatingStagingDirectory (5%)
Install - ExtractingPackage (15%)
Install - InspectingPackage (20%)
Install - TakingInstallLock (20%)
Install - PreflightingApplication (30%)
Install - VerifyingApplication (40%)
Install - CreatingContainer (50%)
Install - InstallingApplication (60%)
Install - PostflightingApplication (70%)
Install - SandboxingApplication (80%)
Install - GeneratingApplicationMap (90%)
Install - Complete
When it is run against a device, the app can then open other apps, provided the user's Apple ID owns the app.
A provisioning profile is a profile that is used to install apps. These apps are usually located on a mail server that supports the ipa MIME type, and the profile defines the location to obtain the app. This forms the basis of the Wirelurker attack, where attackers replace an app by spoofing the domain of the app. There's also a command, ideviceprovision, that can be used to view installed provisioning profiles when it is run with the list verb:
/usr/local/bin/ideviceprovision list
As mentioned earlier, the ideviceprovision command can also install a provisioning profile; therefore, it can actually make the device install an app. This is done using the ideviceprovision command followed by the install verb and the name (and path, if the .mobileprovision file isn't in the working directory from where you're running the command) of the file that is being installed:
/usr/local/bin/ideviceprovision install angrybirds.mobileprovision
You can also remove a provisioning profile by feeding in its UUID, which is obtained using the list verb; replace MYUUID in the following code block:
/usr/local/bin/ideviceprovision remove MYUUID
You can also put a device in recovery mode, so that it would need to be plugged into a computer that is running iTunes and get a new ipsw file installed, which is as simple as feeding the UDID into ideviceenterrecovery:
/usr/local/bin/ideviceenterrecovery af36e5d7065d4ad666bf047b6e4de26dd144578c
This brings up an interesting question. How would you get the UDID? You can use ideviceinfo to get this:
ideviceinfo
The preceding ideviceinfo output shows more information about a device than what I knew you could actually get previously. You can use grep for UniqueDeviceID as follows:
ideviceinfo | grep UniqueDeviceID | awk '{print $2}'
This would just return the UDID. Since this is blank when no device is connected to the system, you can run a loop that waits for a few seconds when the UDID is empty and then uses that UDID as a $1 in some scripts. Of course, it's much easier to use a command that was built for this, which is called idevice_id:
idevice_id -l
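The wait-and-retry loop the text mentions is worth writing once and reusing, together with a sanity check on what the loop hands on. The script below is an added example, not code from the book or from libimobiledevice: extract_udid parses ideviceinfo-style output for UniqueDeviceID, valid_udid checks that a value has the shape of a UDID (the 40-hex-digit form the book shows, or the dashed 8+16 hex-digit form newer hardware reports, which is this example's assumption), and wait_for_udid polls a probe command such as idevice_id -l until a device appears or a timeout elapses. The ideviceinfo output embedded in it is constructed.

```shell
#!/bin/sh
# Added example, not from the book or libimobiledevice: get a UDID out of
# ideviceinfo-style output, sanity-check it, and wait for a device to appear
# before handing the UDID to another command.

# Constructed ideviceinfo output (real output has many more key: value lines).
SAMPLE_IDEVICEINFO='DeviceClass: iPhone
DeviceName: Test iPhone
ProductType: iPhone6,2
ProductVersion: 8.1
UniqueDeviceID: af36e5d7065d4ad666bf047b6e4de26dd144578c
WiFiAddress: 00:11:22:33:44:55'

# extract_udid: reads "key: value" lines on stdin and prints the value of
# UniqueDeviceID (nothing if the key is absent). Same idea as the grep | awk
# pipeline in the text, but keyed on the exact field name.
extract_udid() {
  awk -F': ' '$1 == "UniqueDeviceID" { print $2; exit }'
}

# valid_udid UDID: returns 0 when the string has the shape of a UDID: either
# 40 hex digits (the form shown in the book) or 8 and 16 hex digits joined by
# a dash (assumption: the form newer hardware reports).
valid_udid() {
  printf '%s\n' "$1" | grep -Eq '^([0-9a-f]{40}|[0-9A-Fa-f]{8}-[0-9A-Fa-f]{16})$'
}

# wait_for_udid PROBE TIMEOUT: runs PROBE (for example "idevice_id -l") once a
# second until it prints a valid UDID or TIMEOUT seconds elapse. Prints the
# UDID and returns 0 on success; returns 1 on timeout.
wait_for_udid() {
  probe=$1
  timeout=$2
  elapsed=0
  while [ "$elapsed" -lt "$timeout" ]; do
    udid=$($probe 2>/dev/null | head -n 1)
    if [ -n "$udid" ] && valid_udid "$udid"; then
      printf '%s\n' "$udid"
      return 0
    fi
    sleep 1
    elapsed=$((elapsed + 1))
  done
  return 1
}

# Stand-alone demonstration against the constructed output (no device needed):
printf '%s\n' "$SAMPLE_IDEVICEINFO" | extract_udid
```

In a script you would write something like udid=$(wait_for_udid "idevice_id -l" 30) || exit 1 and then pass "$udid" to the -u option of the idevicediagnostics and idevicebackup2 commands shown next; the shape check stops an empty or truncated value from being passed on silently.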
Next, you can use idevicediagnostics to obtain some information about the current state of the device:
idevicediagnostics diagnostics All -u af36e5d7065d4ad666bf047b6e4de26dd1445789
The idevicediagnostics command has an XML output with information about the device, such as how much battery life is still there. You can also query the ioreg file of the device, which shows what's plugged into the device:
idevicediagnostics ioreg IODeviceTree -u af36e5d7065d4ad666bf047b6e4de26dd1445789
The idevicediagnostics command can also do some basic tasks (where each task is sent as a verb without the required UDID) such as restart, sleep, and shutdown:
idevicediagnostics restart
The crash reports on a device (which include reports of uninstalled apps that forensically provide a glimpse into what apps were removed from a device and when they were removed) can be extracted from a paired device as well, using idevicecrashreport:
idevicecrashreport -e /test
Note: The preceding directory must exist prior to executing the command and the current user must have permission to write to it.
You can then view the logs or grep through them for specific pieces of information:
cat /test/Baseband/log-bb-2014-08-06-stats.plist
The last command that we're going to cover in this section is idevicebackup2, which is used to back up devices. Here, we're going to feed the UDID to it. I'm lazily using the idevice_id command from earlier, in backticks, to grab the UDID and back it up in that /test directory when the device is unlocked.
idevicebackup2 -u `idevice_id -l` backup /test
Here, we've backed up whatever device is plugged in to the /test directory. The subsequent backups will be incremental.
As you can see, there are a number of tasks that can be performed on a device when the device has been paired to a computer. This further emphasizes the fact that you should never pair your device to an untrusted computer.
You can also use the information obtained from these commands to troubleshoot and research a wide variety of things with regard to devices based on iOS. Having a backup, crash reports, and real-time logs, and making changes such as installing apps on devices, allows you to do regression testing, vulnerability research, and a lot more in general that you wouldn't be able to do otherwise.
App communications
Up until now, this chapter focused on viewing data on devices, obtaining logs, and making changes to devices themselves. Since listening to network traffic is the basis of most of the reconnaissance that is done on devices, we'll look at how to obtain more information about devices based on what goes over the network medium. This is done by first identifying the iOS devices on a network and then listening to raw network traffic using common tools such as Wireshark.
Identifying devices
For starters, you can identify all iOS devices easily as they listen on port 62078, which is a unique port. To verify that an iOS device is occupying an IP on a network, scan the IP address for that port. For example, here we use the built-in port scanner in OS X to scan an IP address on the network with an iPhone:
/System/Library/CoreServices/Applications/Network\ Utility.app/Contents/Resources/stroke 192.168.0.126 62078 62078
Listening to network communications
OS X has a command called rvictl that can be used to proxy network communications from iOS devices through a computer over what's known as a Remote Virtual Interface (RVI). To set up an RVI, you'll need the UDID of a device, and the device will need to be plugged into a Mac and paired to the Mac. This may seem like a lot, but if you've followed what we have been doing until now, this should be pretty simple.
To set up an RVI, we'll perform the following steps:
1. First, we'll pair a device using the following command:
idevicepair pair
2. Then, we'll tap on Trust on the device itself. Then, we'll grab that UDID with idevice_id:
idevice_id -l
3. Next, we'll set up an RVI with rvictl and the -s option (here I'm just going to grab the UDID since I only have one device plugged into my computer):
rvictl -s `idevice_id -l`
4. Then, we can list the connections using rvictl with the -l option:
rvictl -l
5. Next, we'll run a tcpdump command using this newly constructed rvi0:
tcpdump -n -i rvi0
6. Next, we'll get a lot of logs. Let's fire up the Nike FuelBand app and refresh our status. While watching the resultant traffic, we'll see a line like this:
22:42:29.485691 IP 192.168.0.12.57850 > 54.241.32.20.443: Flags [S], seq 3936380112, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 706439445 ecr 0,sackOK,eol], length 0
There's an IP in this line: 54.241.32.20. We can look this up and we'll be able to see that the servers are sitting on Amazon Web Services, and on verifying it, we come to know that it's Nike. By watching the traffic with tcpdump, we can obtain GET, POST, and other information that is sent and received. Using Wireshark, we can get even more detailed data.
Overall, this book is meant to focus on the iOS side of information security and not on debugging and refining the approach to using tcpdump/Wireshark. The rvictl tool is a great tool in the iOS development cycle and for security researchers who are looking into the number of apps on iOS devices that exchange data.
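Reading a capture line by line, as we just did with the Nike example, does not scale past a few seconds of traffic. The script below is an added example, not code from the book: it reads tcpdump -n output on stdin, keeps only the TCP SYNs the device itself sent, and prints one line per destination ip:port with a count, which is the quickest way to see which hosts an app contacted during a capture so that each can be looked up in turn. The capture lines embedded in it are constructed, with the first mirroring the line shown above; the device's address is passed as an argument so that the reply SYN-ACKs and other hosts on the segment are not counted.

```shell
#!/bin/sh
# Added example, not from the book: summarise the hosts a device connected to
# during an rvictl/tcpdump capture. Only TCP SYNs sent by the device count,
# so each line of output is one destination the device actively contacted.
# The capture lines are constructed; the first mirrors the line in the text.

SAMPLE_CAPTURE='22:42:29.485691 IP 192.168.0.12.57850 > 54.241.32.20.443: Flags [S], seq 3936380112, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 706439445 ecr 0,sackOK,eol], length 0
22:42:29.512004 IP 54.241.32.20.443 > 192.168.0.12.57850: Flags [S.], seq 1, ack 3936380113, win 28960, length 0
22:42:29.513220 IP 192.168.0.12.57850 > 54.241.32.20.443: Flags [.], ack 1, win 4106, length 0
22:42:30.001000 IP 192.168.0.12.57851 > 54.241.32.20.443: Flags [S], seq 1, win 65535, length 0
22:42:31.100000 IP 192.168.0.12.57852 > 93.184.216.34.80: Flags [S], seq 2, win 65535, length 0'

# syn_destinations DEVICE_IP: reads tcpdump -n lines on stdin and prints
# "count ip:port" for every destination the device sent a SYN to, busiest first.
syn_destinations() {
  awk -v dev="$1" '
    # tcpdump -n layout: time IP src.port > dst.port: Flags [S], ...
    $2 == "IP" && $6 == "Flags" && $7 == "[S]," {
      split($3, s, ".")
      srcip = s[1] "." s[2] "." s[3] "." s[4]
      if (srcip != dev) next                   # ignore SYNs from other hosts
      dst = $5; sub(/:$/, "", dst)
      split(dst, d, ".")
      print d[1] "." d[2] "." d[3] "." d[4] ":" d[5]
    }' | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Stand-alone run against the constructed capture; on a Mac with an RVI:
#   tcpdump -n -l -i rvi0 'tcp[tcpflags] & tcp-syn != 0' | syn_destinations 192.168.0.12
printf '%s\n' "$SAMPLE_CAPTURE" | syn_destinations 192.168.0.12
```

The SYN-ACK from 54.241.32.20 and the bare ACK that follows it are deliberately ignored: counting every packet would inflate busy connections, whereas counting SYNs gives one entry per connection attempt, so the first column is a fair measure of how much an app talks to each host.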
Tip: While I've found that rvictl is able to show me pretty much anything I need access to, if you find any issues with it, go to https://github.com/libimobiledevice/usbmuxd. This is an open source project that is being developed more aggressively and can be used to do similar tasks.
Apple IDs and Apps
One item that is not often covered when considering iOS security is the Apple ID that is used to manage a device. The Apple ID can potentially be used to wipe a device (for example, via the Find My iPhone app), restore a device's backup, or even view the purchased media (songs, movies, iBooks, and apps) that may not be available on a device.
When you uninstall an app, the app is still in your purchase history. As you can see in the following screenshot, you can get a fair amount of information about what someone uses a device for:
Apple IDs and Purchased History
The only way to prevent someone from looking at such information is to secure the Apple ID. Use strong passwords for these and change them from time to time. When an employee leaves an organization, you might also be able to reset their password using an e-mail address if the Apple ID uses a corporate e-mail address.
Forensics
So far, we've discussed looking at data on devices. When you use a device, unless you made a forensic image of the device prior to using it, you are tainting evidence. This is not a book on forensics, but we can let you know about some tools that will allow you to acquire a forensically sound image of a device without much fanfare.
Note: Many of these tools are only available to law enforcement professionals. Apple has recently gone to great lengths to make their devices "leak" less data, even to law enforcement. Since iOS 7, it's been practically impossible to brute force passcodes, and after Apple fixed the boot ROM exploits of the iPhone 4/iPad 2, it's no longer possible to obtain an image of the device's flash storage for offline analysis.
The following links are available to help you properly acquire evidence from iOS devices and computers that access iOS devices:
iOS Forensic Toolkit: http://www.elcomsoft.com/eift.html
Mobilyze: https://www.blackbagtech.com/mobilyze.html
AccessData Forensic Toolkit: http://www.elcomsoft.com/ios-forensic-toolkit.html
Lantern: https://katanaforensics.com/products/
Blacklight: https://www.blackbagtech.com/forensics/blacklight/blacklight.html
iPhone Backup Analyzer: http://ipbackupanalyzer.com/
Oxygen: http://www.oxygen-forensic.com/en/
Forensic Hardware: http://www.cellebrite.com/
iXAM: http://www.ixam-forensics.com/devices.asp
SecureView: http://mobileforensics.susteen.com/
Tip: Many of these tools can also brute force passwords that are used on devices. However, this might be a lengthy process.
A basic tool that doesn't need to be purchased through law enforcement but can interact directly with a device is iExplorer from Macroplant. This tool does not expose items that are in secure enclaves on the device, but it allows you to have a lot more access than what you would otherwise have. iExplorer allows you to view Contacts, Messages, Notes, Safari's history, backups, and some app data. As you can see in the following screenshot, once it is installed, you can view Safari's browsing history:
Macroplant's iExplorer
As you can see in the following screenshot, you can also view books and other forms of media in the folders in which these items are stored on the device. A user can access these folders without jailbreaking a device.
Viewing iBooks Data
To go further into a device and view preferences, operating system files, and so on, you will need to jailbreak it and use a tool such as iFunBox or iFile via Cydia, which is an app store for jail-broken devices. iFunBox is a Mac/Windows tool for examining the device's filesystem, and iFile is an app that you can install on jail-broken devices. Since iOS 7, you'll need to install a hacked Apple File Conduit (AFC2) from Cydia on a jail-broken device to access anything outside the normal sandboxed AFC areas of the device. (See https://cydia.saurik.com/info/com.saurik.afc2d/ for more information on this.)
Tip: For more information on jailbreaking devices, search on Google for the term Jailbreak together with the model of device you have. A lot of sites on jailbreaking come and go, so we're not going to include a link here, but it's worth checking out how people go about such things and the limitations on devices once they're jail-broken.
ApplicationsecurityEarlierinthischapter,wecoveredhowtoobtainmoreinformationabouthowapplicationscommunicatewithservers.Here,we’regoingtotakeabrieflookathowyoucanobtainmoreinformationaboutthedataand/orbinarieswithinanapp.Inapps,theseareusuallycompiled,soyouwillnottypicallyseerawsourcecode.Mostapplicationvendorswillnotprovideyouwithaccesstotheirsourcecodeeither.
IPAfilesarezippedapplicationbundles.Youcanunzipthembeforeattemptingtodisassemblethebinary.Todoso,youcanright-clickonanIPAfileandopenitwithArchiveUtilitytoquicklyunzipanappbundle.Insidetheresultingfolder,you’llseeaPayloadfolderthatcontainstheappitself.Onceyoucanseetheapp,youcanviewthepackagecontentsontheappbundleandlocatethebinaryfilewithin.Unfortunately,inmanycasesalthoughyoucanviewthestrings,attemptingtodisassembleaniOSappbinarywithatoollikeHoppercanbefruitlessbecauseappsfromtheAppStoreareusuallyencrypted.
Adhocandenterprisedistributionappscanbeexaminedwiththesetools;however,manyenterpriseappdevelopersuseobfuscationtechniquesorwrapperstoreducetheusefulnessofdisassemblyontheirproductionbinaries.
Insummary,thesedisassemblytechniquesprobablyaren’tusefultothereaderinanymeaningfulway.Unlessyouareanexperienceddeveloperwithsomeassemblylanguageknowledge,disassemblyofevenasimpleunencryptedbinaryofanysortisn’tlikelytohelpyoulearnanything.
Viewing an App

There are a number of tools that can help you to obtain more information about an app. You can use the command line to view the contents of a file, and even though it is compiled, there's still a fair amount of information that can be derived from an iOS application file (an IPA file). To do this, simply use the cat command on a file from your app library:

cat /Users/charlesedge/Music/iTunes/iTunes\ Media/Mobile\ Applications/Amex\ 4.6.0.ipa

You can also view data in the file without all the special characters using the strings command:

strings /Users/charlesedge/Music/iTunes/iTunes\ Media/Mobile\ Applications/Amex\ 4.6.0.ipa
There are also disassemblers that have different levels of luck in obtaining information about a file. One example is Hopper Disassembler, which can be purchased from the Mac App Store at https://itunes.apple.com/us/app/hopper-disassembler/id422856039?mt=12. The following screenshot shows the Hopper Disassembler:

[Screenshot: Hopper Disassembler]

There's also a tool called Clutch, which is available on GitHub at https://github.com/KJCracks/Clutch. Clutch must be run from a jail-broken device, so it requires a somewhat thought-out method to decompile code; however, it is able to obtain more data than any other tool that we've seen.

There are many books available online that can help you to understand native programming languages if you aren't already familiar with them.
Summary

There are a number of places where we stopped ourselves from writing more in this chapter. This chapter does not provide in-depth information about packet capturing, forensic acquisition, application development, or iOS systems internals. Instead, similar to the rest of the book, we are pointing you towards the necessary content to do more if you choose.

The authors of this book are strong proponents of the hacker mentality. There really isn't more security information about devices that is available without jailbreaking devices or accessing Apple's Developer portal at http://developer.apple.com. We do hope that you will do them both at some point. We don't believe that you can fully secure a jailbroken device, so you should, therefore, refrain from putting them into production. However, we also believe in learning as much as we can, which means eventually jailbreaking a device and seeing what really makes those little Speak-and-Spell apps tick.