Mobile Device Protocol

Post on 24-Feb-2016


Mobile Device Protocol

Sunil Vallamkonda, 11/19/2012

Previous topics

• Security: AAA RADIUS, IPSec etc.
• Virtualization
• Cloud Technologies

Contact: sunil_vall@yahoo.com

Discussion

• Introduction
• Concepts
• Trends
• Q&A

Do not cover:
• Protocol Specifications
• Vendor details
• Certificates

Background

• Already offered by vendors: MS update, Sicap
• Client-Server based technology.
• Application protocol.
• Brings features such as:

o Updates: remote configuration/provisioning, backup.
o Monitor: license, troubleshoot and diagnose.
o Accounting: logging and reporting.
o Tracking: GPS and breadcrumb mapping.

History

Approaches

• Vendor specific: Smart Message text, NOK-ERIC OTA, etc.

• OMA groups: CD, inter-op, DM, etc.
• Models: SaaS, On-site, mixed.
• BYOD: Hybrid employee/corporate mix.

Vendors
• Apple: APNS
• Android (Google): C2DM
• AirWatch: ActiveSync
• BlackBerry: Push

Availability:
- Specs
- APIs
- Implementation
- Reference deployments

Vendors (contd)

Competition

BYOD

• From a recent AT&T survey: “40% of small business employees use smartphones for work and two-thirds use tablets…”

• BYOD survey (source: Ponemon Institute): 51% of organizations lose data through mobile devices.

IPCU

Challenges

• Centrally Manage
• Security: BYOD identity, access rights, privileges, etc.
• Scalability: Apps, Devices, Users.
• Complexity: Policies
• Vendor Variances: iOS, Android, ActiveSync, Windows Phone, BlackBerry etc.
• Enterprises: requirements and use case life cycles.
• Roles, multi-tenants.
• Compliances!

Process

Packet

Check-in

Pkt Trace

Trace (contd)

Push Notification

• The device must match three items for a push notification to trigger an MDM response, viz:

• the Device Token (without which the notification will never reach the device), and

• the Push Magic token (without which the MDM client will just discard the notification).

• Finally, the “Subject Name / User ID” field in the push notification certificate used to sign the notification must match the “Topic” field in the MDM profile.

Schema

Device-MDM

Notif (contd)

Command sequence

Commands

First, the device must make a persistent connection to the APNS server. Then, for every MDM server command:

plist

iOS MDM commands

plist

plist response

Device Lock
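The following is an added example, not code from the slides, that walks through the push-notification matching rule (Device Token, Push Magic, certificate UID equal to the profile Topic) and the command round trip that follows it (persistent APNS connection, then one plist command and one plist response per MDM server command, shown here with Device Lock). Field names follow Apple's MDM protocol (`mdm` in the push payload, `CommandUUID`, `RequestType`, `Status`, `UDID`); every token, UDID and topic value is constructed for the demonstration, and the network transport is replaced by in-process function calls.

```python
"""Added example: simulates both sides of the iOS MDM push + command exchange.
All identifiers below are constructed; no real APNS or MDM server is involved."""
import plistlib
import uuid

# What the installed MDM profile on the device says (constructed values).
PROFILE = {
    "Topic": "com.apple.mgmt.External.11111111-2222-constructed",
    "ServerURL": "https://mdm.example.invalid/mdm",
}

# What the MDM client last reported to the server at check-in (constructed).
DEVICE_STATE = {
    "UDID": "constructed-udid-0001",
    "Token": bytes.fromhex("01020304"),      # APNS device token
    "PushMagic": "CONSTRUCTED-PUSH-MAGIC",   # must appear in the push payload
}


def server_build_push(cert_subject_uid):
    """Server side: the push the MDM server hands to APNS.
    The payload carries only the PushMagic; APNS routes by device token."""
    return {
        "device_token": DEVICE_STATE["Token"],
        "payload": {"mdm": DEVICE_STATE["PushMagic"]},
        "cert_subject_uid": cert_subject_uid,   # UID of the signing push cert
    }


def device_accepts_push(notification):
    """Device side: the three conditions from the slide, checked in order.
    Returns (accepted, reason)."""
    if notification["device_token"] != DEVICE_STATE["Token"]:
        return False, "wrong device token: notification never reaches device"
    if notification["cert_subject_uid"] != PROFILE["Topic"]:
        return False, "push cert UID does not match the profile Topic"
    if notification["payload"].get("mdm") != DEVICE_STATE["PushMagic"]:
        return False, "PushMagic mismatch: MDM client discards notification"
    return True, "device checks in"


def device_checkin():
    """Device side: the Idle status the client sends when it wakes up."""
    return plistlib.dumps({"Status": "Idle", "UDID": DEVICE_STATE["UDID"]})


def server_build_command(request_type):
    """Server side: one MDM command plist, tagged with a fresh CommandUUID."""
    cmd_uuid = str(uuid.uuid4())
    body = {"CommandUUID": cmd_uuid, "Command": {"RequestType": request_type}}
    return cmd_uuid, plistlib.dumps(body)


def device_handle_command(plist_bytes):
    """Device side: parse the command and answer with a response plist."""
    cmd = plistlib.loads(plist_bytes)
    request_type = cmd["Command"]["RequestType"]
    # Only the command types this toy client implements are acknowledged.
    status = "Acknowledged" if request_type in {"DeviceLock"} else "Error"
    response = {
        "CommandUUID": cmd["CommandUUID"],
        "UDID": DEVICE_STATE["UDID"],
        "Status": status,
    }
    return plistlib.dumps(response)


def server_check_response(expected_uuid, plist_bytes):
    """Server side: accept a response only for the command it actually sent,
    from the enrolled UDID, and only if the device acknowledged it."""
    resp = plistlib.loads(plist_bytes)
    return (
        resp.get("CommandUUID") == expected_uuid
        and resp.get("UDID") == DEVICE_STATE["UDID"]
        and resp.get("Status") == "Acknowledged"
    )


def run_round_trip(request_type, cert_subject_uid=PROFILE["Topic"]):
    """Run push -> check-in -> command -> response and report each stage."""
    accepted, reason = device_accepts_push(server_build_push(cert_subject_uid))
    if not accepted:
        return {"push_accepted": False, "reason": reason, "command_ok": False}
    checkin = plistlib.loads(device_checkin())
    cmd_uuid, cmd_plist = server_build_command(request_type)
    resp_plist = device_handle_command(cmd_plist)
    return {
        "push_accepted": True,
        "reason": reason,
        "checkin_status": checkin["Status"],
        "command_ok": server_check_response(cmd_uuid, resp_plist),
    }


if __name__ == "__main__":
    print(run_round_trip("DeviceLock"))
    print(run_round_trip("DeviceLock", cert_subject_uid="com.apple.mgmt.External.other"))
```

Running it shows a DeviceLock command acknowledged when all three push conditions hold, and the whole exchange stopping at the push stage when the signing certificate's UID differs from the profile Topic; a command type the client does not implement produces an Error response that the server-side check rejects.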

iOS security model

iOS Keybag

Example: File key wrapping (iOS)

Sample: Evil Maid attack

Specs

• For PUSH: Apple: gateway.push.apple.com port 2195
• Devices: TCP port 5223
• MDM port: defined by MDM profile

MDM limitations
• User can terminate MDM relationship.
• Multi-user model not supported.
• Jailbreak cannot be detected.
• Location service not available.
• App features very minimal.
• Security: command auth optional, accepts any cert with trusted root, etc.
• Malware install attacks: push webclip, etc., DoS attacks.
• Delays and bugs, etc.
• MDM profile issues…

References
• http://www.openmobilealliance.org/
• http://developer.apple.com/
• http://zdnet.com
• http://www.interpidusgroup.com/
• http://developers.google.com/
• http://enterpriseios.com
• http://ey.com
• http://samsung.com
• http://google.com
• http://microsoft.com
• http://shmoocon.org/