Mobile Device Protocol

Sunil Vallamkonda11/19/2012

Previous topics

• Security: AAA RADIUS, IPSec etc.• Virtualization• Cloud Technologies

Contact: sunil_vall@yahoo.com

Discussion

• Introduction• Concepts• Trends• Q&A

Do not cover:• Protocol Specifications• Vendor details• Certificates

Background

• Has existed by vendors: MS update, Sicap• Client-Server based technology.• Application protocol.• Brings features as:

o Updates: remote configuration/provision, backup.oMonitor: license, troubleshoot and diagnose.o Accounting: logging and reportingo Tracking: GPS and bread crumb mapping.

History

Approaches

• Vendor specific: Smart Message text, NOK-ERIC OTA, etc.

• OMA groups: CD, inter-op, DM, etc. • Models: SaaS, On-site, mixed.• BYOD: Hybrid employee/corporate mix.

Vendors

• APPLE: APNS• Android: Google: C2DM• Air-watch: ActiveSync• Black berry: Push

Availability:- Specs- APIs- Implementation- Reference deployments

Vendors (contd)

Competition

BYOD

• From recent AT&T survey: “40% of small business employees use smartphones for work and two-thirds use tablets…:

• BYOD survey: (source: Ponemon Institute): 51% of Organizations lose data through mobile devices.

IPCU

Challenges

• Centrally Manage• Security: BYOD identity, access rights, privileges, etc.• Scalability: Apps, Devices, Users.• Complexity: Policies• Vendor Variances: iOS, Android, ActiveSync,

Windows Phone, Black berry etc.• Enterprises: requirements and use case life cycles.• Roles, multi-tenants.• Compliances !

Process

Packet

Check-in

Pkt Trace

Trace (contd)

Push Notification

• Device needs to have match three items in order for a push notification to trigger an MDM response, viz;

• The Device Token (without which the notification will never reach the device), and

• the Push Magic token (without which the MDM client will just discard the notification).

• Finally, the “Subject Name / User ID” field in the push notification certificate used to sign the notification must match the “Topic” field in the MDM profile.

Schema

Device-MDM

Notif (contd)

Command sequence

Commands

First, Device must make persistent connection to APNS Server. Then for every MDM server command:

plist

iOS MDM commands

plist

plist response

Device Lock

iOS security model

iOS Keybag

Example: File key wrapping (iOS)

Sample: Evil Maid attack

Specs

• For PUSH: Apple: gateway.push.apple.com port 2195

• Devices: TCP port 5223• MDM port: defined by MDM profile

MDM limitations

• User can terminate MDM relationship.• Multi-user model not supported.• Jailbreak cannot be detected.• Location service not available.• App features very minimal.• Security: command auth optional, accepts any cert with

trusted root, etc.• Malware install attacks: push webclip, etc., DoS Attacks.• Delays and bugs and etc.• MDM profile issues…

References

• http://www.openmobilealliance.org/• http://developer.apple.com/• http://zdnet.com• http://www.interpidusgroup.com/• http://developers.google.com/• http://enterpriseios.com• http://ey.com• http://samsung.com• http://google.com• http://microsoft.com• http://shmoocon.org/