Modern mobile security: people or devices? (with Dilbert)

I really like this slide from the IDC presentation for Google’s Enterprise Partner Summit 2019 (available in public access here).

A slide from IDC: The Evolution of Android in the Enterprise (c) IDC

Note that the technical threats begin at position number 7! But the top 6 are dominated by the threats based on the user behaviour (and the lack of proper tools/policies that allow such behaviour)!

Why does that happen? What can be done? Read on to learn more and see some Dilbert!

(more…)
Advertisements

Device Compliance with Identity Manager – the less obvious implementation details

Everyone likes the idea of Device Compliance checks. It allows us to differentiate between Company-issues, BYOD-enrolled, private and totally foreign devices, assess their security posture and execute access decisions based on this vital data, expanding our Conditional Access options. It is also extremely easy to use, just like that (VIDM Admin Console):

Device Compliance can be easily added to any authentication method …yes

Right?

Wrong! Try it yourself and see if it works. In this post we will discuss some of the less obvious, but perfectly logical restrictions that Device Compliance imposes on your selection of authentication methods.

(more…)

Securing work contacts while keeping caller ID 03: iOS with Boxer

I had a week of customer meetings, each (literally!) asking the same question: “How can I prevent WhatsApp from grabbing the corporate contacts on my device?”

In this series of posts we will explore the options of deploying corporate email/contacts/calendars with the goal of maximal work/personal contact separation, while trying to minimally impair the user experience (such as the Caller ID).

Table of contents:

(more…)

Securing work contacts while keeping caller ID 02: Android

I had a week of customer meetings, each (literally!) asking the same question: “How can I prevent WhatsApp from grabbing the corporate contacts on my device?”

In this series of posts we will explore the options of deploying corporate email/contacts/calendars with the goal of maximal work/personal contact separation, while trying to minimally impair the user experience (such as the Caller ID).

Table of contents:

(more…)

Securing work contacts while keeping caller ID 01: Android vs iOS

I had a week of customer meetings, each (literally!) asking the same question: “How can I prevent WhatsApp from grabbing the corporate contacts on my device?” This happens more often than you think – the infamous GetContact collected over 3.5B contacts in just a few months, all of which were officially available for sale! With GDRP in effect, how much could this cost?

Of course, both iOS and Android offer means to securely lock down enterprise data on BYOD devices. But this comes at a price of usability, the most cited problem being the caller it. We know that in the modern day an unhappy and discomforted user is essentially a backdoor waiting to happen. How can we keep this balance between security and productivity?

In this series of posts we will explore the options of deploying corporate email/contacts/calendars with the goal of maximal work/personal contact separation, while trying to minimally impair the user experience (such as the Caller ID).

We will explore several approaches, their limitations and shortcomings for iOS and Android. This post lays the foundations and provides a TL:DR style summary/comparison of my current findings.

Table of contents:

(more…)

iOS Trustjacking protection with EMM

Trustjacking is a new “scary” attack on iOSnew “scary” attack on iOS devices, exploiting user’s lack of understanding or what’s going on. When plugging into an unknown computer or charger user may choose to “trust” it, which allows the remote device quite a degree of access to iPhone/iPad data. Many don’t realize that this trust remains after the device is disconnected and may be exploited, for instance, via Wi-Fi, if Wi-Fi sync is enabled. Many others also think that this trust is necessary for charging.

ios20blog2021-e1524555570975.png
What is really should read: “Your settings and data will be accessible from this computer even after disconnected. You DON’T need this for charging”

Basically, Apple should have looked at how Android 6+ has a “charge only” USB mode by default, fixed the wording and be done with it.

Protecting from this attack is extremely simple on Supervised (DEP) devices via EMM.

Here’s how it’s done via AirWatch, but any other major EMM will have something similar – this is Apple’s standard OS feature.

iOS Trustjacking AW
iOS Trustjacking protection: it only takes one tick

As a bonus, this will prevent not just the Trustjacking attack, but many other threats and leaks, since it blocks everything.

Wondering, how many had this configured before the Trustjacking news?

Bypassing Android security via backups (PSK recovery)

In my recent Android trainings and the Android security talk I gave at AppForum 2014 I was asked to provide a sort of a demo that can be easily replicated to explain the importance of maintaining a proper security posture. So I created a script that ‘recovers’ PSKs from the device and displays them.

Before moving on, a brief disclaimer: Android (or iOS, or Windows) are pretty secure, it is up to the user how much of this security is traded for convenience (or ignorance).

(more…)