Mobile Device Protocol


Dec 10, 2013



Sunil Vallamkonda

11/19/2012

Previous topics

- Security: AAA RADIUS, IPSec etc.
- Virtualization
- Cloud Technologies

Contact: sunil_vall@yahoo.com


Discussion

- Introduction
- Concepts
- Trends
- Q&A

Do not cover:

- Protocol Specifications
- Vendor details
- Certificates

Background

- Has existed by vendors: MS update, Sicap
- Client-Server based technology.
- Application protocol.
- Brings features as:
  o Updates: remote configuration/provision, backup.
  o Monitor: license, troubleshoot and diagnose.
  o Accounting: logging and reporting
  o Tracking: GPS and bread crumb mapping.




History

Approaches

- Vendor specific: Smart Message text, NOK-ERIC OTA, etc.
- OMA groups: CD, inter-op, DM, etc.
- Models: SaaS, On-site, mixed.
- BYOD: Hybrid employee/corporate mix.



Vendors

- APPLE: APNS
- Android: Google: C2DM
- AirWatch: ActiveSync
- BlackBerry: Push

Availability:

- Specs
- APIs
- Implementation
- Reference deployments

Vendors (contd)



Competition

BYOD

- From recent AT&T survey: “40% of small business employees use smartphones for work and two-thirds use tablets…”
- BYOD survey (source: Ponemon Institute): 51% of Organizations lose data through mobile devices.

IPCU

Challenges

- Centrally Manage
- Security: BYOD identity, access rights, privileges, etc.
- Scalability: Apps, Devices, Users.
- Complexity: Policies
- Vendor Variances: iOS, Android, ActiveSync, Windows Phone, BlackBerry etc.
- Enterprises: requirements and use case life cycles.
- Roles, multi-tenants.
- Compliances!

Process

Packet

Check-in

Pkt Trace

Trace (contd)

Push Notification

The device must match three items for a push notification to trigger an MDM response, viz:

- The Device Token (without which the notification will never reach the device), and
- the Push Magic token (without which the MDM client will just discard the notification).
- Finally, the “Subject Name / User ID” field in the push notification certificate used to sign the notification must match the “Topic” field in the MDM profile.

Schema

Device-MDM Notif (contd)

Command sequence

Commands

First, Device must make persistent connection to APNS Server. Then for every MDM server command:

[Diagram: iOS MDM commands sent as a plist, with a plist response from the device]
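The three-item match from the Push Notification slide and the plist command/response sequence above, modelled in Python as an added example (not code from the original deck). It assumes the APNs payload carries the PushMagic under the "mdm" key, that the push certificate's topic is the UID component of its subject, and that CommandUUID, RequestType and Status are the plist keys exchanged; all sample values are constructed.

```python
import plistlib
import uuid
from dataclasses import dataclass


@dataclass
class EnrolledDevice:
    """What the MDM client learned at enrollment/check-in (constructed values in tests)."""
    token: bytes      # APNs device token reported at check-in
    push_magic: str   # PushMagic reported in the same check-in
    topic: str        # Topic field from the installed MDM profile


def push_cert_topic(subject: str) -> str:
    """Read the UID= component of the push certificate subject (assumed DN layout)."""
    fields = dict(part.split("=", 1) for part in subject.split(",") if "=" in part)
    return fields.get("UID", "")


def accepts_push(device: EnrolledDevice, delivered_token: bytes,
                 payload: dict, cert_subject: str) -> str:
    """Apply the three checks from the slide; return 'checkin' or the reason the push is dropped."""
    if delivered_token != device.token:
        return "not delivered: token mismatch"       # APNs never reaches this device
    if payload.get("mdm") != device.push_magic:
        return "discarded: PushMagic mismatch"       # MDM client silently drops it
    if push_cert_topic(cert_subject) != device.topic:
        return "discarded: topic mismatch"           # cert UID must equal profile Topic
    return "checkin"                                 # device now contacts the MDM server


def build_command(request_type: str) -> bytes:
    """Server side: one MDM command as an XML plist, e.g. RequestType DeviceLock."""
    cmd = {"CommandUUID": str(uuid.uuid4()), "Command": {"RequestType": request_type}}
    return plistlib.dumps(cmd)


def command_uuid(command_plist: bytes) -> str:
    return plistlib.loads(command_plist)["CommandUUID"]


def build_response(command_plist: bytes, status: str = "Acknowledged") -> bytes:
    """Device side: the plist response echoes CommandUUID together with a Status."""
    return plistlib.dumps({"CommandUUID": command_uuid(command_plist), "Status": status})


def parse_response(response_plist: bytes) -> dict:
    return plistlib.loads(response_plist)
```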

Device Lock

iOS security model

iOS Keybag

Example: File key wrapping (iOS)

Sample: Evil Maid attack

Specs

- For PUSH: Apple: gateway.push.apple.com port 2195
- Devices: TCP port 5223
- MDM port: defined by MDM profile


MDM limitations

- User can terminate MDM relationship.
- Multi-user model not supported.
- Jailbreak cannot be detected.
- Location service not available.
- App features very minimal.
- Security: command auth optional, accepts any cert with trusted root, etc.
- Malware install attacks: push webclip, etc., DoS attacks.
- Delays and bugs and etc.
- MDM profile issues…
