Tablets in the Enterprise: A Hard Pill to Swallow?

Context Information Security
whitepapers@contextis.co.uk
October 2012

Context Information Security, 30 Marsh Wall, London, E14 9TP, +44 (0) 207 537 7515, www.contextis.com

Table of Contents

Introduction
Summary of Findings
Detailed Findings
Data Protection
Software Integrity
Software Updates
Access Control
Security and Configuration Profiles
Connectivity
Damage Limitation
Desktop Software
Backup and Synchronisation
ActiveSync
Device-Specific Security Recommendations
About Context
Bibliography

Introduction

It is difficult to ignore the growing presence of tablet computers in schools and workplaces around the world. Tablets are conveniently small, light and powerful, are less expensive than many laptops, yet have excellent storage facilities and connectivity. They are often sold with built-in apps or accompanying desktop software, which provides access to rich multimedia content for entertainment on-the-go and allows the tablet's data to be backed up to a local computer or to a cloud-based service. The device format is perfect for social networking, but also for creating documents, presentations and other content on-the-fly, then, with a few taps and swipes, sharing it with the management team, or the wider world. It is easy to see why growing numbers of people prefer tablets to desktops and laptops: they allow a blend of productivity, connectivity and physical freedom which has never quite been achieved before.

But the same characteristics that are seen in such a positive light by tablet users present a tough security challenge for organisations. Traditionally, it has always been possible for IT departments to build servers, desktops and laptops to their own security specifications. Most medium to large organisations have a number of templates to which machines can be built, providing at the very least a baseline level of security. Tablets are different because they are embedded devices and because manufacturers do not want any end-user application to be able to gain control of the entire device. Unrestricted physical access to the device by end users is central to the concept of tablet computing, and this means that no-one is there to ensure that a sneaky attacker doesn't poke around inside the device and insert some other memory store into the boot sequence. To combat this threat, manufacturers build in complex mechanisms to prevent modification of operating systems and proprietary apps: an absolutely vital element in building a trusted platform. Some devices are constructed in a way that makes it impossible to read unencrypted memory components, even if chips are carefully removed and analysed.

The measures put in place to enhance the security of these devices often make it harder to understand the security threats associated with a new tablet. This lack of visibility and understanding of threats means that manufacturers' claims about device security are not challenged as robustly as is necessary. Taking vendor security claims at face value is not good practice if any realistic level of security is to be achieved.

In May 2012, Context conducted a research project studying three of the most popular tablet computers: the iPad 2, the BlackBerry PlayBook and the Samsung Galaxy Tab. The goal of the research was to identify areas of security strength and weakness in relation to their suitability for enterprise use. We intended to make the findings available to individuals or organisations in the hope that appropriate countermeasures could be put in place to mitigate any hitherto undiscovered security risks. Many articles, reviews and papers have been published about the merits and failures of specific and generic tablets and how best to deploy them in an enterprise environment. Therefore, this whitepaper is not intended to act either as a deployment guide or as a review of all the security features available on the tablets examined. The purpose of this whitepaper is to present the findings of Context's research.

The research plan originally included a Windows 8 tablet. However, the release date for Windows 8 was unknown at the time the research was conducted. Although one option would have been to install the Windows 8 release candidate onto a Windows 7 tablet, there was a risk that one or more significant security changes could have been implemented in Windows 8 between the release candidate and the final version. It was decided that the research and subsequent whitepaper would focus on the iOS, Android and BlackBerry devices only, with Windows 8 to be covered in a future whitepaper, following the selection and testing of a suitable tablet. It is planned that a further whitepaper will examine the security features provided by third-party mobile device management software.

The iPad was chosen principally because of its dominance in the marketplace and its already significant presence in corporate environments. Many organisations are developing their own iPad apps to allow the tablets to be seamlessly embedded into workflows. It must already be the case that an enormous amount of sensitive data is now moving around the country on these easily-misplaced devices.

The PlayBook was chosen because of the popularity within enterprises of BlackBerry handsets and the associated infrastructure. In that context it would make sense for many organisations to choose to use BlackBerry tablets to complement their existing estate. BlackBerry handsets are usually connected to organisations' internal mail and calendar applications and are often used to access internal resources such as intranet sites. The security of the handsets has been examined on numerous occasions and found to be of a high standard, but until now it has not been known whether the use of an accompanying tablet would represent a marked increase in security risk.

Android also has a significant share of the mobile operating system market, so it made sense to examine an Android device. The Samsung Galaxy Tab was chosen because its popularity as a consumer device makes it a likely candidate for the practice of Bring Your Own Device (BYOD). On a technical level it is also a good representative of Android-based devices.

Summary of Findings

From an enterprise security point of view, these three modern tablets, including two market leaders, were very different in several important respects. All of the tablets had reasonably good support for Exchange ActiveSync, which means that the core security configuration can be managed from a central Exchange server. But there was a significant difference in the security offered by the Galaxy tablet on the one hand and the iPad and PlayBook, which were closely matched in terms of enterprise security, on the other.

The Galaxy Tab was shown to suffer from some serious security failings that make it difficult to recommend as a tool for enterprise use. As well as the documented security problems, a lack of enterprise-level management tools beyond ActiveSync means that it is difficult to manage more than a small number of these devices effectively.

We discovered that despite high levels of security in the BlackBerry and iPad, their respective accompanying desktop software suites did not encrypt backups by default, although the software did offer the option to encrypt the backups using a password. It was possible for these devices to force the use of encrypted backups through application of security policy.

The PlayBook was the only device with a workable solution to the Bring Your Own Device dilemma, in the shape of an architecture that provides very good separation between personal and work data.

Detailed Findings

This section provides the findings of our practical security research. This information should be used as a guide to help determine your organisation's current level of security exposure, and also to help plan your forward strategy for safely handling information which is stored and processed using these types of devices. Context investigated a number of areas on each device, conducting tests wherever possible to establish whether security controls were robust or weak and, ultimately, whether they were suitable for enterprise use.

Devices examined:

  Tablet Manufacturer    Tablet Model                                Operating System
  Samsung                Galaxy Tab 7.0 Plus (Wi-Fi-only version)    Android 3.2
  Apple                  iPad 2 (Wi-Fi-only version)                 iOS 5.0.1
  Research in Motion     BlackBerry PlayBook                         BlackBerry Tablet OS 2.0.1.358

Data Protection

One of the greatest risks to corporate data that resides on a tablet is unauthorised access in the event of a tablet being lost or stolen. Most tablets provide disk encryption features to try to reduce this risk, but disk encryption has not always been well implemented. In the past it has sometimes been implemented with more of an emphasis placed on remote wipe than on preventing access to the contents of the disk. The goal of this area of research was to determine as far as possible whether the tablets' disk encryption provided much real-world protection.

Apple iPad

The iPad shares the same internal file system structure as the iPhone 4 and 4S, in which the disk is split into two partitions: the system partition and the data partition. The system partition is around 512Mb in size, and contains the iOS operating system. The partition is intended to remain unaltered for the lifetime of the device, with the exceptions of changes written to system logs and updates to iOS. No user or application data is ever written to the system partition; they are always written to the data partition.

To protect user data, Apple has implemented a security feature known as Data Protection to encrypt files on the data partition. Data Protection is automatically enabled when a passcode is set on the device. 256-bit AES hardware disk encryption is present even when Data Protection has not been enabled, and encrypts the entire data partition at a block level. Cryptographic operations for this are handled by a coprocessor installed specifically for this purpose. When the device is booted, the disk encryption keys are retrieved from the system secure storage and automatically used to unlock the disk. This disk encryption implementation supports wipe functionality by allowing for the instant erasure of the master file system encryption key, without which the entire contents of the file system are, in practical terms, irretrievably lost. Although this mechanism protects data should the flash memory chip be lifted from the device, it does not protect data if the device is powered on when no passcode has been configured.

When Data Protection is enabled, all files on the data partition are encrypted with individual keys, which are transparently used by the hardware engine as it writes the files to flash memory. The process which governs the handling of the per-file keys is quite involved and is explained by Apple in their iOS security paper (1).

It is possible, using publicly-documented forensics techniques, to gain access to the encrypted contents of the data partition, even when a passcode has been set on the tablet. This is accomplished by loading a forensic toolkit into memory when the device is booted into Device Firmware Upgrade (DFU) mode (2). With Data Protection enabled, obtaining the file system encryption key first requires that the system keybag be decrypted. This is protected by the user's passcode, among other things. So once a jailbroken kernel is running on the device and the forensic toolkit has been uploaded, an attacker's first task is to perform a brute-force guessing attack on the passcode. Because the attack occurs at kernel level, it is not subject to the incremental waiting times or potential data-wipe enforced by the SpringBoard user interface.

The encryption key protecting the keybag consists of the passcode tangled with two unique hardware-based keys, neither of which can be read by firmware or application software, but which can be read by the AES processor. This means that the brute-force attack must be carried out on the iPad itself: it is not possible to perform the attack offline with a more powerful computer. Apple has introduced many encryption rounds into the passcode verification algorithm, and it takes around 80ms to perform a single verification in native code. Using the forensics toolkit, each attempt takes around 108ms. At this rate, the worst-case times taken to obtain the passcode for varying complexities are shown in the table below.

  Passcode complexity    Worst-case time to search the whole key space
  4 digits               18 minutes
  8 digits               125 days
  4 alphanumeric         50.3 hours
  6 alphanumeric         7.5 years
  8 alphanumeric         9,661 years

The times given above show the time taken to carry out a brute-force search of the entire key space. Statistically it is likely that the correct key will be found after 50% of the search space has been covered, although this approach could be refined further. This means, for example, that a passcode of six randomly-chosen alphanumeric characters can be expected to protect the encrypted contents of an iPad 2 running iOS 5.0.1 for about 3 years and 8 months. An informal poll by the author of family and friends revealed that all of them protected their iPads with at best a four-digit passcode.

Samsung Galaxy Tab

The Galaxy Tab's disk partitions are, for practical purposes, unencrypted by default. Applications and user data are stored in a partition mounted at /data, although the size of this is only around 2GB: a small portion of the device's rated storage capacity.
The rest of the internal flash storage is mounted at /mnt/sdcard and is available to store any data the user sees fit to store: multimedia files, in the majority of cases. External storage can be added to the Tab in the form of a Micro SD card, mounted at /mnt/sdcard/extstorages/sdcard.

Samsung states that, as a part of its Samsung Approved for Enterprise (SAFE) programme, the newer Galaxy range of smartphones and tablets feature hardware-based AES-256-bit encryption. Context was unable to locate details of the way in which the hardware encryption has been implemented. However, our investigations suggest that it has been implemented in a similar way to Apple's hardware encryption, in which the disk is encrypted and is transparently decrypted, without user input, on boot. This facilitates a very fast disk wipe capability and protects against chip-off attacks, but provides negligible data protection against attackers who use software-based attacks.

Given that the secure wipe facility works very quickly, but that when first enabled, encryption takes around an hour, it appears that the Galaxy Tab uses Android's 128-bit software encryption applied on top of the 256-bit hardware encryption in order to provide data confidentiality. This would also account for the slightly extended boot time experienced when encryption is enabled. As Android is built on a Linux kernel, the software encryption is performed using Linux's device mapper (dm-crypt) using 128-bit AES (3). This encryption is not enabled by default, and when enabled is applied to the internal /data and /mnt/sdcard partitions. Disk encryption is enabled through the settings menu and a separate menu item is available to encrypt the external Micro SD card. In a corporate environment, it is possible through ActiveSync policies to enforce the encryption of the device's own internal storage and the Micro SD card. However, on the Micro SD card, encryption takes place on a per-file basis, and if the card is removed, it is still possible to read the unencrypted file names from the file system.

When initialising the software encryption, a 128-bit master key is created using 128 bits of entropy from the system's pseudo-random number generator, /dev/urandom. This master key is used by dm-crypt to encrypt the file system. A salt value is also taken from /dev/urandom and used, together with the user's passcode, in the OpenSSL PBKDF2 key derivation function. This creates an encryption key with which the master key is subsequently encrypted. The encrypted master key is then stored, with a copy of the salt and the encryption algorithm details, in the crypto-footer of the partition. At boot time, the user is prompted for the encryption passcode, which is required to unlock the master key. Assuming the correct passcode is supplied, the disk can be decrypted and used transparently by the operating system.
As the salt is available in plain text, the only unknown variable needed to decrypt the master key is the user's passcode. It would be a feasible attack to take a copy of the crypto-footer and the encrypted file system, and then perform an offline dictionary attack against the encrypted disk image. It is likely that the attack could be carried out relatively quickly, especially if the attacker could distribute the attack across many computers.

BlackBerry PlayBook

The BlackBerry PlayBook supports both work and personal usage profiles. Work mode is facilitated by the BlackBerry Bridge application, which uses Bluetooth to tether the PlayBook and a BlackBerry smartphone. The Bridge application allows the tablet to access the corporate BlackBerry infrastructure via the access already provided to the phone. The file system is divided into three areas: the base file system, which is read-only and contains system files; the personal file system, which contains applications that run in personal mode together with their data; and the work file system, which contains the applications that run in work mode together with their data (4).

When a PlayBook is connected to a BlackBerry smartphone using the Bridge software, the tablet temporarily stores work data in the work file system. The work file system is encrypted using XTS-AES-256, which is an IEEE-approved AES mode for disk encryption and uses 512-bit keys. The encryption module has received FIPS 140-2 certification. The keys that the PlayBook tablet uses to encrypt the work file system are encrypted using the BlackBerry Bridge work key. The tablet stores the Bridge work key in RAM only. When the Bluetooth connection between a tablet and a smartphone closes, the tablet and the smartphone each delete their copy of the Bridge work key. All of the work data stored on the tablet is encrypted with keys encrypted using the Bridge work key, and both copies of the work key are deleted. This data and key encryption means that it is not possible to decrypt the work data after the Bluetooth connection closes and the smartphone and tablet delete their copies of the Bridge work key. No work data can be accessed on the tablet without the presence of a tethered smartphone.

However, the PlayBook does not encrypt personal data, and the contents of personal emails and messages are unencrypted on the flash storage of the device. Currently, no working jailbreak is available for the device, and it is possible to disable USB Mass Storage access to the device by disabling the File Sharing option. With this option disabled, it was not possible to gain unauthorised access to the unencrypted file system, although this will change when a working jailbreak becomes available.

Summary

For protection of corporate data, the BlackBerry tablet has the best security, although this is achieved largely by offloading many of the security requirements to a tethered BlackBerry smartphone. The disadvantage of the tablet is that it does not encrypt personal data.
When a jailbreak for the device becomes available, it will become possible for a skilled thief to access the unencrypted files. The iPad also has an excellent disk encryption facility, the weak point of which is the user's passcode. If a centrally-managed password policy of at least 8 alphanumeric characters is enforced, then the iOS disk encryption scheme will provide very strong protection against lost or stolen device scenarios. The Galaxy Tab provided software encryption support which was slightly more intrusive to use than the other solutions and would probably not be enabled by the majority of domestic users. However, it was possible to forcibly enable encryption within a corporate environment.
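The search times tabulated in the iPad section above, and this summary's recommendation of at least 8 alphanumeric characters, both follow from one calculation: the size of the key space multiplied by the time of one on-device verification, halved for the expected case. The following Go program is an added example written for this edit, not code from the whitepaper or from Context. It reproduces the paper's table from its 108ms figure and adds a policy check against a required protection period. The 36-symbol alphanumeric alphabet (digits plus one case of letters) and the 365-day year are assumptions, chosen because they reproduce the paper's figures; the output differs from the table only in rounding.

```go
package main

import (
	"fmt"
	"math"
)

// Seconds per passcode verification through the forensic toolkit, as measured
// in the whitepaper (108 ms); native verification is around 80 ms.
const SecondsPerAttempt = 0.108

// Alphabet sizes. The paper's "alphanumeric" rows reproduce with 36 symbols
// (digits plus one case of letters), so that size is assumed here.
const (
	DigitsOnly   = 10
	Alphanumeric = 36
)

// Keyspace is the number of distinct passcodes of the given length over an
// alphabet of the given size.
func Keyspace(length, alphabet int) float64 {
	return math.Pow(float64(alphabet), float64(length))
}

// WorstCaseSeconds is the time to exhaust the whole key space at the on-device
// rate. The rate cannot be improved by moving offline, because the hardware
// keys tangled into the verification never leave the AES engine.
func WorstCaseSeconds(length, alphabet int, secondsPerAttempt float64) float64 {
	return Keyspace(length, alphabet) * secondsPerAttempt
}

// ExpectedSeconds is the statistically expected time to hit a randomly chosen
// passcode: half the key space, as the paper notes.
func ExpectedSeconds(length, alphabet int, secondsPerAttempt float64) float64 {
	return WorstCaseSeconds(length, alphabet, secondsPerAttempt) / 2
}

// Humanise renders a duration in the unit the paper's table uses. A 365-day
// year is assumed because it reproduces the paper's 9,661-year figure.
func Humanise(seconds float64) string {
	const (
		minute = 60.0
		hour   = 60 * minute
		day    = 24 * hour
		year   = 365 * day
	)
	switch {
	case seconds >= year:
		return fmt.Sprintf("%.1f years", seconds/year)
	case seconds >= day:
		return fmt.Sprintf("%.1f days", seconds/day)
	case seconds >= hour:
		return fmt.Sprintf("%.1f hours", seconds/hour)
	default:
		return fmt.Sprintf("%.1f minutes", seconds/minute)
	}
}

// MeetsPolicy reports whether a passcode policy keeps the expected search time
// above a required minimum, e.g. how long a lost device must stay protected.
func MeetsPolicy(length, alphabet int, minSeconds float64) bool {
	return ExpectedSeconds(length, alphabet, SecondsPerAttempt) >= minSeconds
}

func main() {
	policies := []struct {
		length, alphabet int
		label            string
	}{
		{4, DigitsOnly, "4 digits"},
		{8, DigitsOnly, "8 digits"},
		{4, Alphanumeric, "4 alphanumeric"},
		{6, Alphanumeric, "6 alphanumeric"},
		{8, Alphanumeric, "8 alphanumeric"},
	}
	fmt.Printf("%-16s %-14s %s\n", "Policy", "Worst case", "Expected (50%)")
	for _, p := range policies {
		worst := WorstCaseSeconds(p.length, p.alphabet, SecondsPerAttempt)
		fmt.Printf("%-16s %-14s %s\n", p.label, Humanise(worst), Humanise(worst/2))
	}
	fmt.Println("8 alphanumeric keeps a lost device protected for a year:",
		MeetsPolicy(8, Alphanumeric, 365*24*3600))
}
```

`MeetsPolicy` is the form in which the figures are useful to an administrator: pick the period for which a lost device must remain protected (long enough for a remote wipe to be issued, or for the data to lose its value) and choose the shortest policy whose expected search time exceeds it.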

Software Integrity

A key goal of tablet manufacturers is to ensure that only trustworthy software is run on their devices. If applications are forced to behave in a trustworthy manner it is less likely that a piece of malicious software could access data belonging to another application. Because the physical devices are in the hands of the end-users, manufacturers achieve this goal by implementing strict cryptographic checks at key stages of the boot process. This means the operating system, when it is finally running, is guaranteed to be the original vendor's signed code. With this guarantee in place, the devices are in a position to prevent the execution of any apps not signed by a trusted software publisher. This area of testing focused on determining whether it was possible to bypass any of these checks and run unsigned code.

Apple iPad

Each step of the boot process contains components that are cryptographically signed by Apple to ensure integrity, and proceeds only after verifying the chain of trust. This includes the bootloaders, kernel, kernel extensions, and baseband firmware (1). When an iOS device is powered up, its application processor executes code from read-only memory known as the Boot ROM. This is implicitly trusted, immutable code, burned in during chip fabrication. The Boot ROM code contains the Apple Root CA public key, which is used to verify that the Low-Level Bootloader (LLB) is correctly signed by Apple before allowing it to load. This is the first step in a chain of trust in which each step ensures that the next is signed by Apple. When the LLB finishes its tasks, it verifies and runs the next-stage bootloader, iBoot, which in turn verifies and runs XNU, the iOS kernel. Once the iOS kernel has booted, it controls which user processes and apps can be run. iOS requires that all executable code be signed using an Apple-issued certificate.
Apps provided with the device, like Mail and Safari, are signed by Apple, but third-party apps must also be validated and signed using an Apple-issued certificate. Mandatory code signing extends the concept of chain of trust from the OS to apps, and prevents third-party apps from loading unsigned code resources or using self-modifying code. This means that the only way to get code to run on an iOS device is to install it through the Apple App Store. But businesses and organisations can apply to join the iOS Developer Enterprise Program (iDEP). Members of iDEP can register to obtain a provisioning profile that permits in-house apps to run on devices that it authorises. Users must have the provisioning profile installed in order to run the in-house apps. This ensures that only the organisation's intended users are able to load the apps onto their iOS devices.

Security vulnerabilities that allow for arbitrary code execution in a given stage of the boot process allow the attacker to control the subsequent boot processes. Over most versions of iOS, including iOS 6.0, hackers have discovered security vulnerabilities in most stages of the iPhone/iPad software stack.

Security vulnerabilities can be addressed by Apple by means of software updates, but not if they exist in the Boot ROM. Because the Boot ROM is immutable and the contents are set at fabrication time, vulnerabilities in existing devices cannot be patched. The best that Apple can do is fix the vulnerability in future releases of the Boot ROM on new devices. Such security vulnerabilities are the basis of jailbreaking, the practice of modifying iOS to allow the running of unsigned code. Jailbreaking tools are freely available for most versions of iOS running on all Apple iOS hardware. The majority of jailbreaking tools install a replacement XNU kernel, which is modified not to check for signed code, and an application called Cydia, a package management application. Cydia allows the installation of non-approved packages from a non-approved app store. Whilst there are plenty of useful apps available via Cydia, there are also many malware-ridden apps, created by unscrupulous developers keen to take advantage of the lack of quality control.

Samsung Galaxy Tab

Like iOS, Android normally uses an ostensibly secure boot sequence, in which each stage of the boot process verifies the signature on the next stage prior to loading and handing control to it. Unfortunately, numerous publicly-known security vulnerabilities and recovery features make it possible to gain control of the Android boot process. On the Galaxy Tab under test, it was found that both the native and recovery bootloaders were unlocked, allowing unsigned kernels to be loaded. An attacker who had gained temporary access to the device could power off the tablet and boot into recovery mode. The attacker could then exploit this mode to perform a number of actions such as rooting the device, or applying new software to the tablet.
In this state, it would be possible for an attacker to access potentially sensitive information, such as the domain credentials used by ActiveSync on the tablet, or other private application data. This is possible whether or not a password is applied.

Apps are deployed from the Google Play app store, and all apps must be signed by their authors before Android devices will install them. But Android will accept any validly signed package and there is no real chain of trust. This is one reason why there is more malware distributed through the Google Play store than through the Apple App Store.

BlackBerry PlayBook

The PlayBook's bootloader is locked, which means it will only boot code that has been signed by Research in Motion (RIM). As with iOS, each step of the boot process contains components that are cryptographically signed by RIM to ensure integrity, and proceeds only after verifying the chain of trust. No security vulnerabilities have been found in the bootloader or other elements of version 2.0.1 of the PlayBook OS, and no jailbreak was available as of September 2012.

Apps are deployed to the PlayBook via the BlackBerry App World store. The PlayBook OS supports the installation and running of Android apps which, because they have a reputation for lacking a very high degree of security or quality control, are vetted before being made available in the App World store. Android apps are considered to be for Personal mode only; the BlackBerry Runtime for Android prevents Android apps from accessing work data.

It was possible to run unsigned code via side-loading: the installation of applications from sources outside the official App World store (5). The side-loading process is not intuitive, and requires entering developer mode. Many people will not realise that the possibility to side-load applications exists.

Summary

The BlackBerry PlayBook was the only tablet on which it was not possible to gain privileged access. Both the iPad and the Galaxy Tab were easily compromised with untethered jailbreaks, although the outcomes were different in terms of the security impact a jailbreak had on the data stored on the devices. If the Galaxy Tab had not had encryption enabled, it would have been possible to access all of the data on the internal /data and /mnt/sdcard partitions. The data on the Micro SD card could be read in plain text, even though SD card encryption had been enabled. Conversely, the data on the data partition of the iPad remained protected.

Finally, the Galaxy Tab was the only device with an unlocked bootloader. In an extreme case, this would allow the installation of a completely different operating system even before any exploitation of software vulnerabilities.

Software Updates

Security vulnerabilities in software are discovered every few minutes. Tablet manufacturers need to react to the discovery of security vulnerabilities and release updated versions of their firmware in order to protect the integrity of customers' devices. As well as security fixes, software updates are often released in order to add new functionality, or to fix non-security bugs. If the software update process can be subverted, then the integrity of the whole platform should be considered untrustworthy.

Apple iPad

All software updates for non-jailbroken iPads are distributed by Apple via the App Store. This includes updates for iOS and Apple apps. Updates for third-party applications are also obtainable only from the App Store, in line with Apple's strict policy of allowing only signed code to run on iOS devices.

iOS version 5 introduced the concept of over-the-air operating system updates; previously the only method to update iOS was to connect the device to the iTunes desktop software via USB and download a complete copy of the updated iOS from Apple. iOS updates are now incremental and delivered over the air via Wi-Fi or 3G, meaning that updates are much quicker and consume less bandwidth.

All software downloads are signed by Apple and delivered over HTTPS connections. Despite significant efforts with DNS and certificate forging during testing, there was no evidence of any improper certificate validation, and software updates from servers other than Apple's servers were all rejected with a user-friendly error message. The same applied to software updates which had been altered during download.

During an iTunes-based software update, iTunes requests a signature from Apple for the software it is about to apply to the iPad. iTunes first supplies a challenge, which includes the software version and unique device ID. Apple signs the challenge, and if the signature is valid, iTunes applies the software update.
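The signing exchange just described, modelled as an added example (this is not Apple's protocol or message format, and not code from the Context report): a server that refuses to sign out-of-date versions and binds each response to device, version, nonce and an expiry, and a device-side check that shows why a cached response replays until that expiry and not afterwards. The HMAC-SHA256 with a server-held key stands in for Apple's public-key signature; the device IDs and versions are constructed.

```python
"""Model of a time-bound, device-bound update signing exchange.

Constructed example, not Apple's real protocol. The signing server stands in
for Apple, the client for iTunes, and an HMAC-SHA256 over the request (with a
key only the server should hold) stands in for Apple's signature; the checks,
not the primitive, are the point.
"""
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed server-side secret. In the real exchange this role is played by
# Apple's private signing key, and the device verifies with the public key.
_SERVER_KEY = secrets.token_bytes(32)

TICKET_LIFETIME = 3600  # seconds a signed response remains valid


def _canonical(payload: dict) -> bytes:
    """Stable serialisation so signer and verifier hash identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def _version_tuple(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))


def build_challenge(device_id: str, version: str) -> dict:
    """Client side: name the device and the software version it wants to apply.

    The nonce stops one signed response from satisfying two different requests."""
    return {"device_id": device_id, "version": version, "nonce": secrets.token_hex(8)}


def sign_challenge(challenge: dict, now: int, current_version: str) -> Optional[dict]:
    """Server side: refuse to sign anything older than the current release, then
    bind the signature to device, version, nonce and an expiry time."""
    if _version_tuple(challenge["version"]) < _version_tuple(current_version):
        return None
    ticket = dict(challenge, expires=now + TICKET_LIFETIME)
    ticket["sig"] = hmac.new(_SERVER_KEY, _canonical(ticket), hashlib.sha256).hexdigest()
    return ticket


def verify_ticket(ticket: dict, device_id: str, version: str, now: int) -> bool:
    """Device side: apply the update only if the signature is intact and the
    ticket was issued for this device and this version and has not expired.

    A response cached while its version was still being signed keeps verifying
    until 'expires' passes; after that the replay fails."""
    body = {k: v for k, v in ticket.items() if k != "sig"}
    expected = hmac.new(_SERVER_KEY, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, ticket.get("sig", "")):
        return False  # altered in transit or forged
    return (
        body.get("device_id") == device_id
        and body.get("version") == version
        and now < body.get("expires", 0)
    )


if __name__ == "__main__":
    t0 = 1_700_000_000
    dev = "CONSTRUCTED-ECID-0001"
    challenge = build_challenge(dev, "6.0")
    ticket = sign_challenge(challenge, t0, current_version="6.0")
    print("fresh ticket accepted:", verify_ticket(ticket, dev, "6.0", t0 + 10))
    print("server now on 6.1, re-sign 6.0:", sign_challenge(challenge, t0, current_version="6.1"))
    print("cached ticket after expiry:", verify_ticket(ticket, dev, "6.0", t0 + TICKET_LIFETIME))
```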
However, Apple refuses to sign software which is older than the current version. It is possible, through the use of tools such as TinyUmbrella, to cache these signed responses from Apple and re-use them at a later date to apply out-of-date iOS versions to a device. This can allow an iPad to be downgraded to an older version of iOS, usually so that the device can then be jailbroken. It should be noted that Apple's signatures are time-bound. Once the expiry date has passed, they cannot be reused.

Samsung Galaxy Tab

Software updates are delivered to the Samsung Galaxy Tab via the Kies desktop software, and then to the device over USB. This process was not fully evaluated during the time available for research. It is very likely that a non-rooted tablet would detect an illegitimately modified firmware during its signature checks, and that it would subsequently reject the update. But there is a strong likelihood that a rooted tablet would accept a maliciously modified software update.

BlackBerry PlayBook

BlackBerry PlayBook updates can be applied over USB, via the BlackBerry Desktop software, or over the air. All software updates are delivered over TLS and are digitally signed. It was not possible to update the PlayBook with a new firmware which had been modified illegitimately by subverting either of these methods. A number of offline downgrade attacks have been published, allowing PlayBooks to be downgraded to vulnerable versions of the operating system, subsequently allowing the devices to be rooted. Once rooted, the integrity of the device cannot be assured.

Summary

Both the iPad and the PlayBook rejected attempts to interfere with online software updates. It is likely that the Galaxy Tab would also reject such attempts, but this could not be confirmed during testing.

Access Control

Although tablets tend to have only one user at a time, many applications are installed simultaneously and many are often running at the same time. The applications are effectively under the control of the application developer, as the user can only see what the application wants them to see. A tablet can potentially contain hundreds of pieces of software, each from a different company or individual developer, and it is important to realise that these separate entities have no obligations to each other and there is certainly no trust relationship between them.

A tablet's user has an implicit trust relationship with each developer: he has installed that developer's code on his tablet, and he is trusting the developer not to share the small subset of data controlled by the app with the whole world. He doesn't want that developer to be able to access data from other applications, at least not without explicit consent. This area of research looked at the mechanisms for preventing access to data, either via the user interface, or programmatically, as an application.

Apple iPad

User-level access control to the device is via a passcode, ranging in configurable complexity from a four-digit PIN to an alphanumeric sequence of arbitrary length. The passcode is required to unlock the device. If a passcode is entered incorrectly, the user is forced to wait until they can make another attempt, and the waiting time between failed attempts rises exponentially. The device can be configured to erase itself after a preset number of failed attempts. The erasure is achieved cryptographically, using the same mechanism used by the remote wipe facility.

For applications, access control is imposed in iOS through the use of the Apple Sandbox.
The Sandbox environment is designed to ensure that applications cannot access areas of the file system or memory to which they should not have access, and cannot make privileged system calls or execute other code which they should not have permission to execute. From the application's point of view, there are very tight restrictions on which areas of the file system are accessible. Non-Apple applications are able to write only to their own dedicated area of the file system. No access control problems were discovered during testing of the device.

Samsung Galaxy Tab

All applications have read access to all locations under /mnt/sdcard/. This includes both the large internal and the Micro SD card storage areas, meaning that applications which store sensitive data in these areas should encrypt the data before writing it to storage. Examples of sensitive data might include cached credentials, email attachments or personal information in documents created by third-party apps.

Only some application data was found to be securely stored on the device under test, and this is likely to be the case across all Android devices. For example, ActiveSync credentials are stored in the clear within a flat-file database, allowing for easy retrieval of domain credentials by applications running as root. An attacker would require root privileges over the device to access this file, as it was stored in the /data partition and therefore subject to file system-based access controls. Once obtained, this information could be used in order to mount a more serious attack against the corporate network.

Email content was found to be securely stored within databases in the /data partition, but the same cannot be said for email attachments. Corporate email attachments, even those served from ActiveSync accounts, are downloaded to the tablet's so-called external storage, which is actually the larger internal storage partition. But on all Android devices, even an application with no privileges is permitted to read data from external storage, whilst applications which need to write to the larger internal storage will have been granted the WRITE_EXTERNAL_STORAGE permission, allowing them to overwrite the contents of any file stored in this area. As a result, any application on the tablet could potentially read the contents of the attachment, and a number of applications would be able to modify the attachments too. If an application had the Internet permission (a permission that nearly all apps request), then it would be possible for the malicious app to send corporate email attachments to a rogue server.

In the Android architecture, each app runs in the context of its own User account and Group ID within its own sandboxed Dalvik Virtual Machine (VM). The Dalvik sandbox prohibits communication with other processes, access to data, access to hardware features like GPS or camera, network access and so on. Access to resources must be declared by the application when it is packaged for deployment, and the user must review and accept the access requirements prior to installing the app. Once the app is installed, it can assume that it has been granted all the permissions it requires.
It is not possible to hide requirements from the user, as the manifest containing the access requirements is used by the Dalvik VM to grant the access. If a requirement is not requested, it is not granted. Technically, this separation works very well, but the reliance on users to determine which permissions are reasonable when they wish to install an app can lead to some poor security choices. Because they know users will typically accept almost any permission requests, this also leads to developers simply requesting more permissions than they need. The cycle continues as users are met with increasingly complex lists of permission requirements for ostensibly simple apps. Faced with a choice of functionality or security, many will choose functionality and install the app anyway.

For access via the user interface, various methods exist to secure the device:

- Unsecure: swipe to unlock. Doesn't require a pattern, PIN or password.
- Pattern: connect at least four dots.
- PIN: minimum four characters.
- Password: minimum four characters.

It was also possible to configure the Galaxy Tab to erase its contents after a number of failed login attempts, and this was a feature which could be enforced and configured by ActiveSync.

During testing, Context did not find a direct method to bypass this access control using on-device functionality. But it was possible to unlock the device remotely using the Samsung Dive product. Some investigation of the process used to do this revealed that it would be possible for any application to unlock the screen, change the password or worse. This is covered in more detail in the Damage Limitation section of this white paper.

Further access control bypasses were possible when USB debugging was enabled. This is a developer option allowing software development toolkits to push updated applications to the tablet without notification or user intervention. It is possible to access all areas of the file system when in this mode using the Android Debug Bridge (ADB). Using this method, it was possible to read in clear text the contents of the SD card, even though they were stored in encrypted form on the device.

BlackBerry PlayBook

The PlayBook uses a sandboxing security architecture in which every application, network stack or device driver runs in memory-protected user space. Each application process runs in its own sandbox, which consists of the memory and file system segments to which the application has access at a specific time. By default, each application stores its private data in its own data directory, to which only it has access. Applications can also store and access data in a shared directory. The user is prompted to permit access when an application first wants to store or access data in the shared area.

Access to hardware I/O is controlled through the authorisation manager and capabilities, such as camera and microphone access. When an application starts, the authorisation manager is invoked to set the permissions for the capabilities used by the application. In some cases, the user might be prompted to grant or deny access to a capability by an application. This decision will be remembered by the authorisation manager and applied in future instances.
Access to the user interface is controlled by a password, which is not set by default. When a password is set, the device will securely erase all stored data after ten failed login attempts.

When file sharing is enabled, it is not protected by the device password; a separate password must be set to protect personal data. The file sharing service uses CIFS over USB and Wi-Fi to enable copying of files to and from the device. A warning is presented to the user when file sharing is enabled with no password set.

When the tablet is tethered to a BlackBerry smartphone and enters work mode, the security policy on the phone is also automatically applied to the tablet. So, for example, it will be necessary to enter the phone's password to unlock the tablet.

Summary

The Samsung Galaxy Tab was affected by numerous access control security problems, while the iPad and PlayBook both provided strong access control that could not be bypassed. The PlayBook made it possible to expose files to a network with no protection, while no such facility existed on the iPad.

Security and Configuration Profiles

All three tablets allow the user to configure security settings through the user interface. They also allow security to be managed through the use of configuration profiles, although the implementation of the profiles varies between tablets. This area of research investigated whether it was possible to install a strong security configuration via profiles, and whether these security settings could be removed by users.

Apple iPad

To assist in the deployment of standard and secured device configurations, Apple provides a configuration file format called mobileconfig. This is an XML file describing a number of security and operational parameters, such as the name of the profile, whether or not it can be removed by the user, or whether it requires a PIN for removal. The bulk of the document contains the desired settings to be applied to the iPad. Most of these settings are security-related, and many of them are simply not accessible through the iOS user interface. It is possible to use mobileconfig, for example, to configure VPN connections, set password complexity requirements, force encryption of backups, and restrict the use of certain applications.

Mobileconfig files can be signed and published via a web server so that iOS devices can install the profiles if their users browse to the mobileconfig location with the Safari browser. Mobileconfig configurations can be created by the graphical iPhone Configuration Utility (ICU), which is available at no cost from Apple.

As well as configuration via mobileconfig, the iPad supports Microsoft ActiveSync policies. The iPad's ActiveSync support, as tested by Context, is detailed later in this document.

During testing, all of the supported security configuration parameters were successfully applied to the iPad. Using the user interface, it was not possible to remove profiles which had been configured as non-user-removable.
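As an added illustration (not Context's tooling and not Apple's utility), the following Python builds a mobileconfig profile carrying the two controls discussed above, a passcode complexity policy and the non-user-removable flag, and audits an arbitrary profile for weaker settings. The payload keys are Apple's documented ones; the identifiers, display names and the six-character audit baseline are constructed.

```python
"""Build and audit an iOS .mobileconfig passcode profile.

Added example, not the report's or Apple's code. Payload keys are the documented
profile keys (PayloadRemovalDisallowed, and the com.apple.mobiledevice.passwordpolicy
payload with forcePIN, allowSimple, requireAlphanumeric, minLength,
maxFailedAttempts, maxInactivity); identifiers, display names and the audit
thresholds are constructed. The output is an unsigned plist; signing is a
separate step.
"""
import plistlib
import uuid

PASSCODE_PAYLOAD_TYPE = "com.apple.mobiledevice.passwordpolicy"

# Constructed audit baseline; set it to whatever your own policy requires.
MIN_PASSCODE_LENGTH = 6


def build_profile(org_id: str, min_length: int = 8, max_failed: int = 10,
                  removable: bool = False) -> dict:
    """Return a profile dict with a single passcode policy payload."""
    passcode = {
        "PayloadType": PASSCODE_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_id}.passcode",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Passcode policy",
        "forcePIN": True,                 # a passcode is mandatory
        "allowSimple": False,             # no repeating or sequential passcodes
        "requireAlphanumeric": True,      # stronger than a four-digit PIN
        "minLength": min_length,
        "maxFailedAttempts": max_failed,  # device erases itself after this many failures
        "maxInactivity": 5,               # minutes before the device locks
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": org_id,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Corporate tablet baseline",
        "PayloadRemovalDisallowed": not removable,  # the non-user-removable flag
        "PayloadContent": [passcode],
    }


def to_mobileconfig(profile: dict) -> bytes:
    """Serialise as the XML plist that Safari or the ICU installs."""
    return plistlib.dumps(profile)


def audit_profile(data: bytes) -> list:
    """Return findings where a profile is weaker than the constructed baseline."""
    profile = plistlib.loads(data)
    findings = []
    if not profile.get("PayloadRemovalDisallowed", False):
        findings.append("profile is user-removable")
    policies = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == PASSCODE_PAYLOAD_TYPE]
    if not policies:
        findings.append("no passcode policy payload")
        return findings
    p = policies[0]
    # Apple's defaults when a key is absent: forcePIN false, allowSimple true,
    # requireAlphanumeric false. An absent key is therefore a weak setting.
    if not p.get("forcePIN", False):
        findings.append("passcode not required (forcePIN)")
    if p.get("allowSimple", True):
        findings.append("simple (repeating/sequential) passcodes allowed")
    if not p.get("requireAlphanumeric", False):
        findings.append("numeric-only passcode allowed")
    if p.get("minLength", 0) < MIN_PASSCODE_LENGTH:
        findings.append(f"minLength {p.get('minLength', 0)} is below {MIN_PASSCODE_LENGTH}")
    if "maxFailedAttempts" not in p:
        findings.append("no erase after failed attempts (maxFailedAttempts)")
    return findings


if __name__ == "__main__":
    blob = to_mobileconfig(build_profile("com.example.tablets"))
    print(blob.decode())
    print("findings:", audit_profile(blob))
```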
However, it was possible to remove policies by restoring backups which had been made before the policies had been applied; this would consequently result in the loss of data which had been stored since the non-protected backup was made.

Samsung Galaxy Tab

Android implements support for enterprise applications via the Android Device Administration (ADA) API. This API provides device administration features at the system level and facilitates the creation of security-aware applications that are useful in enterprise settings, in which IT professionals require rich control over employee devices. The Email.apk application shipped with the Galaxy Tab was used to apply ActiveSync policies to the device using the ADA API, and was also the client used to collect email from Exchange using ActiveSync.

Because the ADA API can be used by multiple applications to apply restrictions to the device, one possible scenario is that multiple applications could attempt to set differing policy settings. In such conditions, the most restrictive settings are used.

Removing the ActiveSync account removes the emails that are stored on the device (i.e. the email content in the databases) and the passwords stored in the accounts database. But it does not remove the ActiveSync policy. Furthermore, because the ActiveSync account has been removed, it is no longer possible to access email or receive further ActiveSync policy updates. In this state, the device is stuck with an ActiveSync policy which cannot be removed easily.

One method of removing the ActiveSync policy is to create and install an application which uses the ADA API to relax all of the security settings. Whilst this is non-trivial to create initially, it is the sort of attack which could be packaged up and distributed through the Internet for use by non-technical users. A simple modification can be made to the Email.apk application to prevent the application of ActiveSync policies. Examples of these patches for numerous Android versions can be found on the Internet.

BlackBerry PlayBook

BlackBerry Balance is an architectural feature included in the PlayBook (running OS 2.0) which facilitates the security management and separation of work and personal data on the same device. BES 5.0 is required to manage the policies to be enforced on the PlayBook, and it allows very fine-grained control over the actions that can be performed on the device, to a much greater extent than is enabled by the ActiveSync policies. For example, as well as setting basic security configuration such as password lengths, it is possible to disallow forwarding of work content using personal channels, and also to set very granular application control policies.

It was not possible to test whether a user could remove these policies in the time available. However, previous experience with BlackBerry products and the lack of a jailbreak for the current PlayBook suggest that it is unlikely to be achievable.
Summary

All of the devices supported basic security policy application, either via ActiveSync or by vendor-specific means. iPad users are not able to remove security policies themselves, and it is expected, though not confirmed, that this is also the case with the PlayBook. The Galaxy Tab showed good support for ActiveSync policies, though it was possible for a user, on a rooted device, to remove the ActiveSync policy but retain access to corporate email.

Connectivity

The tablets tested offered a range of connectivity options, including Wi-Fi, USB, Bluetooth and Micro SD cards. Context examined each method of connecting to the device to determine whether it was possible to compromise its security through any poorly implemented services or drivers.

Apple iPad

The iPad tested supported Wi-Fi and Bluetooth, but not 3G. The only network service available over TCP/IP was the iphone-sync service, on TCP/62078. This service is used internally when the device is synchronising with iTunes over USBMUX, and it is also used by iCloud to initiate remote operations. No security problems were identified with this service.

Bluetooth offered only the services defined in the following table. No security issues were identified in any of these services.

Service Name        Description
Wireless iAP        Proprietary iPhone Accessory Protocol
AVRCP Device        Audio/Video Remote Control Profile
Audio Source        A2DP Audio Source
Handsfree Gateway   Enable Hands-free Use of Audio Services

IEEE 802.11g connectivity was as expected, with support for all the major wireless encryption and authentication protocols; most notably, WPA2 Enterprise was well supported.

Context found that when Wi-Fi was enabled, the iPad attempted to connect to any network it had joined previously. This is a significant security concern for open wireless networks. When it is not yet associated to an Access Point, the iPad issues probe requests for previously-connected networks. An attacker could configure his own computer as an Access Point purporting to be the requested network. The iPad would then, without user intervention, connect to the computer of the attacker, who would be in a position to view and modify any network traffic generated by the iPad. It would be possible, for example, for the attacker to supply maliciously-crafted content which exploited known security vulnerabilities in the iPad and allowed the attacker to access the file system.
USB connectivity between the iPad and iTunes was encrypted with TLS.

Samsung Galaxy Tab

The version of the Galaxy Tab under test supported Wi-Fi and Bluetooth, but not 3G. There was also a Micro SD card slot. Like the iPad, the Galaxy Tab issued probe requests seeking previously-used wireless networks.

One interesting observation was that when the device is connected to the Kies desktop software via USB, TCP port 1108 is opened and accessible via wireless. The port's intended purpose is not clear. Additional network services were also opened during synchronisation over the air. The details can be found in the section on Backup and Synchronisation.

USB traffic was found to be unencrypted, potentially allowing an attacker to intercept or modify communications between the Kies desktop software and the tablet. To exploit this, an attacker would need a hardware-based USB sniffer, or would need to have installed USB interception software on the desktop machine, an activity which would require administrative privileges. In a scenario where a corporate or BYOD Galaxy Tab was plugged into an infected home computer, it is conceivable that the malware could trigger a backup of the tablet, and could potentially install malware on the tablet over the USB connection.

Bluetooth offered only the services defined in the following table. No security issues were identified in any of these services.

Service Name       Description
Voice Gateway      Enable Use of Audio Services
AVRCP TG           Audio/Video Remote Control Profile
Audio Source       A2DP Audio Source
OBEX Object Push   File Transfer and Contact Synchronisation

BlackBerry PlayBook

The PlayBook supported Wi-Fi and Bluetooth, but not 3G. Using Bluetooth OBEX, it was possible to access shared files from the personal partition, and it was also possible to share the device's Wi-Fi connection, typically sharing Internet access. A password was required to access these services, and it was not possible to bypass this access control. USB communication was found to be encrypted with TLS.

Summary

The iPad and PlayBook provided the most secure interfacing options. The Galaxy Tab was reasonably good, but exposed a serious security vulnerability during over-the-air synchronisation.
Further details of this are provided in the Backup and Synchronisation section.

Damage Limitation

In the event of the loss or theft of a tablet, some features can help to locate the device, alert passers-by and let them know how they can return the tablet. In the event of a theft, it may be better to simply wipe the contents of the device remotely and write off the value of the hardware. Context examined the implementations of these features for security problems.

Apple iPad

In the event of the loss or theft of an iPad, Apple provides a number of mechanisms to limit the effects of the loss. The first of these is Data Protection, which was discussed earlier in this section. This can be bypassed fairly easily unless an alphanumeric passcode of reasonable length is set on the device.

Apple also provides an online service called Find My iPad, which claims to be able to show on a map the location of a lost or stolen iPad. This assumes that the iPad has the Find My iPad feature enabled and Internet connectivity to the iCloud service, but if this is the case it is possible to perform a number of actions to protect the data it carries and hopefully retrieve the device.

Firstly, it is possible to display a message on the screen, even if it is locked, and have it play a sound, even if it is in silent mode. The idea is that the message can tell someone who finds it how they can return it.

Secondly, it is possible to set a passcode remotely. This will automatically enable Data Protection, and will not require re-encryption of all files on the file system. Instead, just a few class keys will need to be re-encrypted. However, it is only possible to set a four-digit passcode using this service.

As a measure of last resort, it is possible to initiate a remote wipe. This is a very quick process once the device has received the request, with the device responding within 10 seconds of the request being sent. Following a remote wipe, the device is restored to a factory-fresh state.
These services can only be used if the iPad is registered to Apple's iCloud service.

Samsung Galaxy Tab

The Samsung Dive service is an online service which provides device location and remote control capabilities of a similar nature to those offered by the iCloud service. The following features are available through the service, which requires registration with a Samsung account:

- Find My Mobile
- My Missing Mobile Tracking
- Mobile Lock with Message
- Call Restriction
- Mobile Wipe Out
- Unlock the Mobile Screen

Context found that it was possible to break ActiveSync policy through this service by removing the device password. It was still possible to access Exchange email, although the device did not receive, and could not send, new email.

The remote wipe service allows for selected or all storage areas to be wiped. If the device does not respond to the Samsung Dive service within an hour, the remote wipe request will be dropped, and another request will need to be made. When the tablet receives the remote wipe command, it is a fairly quick process to wipe the storage and return the device to a factory-reset condition. But remote wipe is achieved on unencrypted Micro SD cards by formatting the storage, and the deleted contents could still be recovered afterwards using commonly-available forensic tools.

By experimenting with the implementation of these features, Context determined that it would be possible for any app on the device to remove or change the device password, or to wipe the device at will. This vulnerability was found to affect not only the Galaxy Tab but also a number of Samsung Android devices, including the Samsung Galaxy Note. On a telephony-enabled device, further actions were possible, such as the redirection of phone calls and the silent forwarding of text messages to arbitrary numbers. The vulnerability could be exploited by creating an arbitrary application that could send broadcast intents such as those listed below:

- android.intent.action.dsm.dm_factory_reset
- android.intent.action.dsm.dm_forwarding
- android.intent.action.dsm.dm_lock_release
- android.intent.action.dm_lock_my_phone

These intents were received and acted upon by the Samsung DSMLawmo application, which is responsible for implementing the remote control functions available via the Samsung Dive service. It should be noted that it is not required for a victim user to have previously signed up for the Samsung Dive service for their device to be vulnerable.
Context has notified Samsung of this issue, and the problems have since been reported as having been fixed by Samsung through over-the-air firmware updates.

BlackBerry PlayBook

Remote wipe is implemented as a feature of BlackBerry Balance. At the time of writing there are no other options to alert users or to display messages on screen. BlackBerry provides an application and online service called BlackBerry Protect, which allows devices to be located on a map, but this is currently only available for BlackBerry smartphones. BlackBerry Balance is administered by a BES server run by corporate IT departments. There seems to be no way for owners of personal devices to remotely wipe their tablets.

Summary

Both the iPad and the Galaxy Tab provide similar damage limitation features. But the Galaxy Tab cannot be relied upon to securely erase external storage, and the Samsung Dive service appears to be slower than the iCloud service, in extreme cases taking up to 45 minutes to message a device. In addition, the way the service had been implemented on the phone introduced a significant security vulnerability. By contrast, iCloud took around 10 seconds to send a remote wipe instruction to the iPad, with the contents of the iPad then securely erased almost instantly. The BlackBerry remote wipe feature is only available for corporate users.

Desktop Software
Each tablet vendor provides software for managing its devices, allowing media, contact and document synchronisation with desktop or cloud-based services. All desktop software tested also allows users to make and restore backups of the tablets. This area of research investigated vulnerabilities associated with these pieces of desktop software.

Apple iPad
The iPhone, iPod and iPad brands are almost synonymous with the iTunes desktop software, as this has for years been the de facto method for iDevice management. Available for Windows and Mac, iTunes is primarily a media management and sharing centre for music and video. iTunes adds network media discovery and sharing services to the computers on which it is installed, and although these services can be safely disabled, device management via iTunes is not a scalable solution. Before iOS 5, it was necessary to connect all new iOS devices to iTunes in order to activate them, but this has since changed. It is now possible to operate an iOS 5 device without ever installing iTunes.

The iPhone Configuration Utility (ICU) is a graphical tool, available for Windows and Mac, used for creating device configuration profiles in the .mobileconfig format described above (see p19). When the iPad is connected via USB, the ICU can push the configuration to the device immediately. It is also possible to save the newly-created .mobileconfig profile and deploy it securely via a web server to as many iPads as request it.

Apple Configurator is a free, Mac-only configuration tool which is not very scalable and is suitable only for small deployments. It can configure up to 30 devices at a time, updating them to the latest version of iOS and installing apps and .mobileconfig configuration profiles. It also permits ongoing device management through Supervised Mode, in which supervised devices can be organised into groups, each of which has specific configurations applied.
Supervised devices can also have a standardised naming convention applied, and can be prevented from syncing with other computers and iTunes. But all management is performed over USB, so it requires physical access to the device.

Samsung Galaxy Tab
Samsung provides the free Kies software for management of Galaxy phones and tablets. In general use, Kies feels incomplete, with frequent crashes and inexplicable pauses. Context discovered a buffer overflow vulnerability within the KiesTrayAgent.exe program that could be exploited remotely. As this is a system tray agent, it runs throughout the time a user is logged into the desktop, not just when the main Kies program is running. This vulnerability was reported to Samsung shortly after discovery. All communication between Kies and the Galaxy Tab occurs in clear text.

BlackBerry PlayBook
The PlayBook is accompanied by the BlackBerry Desktop software, which allows synchronisation of media files, OS updates and, of course, data backup and restore. Enterprise integration is provided by the BES 5.0 server. All communication between the PlayBook and BlackBerry Desktop or BES is encrypted.

Summary
The iPad and PlayBook are well supported with robust management software, free of any currently-known security issues. The Galaxy Tab is supported only by Kies, although much of the file synchronisation can be done by mounting the Tab as a USB Mass Storage device and using drag and drop to transfer files. Newer firmware versions since Android 4.0 have introduced over-the-air updates, removing the need for Kies to perform software updates.

Backup and Synchronisation
Backup and synchronisation are a vital element of a tablet's lifecycle. Each of the devices tested shipped with the ability to be backed up to a desktop computer, a cloud service, or some other storage medium. Context examined the backup options available in order to discover any security weaknesses which might allow an attacker to illegitimately access private data, or to gain control over the tablet.

Apple iPad
For iOS 5 and 6 devices, the primary backup mechanism recommended by Apple is iCloud. This has significant security implications for the enterprise, including the need for direct connectivity and the storage of data in potentially untrusted data centres. In August 2012, malicious hackers took over the iCloud account of journalist Mat Honan and performed a remote wipe of all the devices associated with that iCloud account. The hackers first compromised his Google account and then his Amazon account, and gleaned enough information to mount a successful social engineering attack against Apple's iCloud support. If an attacker obtains credentials for an iCloud account, the backups are vulnerable to unauthorised access, modification or deletion.

Local backups are performed by iTunes. The default setting is for the backups to be unprotected, so they are unencrypted and readable by any person or process with read access to the file system on which the backup is stored. The backup consists of many files in SQLite and Apple property list (plist) format, together with any media files such as images, video and music. The files are assigned very long, seemingly random names without file extensions, but it is possible to sort through the files programmatically and view the contents of each. It is possible, for example, to read a list of recently-typed words from the iPad's predictive-text keyboard cache, or to read the data directly from any app's database.
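Sorting through an unencrypted backup programmatically, as the paragraph above describes, needs no knowledge of what the random-looking file names mean: the content type is evident from the first bytes of each file. The script below is an added example, not code from the report. It walks a backup directory, classifies each extensionless file as SQLite, property list or other by its magic bytes, and lists the tables or keys that are readable without any key. The backup directory it works on is constructed in a temporary folder, with invented 40-character names and sample rows, so the script runs offline.

```python
"""Triage an unencrypted iTunes backup directory by file content.

Added example, not code from the report; the sample backup directory is
constructed with invented file names and rows.
"""
import os
import plistlib
import sqlite3
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"   # first 16 bytes of every SQLite file
BPLIST_MAGIC = b"bplist00"              # binary property list header


def classify(path):
    """Identify a file by its leading bytes; backup names carry no extension."""
    with open(path, "rb") as f:
        head = f.read(16)
    if head.startswith(SQLITE_MAGIC):
        return "sqlite"
    if head.startswith(BPLIST_MAGIC) or head.lstrip().startswith(b"<?xml"):
        return "plist"
    return "other"


def sqlite_tables(path):
    """Table names in an unprotected SQLite file, opened read-only."""
    con = sqlite3.connect("file:%s?mode=ro" % path, uri=True)
    try:
        rows = con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name"
        ).fetchall()
    finally:
        con.close()
    return [r[0] for r in rows]


def plist_keys(path):
    """Top-level keys of a binary or XML property list."""
    with open(path, "rb") as f:
        data = plistlib.load(f)
    return sorted(data) if isinstance(data, dict) else []


def triage(backup_dir):
    """Return {file_name: (kind, readable_details)} for every file."""
    report = {}
    for name in sorted(os.listdir(backup_dir)):
        path = os.path.join(backup_dir, name)
        if not os.path.isfile(path):
            continue
        kind = classify(path)
        if kind == "sqlite":
            details = sqlite_tables(path)
        elif kind == "plist":
            details = plist_keys(path)
        else:
            details = []
        report[name] = (kind, details)
    return report


def build_sample_backup(root):
    """Constructed stand-in for a backup: a database, a plist and an opaque
    media blob, under invented 40-hex-character names."""
    db = os.path.join(root, "a1b2c3d4e5f60718293a4b5c6d7e8f9001122334")
    con = sqlite3.connect(db)
    con.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)")
    con.executemany("INSERT INTO notes (body) VALUES (?)",
                    [("call supplier re: contract",), ("wifi: Winter2012!",)])
    con.commit()
    con.close()
    plist = os.path.join(root, "0f1e2d3c4b5a69788796a5b4c3d2e1f000112233")
    with open(plist, "wb") as f:
        plistlib.dump({"AppleID": "user@example.com", "ProductVersion": "6.0"}, f)
    blob = os.path.join(root, "deadbeef00112233445566778899aabbccddeeff")
    with open(blob, "wb") as f:
        f.write(b"\xff\xd8\xff\xe0" + b"\x00" * 60)   # JPEG-like header
    return root


def run_demo():
    """Build the sample backup in a temporary folder and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage(build_sample_backup(tmp))


if __name__ == "__main__":
    for name, (kind, details) in run_demo().items():
        print(name, kind, details)
```

Point triage() at a real MobileSync/Backup/<device-id> folder and every SQLite database and plist in an unencrypted backup is enumerated the same way; once a table name is known, the rows can be read with the same read-only connection. If the backup is encrypted, classify() returns "other" for all the data files, since the content is no longer recognisable from its header.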
It is also possible to obtain the password to Apple accounts associated with the device, something which would allow access to iCloud backups if they were also in use. Context found that, by restoring an old backup taken before the security options were set, it was possible to remove security profile settings that had been applied by a .mobileconfig file. This method could be used to remove the device passcode, even though the device had to be unlocked before being connected to iTunes to perform the restore. Security profile settings could also be removed by manually altering backups which had been taken after the policy had been set, then restoring the altered backups.

It is possible to set a passcode to be used to encrypt backups. This does not need to be the same passcode that protects the iPad, and indeed they should be set differently. Context found that there were no complexity requirements: it was even possible to set a passcode of '1' (without the quotes). Software is readily available to purchase which will brute-force the passcode used to encrypt iTunes backups.

It is possible, using a Mobile Device Management solution, to set a security policy on the device which automatically enforces the use of encrypted backups.

Samsung Galaxy Tab
The Samsung solution for the Galaxy Tab is to use the Kies software for backups and sync. Full backups and restores can only be performed over USB. There is an option for the user to set a passcode to encrypt the backups, but the default is to save backups without encryption. Backups are not checked for integrity, and it was possible to make modifications to a backup which could then be restored. For example, it was possible to modify contact details that were later restored to the device, overwriting the existing details. Modifying policy and configuration was more difficult, as the data files contained binary and potentially encrypted data.

It is not possible to perform over-the-air backup or restore. It is possible to do some synchronisation tasks over the air (contacts, for example). No actual authentication is required, though user interaction is needed to synchronise, in that a button must be clicked within Kies. Following analysis, Context found it was possible for anyone with network access to perform certain tasks on the tablet remotely without any requirement for authentication. The vulnerability was found during analysis of the over-the-air synchronisation sequence, which happens as follows:

1. The user selects "Kies via Wi-Fi" in the device's Wireless and Network menu. This issues a trio of M-SEARCH SSDP discovery requests.
2. The Kies desktop software replies with an SSDP response in which the LOCATION header specifies an HTTP service that the Kies desktop is offering.
3. The tablet makes an HTTP request to the Kies desktop HTTP service. During this exchange, the tablet advertises a TCP port that it will open (for example TCP port 32530).
4. The Kies desktop software sends AT commands to the tablet on TCP port 32530. No authentication is required.
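The discovery half of that sequence can be modelled end to end in a few lines. The script below is an added example, not code from the report or from Samsung: it builds the M-SEARCH request the tablet multicasts, parses the SSDP reply the desktop returns and extracts the LOCATION header that the tablet then fetches over HTTP. The search target string, the reply contents and the IP addresses are constructed for illustration, since the report does not give the real Kies values. The one sanity check a client could make in this exchange, that the LOCATION host matches the address the reply arrived from, is included to show how little there is to verify: nothing in the reply is signed or tied to a shared secret, so whichever host answers first chooses where the tablet connects.

```python
"""Model the SSDP discovery step of Kies via Wi-Fi.

Added example; the ST value, reply text and addresses are constructed.
"""
from urllib.parse import urlsplit

SSDP_GROUP = "239.255.255.250"   # standard SSDP multicast group
SSDP_PORT = 1900


def build_msearch(st, mx=3):
    """The M-SEARCH request a client multicasts (the tablet sends three).

    Returns bytes suitable for socket.sendto(..., (SSDP_GROUP, SSDP_PORT)).
    """
    lines = [
        "M-SEARCH * HTTP/1.1",
        "HOST: %s:%d" % (SSDP_GROUP, SSDP_PORT),
        'MAN: "ssdp:discover"',
        "MX: %d" % mx,
        "ST: %s" % st,
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_ssdp_response(raw):
    """Unicast reply -> {header_name_lowercase: value}.

    SSDP header names are case-insensitive, so they are normalised here.
    """
    text = raw.decode("ascii", errors="replace")
    head = text.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    if not lines[0].startswith("HTTP/1.1 200"):
        raise ValueError("not an SSDP 200 OK reply: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def service_location(raw, from_addr=None):
    """URL the client will contact next, taken from the LOCATION header.

    Nothing in the reply proves who sent it; the only check available is
    that the advertised host matches the address the reply came from,
    which is enforced when from_addr is given.
    """
    headers = parse_ssdp_response(raw)
    loc = headers.get("location", "")
    parts = urlsplit(loc)
    if parts.scheme != "http" or not parts.hostname:
        raise ValueError("missing or non-HTTP LOCATION header: %r" % loc)
    if from_addr is not None and parts.hostname != from_addr:
        raise ValueError("LOCATION host %s differs from responder %s"
                         % (parts.hostname, from_addr))
    return loc


# Constructed reply in the shape an SSDP responder returns; the service
# name, server string and address are invented.
SAMPLE_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"EXT:\r\n"
    b"Location: http://192.168.1.20:8080/kies/desc.xml\r\n"
    b"SERVER: Windows/6.1 UPnP/1.0 KiesResponder/1.0\r\n"
    b"ST: urn:example:service:kies:1\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000001::urn:example:service:kies:1\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(build_msearch("urn:example:service:kies:1").decode("ascii"))
    print("client will fetch:", service_location(SAMPLE_REPLY, "192.168.1.20"))
```

Once the tablet has followed LOCATION and advertised its own TCP port, the report's step 4 is a plain TCP connection carrying AT commands, so a host that won the discovery race, or any host on the Wi-Fi segment while the session is open, can issue those commands without presenting any credential.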
The behaviour was also confirmed on a Samsung Galaxy Note handset and, again, no authentication was required. This vulnerability could be exploited in two ways:

- by an app on the device that has been granted the Internet permission (android.permission.INTERNET);
- by a network-based attacker (only while the tablet is connected to the Kies desktop software via Wi-Fi).

An unauthenticated attacker or app could potentially exploit this condition to gain unauthorised read/write access to stored SMS messages, calendar entries, the contact list and external storage. Context has been working with Samsung to amend this issue, and the problems revealed in the course of our research have since been reported as fixed by Samsung through over-the-air firmware updates.

The Galaxy Tab supports mounting as a USB Mass Storage device, permitting access to the internal /mnt/sdcard partition and also the external Micro SD card. This allows the use of third-party backup tools or manual drag and drop onto another device. Any backups taken by this method will be stored without encryption on the target disk unless the backup destination is an encrypted container. Data saved on the /data partition cannot be backed up in this way, and therefore this backup method is really only suitable for application data which has not been stored in that location: media files, for example.

BlackBerry PlayBook
Backups and synchronisation are performed over USB within a TLS tunnel between the PlayBook and BlackBerry Desktop. The default behaviour is for backups to be stored without encryption, although it is possible for the backups to be encrypted with a password. There is no integrity checking on the backups, so it is possible to alter the backup data without immediate detection. But it is not possible to modify device policy by altering the backups. There is no over-the-air backup or synchronisation capability. The PlayBook allowed personal data to be backed up using a file sharing service which could be accessed over Wi-Fi. No special software was required for this, as the share was presented via the widely-supported CIFS protocol.

Summary
All of the tablets have the capability of encrypting backups, but the default setting for each is to store the backups in plain text. The iPad's and the PlayBook's backup, restore and synchronisation processes were robust. In contrast, the Galaxy Tab's backup mechanism through Kies was not so reliable. The Galaxy Tab was the only tablet to offer over-the-air synchronisation, although the manner in which the feature was implemented introduced a serious security vulnerability.

ActiveSync
Security policy can be pushed onto tablets in order to reduce the security risk created when a mobile device is allowed access to corporate resources. Policy can be enforced on a device through a number of means. Typically, companies allow access to corporate resources such as email while imposing restrictions and security settings through Microsoft ActiveSync or third-party software. ActiveSync offers a number of settings, configured through Microsoft Exchange, that could potentially be used to increase the security of the tablet. In reality, only a subset of the configuration settings is supported by the various tablets, and therefore only limited settings can be applied to the device.

Apple iPad
Support for ActiveSync was simple to configure, and reasonably well implemented. The credentials for the service are stored in the system keychain, which is protected by strong encryption when Data Protection is enabled with a reasonably strong passphrase.

Samsung Galaxy Tab
Support for ActiveSync was simple to configure and reasonably well implemented. However, Context found that the ActiveSync credentials were stored without encryption within the accounts table in the /data/system/accounts.db database, and also within the HostAuth table in the /data/data/com.android.email/databases/EmailProvider.db database. If these credentials were obtained by an adversary, it is very likely that they could be used with significant impact against the corporate infrastructure. It is possible to set SSL transport encryption with ActiveSync, but it is also possible to configure a setting that accepts any SSL certificate, even an invalid one. This would allow an attacker to transparently intercept ActiveSync traffic and eavesdrop upon emails.

BlackBerry PlayBook
Version 2.0 of the Tablet OS introduced support for ActiveSync, so it is a relatively new feature to the PlayBook.
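A check for the Galaxy Tab finding above, as an added example rather than code from the report: given copies of accounts.db and EmailProvider.db pulled from a device, it reports every account row whose password column holds a clear-text value, without echoing the secret itself. The two databases are created here in a temporary directory with constructed rows and deliberately simplified schemas that keep only the columns the check reads; the table and column names used (accounts.name/password and HostAuth.login/password) are the author's assumption about the stock Android AccountManager and Email app databases of the period, so adjust CHECKS to the schema found in the pulled files.

```python
"""Report clear-text credentials in pulled Android account databases.

Added example, not code from the report. The databases are constructed
here with simplified (assumed) schemas and invented rows.
"""
import os
import sqlite3
import tempfile

# file name -> (table, user column, password column); assumed schema, edit
# to match the databases actually pulled from the device.
CHECKS = {
    "accounts.db": ("accounts", "name", "password"),
    "EmailProvider.db": ("HostAuth", "login", "password"),
}


def plaintext_credentials(db_path, table, user_col, pass_col):
    """[(user, password_length)] for rows whose password column is set.

    The identifiers come from the trusted CHECKS table, not from input, so
    string formatting into the statement is acceptable here. The file is
    opened read-only so an evidence copy is never modified.
    """
    con = sqlite3.connect("file:%s?mode=ro" % db_path, uri=True)
    try:
        rows = con.execute(
            "SELECT %s, %s FROM %s WHERE %s IS NOT NULL AND %s <> ''"
            % (user_col, pass_col, table, pass_col, pass_col)
        ).fetchall()
    finally:
        con.close()
    return [(user, len(pw)) for user, pw in rows]   # length only, never the secret


def audit(pull_dir):
    """Run every check in CHECKS over the database files present in pull_dir."""
    findings = {}
    for fname, (table, user_col, pass_col) in CHECKS.items():
        path = os.path.join(pull_dir, fname)
        if os.path.exists(path):
            findings[fname] = plaintext_credentials(path, table, user_col, pass_col)
    return findings


def build_sample_pull(root):
    """Constructed databases standing in for a device pull."""
    con = sqlite3.connect(os.path.join(root, "accounts.db"))
    con.execute("CREATE TABLE accounts (_id INTEGER PRIMARY KEY, "
                "name TEXT NOT NULL, type TEXT NOT NULL, password TEXT)")
    con.executemany(
        "INSERT INTO accounts (name, type, password) VALUES (?, ?, ?)",
        [("jsmith@corp.example", "com.android.exchange", "Winter2012!"),
         ("jsmith@gmail.example", "com.google", None)])   # token-based, no password
    con.commit()
    con.close()
    con = sqlite3.connect(os.path.join(root, "EmailProvider.db"))
    con.execute("CREATE TABLE HostAuth (_id INTEGER PRIMARY KEY, protocol TEXT, "
                "address TEXT, port INTEGER, login TEXT, password TEXT)")
    con.execute("INSERT INTO HostAuth (protocol, address, port, login, password) "
                "VALUES ('eas', 'mail.corp.example', 443, 'CORP\\jsmith', 'Winter2012!')")
    con.commit()
    con.close()
    return root


def run_demo():
    """Build the sample pull in a temporary folder and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit(build_sample_pull(tmp))


if __name__ == "__main__":
    for db, rows in run_demo().items():
        for user, length in rows:
            print("%s: %r has a %d-character clear-text password" % (db, user, length))
```

On a real pull the same Exchange password typically appears in both files, which is why the audit walks both; a device that stores only tokens, as the second accounts row does, produces no finding.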
The vast majority of ActiveSync policies supported by Exchange 2010 were supported. This was the only tablet to support application black- and whitelisting via ActiveSync.

Summary of ActiveSync Support
The following table details which of the ActiveSync settings were supported by each of the tablets under test.

Notes
[1] It is possible to prevent download of attachments to the device through the ActiveSync email account, but not through the consumer email account.
[2] During review, it appeared that desktop synchronisation could be prevented over USB, but not over Wi-Fi.

Category             Item                                                                     Galaxy Tab   iPad   PlayBook
Password             Require password                                                         N/A          Yes    Yes
Password             Require alphanumeric password                                            Yes          Yes    Yes
Password             Minimum number of character sets                                         Yes          Yes    Yes
Password             Enable password recovery                                                 No           No     No
Password             Require encryption on device                                             Yes          N/A    N/A
Password             Require encryption on storage card                                       Yes          N/A    N/A
Password             Allow simple password                                                    No           Yes    Yes
Password             Number of failed attempts allowed                                        Yes          Yes    Yes
Password             Minimum password length                                                  Yes          Yes    Yes
Password             Time without user input before password must be re-entered (in minutes)  No           Yes    Yes
Password             Password expiration (days)                                               Yes          Yes    Yes
Password             Enforce password history                                                 Yes          Yes    No
Sync Settings        Allow HTML-formatted email                                               Yes          No     Yes
Sync Settings        Allow attachments to be downloaded to device                             Partial [1]  No     Yes
Device               Allow removable storage                                                  Yes          N/A    Yes
Device               Allow camera                                                             Yes          Yes    Yes
Device               Allow Wi-Fi                                                              Yes          No     Yes
Device               Allow infrared                                                           N/A          N/A    N/A
Device               Allow internet sharing from device                                       N/A          N/A    N/A
Device               Allow remote desktop from device                                         N/A          N/A    N/A
Device               Allow desktop synchronisation                                            Partial [2]  N/A    Yes
Device               Allow Bluetooth                                                          Yes          No     Yes
Device Applications  Allow browser                                                            Yes          Yes    Yes
Device Applications  Allow consumer mail                                                      No           No     No
Device Applications  Allow unsigned applications                                              N/A          N/A    N/A
Device Applications  Allow unsigned installation packages                                     N/A          N/A    N/A
Other                Allow applications                                                       N/A          No     Yes
Other                Blocked applications                                                     N/A          No     Yes

"Enable password recovery" is described in Exchange as: "Select this check box to enable password recovery for the mobile phone. Users can use Outlook Web App to look up their recovery password and unlock their mobile phone." None of the tablets supported it.

Device-Specific Security Recommendations
None of the devices had perfect security, and potential users of the tablets should consider the merits and risks of each device before authorising its use in a corporate environment. This section describes some mitigating steps users can take to reduce the risks identified with each type of tablet.

Apple iPad
- Ensure that firmware is kept up to date by enabling over-the-air updates.
- Enforce an alphanumeric password of eight characters or more; this dramatically increases the strength of the disk encryption. Do not use dictionary words or predictable character sequences. Use mixed-case alphanumerics and special characters.
- Set a strong password on iTunes backups if these are going to be used. This cannot be enforced with ActiveSync, although it can be enforced through a configuration profile (for example one created with the iPhone Configuration Utility) or a mobile device management solution.
- Use different passwords for backups and for the device.
- In corporate environments, disable connection to iTunes via device policy.
- Turn off Wi-Fi and Bluetooth when they are not required.

Samsung Galaxy Tab
- Ensure that the device firmware and the Kies software (if used) are kept up to date.
- Ensure that USB Debugging is disabled.
- Disable the "Kies via Wi-Fi" service.
- Enforce an alphanumeric password of eight characters or more; this dramatically increases the strength of the disk encryption. Do not use dictionary words or predictable character sequences. Use mixed-case alphanumerics and special characters.
- Enable disk encryption on all available partitions.
- Ensure that custom-built applications encrypt any sensitive data and store it in the app's data directory on the /data partition.
- Set a strong password on Kies backups. This will require user education, as it cannot be enforced with ActiveSync.
- Use different passwords for backups and for the device.
- Turn off Wi-Fi and Bluetooth when they are not required.
BlackBerry PlayBook
- Ensure the firmware is kept up to date by enabling over-the-air updates.
- Use BlackBerry Balance to manage the device in a corporate setting.
- Set a strong password on BlackBerry Desktop backups. This may require user education, as it cannot be enforced with ActiveSync.
- Use different passwords for backups and for the device.
- Turn off Wi-Fi and Bluetooth when they are not required.

Conclusions
From an enterprise security point of view, these three tablets were very different in several important respects. There was a significant difference in security levels between the Galaxy Tab and the iPad and PlayBook, which were much more closely matched for enterprise levels of security.

The Galaxy Tab was shown to suffer from some serious security failings that make it difficult to recommend as a tool for enterprise use. As well as the documented security problems, a lack of enterprise-level management tools beyond ActiveSync means it is very difficult to manage more than a small number of these devices effectively.

The iPad was shown to offer surprisingly good levels of security for what is predominantly a domestic consumer device, including robust data protection and damage limitation facilities. The iPad was not so impressive in some other respects: jailbreaks are produced regularly, and the disk encryption can still be broken with no prior knowledge of the passcode if a weak passcode has been set. Fortunately, configuring the device with a password that meets typical corporate security policies greatly improves the security of the disk encryption. In common with the Galaxy Tab, from a management standpoint the iPad is quite difficult to manage in any quantity using the available Apple tools.

The BlackBerry PlayBook was found to be far more advanced in its readiness for the Bring Your Own Device era than either of the other two tablets. The Balance architecture, in combination with the Bridge application, appears to provide excellent logical and data separation between work and personal modes.

There were also some surprising findings. The iPad showed that although great thought and complexity had gone into its disk encryption scheme, the default behaviour for iTunes backups was still to store the files in clear text. The same issue also applied to the BlackBerry, which was surprising given RIM's reputation for security.
The security limitations of the Samsung tablet, in particular the fact it did not ship with a locked bootloader, and the fact that disk encryption was software-based and disabled by default, suggest that Samsung still has some distance to cover in its security thinking before it can challenge the likes of Apple and RIM.

About Context
Context Information Security is an independent security consultancy specialising in both technical security and information assurance services. The company was founded in 1998. Its client base has grown steadily over the years, thanks in large part to personal recommendations from existing clients who value us as business partners. We believe our success is based on the value our clients place on our product-agnostic, holistic approach; the way we work closely with them to develop a tailored service; and the independence, integrity and technical skills of our consultants. The company's client base now includes some of the most prestigious blue chip companies in the world, as well as government organisations. The best security experts need to bring a broad portfolio of skills to the job, so Context has always sought to recruit staff with extensive business experience as well as technical expertise. Our aim is to provide effective and practical solutions, advice and support: when we report back to clients we always communicate our findings and recommendations in plain terms at a business level as well as in the form of an in-depth technical report.