Android Security. Device Management and Security. by Stephan Linzner & Benjamin Reimold

Similar documents
Tutorial on Smartphone Security

Chris Boykin VP of Professional Services

BYOD in the Enterprise

Lecture Embedded System Security A. R. Darmstadt, Introduction Mobile Security

Feature List for Kaspersky Security for Mobile

Security Guide. BlackBerry Enterprise Service 12. for ios, Android, and Windows Phone. Version 12.0

BYOD: End-to-End Security

Auditing the Security and Management of Smart Devices. ISACA Dallas Meeting February 13, 2014

Guideline on Safe BYOD Management

Kaspersky Security for Mobile

Secure Your Mobile Workplace

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

How to Successfully Roll Out an Android BYOD Program

BYOD Guidance: BlackBerry Secure Work Space

How To Protect Your Mobile Device From Attack

Analysis of advanced issues in mobile security in android operating system

EndUser Protection. Peter Skondro. Sophos

Choosing an MDM Platform

On the Road with SugarCRM. SugarCRM Series by Interlinx Associates, llc

Android vs. Apple ios Security Showdown Tom Eston

Google Identity Services for work

Hands on, field experiences with BYOD. BYOD Seminar

Managing ios Devices. Andrew Wellington Division of Information The Australian National University XW11

CHOOSING AN MDM PLATFORM

ONE Mail Direct for Mobile Devices

Mobile Device Management and Security Glossary

TechnoLabs Software Services Pvt Ltd. Enterprise Mobility - Mobile Device Security

Security and Compliance challenges in Mobile environment

Corporate-level device management for BlackBerry, ios and Android

BlackBerry 10.3 Work and Personal Corporate

Enterprise Mobility Management Migration Migrating from Legacy EMM to an epo Managed EMM Environment. Paul Luetje Enterprise Solutions Architect

How To Protect The Agency From Hackers On A Cell Phone Or Tablet Device

1. Introduction Activation of Mobile Device Management How Endpoint Protector MDM Works... 5

BlackBerry Universal Device Service. Demo Access. AUTHOR: System4u

1. What are the System Requirements for using the MaaS360 for Exchange ActiveSync solution?

Bring Your Own Device. Individual Liable User Policy Considerations

Managing and Securing the Mobile Device Invasion IBM Corporation

Prac%cal A)acks against Mobile Device Management (MDM) Daniel Brodie Senior Security Researcher Lacoon Mobile Security

Introducing KASPERSKY ENDPOINT SECURITY FOR BUSINESS.! Guyton Thorne! Sr. Manager System Engineering!

Practical Attacks against Mobile Device Management (MDM) Michael Shaulov, CEO Daniel Brodie, Security Researcher Lacoon Mobile Security

Securing mobile devices in the business environment

2/23/2013 BY VORAPOJ LOOKMAIPUN CISA, CISM, CRISC, CISSP Agenda. Security Cases What is BYOD Best Practice Case Study

Answers to these questions will determine which mobile device types and operating systems can be allowed to access enterprise data.

Use of tablet devices in NHS environments: Good Practice Guideline

Deploy secure, corporate access for mobile device users with the Junos Pulse Mobile Security Suite

The Truth About Enterprise Mobile Security Products

Mobile Protection. Driving Productivity Without Compromising Protection. Brian Duckering. Mobile Trend Marketing

Symantec Mobile Management 7.2

IBM Endpoint Manager for Mobile Devices

Tuesday, June 5, 12. Mobile Device Usage

{ipad Security} for K-12. Understanding & Mitigating Risk. plantemoran.com

Mobile applications security Android OS (case study) Maciej Olewiński. Cryptographic Seminar r.

Endpoint protection for physical and virtual desktops

OWA vs. MDM. Once important area to consider is the impact on security and compliance policies by users bringing their own devices (BYOD) to work.

SECURING TODAY S MOBILE WORKFORCE

Feature Matrix MOZO CLOUDBASED MOBILE DEVICE MANAGEMENT

Xperia TM. Read about how Xperia TM devices can be administered in a corporate IT environment

Mobile Workforce. Connect, Protect, and Manage Mobile Devices and Users with Junos Pulse and the Junos Pulse Mobile Security Suite.

Guidance End User Devices Security Guidance: Apple ios 7

Embracing BYOD. Without Compromising Security or Compliance. Sheldon Hebert SVP Enterprise Accounts, Fixmo.

Securing Corporate on Personal Mobile Devices

IT Self Service and BYOD Markku A Suistola

SECURITY OF HANDHELD DEVICES TAKE CONTROL OF THE MOBILE DEVICE

BlackBerry Device Software. Protecting BlackBerry Smartphones Against Malware. Security Note

Consumerization. Managing the BYOD trend successfully. Harish Krishnan, General Manager, Wipro Mobility Solutions

Ensuring the security of your mobile business intelligence

User Manual for Version Mobile Device Management (MDM) User Manual

Ibrahim Yusuf Presales Engineer at Sophos Smartphones and BYOD: what are the risks and how do you manage them?

Building Apps for iphone and ipad. Presented by Ryan Hope, Sumeet Singh

GETS AIRWATCH MDM HANDBOOK

The New Workplace: Supporting Bring your own

Smartphone Hacks and Attacks: A Demonstration of Current Threats to Mobile Devices

Secure, Centralized, Simple

Smart Givaudan. From BYOD experience to new mobile opportunities

[BRING YOUR OWN DEVICE POLICY]

Successful Mobile Deployments Require Robust Security

Connections Mobile 4.0 Update Open Mic October 23, 2012

The ForeScout Difference

Kony Mobile Application Management (MAM)

Sophos Mobile Control SaaS startup guide. Product version: 6

HOW HOSTED EXCHANGE COMPARES WITH GOOGLE APPS

Troubleshooting BlackBerry Enterprise Service 10 version Instructor Manual

Xperia TM. Read about how Xperia TM devices can be administered in a corporate IT environment

Enterprise Mobility Report 10/2014. Creation date: Vlastimil Turzík, Edward Plch

Endpoint protection for physical and virtual desktops

IT Best Practices: Mobile Policies and Processes for Employeeowned

Smartphone Security Winners & Losers

APPENDIX B1 - FUNCTIONALITY AND INTEGRATION REQUIREMENTS RESPONSE FORM FOR A COUNTY HOSTED SOLUTION

End User Devices Security Guidance: Apple ios 8

Jim Donaldson, M.S., MPA, CHC, CIPP/US, CISSP. Director of Compliance, Chief Privacy and Information Security Officer. Pensacola, Florida

Bring Your Own Device & the Consumerisation of IT: 2 Case Studies

Mobile Security: Threats and Countermeasures

FileDrawer An Enterprise File Sharing and Synchronization (EFSS) solution.

This session was presented by Jim Stickley of TraceSecurity on Wednesday, October 23 rd at the Cyber Security Summit.

perspective The battle between MDM and MAM: Where MAM fills the gap? Abstract - Payal Patel, Jagdish Vasishtha (Jags)

The Risks and Rewards of Social Media and Mobile Devices

Cisco Mobile Collaboration Management Service

Mobility Trends. Work-life modes. Lessons from the Cisco BYOD program. Thoughts for the CIO. BYOD Players. BYOD Summary. Agenda

Bell Mobile Device Management (MDM)

ForeScout MDM Enterprise

Transcription:

Android Security Device Management and Security by Stephan Linzner & Benjamin Reimold

Introducing Stephan Linzner Benjamin Reimold Consultant, Software Engineer Mobile Developer Founder of Stuttgart GTUG Bachelor-Thesis 2011 (DH Stuttgart) Mobile Developer Member of Stuttgart GTUG Contact: @onlythoughtwork XING, Facebook onlythoughtwork@gmail.com Contact: @elektrojunge XING benjamin.reimold@aformatik.de

Agenda Once upon a time... Attack vectors Security model Best practices 3rd party solutions and they lived happily ever after a conclusion.

BACKGROUND INFORMATION

consumerized IT Inversion of technology adaption Usage of private mobile devices to access corporate infrastructure Consumer market devices used as business devices

Once upon a time Until 2007

Once upon a time Until 2007 Blackberry OS, Windows Mobile OS & Symbian OS In 2007

Once upon a time Until 2007 Blackberry OS, Windows Mobile OS & Symbian OS In 2007 iphone Today Various mobile platforms for businesses

Once upon a time Until 2007 Blackberry OS, Windows Mobile OS & Symbian OS In 2007 iphone Today Various mobile platforms for businesses Future!?

Once upon a time

Why android matters 300,000 activated devices per day (Google 12/2010) Strong growth in the last year and still growing Likely one of the future dominant mobile platforms (Gartner, Nielsen, Comscore) Lots of different devices with different form factors and in different price segments (smartphones, tablets, ruggedized devices) Open source (Apache 2.0) & free

Usage scenarios Mobile interface to enterprise communication backends PIM (Lotus Notes, MS Outlook) CRM (Salesforce, Google Apps) VPN Remote desktop on mobile devices (Parallels mobile for iphone/android) Custom B2B solutions Sales force applications Mobile assistance systems

ATTACK VECTORS

General threats Private/Corperate data stored on the device Log Files stored on the device Continuous data collection (ie. geolocation tracking) Synchronization Contacts Calendar Data theft 3rd party Code

Attack vectors Technical vectors Standard malicious software (viruses, trojans) Unpatched mobile browsers Usage of open wi-fi Rooting the device (jailbreak) Bluetooth, radio vulnerabilities

Attack vectors Social vectors Loosing the device Apps (access to corporate/private data, location) (Your) kids!

Attack vectors Android specific vectors Log-cat output Attack on application messaging framework Sniffing, Fuzzing, Exploiting of Intents, Content providers Steal certificate and roll out malicious update (in theory) NDK code can bypass Android security model!?

ANDROID S SECURITY CONCEPT

Coarse-grained security model Process isolation enforced by underlying linux kernel UID Group ID Sandboxing Ressources can only be accessed by the owner application Each application running in it s own VM Explicitly sharing of resources to relax strict process boundaries (Broadcast-) Intents, Services, Content Providers, AIDL interfaces to exchange data

Fine-grained security model Permissions "A permission is a mechanism that enforces restrictions on the specific operations that a particular process can perform" End-user model

System permissions

Declaring permissions

Enforce permissions

Enforce permissions

Enforce permissions

Criticism of the security model Sandboxing & permissions are nice, but Permissions not granular enough No permission transparency Partial permissions not possible Granted permissions can t be changed (unless re-installation of the app) No approval process in android market Possibility to install apps without android market App certification

BEST PRACTICES

Managing android phones with Google Apps Restrict synchronization (with Google account) Password policies (strength, length, require password) Automatically lock the device Number of invalid passwords allowed before wipe Perform remote wipe

Microsoft Exchange? Very basic Full support with BES All (Windows Mobile) or fewer than ios (Windows Phone 7) Fewer than ios 14 policies Introduction Attack Vectors Security Model Best Practices 3rd Party Solutions Conclusion

The device management API Introduced with Android 2.2 (Froyo) Enforce password policies quality (alphabetic, numeric, alpha-numeric) length reset passwort maximum failed passwords until wipe Lock screen (maximum time to lock device) Lock screen password Wipe phone

New policies in Android 3.0 (Honeycomb) New policies DeviceAdminInfo.USES_ENCRYPTED_STORAGE DeviceAdminInfo.USES_POLICY_FORCE_LOCK DeviceAdminInfo.USES_POLICY_SETS_GLOBAL_PROXY Encrypted storage system getstorageencryptionstatus() setstorageencryption(componentname admin, boolean encrypt)

New policies in Android 3.0 (Honeycomb) Proxy support setglobalproxy(componentname admin, Proxy proxyspec, List<String> exclusionlist) Immediately lock locknow() The password policies were also beefed up, e.g. setpasswordexpirationtimeout()

Techniques Use a custom ROM Use alternative browsers from other vendors (Opera, Firefox, Dolphin) as standard browser will be patched with OS updates only Store your data in the cloud with HTTPS Prevent all logging output Educate your employees! Define policies for usage (application/permission whitelist agreements, usage agreements) Don t allow installation from unknown sources (nonandroid market sources)

Use encryption No encrypted preferences by default No encrypted application data on SD card Encrypt ALL Data Databases Preferences SD card Obfuscate

3rd party solutions Companies start to provide security solutions

and they lived happily ever after - a conclusion.

and they lived happily ever after - a conclusion. Android will be one of the major mobile platforms in the future "Don t take kindness for weakness"- Android s openness might be its biggest drawback but as well as its biggest strength Custom builds are very powerful, you can tailor the platform to your very own business needs Android already has security features but they do not come out of the box, you have to use them in your implementation! Android 3.0 (Honeycomb) is a big improvement Administration and policy management has to be improved Google Apps and 3rd party products to secure the devices are already available

Q & A???? Any Questions?????????? Introduction Attack Vectors Security Model Solutions Best Practices Other Solutions Conclusion

THX!

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information