App Wrapping: What does that even mean
Show transcript [en]
gentlemen named David Dewey Dave and I have been friends for what did we just say it's been 10 years now um David is one of my mentors so uh when I when I meet to understand what's going on in the Windows operating system apis root kits how how are these these cooking processes work to any of these really operating system getting into the kernel kind of stuff David is the guy that I will go to David and Jake Williams is another guy that I go to with these kinds of questions so David's one of the guys I want to be when I grow up he's he's an awesome smart guy and we are really fortunate to have this your first
time well you've been to Augusta speaking before at some of our B-side stocks but this will be the first time that had a Visa so please join me in welcoming daily Dewey [Applause] [Music]
how it works uh and you'll find the slides that the slide material is going to be a little bit lean because I'm coming right up to the point of the Blue Box secret sauce so um there's going to be a little bit a little bit dislikely a little bit lean but please feel free to ask questions and I'll answer just about as much as I can uh in addition to that it's it's also meant to cover sort of how app wrapping Works uh for other vendors as well and that's really kind of the intent of this office to understand what it's meant by app wrapping and how different folks are doing it um a couple of points of order
um marking these uh handouts I'm supposed to give out as part of the presentation I just went through my slides
um also another sort of point of order Mark uh asked me a few months ago if I would come speak it besides and I said I'd be glad to uh he didn't mention the fact he was going to put me right between Tim who is an incredible presenter and lunch and so uh I'm kind of at a disadvantage here in terms of you know keeping everyone's attention so I will do what I can to make this enjoyable and get your all right so first things first uh right what is that wrap right it kind of occurred to me when I was putting this talk here not everybody in the world might know uh what app wrapping is and
so um the best way I think to explain this is to kind of tell the story of how blue box came through to me um about three years ago a good friend of mine uh entrepreneur called me up and said hey uh I've got this idea for a new company and I think you could probably do it uh I'm curious what your thoughts are what he wants to do is pull apps out of the Apple App Store and check code into those apps so that you can control the behavior of those apps so the reason you would want to do this as an Enterprise to say if I'm bringing if my employees are bringing mobile devices to
work they've got a whole bunch of apps installed on that on that device realistically what's happening is Corporate information is getting in and out of those in and out of those apps storage is stored out in the file things like that and I as a Security administrator want to control the behavior of those apps so I can control the flow of my corporate data control flow of my sensitive information so bring that back around the idea is we want to inject code into these third-party apps that are already installed on a on a mobile device and controller Behavior three years ago that was impossible right Apple would have told you flat out right to your face that is impossible
and uh and so now that has changed a little bit there's a lot of vendors out there that are planning to do this there's a lot of folks that are saying different things in this regard and that's again kind of what I want to clear up in terms of you know what exactly is app wrapping how does it work and most importantly how do you do it on a non-fail rookie device right because uh if you're if you're an Enterprise Security administrator and you're trying to secure data information that exists on your user's devices you can't tell them yeah you know you can use your phone here at work we just need to jailbreak first so we think so we can
secure it and try this that's not going to uh so a quick uh introduction if you do a Google search for apps and you're going to find a couple dozen vendors that you're trying to do this uh you'll find a few research papers uh on the topic um and it's a lot of conflicting information uh lots of different folks using the same word same phrase to mean lots of different things lots of pros and cons to come along with everything that uh that they're saying when when they say that they do this and I want to cover all of those pros and cons in depth so that if you are actually evaluating an app wrapping solution
um you know you you have the ability to write the ask the right question to determine you know whether that solution is exactly what you're looking for or not um also if you're interested in doing research into app wrapping uh this presentation will kind of give you uh indication as to where the open research problems are where are the gaps in current aircrafting Solutions and uh maybe you can go go do the research to fill those to build those gaps all right so the methodology that's used for app routing and the end goal of the app wrapping vendor is where this confusion comes from so there's lots of folks that do what they call app
wrapping and they provide their solution through SDK so that either plugs into your Android development environment uh plugs into xcode uh something like that and it provides a set of libraries or other tools that allow you to inject code into an app as you're developing it uh the other thing you'll hear people talk about is Enterprise after ethics what this means is apps that are being developed for Enterprise use only okay so these are apps that would never be put out into a public App Store the the rules of the game change quite a bit when you're dealing with Enterprise app development you don't have to make you don't have to get through Apple's uh app
verification or uh Android uh bouncer you don't have to get through any of that stuff you can use private apis you can you can sort of Break The Rules right and so because you can break the rules there's lots of things that you can do from an app wrapping perspective that you couldn't do if that app was going to have to ever end up in a public app store and then there's third-party app wrapping and this is where you want to take an app out of the public App Store and inject your code into it as it's installed on the device um the reasons for doing these different things also change right some folks just
want to do this for App Management there's actually a huge Market out there for controlling the application life cycle of apps that are internally distributed in terms of app updates making sure you know if you get your patches out to it to those apps uh understanding how many devices that app is installed on through the use of that FR that sort of thing and so so a lot of app wrapping vendors that's that's all they're sort of achieving with their their solution uh many folks are looking at security right uh ensuring that corporate data is secure in terms of disk ensuring that the network communication uh that goes to and from those apps is secure ensuring that the
app is not being tampered with by some uh attacker or adversary of some kind I'm sure that the app is only running on a non-geo broken device things like that another integration there's a lot of folks that are providing other Enterprise solutions that they want to be able to integrate with consider an Enterprise dtn solution for example Juniper provides an SDK that allows you when you're building your app to tie directly into the to a junior for VPN so you can distribute an Enterprise app that ties into that VPN and access internal resources right so understanding sort of the mix and match here of what techniques are being used what the end goal of the
different vendors are is sort of important because if you don't ask the right questions if you're evaluating it an approaching vendor you could end up with an SDK for app management and what you were trying to do was to encrypt data is so um this slide is the slide that if we don't spend about 15 minutes on the slide I'm doing it wrong um this is the slide that I'm going to put up while I talk about right up to the secret sauce that I talked about okay um so first I want to talk a little bit about sort of the different platforms that you would have to interface with if you wanted to do app wrapping
um realistically this is going to happen on IOS and Android and that's pretty much it um you could try to do it on Windows phone or you know Blackberry if you wanted to um I don't know why you would want to but you could try to do that um so on iOS sort of a breakdown of the way that it works is there's um on your iOS device there is an SMU kernel that that um you know is Victor kernel for iOS um you really don't have any interface into the kernel uh through from any sort of app level controller then you have your core OS you have IOS itself and then with from IOS there's some core
services that are exposed so these are things like being able to access the GPS being able to access um address book a camera you know these sorts of things that are provided by the operating system itself this is um typically accessed through What's called the foundation framework which is a set of libraries that are distributed with iOS that allow you to like I said gain access to um you know the GPS camera things like that and then on top of that core services this is where you start to see the various sandboxes that exist within iOS each app that is installed on an iOS device is installed in a randomly selected directory structure you have
zero permission you cannot get outside of that directory structure to try to access files that are outside your directory structure you can't cross the boundaries between that directory structure to access other apps that are running on the same device uh or anything or anything like that um and then within a Sandbox you have your various apps the apps themselves uh the the code that runs that that makes up those apps is typically written in object to C or Swift nowadays uh you might see that start to come out uh and then so within each app sandbox you have an instance of the eject to see runtime and what that is is that's the uh that's
the code that runs that allows the interpretation of The Objective C code to happen so Objective C is a compiled language but it requires a runtime for some reasons that we're going to talk about here in just a second and so if I want to hook into an app and control Its Behavior I can't touch anything at the kernel level iOS isn't going to permit that I can't touch anything at the operating system level iOS isn't going to allow that either I can't mess with the core services at all I can't cross the sandbox so I can't install an app that's going to go out and touch other apps and so what you do what you want to do is insert a shim
that sits between the app and The Objective C runtime itself and so we're going to talk about exactly how that works here in just a second so kind of a little bit of a back back up a little bit um in terms of what Objective C is as a language of how it works so Objective C is an object-oriented language that allows you to instantiate objects very similar to the way that you would see with C plus the major difference between Objective C and C plus plus is that Objective C is what's called a late binding language whereas uh object uh C plus plus is an early binding language and what that means is as you're writing your code
every function has a name a string name right my function with some parameters if you can pass to it in C plus plus when you compile that code that function just becomes an address in your code and any reference to that function is just a call to an address it's also a function pointer okay the name is no longer important and in most cases can be completely stripped out of code altogether it's no longer ever needed Objective C is late modeling and what that means is the string name of the function is retained through population and called to that function are made by calling the string name of the function okay select JavaScript I mean I think
people intuitively kind of know that that's how JavaScript Works Objective C is the same way and so what happens is any function call that happens in Objective C runs through a dispatcher where you pass the string name of the function that you're trying to solve and it goes and it looks that function up in a table to say okay in this instance that function by this string name exists at this address and it goes into reset call okay so you can kind of probably see where this is this is going right if I wanted to intercept a function call inside an app to go all to the behavior so again we talk about accessing the GPS
so there's a core location services manager location method say give me my GPS requirements if I want to override that location method right I could go to that table that says the location string name points to this points this other function so now I can just update that function pointer to say I want location to form to my code instead of their code right this sounds slightly complicated except in Objective C it's built into the language for you they use a process that's called swizzling which is the dumbest name in the world or a pretty neat technology because anytime you ever write a research paper that's whizzling every editor in the world thinks you've misspelled it
um because they don't understand that word yeah so imagine Switzerland what that allows you to do is do exactly what I said where it replaces the string name of the function to the function pointer that you want as opposed to the one that it previously wanted to right um that's great if you're intercepting The Objective C calls right um by total rough estimate um when people are writing Objective C only about a third of the code that they're actually writing is objective c the other two thirds is actually C code um nobody writes pure Objective C there's kind of no reason to write periodicacy and so how do you how do you hook um secret well as I mentioned C and C
plus plus is an early binding language so what happens is that string name of the function is optimized out of the code during compilation and replace with a function point that function pointer is stored in a table called the import address table and what that does is anytime you're importing a function from some third-party Library like the foundation framework to get your GPS coordinates it's going to store the address the loaders to store the address of the function pointer that that points to that function that you're trying to call at runtime you go in and modify that table say no It'll point back to my function again that sounds pretty difficult right but I'm going to come back to how that's
actually not that difficult here in a second so now we know at a language level right how we can hook into the code itself now where do we point the code right uh if I pull an app bundle out of the App Store it's going to come with a core executable some images that gets displayed on the screen and that's about it apple does not support the user Dynamic libraries so there is no way that you can include a dynamic library in your app bundle all you did is executable and some images and that's all changing in iOS 8 but I'm going to come back to that as well and so we went and did a bunch of research into
what that means like when Apple says Dynamic libraries are not supported what does that actually mean it turns out what it means is that when you're building an amp in xcode if you try to include a dynamic Library it fails xcode tells you you can't do that if you try to build an app outside of xcode just using the command line utilities and include a dynamic Library it works just fine so the only way that it's prevented from happening is you can't build it in xcode okay is if you try to include a dynamic library in your app and submit it to the App Store they'll reject it so you have some sort of checks and
balances there however I mentioned that our goal is to inject this Library into an app that's been pulled out of the app store and then redistruted to a user right so it's already past the verification on the App Store we inject the library into the app and then distribute it to the user and apple doesn't see it at that point so now how would you how would you do this um how would you inject a library into an app uh when you're in a sandbox so that's part of the problem the first thing is you do is you take the app bundle and you tear it apart and then you inject though if you put the
copy the library into your app bundle and you rebuild the bundle back together right that part's pretty simple now you've got to tell the app to go load your library just like it would load any of those core Services libraries at runtime so you can use What's called the LA load Library command uh in the locker header to go tell it to go load your library problem is you don't know where your library is because you're in this randomly selected directory right as part of the sandbox you don't know where to look for your own Library um through some interesting reasons there's there's actually the loader that exists on iOS is almost a direct copy of
a loader that was used in OSS and there is a super old little trick that was used for OS X where there's some variables that are understood by the loader that tell you various things one of those variables is called executable tab and you can probably imagine what that is it tells you the path to your randomly selected directory now so just directly that you're not supposed to ever be able to guess you can just query the loader and say hey what's the path to my library and it will tell you uh we're going to come back to just how friendly the iOS loader is here in a second as well and so now you can query the loader you
can find the executable path to your binary that tells you the path to your own Library you pass that path to the LD load Library command you're in business right so now you um now you've run the swizzling or you run that iot address IAT booking and Now function call will be redirected into your library this this is great right uh success sort of right um the problem with that is that um that only works for the executable that was bundled in that Designer as I mentioned these apps are going to call into the core Services Library quite a bit apps aren't particularly useful unless they're doing interacting with the phone so now getting GPS coordinates getting
access to your address book getting access to your camera uh things like that so how do you book those uh core libraries well again the loader the iOS loader has this great little feature for you where you can register for a callback anytime it loads an additional Library so if you make sure that your library gets loaded first by the by the SQL any additional library that it loads it will your able to send you a call back to say hey I just loaded this other library and you can operate on that library before the execute whoever does anything with it if you'd like and so you register your own callback and that library is
loaded you run your quiz link code you run your IAT hooking code and now you booked the foundation framework libraries as well you've literally hooked the libraries that allow you to intercept GPS coordinates you've hooked the libraries that allow you to access the address book but only the instance of those libraries for that app okay so you're not crossing boundaries across apps yes there's some some other emerging research that along those lines you can probably see where that's that's going okay and so we built all this and this is just kind of an interesting anecdotal story that audiences only like we built all this not everything I've explained to you like I said three years
ago was impossible in fact if you were accounting there's six things that we did there that according to Apple were impossible and we were going to build a business on this right and it's kind of shaking around to go build a business on things that are impossible or not permitted by the vendor that you're you're active interfacing with so we went and met with apple and said you know hey guys here's what we're doing and uh we knew how this presentation was going to go so the day of our presentation very similar to this one with a little bit more detail uh in terms of how the things work and we just left it at PowerPoint and we
pretended like that was the end of the presentation and you know there's an Apple Guide you know one of the top architect security Architects said you know great presentation and all but everything just said is impossible and uh he said well that's cool uh because there's a demo part of this presentation too and we pulled an iPhone out that was completely un jailbroken we went to the Apple App Store and at that in that time everything that I described to you we were able to do as a SSL man in the middle between the device and the Apple App Store so we asked him to pick a nap went to the app hold it down
uh as the app is being downloaded from the App Store it was intercepted using Esco and middle attack the our library was injected into the app and it was finally installing the device he opened up the app and you know presented screen to him saying this app has been booked so we did this job back up off the floor we need to talk more about how to do it interestingly um a lot of what I just described to you is Now supported in iOS 8. so Apple has really backed off on this whole not possible sort of thing um I I don't really know why they were so um why they drunk or he wasn't saying so
bad on earlier on uh and why they're opening it up now so much but for whatever reason they've decided to support just about everything that I described to you uh in iOS 8 and all those little tricks the little things were hitting the loader are now publicly documented and they're out there there's still one thing that I described this presentation that is still theoretically impossible um that I've been doing a lot of detailing because that's like I said still the sort of the blue box to see yourself all right so that's cool we've got high of us right uh now we gotta do Android and in total pull this photographs but I can talk a little bit about what
happens here yeah very similar um layout from the from a hardware perspective the way the kernel the toross and your core Services exist within within Android you'll notice that the major missing piece there is a Sandbox and um if you believe that Android has a Sandbox uh you and I can arm wrestle without that uh after the presentation it really does not have a Sandbox um it's uh it basically is just using Linux permissions to subdivide processes which we know doesn't work uh on a desktop or laptop so why would it work on a mobile device but for some reason people are telling me to hope they don't apply them and then of course Android runs Java
apps and so instead of having a difficulty runtime you have your dollar VM or JDM or in the universe you'll have part the Android Android runtime um you'll see some correlations between what I described in Objective C and Java Java is not a late binding language the way object to C is it's just in time to compiled right so once you get down to the device is for all intents and purposes the source code of the ad obviously it's compiled in a Java byte code but if you've ever looked at Java by code the the Somali code is almost worth it um what you're seeing there and so it makes for the process of code injection
much easier than what I described with Memphis Grizzly and IIT booking there's several different techniques you can use you can use Simple class multiplication where because you have access to what is effectively the source code you can rewrite it and say instead of calling for location services location call Blue Box location right and and then when it goes through the just-in-time compiler it says okay I'm going to call the blue box location function there are some problems that come along with that um that are sort of outside the scope of this presentation but it's uh it's not 100 solution there are things you can do to work around that like aspect oriented programming or even just modifying the
DVM director um that's uh something that we actually do at blue box is uh from a from a say that app in the middle of the slide or in the middle of the diagram you can actually reach out to the other apps EDM and modify the way the way that it works and so you can reach out into that DVM and when it starts loading alternate class files into that app you can tell if you go load your class file instead of one of the things that's supposed to load right there at the evm layer and and that that is the basis of why I think we already know that there is because one app can reach out and modify
the EDM with another app that's not a sandbox um in fact my speakers sandbox yeah right all right so that is the principle of third-party app Rapids right so hopefully everybody sort of has at least a higher level understanding of how you can pull an app out of a third-party App Store whether it's the Apple App Store or the Android App Store and as you're installing that app on the device you can inject your own library on on iOS you can adjust inject your own class file on Android and at runtime how it is to be able to shim in and get access to to those um functions so I keep saying things like hooking functions or
intercept the calls location right well what what does that mean what what does that translate to now that you can redirect the function call actually what do you do with that right and so we talked a little bit about the average goals um for for third-party math wrapping an interesting one is data encryption right so if an app itself is calling read or write right so in my executive C code I wrote I wrote it up right the disk right we're right there to disk I'm going to use that library that I injected in at any time that developer now calls it right it's not going to call them right it's going to call into my library which
is the blue box right and what blue box right does and again this isn't a vendor pitch and just as an example we um encrypted it let me get rid of this right and then when the vendor when the app developer calls read to read that data from this instead of calling read it calls my read and then I D trip the data for you and the app never knows that it even happened right as far as the app developer knew that data under the disk I rented it doesn't have any idea what happened in between app Network tunnels right this one is awesome so what you can do here is when that developer wrote you know booted up
send or instead HTTP post whatever it is however they're sending network data you intercept that and say no we're not calling sin we're going to send the inner the injected version of sin and what you can do with that is if you've got something like say the Dropbox app that's going to post data up into the cloud and it's just going to go directly after the cloud from your device over your 3G network or 4G network whatever it is instead you say no no we're not gonna we're not going to call send we're going to call the injected version of send and we're going to reroute that traffic back to your Enterprise so that all that data runs through your network
DLP solution right so you can actually reroute the whole number screen and again from the app perspective it has no idea that that even happened right it just it's called send the data got sent that's all it comes um app Integrity right this one is a really nice thing you can do with looking you inject food right in before the app ever runs to say perhaps run out of a checksum on the app to see whether it was modified before the last since last time you ran it you run a check to see whether the device has been jailbroken before the app runs um you run a check to make sure that um all of the uh you know as I mentioned
the app will consist of the executable and all the images there's a lot of translation files that are just in there to make sure you know past all those translation files make sure that all of that is uh exactly the way that it should be so that you know the user goes to open an app and it's been tampered with uh they can stop that uh data sharing this is another great one um the API call to say you know when I want to open data in from one app to another app so I'm in Adobe Reader and I'll say I want to open it in Dropbox right you can intercept that file that allows that to happen and prevent it if
you want to so you can say you know no data is going to go from this wrapped and secured version of Adobe Reader into Facebook right it seems like a reasonable thing you can do and by all you have to do is intercept is open in books and instead of calling open in it calls your library your library just says I don't even know if this is no you know and then prevents it from happening all right so what are the pro what are the pros and cons of uh doing this um you can use any apps right this is a huge Pro um uh you can literally pull any apps out of the public IOS app store run this
process and it works and you can put it on any device and it works um we we give ridiculous demos to kind of prove this point where we'll wrap apps like
you can like design fashionable hats and stuff right which of course has nothing to do with Enterprise security but it really proves the point right that if you can wrap that out I mean you can wrap uh just about anything you can react it doesn't matter if they're free or paid
um
yeah yep we um we have done immense amount of research into deck start specifically and then on iOS there's a similar uh protection immense amount of research and um we have about a 60 to 70 success rate with those matches there are ones we just can't do right all right um it's very rare uh as you see the iOS version of that in the public App Store on Enterprise apps it's very common uh on Android it's hit or miss
all right um so the cons on that is it requires the app to be resigned right so we didn't talk a lot about the signing process of apps uh Apple App Store or Android apps but every app that ever makes it out into a public app store is signed by the original developer and signed by the the App Store itself okay and uh the signature verification is used as an Integrity check to make sure the app hasn't been tampered with since you downloaded so everything I described is tampering with the app right and so you have to resign there are ways that you can get around this for from an Enterprise security perspective there are really good ways
to get around this if you were trying to say attack just a a general user from an Enterprise security perspective Apple supports the use and so does Android uh or Google they support the use of what what we call Enterprise app stores where you can go fetch apps out of public App Store to make them available for your Enterprise users when that happens you're allowed to re-sign the apps that are distributed through those Enterprise app stores and so if you register for an Enterprise signing key you resign the app and then as you download it what you're getting is an Enterprise signed version of the app as opposed to a public App Store signed version of the
app this is a very minor con it's not a big deal it's not particularly hard to get a um an Enterprise signing key and all you have to you have to have a duns number uh and the United like I said three years ago before there was a blue box we got a dumps number we got our sign key we got this working uh so it's not a huge huge problem there is a significant maintenance overhead that comes with this as you can imagine developers do things in a zillion different ways and we typically categorize these into amazingly brilliant ways of doing things and amazingly stupid ways of doing things and there isn't a whole lot in between
and so when you're wrapping apps you have to predict for both uh ends of that Spectrum instead of developer just call them send and receive and clicking send and receive they might do something entirely different something they think is really creative and it might be or it might be something that is ridiculously dumb but from an app wrapping perspective you've got to support both and so it takes a significant amount of QA to be able to test those apps make sure your app wrapping isn't causing uh adverse effects to the assets you've that you've done all right so moving forward um Enterprise app wrapping this is the idea that you want to wrap an app that's
only distributed internally to your Enterprise um so like I said earlier you can break some of the rules because it doesn't have to go up to the public afterwards for verification it's often uses um third-party um apparatic techniques like I described and that one big slide that we sat on for 15 minutes it oftentimes uses that exact same technique it doesn't require the app to be re-signed you're only signing it using the process that you use to sign your internally developed apps and there's a couple of different ways you can do that that Apple supports if you if you're only intending to distribute your app internally you just have to go through that process again or you don't have to
go through the research process um the uh these apps these Enterprise apps that are developed are typically deployed using an MDM a mobile device management software or an internally developed Enterprise app or anything internally deploys Enterprise app store it's not always the case it doesn't it doesn't have to be that way I mean you can email someone an app and they can install it on their device but the majority of the time these apps are distributed using the NDM whatever Plus app store and it allows for the use of private apis okay so this is like this is massively important um on iOS there's all kinds of stuff exposed through what they call private apis and the only thing that makes them
private is that there's no documentation element and if they see you using them um when you submit your app for verification in the App Store dollars at this okay think back to what I said about efficacy though that all function calls happen by passing the string name of the function to the dispatcher okay so any any function that's available on iOS is available there by string name you can go find them you can just go read them an object to see function names for whatever reason they're always about 90 feet long with a huge description of what the function does and so finding these private apis is is very very easy and there's some amazingly dangerous
things you can do uh with those APS so I leave that as an exercise to the reader to go take a look at the tool class built if you're taking notes right down the classroom and go use that tool and you'll figure out how everybody's writing and uh and go figure out what you can do with that tool because there's some pretty amazing things you can do on iOS especially if you start thinking about what you could do with an app wrapping from an app wrapping perspective accessing private apis inside an Enterprise okay you can get let me put it this way uh it's public knowledge or RSA 2000 13. our CTO Jeff Forrestal demonstrated an app that recorded phone
calls off an iOS device which is impossible okay class number on iOS um okay so like I said it's very similar nature to what you saw with third-party app wrapping except you can break the rules okay the breaking the rules is a good thing and so um what would you want to do with Enterprise app wrapping um your goals are going to be pretty similar to what we saw with third-party app bracket because you're just deploying it internally except now you get a few extra things that you can do application management right so you cannot take your app and you can insert an MDM Library into an insert an MDM interface into it so that app can now be configured by
your MDM software so you're an MDM solution this is very commonly what people mean by after effects one of our biggest competitors out there you'll see versions of their app in the app store you'll see things like Dropbox for the given providers right this is what they're doing this will have to app wrapping to them this is what it means is that now if you go and install that app if you install Dropbox instead of you having to put in your username and password it comes all pre-configured from your mdn right that's a pretty nice feature a nice way to use to use a app wrap that's built in it you can now insert SSL pinning into an app do not
clear what a self-inning is it's a technique that's used uh really popularly in mobile apps and and again in some other places where uh effectively you take the half of the certificate that you're going to be presented back from the cell site and if you get a certificate of any other hash value you don't accept it you don't send a network traffic um uh this prevents management attacks um and so now you can insert that self-inning into your apps you couldn't do this if you were if you were rap and say the Dropbox app because Dropbox might change to a server there uh hosting you know what what a public back-end API this morning and might change the server
that's on they might rotate certificates things like that if you're not in sync with them if you try to inject SL Penny into that third party app you you would break it however since you're if you're dealing with Enterprise apps you do not do this because you control both ends of that communication if you want to roll certificates you can roll it in your app and Roll It on the server side and get a heck of a lot of uh then again sort of your your your uh the rest of your goals are the same as what you said so pros and cons of Enterprise app wrapping um a major Pro in Enterprise app wrapping over third cardiac wrapping is
now you integrated through the QA life cycle right so instead of grabbing Dropbox off the public App Store and hoping that the app wrapping work instead you're submitting a map internally to yourself to go get wrapped and then you run through your QA and it's the app wrapping throws something hopefully it'll be caught in your QA cycle um it's a a huge reduced development cost um I just described SSL painting and I can tell some folks in the audience uh hadn't heard of it or didn't know how know what it was and I can tell you if you're developers have no idea what it is and even if they do they do it wrong and so being able to provide Excel
things through an app wrapping interface uh creates a scenario where you don't have to train your developers on what SL painting is and how to do it correctly you just take a wrap run through the app wrapper and everything's fine again it allows to use the project apis um you're starting with an app that knows it's going to be wrapped okay Dropbox in the public app store has no idea that it's going to be wrapped you know and so the developers are doing aren't planning for that ahead of time and like I said they might be do something that's really amazingly intelligent or amazingly stupid and it makes rapping difficult if you know that you're going to get wrapped as you're
developing the code you can avoid those of those creative options right and we'll make sure that it's going to work it's also easier to debug because it's part of your process as a developer you can get integrated yeah I figure what's going on and on the client side it's only useful for internal apps this may not be the top uh the you may only be interested in the internet development apps for your for what you're trying to secure there are plenty of people that that's their own use case sdka-based app wrapping um basically sometimes it works just like third-party app wrapping it's just built into the compilation process so it's not really an sqk because developer
is not like interface two with it it's just built into the develop process and sometimes this distributor doesn't have development framework which is just a framework that you can include in in uh xcode and start you know interfacing with those apis that's not really wrapping that's just you know development right and what that would look like you know I'd use the example of uh right read and write so you would just train your developers instead of calling read and write you call you know read and write out of a secure SDK and you get a secure version um the SDK wrapping goals again same sort of thing that you would see uh with third-party app wrapping but this time
is completely built into your app it's not bolted onto the app after the fact it's built into your app um and so again if you get all the benefits of integrating the QA process it's easier to debug things like that um it's the only process that's applicable for apps that you want to wrap and then distribute through the public app stores okay so think about that um when we when we wrap pass you inject the library into the app you cannot send that up to the public App Store anymore don't reject it so if you want to wrap an app and send it to public App Store so if you are some big bank and you are
in your bank app you know the banking app that you sent out to your to the general public can get tens of millions of users if you want wrapping technology that I have you have to use an sdk-based approach to send it to the ad lab store this may change with iOS 8 because of their relaxed approach to um to uh diameter libraries we don't really know for sure yet um the cons uh there's there's some maintenance overhead a lot of folks that we talk who don't want to train their developers on how to use an SDK right their developers are already being bombarded with nine different sdks that they're told to use and they forget to
use eight of them and this is just a 10. so it's it's uh somewhat somewhat difficult and uh you cannot use again you can't use prime apis for any apps that are distributed to the public um there's a major con that's sort of missing off this list as well that I'm going to cover is like a um at times on Slide Can we talked a little bit about in third-party app wrapping that when you inject a library and it's only applicable to the actual base executable itself that's also true for sdk-based applications right when you import a secured version of read and write it's only being held from your library you're not controlling how this
Foundation framework libraries so truly the real approach this is a hybrid technique where you'll see folks allow for the integration of a framework and the development Supply cycle and then using some sort of dynamic Library injection for the Frameworks that exist uh that they're calling to all right any questions stuck is that your first legal issues have you guys run into um modifying third-party application red button you earn a long-range Wi-Fi adapter courtesy of alpha Network I'll just put it up here so that is uh the first question we always get legally what what's the importance here or what how does it how does is very specific that um if you're acting in their language if you're
acting as an agent on behalf of another Enterprise customer to download an app you're allowed to do that you can go download an app on behalf of them and put it in an Enterprise App Store and resize it and distribute it to them so so the retrieval and distribution of apps is totally within the Apple flights agreement where things get a little fuzzy is when you start injecting code into the app app will completely uh removes themselves from that equation altogether they say that that's between us and the app vendor okay so uh app vendors of course we'll use the software template utilities that you've seen before no reverse engineering or modification which basically means that every
antivirus post entry prevention system that's ever been invented is in violation of you know thousands and thousands of viewers and so we're in exactly the same boat right where you've got all these apps and applications that run on your desktop laptop say you can't inject code into us but every antivirus and host nutrition prevention system in the world does it and you know so there's kind of Precedence it says that from from security point of view you know there's a lot of gray area in terms of how that's going to be enforced or not we um we don't hide what we do in our craft dumps or in our debug logs or any sort of Stack trace the developer
that we've inject our library into we made it very plain today that we are there we have had some phone calls so hey guys please stop doing this and in some cases we hit stop in some cases we told them to apply tight uh just kind of depending on the nature of what's going on there um but uh but generally speaking um uh people aren't too worried about what you're doing once you actually explain the process um could you use that SSL injection to uh I've got a third-party app to say man in the middle pathway special yeah that's going out yeah um you could have um in iOS 7 they started SLK in the App
Store and we'll take credit for that uh yeah they uh they thought they were still getting the app store um in iOS five and six and they worked and so now they are they're very very strict about about it and so so you know you know yeah have you guys do software security code views on your wrappers like a big concern I would have would be if you were going to modify the data that would be passed around if you put for something for example if the app didn't do infants yeah and you guys put in the value for a big use for the value of beyond that you're bypassing they're they're checking if they're reviewing it
right um you could craft something on the back is there any concerned about um that you guys do any sort of I guess
great question um uh we do we do a lot of internal auditing um everyone at Blue Box comes from a security background our um our CTO is Jeff worth it all also known as rainforest puppy uh literally invented SQL injections so we've got some pretty good staff on hand for those audits but we also know that that's not good enough for most customers so we've actually the blue box has been through three external uh pen tests and code Audits and they haven't found stuff right um and so that's all been corrected and uh it's an ongoing processing it's extremely seriously our background Heritage because for exactly the reasons foreign
Related talks
51:37
30:27
55:35
51:32
51:33
41:33