Windows Phone 8 Security deep dive
October 2012
David Hernie, Technical Evangelist, Microsoft Belux Office, Microsoft Corporation
All large screen, dual-core, LTE and NFC

Device | Screen (inches) | Display / camera | Extras
Nokia Lumia 920 | 4.5 | PureMotion display, PureView OIS camera | Nokia City Lens, Nokia Music streaming, wireless charging
Nokia Lumia 820 | 4.3 | ClearBlack display, Carl Zeiss lens | Snap-on back cover, wireless charging, Nokia City Lens, Nokia Music streaming
Samsung ATIV S | 4.8 | HD Super AMOLED display | NFC Tap-to-send, Samsung Family Story
HTC 8X | 4.3 | Gorilla Glass 2 display, ultra-wide-angle camera lens | Built-in Beats Audio, built-in amp
Shared Windows Core
- A shared core brings enterprise-class computing to mobile devices
- The NT kernel runs on Windows 8, Windows RT, Windows Phone 8, Windows 8 Embedded and Windows Server 2012, running reliably on 1.3 billion computing devices
- Consumers now have greater choice in form factor, apps and experiences
- Developers can rapidly develop for multiple platforms at a much lower cost due to a high level of code reuse
- Hardware manufacturers can now innovate and differentiate their offerings while enjoying their fastest time-to-market ever
Three different ecosystems

 | Google | Microsoft | Apple
Strategy | Platform + Google Services | Integrated experiences | Integrated software and hardware
Ecosystem | Open source enabling anything | Structured to optimize experience | Apple controlled vertical
Experience | Varies by device | Consistent with extensibility | Apple defined
Agenda
- Security goals: what is this all about?
- System integrity: prevent malware from taking control
- App platform: security architecture and recommendations
- Data protection: prevent unauthorized access to stored data
- Access control & device management: provide secure access to the device
- Remediation: what if something goes wrong?
Security goals
- User first: great experiences. What's the impact? End-user safety (users are not always aware); tools to protect
- Developer trust
- Business policy compliance
Secure Boot
- Secure Boot helps ensure the integrity of the entire operating system
- The Secure Boot implementation is provided by the SoC
- Two phases: pre-UEFI boot loaders initialize the hardware; UEFI Secure Boot then helps ensure the integrity of UEFI applications and the Windows OS
- Secure Boot helps prevent malware from being installed on the phone
Secure boot process
Power On -> Firmware boot loaders (SoC vendor) -> OEM UEFI applications (OEM) -> Windows Phone boot manager (MSFT) -> one of: boot to flashing mode, Windows Phone 8 OS boot, Windows Phone 8 update OS boot
UEFI specifications: http://www.uefi.org/specs/
Trusted pre-boot loader
- During manufacturing: provisioning of the hash of the public key used to sign the initial boot loaders, plus the number of unique keys
- Blow the appropriate fuses (read-only)
- Provisioning of the UEFI key databases
- No Secure Boot bypass for users
- Secure flashing required
Secure UEFI boot loader: all about keys
- Platform Key (PK): the master key. Once the PK is provisioned the UEFI Secure Boot environment is enabled. The PK can be used to sign updates to the KEK (Key Exchange Key).
- Allowed and forbidden signature databases (db/dbx): control which images can be loaded; dbx contains the forbidden keys
- Secure Boot variable: the Secure Boot Policy (SBP) controls certain aspects of the boot sequence
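To make the key roles on this slide concrete, here is an added example (not Microsoft's or any firmware's code) that models the db/dbx decision in Python: nothing is enforced until a PK is enrolled, and a dbx hit always overrides a db entry. Real firmware verifies X.509 chains and Authenticode hashes; this model stands in for that with SHA-256 of constructed byte strings.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class SecureBootState:
    # Hash of the enrolled Platform Key; None means the platform is still in
    # setup mode and nothing is enforced yet (the slide's "once PK is provisioned").
    pk: Optional[str] = None
    db: Set[str] = field(default_factory=set)   # allowed image/signer hashes
    dbx: Set[str] = field(default_factory=set)  # forbidden image/signer hashes

    def enroll_pk(self, pk_material: bytes) -> None:
        self.pk = sha256_hex(pk_material)

    def enforcing(self) -> bool:
        return self.pk is not None

    def authorize(self, image: bytes, signer: Optional[bytes] = None) -> Tuple[bool, str]:
        """Decide whether a boot image may load. A dbx hit always wins over db."""
        if not self.enforcing():
            return True, "setup mode: PK not provisioned, nothing enforced"
        candidates = {sha256_hex(image)}
        if signer is not None:
            candidates.add(sha256_hex(signer))
        if candidates & self.dbx:
            return False, "blocked: image or signer is listed in dbx"
        if candidates & self.db:
            return True, "allowed: image or signer is listed in db"
        return False, "blocked: no db entry for image or signer"


def demo() -> Dict[str, bool]:
    # Constructed sample material standing in for real certificates.
    oem_signer = b"constructed OEM signer cert"
    leaked_signer = b"constructed signer cert later revoked"
    state = SecureBootState()
    in_setup_mode = state.authorize(b"any.efi")[0]      # True: nothing enforced
    state.enroll_pk(b"constructed platform key")
    state.db.update({sha256_hex(oem_signer), sha256_hex(leaked_signer)})
    state.dbx.add(sha256_hex(leaked_signer))            # revoked via dbx
    return {
        "setup_mode_unenforced": in_setup_mode,
        "oem_signed_image": state.authorize(b"bootmgr.efi", oem_signer)[0],
        "revoked_signer_image": state.authorize(b"bootmgr.efi", leaked_signer)[0],
        "unsigned_custom_image": state.authorize(b"custom.efi")[0],
    }
```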
Code signing
- All Windows Phone 8 binaries must carry digital signatures signed by Microsoft in order to run
- Microsoft and Marketplace apps already had digital signatures
- Unlike WP7, OEM binaries will be signed by Microsoft
- With control over every layer, it becomes very complicated to integrate a non-certified process or a custom build
Windows Phone 7 application security model
- Chamber model (sandbox) with fixed permissions. Chamber types: TCB (Trusted Computing Base) for the kernel and drivers; LPC (Least Privileged Chamber) for apps; elevated rights for OS components; standard rights created ad hoc based on capabilities
- Dynamic build: capabilities are expressed in the application manifest, disclosed on the Marketplace, and define the app's security boundary on the phone
Capabilities
- Still in the process of identifying capabilities
- WP7 capabilities: Video and Still Capture; Video and Still Capture ISV; Microphone; Location Services; Sensors; Media Library; Push Notifications; Web Browser Component; Add Ringtone; Place Phone Calls; Owner Identity; Phone Identity; Xbox LIVE; Interop Services; Networking; File Viewer; Appointments; Contacts; Debug; Networking Admin
- Additional WP8 capabilities: capabilities for VxD
- Documentation: http://create.msdn.com/en-us/education/documentation
Windows Phone 8 application security model
- Dynamic build (LPC): WP8 chambers are built on the Windows security infrastructure
- TCB for the kernel; LPC for all apps, OS components and drivers
- This reduces the attack surface
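The manifest-declared capabilities from the two application security model slides and the capability list, as an added example (not Microsoft's tooling): a small Python audit that reads a WMAppManifest.xml, maps each ID_CAP_* entry to the wording the slide says is disclosed on the Marketplace, and flags identity-related capabilities for review. The ID_CAP names are real WP7-era manifest identifiers; the mapping to disclosure wording, the sensitive set and the manifest fragment are constructed for this example.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# WMAppManifest capability IDs (real WP7-era names) mapped to the wording the
# slide lists as disclosed on the Marketplace; the mapping itself is assumed.
DISCLOSURE = {
    "ID_CAP_NETWORKING": "Networking",
    "ID_CAP_LOCATION": "Location Services",
    "ID_CAP_MICROPHONE": "Microphone",
    "ID_CAP_MEDIALIB": "Media Library",
    "ID_CAP_PHONEDIALER": "Place Phone Calls",
    "ID_CAP_IDENTITY_USER": "Owner Identity",
    "ID_CAP_IDENTITY_DEVICE": "Phone Identity",
    "ID_CAP_PUSH_NOTIFICATION": "Push Notifications",
    "ID_CAP_WEBBROWSERCOMPONENT": "Web Browser Component",
}
# Identity-revealing or outward-reaching capabilities a reviewer should justify.
SENSITIVE = {"ID_CAP_IDENTITY_USER", "ID_CAP_IDENTITY_DEVICE", "ID_CAP_PHONEDIALER"}

# Constructed manifest fragment in the WMAppManifest.xml layout.
SAMPLE_MANIFEST = """<Deployment xmlns="http://schemas.microsoft.com/windowsphone/2009/deployment"
            AppPlatformVersion="7.1">
  <App xmlns="" ProductID="{00000000-0000-0000-0000-000000000000}" Title="Demo">
    <Capabilities>
      <Capability Name="ID_CAP_NETWORKING" />
      <Capability Name="ID_CAP_IDENTITY_DEVICE" />
      <Capability Name="ID_CAP_NOT_A_REAL_CAP" />
    </Capabilities>
  </App>
</Deployment>"""


def declared_capabilities(manifest_xml: str) -> List[str]:
    """Return every <Capability Name=...> in document order, namespace-agnostic."""
    root = ET.fromstring(manifest_xml)
    return [el.get("Name", "") for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "Capability"]


def audit(manifest_xml: str) -> Dict[str, List[str]]:
    """Split declared capabilities into what the listing will show, what needs
    review, and IDs the disclosure table does not know (reject or extend)."""
    caps = declared_capabilities(manifest_xml)
    return {
        "disclosed": [DISCLOSURE[c] for c in caps if c in DISCLOSURE],
        "needs_review": sorted(c for c in caps if c in SENSITIVE),
        "unknown": sorted(c for c in caps if c not in DISCLOSURE),
    }
```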
Internet Explorer 10 for Windows Phone: faster and safer browsing
- Runs in the least-privilege sandbox
- One of the fastest HTML5 browsers
- Locked down, no plug-ins
- Real-time anti-phishing protection with SmartScreen Filter
Device encryption
- Full internal storage encryption to protect information
- Built on the Windows BitLocker architecture
- Encryption is available for all phones and is turned on by policy by IT professionals
- No user experience or pre-boot PIN entry
- All internal storage is encrypted
- Removable SD card is not encrypted but can be managed
Information Rights Management (IRM)
- Helps prevent intellectual property from being leaked
- Protects emails and documents on the phone from unauthorized distribution
- Easy to deploy on Exchange Server and SharePoint
- Active Directory Rights Management supports all your Mobile Information Management (MIM) needs
Security takeaways
- Secure Boot turned on
- Security model for applications
- All binaries are signed
- Device encryption on
- Device access must be controlled!
Security is a combination of technology, process and users.
Control access to the device and applications
- Exchange ActiveSync with Exchange Server and Office 365 for email and device management: widely used for mobile email and access policy management
- App and device management with Mobile Device Management: for app distribution and access policy management
EAS / MDM enterprise policies (NA)
Policies: simple password; alphanumeric password; minimum password length; minimum number of complex characters in the password; password expiration; password history; device wipe threshold; inactivity timeout; IRM enabled; remote device wipe; device encryption (new); disable removable storage card (new); remote update of business apps (new); remote or local un-enroll (new)
Plus reporting: server-configured policy values; query installed enterprise apps; device name; device ID; OS platform type; firmware version; OS version; device local time; processor type; device model; device manufacturer; device processor architecture; device language
Simplifying management across platforms: devices & platforms, single admin console, Windows Intune
Enterprise application management across platforms
App Hub side:
1. Registration: (1) enterprise registers with App Hub; (2) enterprise downloads app tools; (3) Microsoft notifies the CA of the pending enterprise registration; (4) the CA checks that vetting is complete and generates a certificate for the enterprise
2. Get apps: (1) develop app; (2) package and sign; (3) private app catalog; (4) create device token
IT organization side:
1. Device enrollment
2. Signing tools
3. Cert and Enterprise ID registration
Windows Phone 8 supports multiple organizations' tokens
Company Hub as private marketplace
Remediate
- Remote and local wipe: admin initiated or end-user initiated; windowsphone.live.com (demo)
- Windows Update: OTA only
- Application revocation: Marketplace and enterprise apps
Robust security helps to protect information: Secure Boot, code signing, app sandboxing, device encryption
5, 6, 7 March 2013, Kinepolis Antwerp: 3 days full of fascinating technical sessions for developers and IT professionals. www.techdays.be
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.