Remediate the Pixel4 and Galaxy S10 biometric security flaws with Workspace ONE

I am pretty sure you’ve already heard about the issues with the Samsung Galaxy S10 fingerprint sensor and Google Pixel 4 Face Unlock. Both companies have acknowledged the issues and committed to releasing the patches “soon” (Samsung is said to be testing fixes in certain countries already). What can you do in the meantime? With Workspace ONE and Android Enterprise it is easy!


Hidden TCPdump and ETHtool on VMware UAG

VMware UAG (Unified Access Gateway) is a cool little security appliance, deployable on vSphere, AWS, Azure, etc., that hosts a lot of Workspace ONE edge services: Horizon Proxy, Web Reverse Proxy, Tunnel VPN Gateway, Content Gateway and (since 3.6) the Secure Email Gateway. The challenge is that the thing was built to be headless and super-secure, which means it is almost bare inside. And this is not helpful when troubleshooting.

While watching a VMworld 2019 Session (links at the bottom) I found out that there is actually a hidden tcpdump and ethtool installer, which was first made for our own support services, but is generally available for everyone now.

All you need to do is run the /etc/vmware/gss-support/install.sh command from the UAG CLI. Of course, it is highly advisable to remove the tools via /etc/vmware/gss-support/uninstall.sh once the troubleshooting is done!

ADV1798BU – Unified Access Gateway Securing Virtual Desktop and App Access

In case you need a refresher on TCPdump and ETHtool:

With TCPdump I usually prefer capturing everything into a PCAP file and then loading it into Wireshark for analysis. Now we only need NetCat to be able to stream it conveniently to a remote host.

That is it for today – enjoy, and let me know if it was helpful!

On Apple, Security by Obscurity and WS1 Trust Network.

In the last several weeks a number of bugs were found in Apple’s iOS, macOS and protocols. This coincided with a partner workshop last Friday, where the decisive argument was “Have you ever heard of an Antivirus for an iPhone”.

Apple is well known for refusing to publish any details behind the inner workings of its solutions, locking everything that may be locked down and suing all those who try to work around those limitations.

Despite all that, flaws are being found, iOS was jailbroken again (because Apple unpatched a fix they implemented in 12.3) and malware on the App Store is just as common as everywhere else.

Security Researchers about Apple’s Security Through Obscurity

Apple iOS User Enrollment vs Android Enterprise and the real MDM needs #WWDC2019

Every WWDC has a session called What’s New in Managing Apple Devices. This year’s one was no exception. During this session Apple presented their new take on BYOD called User Enrollment. Here’s my brief analysis and comparison with Android Enterprise. Links to the source video, slide deck and some other useful resources are below.
TL;DR: Good stuff, but fell short.

iOS 13 User Enrollment. This and other pictures are from the original slide deck linked below.

Interesting stats on Android Security and AER Program [2019 Android Enterprise Summit]

During the Android Enterprise Partner Summit 2019 London (watch the link for the presentation decks when they come out) Google showed some interesting graphs and charts based on their own stats and the research that HMD Global (Nokia) did in 2018. You can read the research for full details, and the rest of the pics are below. Sorry for the quality – those are photos from a fairly weird projection screen.

I don’t have much time to write long posts so will stick to the shorter format for the time being.


Modern mobile security: people or devices? (with Dilbert)

I really like this slide from the IDC presentation for Google’s Enterprise Partner Summit 2019 (available in public access here).

A slide from IDC: The Evolution of Android in the Enterprise (c) IDC

Note that the technical threats begin at position number 7! But the top 6 are dominated by the threats based on the user behaviour (and the lack of proper tools/policies that allow such behaviour)!

Why does that happen? What can be done? Read on to learn more and see some Dilbert!


Device Compliance with Identity Manager – the less obvious implementation details

Everyone likes the idea of Device Compliance checks. It allows us to differentiate between Company-issued, BYOD-enrolled, private and totally foreign devices, assess their security posture and execute access decisions based on this vital data, expanding our Conditional Access options. It is also extremely easy to use, just like that (VIDM Admin Console):

Device Compliance can be easily added to any authentication method …yes

Right?

Wrong! Try it yourself and see if it works. In this post we will discuss some of the less obvious, but perfectly logical restrictions that Device Compliance imposes on your selection of authentication methods.
