
Bring Your Own Risky Apps

BSides Las Vegas · 2014 · 47:49 · Published 2016-12
About this talk
Mobile applications pose significant security and privacy risks to enterprise networks, often through unvetted third-party SDKs, permission abuse, and poor cryptographic practices rather than malware alone. Guerra and Raggo analyze real-world examples of risky app behaviors, demonstrate detection techniques, and present strategies for enforcing app security policies through mobile device management, per-app VPNs, and data isolation without restricting user functionality.
BG - Bring Your Own Risky Apps - Domingo Guerra & Michael Raggo Breaking Ground BSidesLV 2014 - Tuscany Hotel - August 06, 2014
Transcript [en]

Sure. Hey guys, I think we're going to go ahead and get started. Just a quick volume check: not too loud? Good. Okay, so my name's Mike Raggo, and with me is Domingo. I'll let him introduce himself in a second, but we're going to do a presentation on Bring Your Own Risky Apps and talk about some of the threats that come about from the apps that we use each and every day, especially from an enterprise perspective. We're going to give you a lot of good examples, a little bit of code review and things like that as well, and I think we'll go ahead and get started. Did you want to add anything, Domingo, or just... Our contact info is on the first slide. Feel free to shoot us a tweet or an email, and we'll take questions, I guess, towards the end so we can get through the content.

So I don't really want to spend too much time talking about myself, but we will have some other presentations at some other shows throughout the week, around data hiding and steganography and things like that, which is something I do a lot of research in. I also do a presentation around the iOS attachment vulnerability and give some examples of that, and then also mobile network forensics for those of you guys on the forensics side. So look for us at some of the other shows as well as BSides, of course, and with that I'll turn it back over to Domingo.

Most of my main interests are around mobile applications: security and privacy, both protecting corporate data but also protecting consumer data, personal data. Both of those worlds are now intermingled, so we publish quite a bit of research on what we find from a popular apps perspective. We work with developers, and we also work with the enterprise and with the app stores as well: how can we increase the level of security and privacy that affects us all when we're using mobile devices?

Great. So I think most people are familiar with MobileIron; just one quick slide on who we are and what we do. We certainly kind of stemmed from the mobile device management world and have now gotten into securing and managing apps and content. So in the theme of you old-school folks, and Dan Farmer and people like that, it's really about getting a good understanding of the behaviors, in this case the ones that stem from a lot of the apps that we use each and every day, to understand what type of exfiltrations may be happening, what type of data loss vectors may be occurring, what kind of PII information is being accessed or exposed from an enterprise perspective, and how that impacts the devices that you're using in the enterprise network, in the enterprise environment, cloud services and so forth. So in terms of what we do, it's monitoring a lot of that type of activity, analyzing that activity, reverse engineering that activity to better fortify the networks that our customers are using day to day. So it's a lot more than just the device; it's definitely around web, apps and content.

So in terms of some of the things that we analyze, we're going to hit a few rock layers here and dig deeper and deeper. I think you're going to hear Domingo talk a lot about not only malicious apps but, ideally, even perhaps more important, risky apps: those apps again that we use on a day-to-day basis. We'll both kind of do a breakdown of some examples of some popular apps. Domingo has some really good examples; I'll just kind of review a little bit about some of the analysis that you guys can do on your own with some free and available tools, and then we'll talk about some of the deeper analysis that Appthority does as well. In terms of jailbreak and root, I'm sure we're all familiar with that on iOS and Android. I'll talk a little bit later on about some of the analysis and detections we do around that, to not only detect those threats but also mitigate them as well. I think what's really important is that many times, if a device goes lost or stolen and it contains some sensitive data on it, what happens if that device falls off the network? It's great that you can do a detection around a jailbreak or a root, but if that doesn't get notified back to the console, how does it perform a selective or a full wipe? We'll talk about that; we'll talk about some additional techniques that we use at MobileIron for handling that situation, and then certainly some of the other mobile attacks. And again, this is very much related to apps as well as the device: those device and app intents. So while the mobile operating systems tend to be very sandboxed in terms of some isolation amongst the apps, there are still those intents, those capabilities that allow you to copy, paste, open in, file upload and things like that. And then we also take a close look on an ongoing basis from a network perspective in terms of, hey, we know that users are going to travel, and when they travel they're going to probably connect to open Wi-Fi. It's difficult to lock that down and protect against that, right? So we use a lot of mitigating techniques to basically thwart various types of attacks that may stem from interception, man-in-the-middle attacks and things like that too, which we'll recap at the end.

So at the end of the day we're looking at the user, the device and the network.

Just as Michael mentioned, we focus a lot on malware analysis and finding out overall risk, but we found that in the enterprise specifically, after analyzing over two and a half million apps, less than half a percent of apps have malware. So really, what's the risk, what's the impact? It's apps we use every day: apps in the top 100, apps in the top 200 free and paid apps on iOS and Android that are just not built correctly, or are over-permissioned, over-collecting information and over-sharing information with third parties. So I'll focus on a little bit of both of those examples.

In addition, the other thing that we commonly see is a lot of administrators that certainly understand the threats that come about by performing a jailbreak or a root of the device, in that you're kind of breaking that application sandboxing, you're kind of breaking down that security that is built into the device. I think what some of the users don't always realize is that not only is the device vulnerable, but it can be vulnerable on the network on which it's connected. So if you are allowing jailbroken or rooted devices, and that user is traveling and they connect to an open Wi-Fi, what's the default login on an iOS device if it's jailbroken? Okay, it's root with a password of alpine. So if the user hasn't gone ahead and actually changed the password, and they simply jailbroke their device and downloaded some additional plugins and things like that, then sitting on an open Wi-Fi network somebody could easily secure-shell into their iOS device and log in with the default username of root and a password of alpine. So I think that's something that a lot of administrators are not always aware of, and it certainly lends credence to the fact that it represents a threat on the network.

So let's dig a little bit deeper in terms of analyzing apps. There's certainly a plethora of different tools available out there. Any time I do presentations on forensics and data hiding and analysis and so forth, I always try to focus on free and available tools. So if you're using ADB, if you're using some of those other tools that are freely available that you can use for Android to connect in through the debugger, you can actually leverage a free tool called apktool to dig a little bit deeper into a specific APK, or a specific app that you want to analyze, in this case on Android. This will allow you to expose the Android manifest and look at it in more detail to see what kind of permissions that app is using, and does that really correlate to the intentions of the actual app? So for example, this one is kind of a wallpaper app, and if you take a look at some of the analysis here, it's actually collecting location information that stems from an algorithm that is a combination of either the cell tower and/or the Wi-Fi information. So as you start to take a deeper look at some of these free and available apps that are out there on Google Play, it kind of makes you wonder what kind of information might be exposed from this, because unquestionably, if you go by NIST in Special Publication 800-53, it references PII information; that is PII information, okay, and that's an app that's freely available in Google Play.

If I actually root my Android device, what are the details in terms of what's occurring with that root? Certainly there are a lot of different rooting techniques on Android, in contrast to iOS in terms of jailbreak, but what exactly, what kind of information stems from rooting the device? By using apktool to break down that app, to break down that APK and reveal the Android manifest, it indicates here that it can write to the external storage, your SD card. Additionally, it can open a socket and network connectivity, which could lead to a plethora of attacks, right? Anything from remote command and control, exfiltration, backdoors, and then in addition to that the actual network state, and that could be quite revealing if you're using a VPN or a per-app VPN to connect back to the corporate network.

But it's more than static analysis; it also includes dynamic analysis. So if I'm analyzing the behavior of the app from a network perspective and I'm running Wireshark or something else, I can engage the app for a variety of behaviors to determine: is it encrypting the traffic, is it encrypting the data that it's transmitting, is it providing a secure tunnel, what other information may be exposed? So in this particular app I selected, hey, I forgot my passcode for the app itself, would you kindly send that to me? And sure enough, not only did it send it to me, but it sent it to me in clear text. It didn't provide a way to reset it; it simply just sent me that passcode. So who's monitoring the airwaves? Did you do that on an open Wi-Fi? Did somebody else capture that information as well? So if you look more broadly at all of the Android manifest permissions, you'll clearly see that there's certainly a lot that overlap with PII and sensitive information that you obviously, from an enterprise perspective, would not want to expose. And so these are the many things that we look at from an app perspective.

I'll do a quick introduction on Appthority. We started the company

in early 2011, really to be able to identify hidden risks in mobile apps. Early on we focused on malware analysis and realized that the enterprise didn't have a big malware problem, mostly because they were heavy on iOS, and as a result we added more engines to our software to also automate the analysis from a static, dynamic and behavioral perspective to look at other types of risks. We let our customers dictate what behaviors are allowed or not in their protocols or in their environments, and they can set policy to say: let my engineers access anything, but for my finance folks make sure there are no apps that communicate without encryption; for my executives, I don't want them location-tracked when they're traveling; things like that. So we automate the workflow. We hook in directly to the MDM, in this case MobileIron, and we're able to see the apps that are discovered on the device, and this next slide will show really how we can work together to provide an end-to-end solution. So from MobileIron we can see all the apps installed on the mobile devices; then from our database of over two and a half million analyzed apps we can match those apps to apps we've already analyzed, or collect those apps for analysis: go purchase them from the app store automatically, download them, install them, do a disassembly, do static analysis, run them on an emulator or on a hardware device and do runtime dynamic analysis as well. We then create a policy on our portal, where again it can be by user or by device type, and then do the enforcement through MobileIron and the remediation through a collaboration of MobileIron and Appthority. So it's a way for both of our companies to collaborate to solve this problem of privacy and security of apps, especially third-party apps, in the enterprise.

So we promised a short demo. Wanted to see: any iPhone users here? Android? Jailbroken Android? Jailbroken iOS? I guess rooted... jailbroken iOS. Anyone play Flappy Birds? So Flappy Birds was pretty popular for a while, and then the developers pulled it from the App Store, so we wanted to see what can happen with a targeted version of Flappy Birds. On the left we have the target device; we're able to see that it has some accounts there. On the right we have the hacker's device, or the clone device: empty. So we'll go in, and there's no settings there, there's nothing in there, the accounts. So my friend missed Flappy Birds, so I emailed him a copy of Flappy Bird saying, hey, don't worry, it's not in the App Store but here's an APK. Because he trusts me (shouldn't have), he's going to install the APK directly to his phone. So again, it's not going from the official App Store; the app was no longer available. I checked the Gmail account: they have an account on the left side. The right side of this phone is native, so there's no account there, and I'm going to send in the email saying, don't worry, here's a version of Flappy Birds, download it, play it, you'll have fun. So he was going to scroll down (apologize for the view, but it's a small window), scroll down, read my message recommending the app, install the APK, and he doesn't know that it's a trojanized version of the APK. So it asks the same permissions, it looks the same, it has the same dynamic size, the same package, just not the official version. When he installs it, we'll have little sub-bullets as the app is doing something. Again, it's a research app, so we wanted to show what we're stealing, but we're targeting Google specifically, Gmail, and we're targeting bypassing the dual authentication, the two-step verification. We're running the app; again it takes a little bit to load, but as soon as it loads we're going to see in the bottom the information as I'm getting it. So I got his Tinder profile because he had the Tinder app, I got his Gmail, I got his GitHub profile, E*Trade; anything that's set under accounts or set under the user statistics we're able to get and transmit to our server. I'm not very good at Flappy Birds, but I managed to get farther than I've ever gotten when I was recording the demo; it's actually a lot harder than it looked at first. So keep holding your breath, I'm almost there; I think I made it around four or five. Yeah, okay, so that was Flappy Birds. Played it, done with it, cool. Meantime the data has already been harvested; it's been sent to a third-party network. We're going to go to the clone device and run our harvester app, which downloads that profile and downloads all the account details. Now it's going to take a while, so I'm fast-forwarding through part of the demo because it takes a while to load and I have to reboot the device to load that profile, but it's downloading again the Google two-step authentication tokens, the account credential, and from there I can access not just the Gmail but the calendar, anything on the device that the other person had. Again, fast-forward through this; I think we have a few more seconds, but we start seeing now the background's loaded. Keep fast-forwarding a little bit more; again, importing. We've done this not just with Gmail but with GitHub, so source code from the company, Salesforce information, dating app profiles, social networking, social hacks as well, but wanted to show Gmail since that's kind of an app that a lot of us use and it's something we could all understand. It reboots the device, now loading those tokens. They're still within the window where they haven't expired, so you're able to go directly into Gmail, not have to authenticate, not have to do the two-factor, because it's keeping all those credentials, and this clone device doesn't realize that it's a clone device: it thinks it's the real account, it thinks it's still the real device. Here we go, we have Gmail now. When we go into settings we'll be able to see that now there is a settings, an account set for Google; there wasn't one before. It's a little bit slow, but it's getting there. Scroll down a bit, so we see a Gmail account has been imported onto the device now, and then when we go back home to the home screen and open the Gmail app, we'll be able to read the user's emails and be able to send emails from there as well. It's not a very fast emulator, but it's working. And again, most of the use case around here is on a targeted attack: if you know what accounts you're looking for you can program it, like here for Gmail, but on the non-targeted attack you can just import all the accounts and then do it twice, first see which accounts came in and then pre-load those apps so that when you reboot the device those accounts will be imported correctly. We're able to see now Kevin's email already loaded up; I was able to access his email directly from this clone device.

So that's great, that's malware that we wrote, or that's kind of spyware or malware, and that's mostly what IT professionals worry about when they think about mobile security. But then when we look back to the hard data: again, been in business since 2011, analyzed over two and a half million apps, less than half a percent of the apps in corporate environments have malware, but about 81% of apps had issues, security

issues and concerns. It's not bad people making bad apps with malware; it's good people making bad apps. It's either insecure programming practices, they're using bad third-party tools and SDKs, or they're trying to monetize too aggressively: they're harvesting too much data, trying to sell it to different third parties like advertising networks, analytics frameworks, even social networking sites, and then profiting off the users. Less than 20% of apps we look at in general would pass a traditional enterprise-grade security test.

So, just released this week, we announced our App Reputation Report, which we publish every six months. We looked at the top 400 iOS and Android apps, both free and paid, so we'll do a side by side of iOS and Android for free, and then for paid, in terms of what data was being collected. Location tracking is something that's been common for a while; more than 50% of the apps now location-track whether they need to for function or not, because the ad networks will pay more money if you give them localized data on users than if you just give them user data. Next, ad network... sorry, access address books. That's something that we've seen increase quite a bit. Sometimes it's just read on the device, but sometimes it includes exporting the address books as well. On the enterprise side we've seen a big increase in corporate spam as mobility has increased, because users are sharing not just their personal address book but their whole company address book if they sync with Outlook, for example. So now you're giving away phone numbers, emails and mailing addresses of folks in the company, and it leads to more phone calls into people's desks. Calendars is actually the only thing that decreased year-over-year from last year. We saw LinkedIn get in trouble for accessing calendars without notifying users on iOS, and when they removed calendars they were taking meeting minutes, call-in information, any attachments that were there, could be confidential information, and data mining it. Now iOS 7 requires permission to use a calendar, but still a lot of our users in the enterprise will give permission to anything, right? They just click okay, okay, okay; there go our calendars as well. IMEI is interesting in the sense that, especially with UDID, it's a cookie that you can never delete. So even if you're using different logins for different apps, if it's tied to the UDID they know it's you across all your app traffic, and now if you marry that with the next slide, who is receiving the data: if you marry that with the analytics frameworks, even if it's just IMEI, or even if it's a temporary device ID now that Apple offers that, they can still identify who the user is based on their traffic across multiple applications. So it's not just one developer getting your information or your user's information; it's now a pool of developers that have access to these analytics frameworks and do data sharing with them. Advertising networks: expected on free apps. If you don't pay for the app, you are the product, or your data is the product. Social networking, especially now with single sign-on with Facebook: you can sign in to any app, or over 70% of the apps on Android, using Facebook, but that just increases the number of third parties that are collecting user data and sharing user data and device data. And then cloud... sorry, cloud and file storage has been growing a lot. A lot of our customers worry about Dropbox; they're trying to prevent rogue IT where folks come in and save corporate documents directly on Dropbox. So using an MDM or using the firewall they might block dropbox.com or they might block the Dropbox app, but there are thousands of apps that have a back-end connection, an SDK or an API connection, to Dropbox directly from the app, so if they just focus on the Dropbox app they're going to miss a lot of it. I'll speed up a little bit, but just to show on the paid side: we were surprised, again, the behaviors are still found pretty often. In-app purchases are still pretty big on free and paid; I know there's a lot of controversy in Europe where the government wants Apple and Google to not call the apps free if they have in-app purchases, because it ends up not always being free. But also ad networks on paid apps: almost 50%, sorry, here we go, for ad networks almost 40% are still using ad networks even though the app is paid. So you might not see an ad surface, you might not see a popup, but there's still an ad network in the background that's collecting information, harvesting the data and then selling it to data brokers. So from this perspective, paid apps were a little bit safer than free apps, but they're still leaking a lot of information. Next I wanted to just say, okay, what are the top five failures that developers are making in general? Again,

these are good people making bad apps. It's not malicious intent, it's not malware; there are other solutions that we were doing to help combat malware, but this is a bigger issue because it impacts every app, not just malicious apps. The failures are using poor or bad third-party SDKs, and I'll show some examples; permission abuse, which we see a lot; improper handling of private data; terrible cryptology, cryptography; and then airing dirty laundry. A lot of developers keep personal or development information in the app; I'll show some examples as well.

So a lot of times we find a risky app, we publish it, and the developer contacts us and says, hey, no, we're not doing that, and we show them the analysis: in fact they are, but they did it through an SDK; they didn't even know the SDK was doing that. So this is a very popular SDK for adware. It's very aggressive and it violates COPPA, which is the Children's Online Privacy Protection Act. A lot of developers can get in trouble for this directly with the government, which is starting to fine folks for this, even without their knowledge. So any developers out there, just keep an eye out for this. A quick example of just the amount of data that this SDK was collecting: it's taking your zip code, your phone number, your app ID, app key, IMEI, okay, maybe fine, but now if you go down to the bottom it's getting the user's age, which now is PII if it's anyone under 13, and if you don't have a privacy policy you could get fined for this, for something your ad network did, not even something the developer did themselves. The city, the state, the latitude, longitude, the location of the user. Again, the more information the developer collects, the more they get paid, so there's kind of a reverse incentive towards privacy and security. But as users we need to raise awareness that we shouldn't just accept all permissions, and push back. We have seen some improvements on calendar access as users push back on that, so if we push back on the other behaviors we might see some improvement there.

Other issues with permissions: sometimes there's an under-privileged application that tries to sidestep the permission; I'll show an example of a big bank that does that on the next page. Over-privileged applications: some developers, they're lazy, and they say, okay, give me every permission, and that way if I ever need it I'll have it, or if I need it in a future functionality I won't have to add it again. And the problem with the confused deputy says you also have to guard your application from other apps that might try to leverage your permissions. So if your application has permission to send text messages, for example, and another application doesn't, but it can communicate with your application, specifically on Android, that application could submit a request through your app to send a text message. So which app really did the send, the messaging, and which one had the permission? So that's something we look for on Android as well. But more on under-permissioning: a lot of applications don't have permission for location tracking, because to use GPS now both Apple and Google require you to let the user know, but they found a lot of ways to do location tracking based on GeoIP or Wi-Fi, cell phone triangulation. So in the example of E*Trade, for both iOS and Android, even if you don't give permission for location tracking they can still know where you are based on your IP address, based on your mobile IP address. So no permission given; behavior is still there. And then another quick example of permission abuse: this is not the game for Grand Theft Auto, but it's the walkthrough, so it teaches you all the cheats and how to play the game. Over 10,000 downloads before it was pulled from the market, but it requested over 50 permissions; I mean, it was just ridiculous out there.

This next example is pretty fun. Anyone use Tinder? So, popular dating app. No one has to admit to using it, but terrible from a privacy perspective: it was transmitting exact geolocation over the network in the clear, and complete details on the user. So when we pulled the back end, or what the API was sharing over the air in the clear, it's sharing the birth date, the full birth date, so month, year, date; the full ID, the Facebook ID of the user; and the exact latitude, longitude. So now I know, okay, this user Amanda, this is her Facebook profile, hello Amanda, I can go find her information on Facebook, I know exactly where she has logged in from. So from a stalker perspective this is pretty scary; from a user perspective I feel like it's a huge invasion of privacy. So we made this public, we worked with Tinder, told them about it, wrote an article on it, and they said they fixed it, but the fix was still a fail. Let's see if we see why. Instead of giving exact geo-coordinates, now they gave exact relative distance to 13 significant digits. What's the problem there? Well, if I brute-force it, I can take one step to the left: did I get closer or farther? Okay, one step to the right, and then eventually find the person. But with a few lines of code I can just do the shortest path and find the exact distance to, or the exact location of, that person just by knowing the relative distance as well. So it wasn't really a fix. We went back with them and they fixed it now, again. But from a developer perspective, if you need location you can use obfuscation; you don't need location that precise for anything, let alone for a dating app.

Fail number four: using bad or no crypto. The Postagram app lets you take pictures and create your own postcards. Great, you can send postcards directly from your phone to any mailing address in the world; pretty cool. But it's sending and storing all the private photos on unprotected open networks, so you can go in and just start surfing people's pictures, people's postcards on their website. Again, not a very good job there. And then SignEasy, which you can sign any document with directly from your iPhone or your iPad: sending passwords in clear text, storing files directly to Dropbox. So again, if your corporate users are signing corporate documents or confidential files on their iPhone or iPad, since the password is being sent in the clear, then anyone can log into their account and see all the documents that were signed. So that's data in motion without encryption, data at rest without encryption. The Starbucks coffee app you can use to order coffee, and you can have your credit card there for auto-load; it stores username and password in clear text on the device. So again, if you lose your device, someone could easily get that information for your Starbucks app, maybe order some coffee on your behalf, but worse, a lot of folks use the same password for their email that they do for other apps, so a weak password in one app could propagate to other applications as well. Final review for the cryptography: the three main things are not using encryption for data transfer, not storing passwords correctly, and then also not expiring auth tokens. This was finally fixed by Facebook, but originally Facebook's was set to never expire, so if your auth token was compromised you would lose access to Facebook and you would lose access to every app that you can log into Facebook with. So that's a big issue there, especially with single sign-on.

The final fail, dirty laundry: a lot of developers have their design notes, maybe the meeting notes, in the application itself, debug information, and forget to remove it when they publish the app to the App Store. So for Pandora we were able to find, hey, this Casey dude: we know everything about his workplace environment, where all the file structures are. We were able to find him on LinkedIn as well, and we sent him a nice note to let him know, and blacked out his face just to not embarrass him too much. But as developers as well, make sure that you don't air any dirty laundry, especially from an internal corporate app that you build, that can give an attacker an insight into how to maybe get into your app, or where, how the app was built as well.

So again, we talked about this slide earlier, but just a quick summary: malware is less than half a percent of the apps out there. Yes, it's growing exponentially, as a lot of the AVs like to say, but so are good apps, apps in general; the whole app ecosystem is growing exponentially. Malware as a percentage of the overall app market is not really growing that much. So while we do monitor it and we do keep an eye on it, it's our responsibility to raise awareness of just apps in general, not just malware.

So in terms of countermeasures, we take a look at proactive and reactive countermeasures, and

while many of the enterprises are clearly aware of the threats that stem from jailbreaking and rooting of devices, as Domingo stated, you know, there's just another layer of exposure, another layer for potential exfiltration, as it stems from apps. So when we take a look at a holistic mobile security strategy of both proactive and reactive countermeasures, and we take a look at, for example, jailbreaking and rooting, which, you know, could stem from a malicious app causing a jailbreak or a root, one of the common things that we see is that a lot of enterprises want to detect jailbroken or rooted devices and then do some type of quarantine, which might

selectively wipe the enterprise data or do a full wipe of the actual device. The drawback to that is that traditionally that requires a phone home. So you might have an MDM client that's running on the iOS or the Android device looking for the jailbreak or the rooting activity, and once it identifies that, it phones home to the MDM console to say, hey, I found a jailbroken device, I found a rooted device, I need to go ahead and send a selective wipe or a full wipe back to the device. But what happens when that network connectivity is severed? In the case of lost or stolen devices, it's quite possible that that device may fall off the network, and

when it does, it can't phone home anymore, and thus you can't perform the selective or the full wipe on the device. So one of the things that we've added to our product is the ability for offline jailbreak and root detection. So in the event that the device is lost or stolen and falls off the network, or someone more nefarious takes it, chucks it in a Faraday bag, connects it to their laptop and tries to sideload something, we now have added the ability for offline jailbreak and root detection without the need to phone home, and then as a result we can still perform that selective or full wipe of the device, if that's what

the enterprise desires. So that's something that we've added, and I think we've gotten really good feedback from customers around that. How that relates back to what we're talking about in terms of apps: well, when we start to get down to the app level, we leverage what Appthority does in terms of their research and intelligence, and leverage that to also trigger things as well within our console. So if you decide that you've got a threshold, that if the app is above a certain risk level, if it is identified as malicious, things like that, and trying to be a little bit more proactive, that can cause various types of quarantine triggers within the

console as well. And then getting back to kind of where we started back at the beginning, also on the topic of apps, is related to something that came out in iOS 7, which is the ability to do a per-app VPN. We at MobileIron had been previously doing what we call AppTunnel for both iOS and Android, to allow you to alternatively use kind of a per-app VPN instead of a full-blown VPN. Obviously one of the arguable drawbacks to a VPN is the fact that, you know, you inadvertently, at least by default, are allowing everything on that device to access the corporate network when it VPNs in, so all those risky apps we

talked about, any kind of malicious apps and so forth, might also have access to the corporate network, and obviously that's a bad thing. So by leveraging a per-app VPN, like in the case of iOS 7, and terminating that using some kind of secure mobile gateway instead of your VPN, provides you that ability to say no, I'm only going to allow the apps that I permit, only the apps that I've permitted for the enterprise, and only if the device is in compliance, meaning it's not rooted, jailbroken or otherwise, and thus provide a little bit better security around, you know, fortifying that secure access to the corporate

network. Some of the other things are related to apps, where we talked earlier about some of the functionality, so controlling some of the intents as well, maybe not on the entire device but only for that portion, or that secure persona, on the device. So while you might have personal data as well as enterprise data on the same device, create some kind of separation with that data and those apps, separate from the personal data, such that if they want to perform a copy, paste, screenshot, upload, open in, all those other types of behaviors, or intents if you will, control that, but not limit that for their personal stuff. You know, if they

want to do that for the personal stuff, fine, but on the enterprise side turn off some of that functionality so they can't share data outside of that secure persona. So that's exactly what we do here: in terms of the device, securing a little bubble for the corporate content, apps and web access, and then providing that secure access via per-app VPN. So when we take a look then at kind of a holistic strategy in terms of proactive and reactive countermeasures, you know, if we've got an attacker that's trying to target the network or the device, leveraging certificates to basically thwart man-in-the-middle attacks. So if you're using signed certificates, including mutual

authentication, where you have a client cert on the device itself doing that mutual authentication to basically thwart man-in-the-middle attacks if people are going to be connected to open Wi-Fi, which we know they're going to do, right? Then some enforcement policies and lockdowns and restrictions, maybe not for the entire device but at least for the enterprise data in the separated portion of the device. And in the event that the device does become compromised, falls out of compliance or is infected with malware, ensure that we've got some method of detection and closed-loop compliance action: if we identify a malicious app, alert on it; if we see a subsequent jailbreak or root, quarantine the device. That

includes that offline jailbreak and rooting activity we talked about earlier, and then from there we can either remove the corporate app and/or the data to basically mitigate that data exposure.

So yeah, in general, from a takeaway perspective, there's a lot of talk about BYOD and bring your own device in the enterprise, but really the device part, that beast, I think has been tamed, or at least there's technology around that. But the new question is, what do we do about bring your own apps, bring your own risky apps as well? When apps are being created by developers all over the world, it's incredibly fragmented. Five years ago most of the software in the enterprise came from Oracle, SAP, Microsoft, Adobe, at least some names, maybe not trusted, but names that the companies were familiar with. Now apps are coming from OMGPOP and Zynga and

King.com and all kinds of developers. So these developers might not have the same expertise in building software, yet we're using them in a corporate environment and we're accessing corporate networks and corporate frameworks. There's more risk than just malware. So part of that is just education from a user perspective. We forget that these are computers as well, in our pockets. With laptops and desktops, at least some of our users learned not to open executables, not to open email attachments from folks that they don't know. With applications we just download anything, accept any permission, just click yes, yes, yes, give me the app. That requires a little bit of

re-education from a user perspective, but also from our security professionals' perspective of what we can do about it. BYOA really leaves a threat to not just the user's data but also the corporate data, so it's not us versus them, IT versus the users. Our calendars have personal data, we care if they get leaked out; they have corporate data as well, our address books as well. So how can we, with education and app analysis, automatically provide these kinds of reports to users so they make better decisions? And it's more than just a user; it's posing a risk to the device and to the network as well. Yeah, just to add to that, you

know, a lot of our enterprise customers, including the government, do have a lot of concerns around the data leakage or data loss around PII information, and are revising their policies to incorporate that. So when we take a look at all the layers of defense that we provide, both in terms of proactive and reactive countermeasures, you know, it's really kind of understanding a lot of those threats that stem from apps. If you want to do your own testing, I outlined a few, you know, simple tools and techniques at the beginning, but certainly you're not going to be able to do that across the enterprise, and therefore that's kind of, you know, in terms of what

Appthority does in all their analysis of 2.5 million plus apps across Google Play and the App Store, is really kind of leveraging that intelligence to provide yet another layer of defense in that layered security model. And then at the end of the day, by combining those, really providing those proactive and reactive countermeasures. Didn't have a lot of time to get into that one slide where I kind of outlined a lot of proactive and reactive countermeasures, but we did kind of show that more from a flow diagram in terms of some of the threats and then a lot of the different countermeasures that you could use. So with that, we have a few minutes

for questions, and again, sharing our information in case there's questions after the fact as well. Anyone have any questions?

My company's most likely going to deploy MobileIron, probably first quarter next year, for approximately 3,000 devices. Are you familiar with canvas fingerprinting? Sorry, it's hard to hear. Canvas fingerprinting. Yeah, a little bit. What kind of questions did you have? So my question was, when you're traversing the internet... for those of you who don't know what it is, it's a technology that when you go to a website with a device, whether it be a computer or a mobile device, your device creates a picture. It's the same picture, but every device that accesses that particular website makes the picture a little bit differently than another device. That allows them to

identify you; it creates an identifier for you, and then therefore they know who you are. So my question is, are there any plans, or maybe not at this point, but to basically mask your identity when you're traversing the internet on a MobileIron platform? Because for a company or even for an individual, the more that they learn where you're traversing, they're sharing data; it's no more than like having a cookie on your computer, right, on your phone. Yeah, it's a great question, and there's not, you know, not always a silver bullet for all of it. For those paranoid customers that would rather not share that kind of information, we kind of use

techniques that are a little bit different in iOS versus Android. So for example, if you're going to use some kind of kiosk mode or Samsung Knox, which is now morphing with Android L and all that, there's certainly some steps that you could take. And the other question I would ask is, you know, are they just on the Wi-Fi or are they, you know, cellular-based devices as well? So, you know, on the corporate network we do find that some organizations are leveraging filters for things, as Domingo mentioned, for Dropbox and things like that, but also, you know, some other uploads. So again, kind of a layered defense. I don't think

that there's, at least I'm not aware that we have, a silver bullet for something like that today. That's something I could definitely ask our engineering to see if it's something that they're already testing and/or developing in-house. The short answer is I don't know if that's something that we have as sort of a silver bullet, but I know in terms of data loss, you know, we've kind of got a number of techniques we can do to kind of thwart some of that activity. So someone else had a question too? Yeah, that gentleman. Yeah, I was just asking a question about the demo that you did. What actual exploit were you using? Was it

the DEF CON one from last year that stole Google creds? Because I noticed you only demonstrated the Google account, but you mentioned you also got, you know, all the other ones. Is there something else? It wasn't Google specific, so it was from the device, getting those accounts, getting the tokens. So the full string for the login, if you're doing it within a quick window, those haven't expired yet, so even from another device that same token is going through. So it was simpler than the hack from last year that affected Google; it's just taking those credentials from the device, leveraging them as if you were back on the device, just clicking the Google app again. It's

thinking it's the same communication port. Was the original app rooted? It can be rooted; it doesn't have to be rooted for some of the accounts. For Google it has to be rooted, yes. For the other gentleman's question, one other thing came to mind. What some of our customers are doing is taking one of two techniques for that. So if they're looking to further filter that or control that, traditionally people, like in the case of iOS for example, would use some of the proxying redirect capabilities. So although that may be a device, you know, maybe a phone that's on a cell network, it may sometimes be on the corporate Wi-Fi but

many times is not, they're redirecting that traffic into the corporate network before it then goes out to its, you know, final destination. In terms of what we do on our secure mobile gateway, with the per-app VPN capabilities or the tunnel capabilities, some of our customers are also redirecting the traffic via that mechanism into the internal network so they can then filter it outbound as well. So that might provide an additional layer of defense you could use for that, and some of our financial services customers are definitely using it and have found it really valuable. So probably have time for one more

question. We're not? Thank you, everybody. We've got some really cool blogs on the mobileiron.com site around some man-in-the-middle attacks and the iOS attachment vulnerability and some of the other stuff that we kind of touched on today, so definitely check that out at mobileiron.com if you like some of that hacker demo type stuff. And thanks for your time today. And appthority.com, we have some blogs as well on the application side, including a faulty third-party SDK from an advertising perspective that can be used as a command and control bot over unsuspecting Android users, so check that out. Thank you. Cool, thanks guys.