Enterprise Mobility Management (EMM)

1 Enterprise Mobility Management (EMM)
This course will refresh participants on current and upcoming threats to financial institutions that target mobile devices. Participants will gain an understanding of how attackers exploit these devices and what controls are available to help mitigate these attacks. The majority of the course will be dedicated to the review and demo of Mobile Device Management (MDM) systems. MDM software secures, monitors, manages and supports mobile devices that access the bank's systems, whether bank-owned or employee-owned. Topics to be covered include:
How to make sense of user-owned devices in the workplace
Best practices for managing devices when employees are hired/fired
Discussion of whether the bank should mandate/purchase mobile devices for employees, and much more!
Josh Stroschein Oct 2014 @jstrosch

2 About me Josh Stroschein
Instructor at Dakota State University (DSU) MSIA from DSU Doctoral Student in Cyber Operations SD Air National Guard Software development consultant

3 Overview What is EMM? The Mobile Ecosystem Current Threat landscape
Understanding iOS and Android Mobile Device Management (MDM) Mobile Application Management (MAM) Mobile Information Management (MIM) Mobile Strategy/BYOD

4 What is EMM? Enterprise Mobility Management
Centered on devices, operating systems, networks, applications, data and policy We need to address more than just device management – MDM This includes managing wireless networks A fully comprehensive EMM suite will cover devices (MDM), plus applications (MAM) and information (MIM) Network connections to the enterprise, data that is accessed, shared or generated Mobile management, data loss protection, mobile virtualization, app wrapping, app signing… I think you get the point!

5 Mobile VS Legacy PC Mobile security isn’t as simple as mapping current and familiar PC security measures onto mobile platforms. For example, antivirus, personal firewall and full disk encryption are possible on Android, Windows Phone and Surface, but requiring them would mean denying iOS devices access to the network, because iOS does not support all of these legacy control measures at this time. Though with the application vetting Apple performs, there is little need, at least for today, for on-device security applications. A security architect tasked with securely allowing iOS devices in the enterprise has to approach the issue from the standpoint of data protection instead. The Android security architecture is very similar to a Linux PC. Based on Linux, Android has all the advantages and some of the disadvantages of a Linux distribution (distro), as well as security considerations unique to a mobile OS. However, iOS devices differ substantially from a PC from both a usability and security perspective. The iOS architecture even appears to have several security advantages that could potentially remedy some of the security challenges of PCs. Compare the PC security model and mitigations alongside the Android and iOS models in a simple example as shown below, and you’ll see that the control measures PCs require may not be necessary for the iOS model. In addition, Windows Phone and Surface improve on the familiar PC model in many ways.

6 Mobile Ecosystem Globally, 1.8 Billion mobile phones sold in 2013 (up 1.2% from 2012) Market share Android % iOS % Blackberry – 1.9% iDevices dominate the enterprise though [Mobility Index Report 2014] Estimated 1.2 billion app users by end of 2012 Forecast 4.4 billion by end of 2017 Apps by share Estimated that there are at least 800,000 apps in both the Apple App Store and Google Play, each! The market for mobile payments will triple in value by 2015, reaching $670 billion [Juniper] Stats:

7 Mobile OS Market share

8 Mobile Ecosystem Mobile Banking (m-banking)
Estimates between 500 million and 1.1 billion m-banking users globally by 2015 More users of m-banking than mobile commerce Driven by banks: helps cut costs, provides convenience Efforts to reach the “unbanked” 70% of employees use personal devices for company data Is it authorized or not? Unbanked: adults who do not have their own bank accounts

9 Mobile Attack Vectors
User: Malicious and risky apps (malware) Risky behavior User data leakage: copy/paste, screenshot, open-in
Device: Jailbreak/Root Theft
Networks: Rogue AP, MiTM

10 Consumer App Risks 47% - Companies with BYOD [strategy] that experience a data or security breach as a result of an employee-owned device accessing the network 65% - Companies with NO BYOD policy 34% - Companies with no app security program Mobile threat increase: up 614%

11 Threat Landscape Are mobile devices really insecure?
Q – 277 new threat families found 275 run on Android (99.3%) 1 on iOS and 1 on Symbian 91% classified as malware, the rest were classed as potentially unwanted apps According to Kaspersky: 98.05% of all detected malware targeted Android 0.13% Other – this includes iOS First half of 2014, 175,442 new unique Android malicious programs were detected 18.3% more than all of 2013 To identify threats, we analyze each app received for malicious code. If we find any, the app is grouped into a family based on similarities in code and behavior. Unique samples in a family are known as variants. PUA: apps that could inadvertently introduce risks to the user’s privacy or device security if misused.

12 Threat Landscape The lone hacker is now a common misconception.
Driven by organized crime What does all of this malware do? Primarily Trojans SMS Sending File or app downloading Location Tracking Fake app scanning Link Clicking Banking Fraud Fee charging Some are linked to a botnet - ~19% Most are profit motivated Silently sending SMS messages to premium numbers (Android 4.2) Charging a ‘fee’ for a free app Android 4.2 Jelly Bean – notification prompt for premium SMS messages, how will it impact?

13 Threat Landscape Trend in 2013 saw more malware targeting user banking credentials to access their money Another Android trend, but iOS users should stay alert 423 banking trojans in August of 2013 – 5,967 in July of 2014 More than a 14x increase! What about iOS? Trojan: IPHONEOS/ADTHIEF.A Malware hijacks various advertising modules in installed apps to display its own advertisements Only affects jailbroken phones! Symbian Trojan that silently sends SMS messages Unusual due to focus on an OS with very small market share Users of iOS-based devices should not be complacent, either. Although there has not so far been a spate of malware designed to steal sensitive data from iPhone and iPad owners, operating system errors making such malware possible keep appearing. One very recent example is an error found by researchers in late February 2014, which can enable attackers to record the characters entered by the user on the device’s on-screen keyboard. Cybercriminals could take advantage of the vulnerability to steal the user’s online banking credentials, among other sensitive data.

14 Mobile Risk Ecosystem To understand mobile, we need to understand the risks. It’s like the PC, only different What are they? Physical Risks Physical access to device is impossible to defend against Service Risks Most apps are just clients, accessing data from a server How secure is the server? Social Engineering: How is your tech support? Self-help portal? App Risks Primary Attack surface – apps interacting with platform features But app to app problems are mitigated by the OS

15 Application Threats Sensitive Information Leakage
PII, IP, Pins, passwords Secure on-device storage Secrets do not belong on the device Poor code/Application security risks Who writes your code?

16 Open VS Closed Platforms
Apple is closed They control the OS, manufacturing, and the app store Tougher controls – app signing and vetting Android is open Custom OS, distributed app stores, self-signing for apps Upgrading phones depends on agreement with the device manufacturer and mobile network operator (MNO) I’m still running Android 2.3 – I was until last week anyway… What drives the app store? Security or Consumerism?

17 A little about iOS Security implemented at every level
Remember, Apple controls it all Secure startup: bootloaders, kernels, baseband firmware – signed by Apple for integrity Only one port open out of the box – TCP 62087? Minimal network profile, no known vulns Very little to work with for pen tests, vuln scans, etc But, updates usually come direct from Apple App signing Cert comes from Apple Granular app controls (vs Android manifest) Code signing your app assures users that it is from a known source and the app hasn’t been modified since it was last signed. Before your Mac app or iOS app can be used with store services, installed on an iOS device for development or testing, or submitted to the App Store, it must be signed with a certificate issued by Apple. For more information on how to request certificates and code sign your apps, review the App Distribution Guide.

18 A little about Android Android is open source w/ bits of closed-source software Google Apps are closed (when native on device) Device manufacturers and mobile carriers develop custom software, including drivers and apps – closed source Push updates, if at all, at different schedules Results in Fragmentation: The same device on two different carriers can have different software Permission based Enforced at the kernel It’s how Android sandboxes And at the application Apps must declare permissions in their manifest (AndroidManifest.xml) App signing: Can use a self-signed certificate – very common At the kernel, access is based on users/groups – think Linux, because it is. Every app runs as a unique user id, which can be finely tuned. This restricts applications/users to only those resources they have explicit permission to access. This is how apps are sandboxed: one app cannot access the resources of another or hardware components it has not been given permission to use.
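Because every Android app must declare its permissions in AndroidManifest.xml, the manifest is a cheap first vetting step for an internal app store. The script below is an added example (not from the slides or any MDM product): it parses a constructed manifest for a "flashlight" app, groups the declared permissions by the behaviours the threat-landscape slides list (SMS sending, location tracking, boot persistence), and flags the combinations a reviewer should question. The risk groups and thresholds are our own assumptions; the permission names are real android.permission constants.

```python
"""Triage the permissions an Android app declares in its AndroidManifest.xml.

Added example for app vetting before approval into an internal app store.
The risk grouping and the sample manifest are constructed for illustration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS  # android:name in Clark notation

# Real android.permission.* names, grouped by the malware behaviours the
# slides describe (grouping is an assumption, not an Android category).
RISK_GROUPS = {
    "sms": {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
            "android.permission.READ_SMS"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "network": {"android.permission.INTERNET"},
    "persistence": {"android.permission.RECEIVE_BOOT_COMPLETED"},
    "contacts": {"android.permission.READ_CONTACTS"},
}

# Constructed manifest: a "flashlight" app asking for far more than it needs.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <application android:label="Flashlight"/>
</manifest>
"""


def declared_permissions(manifest_xml: str) -> set:
    """Return the set of permissions declared via <uses-permission> elements."""
    root = ET.fromstring(manifest_xml.strip())
    return {
        elem.get(NAME_ATTR)
        for elem in root.findall("uses-permission")
        if elem.get(NAME_ATTR)
    }


def risk_report(manifest_xml: str) -> dict:
    """Map declared permissions onto risk groups and flag suspicious pairings."""
    perms = declared_permissions(manifest_xml)
    groups = {g: sorted(perms & names) for g, names in RISK_GROUPS.items()}
    groups = {g: p for g, p in groups.items() if p}  # keep only groups hit
    flags = []
    # Premium-SMS fraud needs only SEND_SMS; paired with boot persistence the
    # app keeps running after reboot without the user relaunching it.
    if "sms" in groups and "persistence" in groups:
        flags.append("sms-capable app that starts at boot")
    # Location plus network access is the profile of location-tracking trojans.
    if "location" in groups and "network" in groups:
        flags.append("location data can leave the device")
    return {"permissions": sorted(perms), "groups": groups, "flags": flags}


if __name__ == "__main__":
    report = risk_report(SAMPLE_MANIFEST)
    print("declared:", ", ".join(report["permissions"]))
    for flag in report["flags"]:
        print("FLAG:", flag)
```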

19 Android Security Model

20 Secure Use of Android Only download software from known trusted sources Google Play, Amazon, internal app store Only visit trusted websites Avoid charging from untrusted docking stations Keep the phone updated – if you can! Samsung SAFE and KNOX

21 iOS 7 VS Android Security Controls
In comparing iOS to Android, it’s important to note that Android controls will vary based on the actual device, the operating system version and even the carrier. In some cases for example, older versions of Android do not offer device-level encryption.

22 Jailbreaking vs ‘rooting’
Android: root – accessing the root account iOS: Jailbreak – overcome several iOS security measures to accomplish – and get the root account Goal is to gain complete control of device/OS Install SSH, VNC, custom theme, alternate app stores (iOS), tether, et cetera Management Concerns How did they jailbreak/root? Install a backdoor? New services enabled (ssh/ftp/etc) Entire file system is now exposed iOS: Running apps outside of Apple’s control, negating the Sandbox Still receiving OS updates? Likely not

23 Mobile Device Management (MDM)
Frameworks or solutions designed to control, monitor & manage mobile devices on the enterprise network Ability to perform these tasks remotely, over the air (OTA), for devices enrolled in the MDM service Why MDM? We can’t control mobile devices the same way we do traditional corporate desktop/laptop assets We lose control over: System upgrades (provided by carrier) Installation/Uninstallation of applications Data on the device Device management and provisioning features

24 MDM Is MDM provided only by a 3rd party vendor? No, mobile platforms provide features for MDM Android 2.2 and iOS 4 (OTA support) Vendors create the management framework Combined, this is the MDM Framework Examples: MobileIron, AirWatch and BlackBerry Enterprise – MDM Solutions Leverage platform-specific MDM frameworks to provide device management capabilities Some vendors develop MDM solutions w/o using platform-specific MDM features Example is GOOD for Enterprise GOOD provides an MDM solution w/o leveraging the platform framework and support

25 MDM Three broad categories
Device Centric: Use platform MDM features to secure and harden device MobileIron, AirWatch and Tangoe Data Centric: Secure data/content, does not focus on entire device (Mobile Application Management) GOOD For Enterprise Hybrid: Features from other two categories present in this approach Data Protection + Device Management Most Desirable?

26 MDM - Device Provisioning
How the MDM solution is implemented MDM often uses client apps to: Enroll the mobile device with the MDM server Manage and enforce policies on devices – once enrolled the server can enforce policies and controls remotely Provide functionality that the platform MDM features cannot Location information, jailbreak/root detection, the stuff that apps can do! Provisioning Profiles Installed on device by MDM client Often XML or text-based files Encrypted, signed or both for integrity

27 MDM – Device Provisioning

28 MDM - Device Provisioning
Provisioning Process – iOS-centric Device is enrolled Device receives profile – profile is verified, decrypted and parsed System files are populated with this info System files are then parsed by system services to enforce/implement settings

29 MDM w/ Apple MDM server generates provisioning profile
Sends to device (Apple Push Notification or MDM app installed) Device stores profiles at system location /private/var/mobile/Library/ConfigurationProfiles XML files (plist) with .stub extensions Device then parses and installs profiles Parsed to populate system files
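The provisioning flow in slides 28 and 29 ends with the device parsing a plist configuration profile, and that same plist is what an auditor can inspect before it is ever pushed. The following is an added example, not code from the slides or any MDM vendor: it builds a constructed two-payload profile (passcode policy and restrictions), serializes it with plistlib the way it would be stored on the device, and checks it against an assumed baseline aimed at the leakage paths the slides mention (iCloud backup, screenshots, managed-to-unmanaged open-in). Payload types and keys are the ones Apple documents for configuration profiles; the baseline thresholds are assumptions.

```python
"""Audit an iOS configuration profile (plist) against a passcode/data-leak baseline.

Added example. PROFILE is constructed; the baseline values in check_baseline()
are assumptions chosen for illustration, not Apple or vendor defaults.
"""
import plistlib

# Constructed configuration profile with two payloads. Apple requires
# PayloadType/PayloadIdentifier/PayloadUUID/PayloadVersion on each payload.
PROFILE = {
    "PayloadType": "Configuration",
    "PayloadIdentifier": "com.example.bank.baseline",
    "PayloadUUID": "00000000-0000-0000-0000-000000000001",
    "PayloadVersion": 1,
    "PayloadContent": [
        {
            "PayloadType": "com.apple.mobiledevice.passwordpolicy",
            "PayloadIdentifier": "com.example.bank.passcode",
            "PayloadUUID": "00000000-0000-0000-0000-000000000002",
            "PayloadVersion": 1,
            "forcePIN": True,
            "minLength": 4,            # weaker than the baseline below
            "maxFailedAttempts": 10,   # wipe after 10 bad passcodes
            "maxPINAgeInDays": 90,
        },
        {
            "PayloadType": "com.apple.applicationaccess",
            "PayloadIdentifier": "com.example.bank.restrictions",
            "PayloadUUID": "00000000-0000-0000-0000-000000000003",
            "PayloadVersion": 1,
            "allowCloudBackup": False,
            "allowScreenShot": True,   # screenshot leakage left enabled
            "allowOpenFromManagedToUnmanaged": False,
        },
    ],
}
# XML plist bytes, the form stored under /private/var/mobile/Library/ConfigurationProfiles
PROFILE_XML = plistlib.dumps(PROFILE)

# Restriction keys that Apple treats as allowed when absent from the payload.
LEAK_KEYS = ("allowCloudBackup", "allowScreenShot", "allowOpenFromManagedToUnmanaged")


def payloads_by_type(profile_bytes: bytes) -> dict:
    """Parse a profile and index its payloads by PayloadType."""
    profile = plistlib.loads(profile_bytes)
    return {p["PayloadType"]: p for p in profile.get("PayloadContent", [])}


def check_baseline(profile_bytes: bytes) -> list:
    """Return findings where the profile is weaker than the assumed baseline."""
    payloads = payloads_by_type(profile_bytes)
    findings = []
    pw = payloads.get("com.apple.mobiledevice.passwordpolicy")
    if pw is None:
        findings.append("no passcode policy payload")
    else:
        if not pw.get("forcePIN", False):
            findings.append("passcode not required")
        if pw.get("minLength", 0) < 6:
            findings.append("minLength %d below 6" % pw.get("minLength", 0))
        if "maxFailedAttempts" not in pw or pw["maxFailedAttempts"] > 10:
            findings.append("maxFailedAttempts missing or above 10")
    rs = payloads.get("com.apple.applicationaccess")
    if rs is None:
        findings.append("no restrictions payload")
    else:
        for key in LEAK_KEYS:
            if rs.get(key, True):  # absent key means the feature stays allowed
                findings.append("%s is enabled" % key)
    return findings


if __name__ == "__main__":
    for finding in check_baseline(PROFILE_XML):
        print("FINDING:", finding)
```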

30 MDM – Control!

31 MDM – Managed VS unmanaged apps
Can manage third-party apps from the App Store Enterprise in-house apps as well But we can’t stop the user from installing apps – this is the difference between unmanaged and managed apps Can remove managed apps and their data on-demand Prevent managed app data from being backed up to iTunes or iCloud Managed apps are those installed through the MDM software

32 MDM – Remote Wipe (Apple)
If a device is out of policy, lost or stolen, or an employee is terminated, through MDM you can: End the MDM relationship – this removes all managed settings (accounts, apps, settings, data) Keep the device managed, remove only specific config profiles Restore to factory default settings – remote wipe Remote lock Reset passcode remotely

33 MDM - Android Android didn’t support MDM until 2.2
Device Administration API Conceptually the same as iOS, but the implementation is different Does not use a configuration profile Apps interact with the Administration API directly MDM vendors need to develop an app that interacts with the Admin API AND the MDM Server Recall fragmentation – it’s back! Device manufacturers can add additional management APIs

34 MDM - Android Androids aren’t always updated, and don’t always ship with the most recent version Can’t depend on current admin/management APIs Overall, much more difficult than iOS MDM Admin API + Core API + OEM API Best strategy: Define which version of Android, and possibly which OEM, has the minimum you need and order/support those devices

35 MDM - Android What does the enrollment process look like?
Install a Device Administration-enabled app Connects OTA to management server Users authenticate w/in app App asks for permission to be device admin Security changes implemented Further changes through MDM server May run in background or receive commands OTA Push notifications sent via Google Cloud Messaging No control over unmanaged apps

36 How is MDM Bypassed? Modifying MDM Policy Files
Done on a jailbroken or rooted device MDM framework will attempt to detect these types of devices MiTM w/ network traffic Detecting MDM tampering Often done by a 3rd party app that monitors the state of the device If the device is in violation, a security reaction can occur (remote lock/wipe/location) Application Patching and Modification Attacks Airplane mode Application patching and app logic bypass attacks are platform specific in nature. Android, modify binary and sign, iOS by injecting into running processes.

37 MDM – Jailbreak detection
Often offered as a feature upgrade Leverage client-side solutions (client app) How effective depends on how the vendor implements detection: Do they just monitor for 3rd party app store? Proprietary This can be subverted as well – app patching

38 MDM Drawbacks Hard to separate corporate and user data
Added tech support More restrictive user experience New phones – will the MDM software keep up? Is it here to stay???

39 MDM – Mastering MDM For iOS, start with the iPhone Configuration Utility/Apple Configurator Perform all of the configs, queries and management actions as any MDM solution You won’t be able to do it over the air w/o an MDM server though

40

41 You can also check out Cisco Meraki
They offer a free service It works better with Cisco products though  Uses an agent app Allows you to work with MDM with a low barrier of entry

42 Mobile Application Management - MAM
Major shortfall of MDM: inability to manage apps at a granular level MDM is all or nothing on a device, what we really care about is the data/apps Personal and corporate apps have to live under the same policies on a device MDM can’t prevent apps from sharing (or leaking) data with other apps on a device

43 MAM – Mobile Application Management
Software and services responsible for provisioning and controlling access to apps Very similar to MDM but for apps – password policies and encryption, geofencing, etc Good for company provided devices and BYOD Less intrusive Third-Party and OS-Enabled OS: manage any app, but only specific devices 3rd Party: Special Apps, but run on any device Goal: Let personal and corporate data live in harmony Achieve dual-persona

44 MAM – How does it work? Building management features into the app.
Why is this good? We don’t need to care about MDM concerns on the device The app is MDM – it’s created in a way to ensure how it interacts with corporate resources won’t compromise the data Not in control of entire device, less intrusive Work stuff can be ‘just another app’

45 MAM by 3rd Party Trick is to let corporate apps share data like personal apps, but not share with personal apps Develop a suite of corporate apps that work together + File Sharing + File Editing + … There is secure sharing: Encrypt data before it goes into device’s shared frameworks Direct app-to-app comms Use an external service Combine this functionality into single app…

46 MAM by 3rd party Most of the apps in the stores are not MAM ready
We can’t get between these apps and the device so we can’t add them to any app – we need the unsigned binary Five basic routes Directly from MAM vendors MAM SDKs when building new apps App wrapping to add MAM Apps from ISVs that partner with MAM vendors Apps that have management features but don’t require a MAM solution

47 MAM enabled OSes Virtualization is one solution
Android virtualization project Samsung and Knox MAM/MDM w/o virtualization iOS 7: New app management capabilities Overall limited, but a step in the right direction iOS 8 expands on those, more later on Very early in adoption… A part of BYOD strategy?

48 Mobile Information Management - MIM
Device agnostic Keep sensitive data encrypted, allow only approved applications to access or transmit What about app leakage? Is it MAM-enabled? How does the OS handle the data? Several drawbacks at this time

49 What about iOS 8? Builds on improvements offered by iOS 7, focus on enterprise Privacy is critical: HealthKit/Health & HomeKit What happens if you do a full wipe? Includes 4,000 new APIs Extensibility: ability of apps to share data between them Users see a seamless experience – we see opportunity for data ‘leakage’ Handoff: Seamless integration between iDevices Should you disable it?

50 iOS 8 – New MDM New queries, such as last time a device was backed up
Set device name On supervised devices, always-on VPN iCloud document control: restrict use of iCloud drive for managed apps

51 iOS 8 – Device Restrictions

52 Policy & Trust

53 Mobile First Strategy Study by Ponemon Institute: 50 percent of IT professionals in financial services say their company has no mobile strategy End-user productivity drives growth of mobile devices in the workplace Budgeting issues continue to plague effective management Biggest risks are malware infections and end-user negligence BYOD is viewed favorably by organizations because of productivity. Written corporate policy is essential – define everything we’re about to talk about and more

54 Mobile First Strategy Top workplace tasks for mobile devices (Ponemon)

55 BYOD: Considerations & Strategy
Start with some basic considerations Biggest barriers to implementing a BYOD program are employees who do not want the company to have control of their personal devices and the difficulty in managing these devices. We’ll also look at a four part strategy: I. Prepare your organization II. Build the program III. Roll out the program IV. Sustain BYOD security and performance

56 Eligibility Make clear who can/can’t use personal devices
By role, by demand, by necessity Determine what they are replacing Phone, laptop, desktop, etc Is it critical that they have this replacement? Determine stipend, financial consideration for replacement Ideal for independent contractors Usually expected to bring their own device Address all legal concerns/update AUP

57 Allowed Devices Require the device to be enrolled in EMM/MDM
If not feasible, how will you protect the enterprise? If installing software on a system, set minimum requirements Consider virtualization All the user needs is a browser – typically Keeps corporate resources separated from personal space, on the same device! Easier to maintain and provision Available on mobile devices

58 Service Availability Determine what services will be made available and how you want to make these services accessible Is data already going out? Does this change much with a BYOD policy – are you monitoring both inbound AND outbound traffic? Consider requiring employee to purchase license for software Provide a discount Avoid risk or liability issues for violations

59 Rollout Communicate policies and procedures to all affected individuals Understanding will be key Explain how the program will work Reimbursement/stipend What corporate resources will/won’t be available Who is eligible Training/education

60 Cost Sharing Determine the actual numbers of your BYOD program
Does it truly save costs – not all benefits can be measured Does it save IT hours or cost more Who supports the devices? Most likely the owner and where they purchased it from How does the stipend affect the employee’s income? Often treated as income for tax purposes – may change the stipend amount

61 User training & support
Do your users understand your BYOD strategy? Are they focused on self-service? Training and education will be critical; this is different than the corporate-owned desktop What type of support will you provide? What should your users expect?

62 I. Prepare the organization
Determine your risk tolerance Your industry may drive your tolerance: Financials, healthcare, etc will need to be more defensive This step helps to: Focus areas/areas of concern Range of devices allowed/supported IT involvement (helpdesk, etc) Security policies Result: Will your BYOD program support your company culture and business goals?

63 I. Prepare the organization
Engage stake-holders early Define program goals Secure program funding and buy-in Must meet the needs and expectations of the end-user Any BYOD program that fails to support end-user needs will likely be rejected Think through common objections to BYOD to help Form a steering committee with diverse representation

64 I. Prepare the organization
Survey and communicate with employees OS/Devices employees use Factors that would encourage/discourage BYOD participation Comfort with self-service support Perception of work/life balance Identify mobile IT capabilities Do you have the correct people and resources? You can perform a capability assessment to help Now that you know your BYOD risk tolerance, program goals and user preferences, do you know if you have the right people and resources to build the program your company needs and users want? A capability assessment can help you determine if you have the right people, processes and technology to enable employees to use their preferred devices and apps and securely access business data on any network. A capability assessment is actually a simple checklist of requirements and their status of completion or availability; it would include all of the resources needed to implement the program, whether those resources are currently available or not, and who is responsible for bringing those people on board.

65 II. BYOD Infrastructure
Infrastructure is much different than a legacy/traditional desktop environment. Roles that may be necessary: Mobile Systems Engineer hardware, software and networking technologies Mobile Device Expert Device and software Mobile Security Expert Policies & controls Mobile Applications Developer Understand app development, whether in-house or outsourced Mobile Service and Support Resources

66 III. Program launch Comes after you’ve defined:
Goals, policies, processes and technical infrastructure Soft launch your program Or use a phased roll out Helps with troubleshooting – collect feedback as well Select a well-represented user group Monitor feedback for improvement Company-wide roll-out Phases are still a good idea Don’t forget training and support

67 IV. Maintaining BYOD Helpdesk is still important, but a good BYOD program will allow for self-service Add more apps, devices and systems Safe and effective device retirement Make sure corporate data is not left behind Mobile devices have a short life-span Measure value In a BYOD program, the old-school model of helpdesk calls and tickets gives way to a new era of user-based self-service. Although the need for an IT helpdesk will never go away, a core component of BYOD is a comprehensive support service that allows users to resolve the majority of incidents without helpdesk intervention. The self-service model should allow users to: • Self-register new devices, monitor and manage current devices and wipe or retire devices as needed. • Self-remediate hardware, software, application and compliance issues.

68 From Blackberry… "BlackBerry broke its longstanding business model recently by announcing that its BlackBerry Enterprise Service 10 management platform would be able to manage not just BlackBerry devices, but Android and iOS gadgets as well. Now, in a new announcement, the company is also exploring the flipside of that coin, allowing software from other companies to manage BlackBerry phones. The moves acknowledge a world in which fewer and fewer people are interested in a vertical BlackBerry solution — but also seem to kill the last things that make BlackBerry special."

69 Auditing/Compliance TODO: get specifics

70 Session Wrap-Up Joshua.Stroschein@dsu.edu josh@m9development.com
Questions? Comments? I’d love to hear from you!

71 Resources hacking/ are_Evolution_2013#01 _Sheet

