Transcript MDP - OpenLoop.com

Mobile Device Protocol
Sunil Vallamkonda
11/19/2012
Previous topics
• Security: AAA RADIUS, IPSec etc.
• Virtualization
• Cloud Technologies
Contact: [email protected]
Discussion
•
•
•
•
Introduction
Concepts
Trends
Q&A
Do not cover:
• Protocol Specifications
• Vendor details
• Certificates
Background
•
•
•
•
Has existed by vendors: MS update, Sicap
Client-Server based technology.
Application protocol.
Brings features as:
o Updates: remote configuration/provision, backup.
o Monitor: license, troubleshoot and diagnose.
o Accounting: logging and reporting
o Tracking: GPS and bread crumb mapping.
History
Approaches
• Vendor specific: Smart Message text, NOKERIC OTA, etc.
• OMA groups: CD, inter-op, DM, etc.
• Models: SaaS, On-site, mixed.
• BYOD: Hybrid employee/corporate mix.
Vendors
•
•
•
•
APPLE: APNS
Android: Google: C2DM
Air-watch: ActiveSync
Black berry: Push
Availability:
- Specs
- APIs
- Implementation
- Reference deployments
Vendors (contd)
Competition
BYOD
• From recent AT&T survey: “40% of small
business employees use smartphones for
work and two-thirds use tablets…:
• BYOD survey: (source: Ponemon Institute):
51% of Organizations lose data through
mobile devices.
IPCU
Challenges
•
•
•
•
•
Centrally Manage
Security: BYOD identity, access rights, privileges, etc.
Scalability: Apps, Devices, Users.
Complexity: Policies
Vendor Variances: iOS, Android, ActiveSync, Windows
Phone, Black berry etc.
• Enterprises: requirements and use case life cycles.
• Roles, multi-tenants.
• Compliances !
Process
Packet
Check-in
Pkt Trace
Trace (contd)
Push Notification
• Device needs to have match three items in order
for a push notification to trigger an MDM
response, viz;
• The Device Token (without which the notification
will never reach the device), and
• the Push Magic token (without which the MDM
client will just discard the notification).
• Finally, the “Subject Name / User ID” field in the
push notification certificate used to sign the
notification must match the “Topic” field in the
MDM profile.
Schema
Device-MDM
Notif (contd)
Command sequence
Commands
First, Device must make persistent connection to
APNS Server. Then for every MDM server
command:
plist
iOS MDM commands
plist
plist response
Device Lock
iOS security model
iOS Keybag
Example: File key wrapping (iOS)
Sample: Evil Maid attack
Specs
• For PUSH: Apple: gateway.push.apple.com
port 2195
• Devices: TCP port 5223
• MDM port: defined by MDM profile
MDM limitations
•
•
•
•
•
•
User can terminate MDM relationship.
Multi-user model not supported.
Jailbreak cannot be detected.
Location service not available.
App features very minimal.
Security: command auth optional, accepts any cert
with trusted root, etc.
• Malware install attacks: push webclip, etc., DoS
Attacks.
• Delays and bugs and etc.
• MDM profile issues…
References
•
•
•
•
•
•
•
•
•
•
•
http://www.openmobilealliance.org/
http://developer.apple.com/
http://zdnet.com
http://www.interpidusgroup.com/
http://developers.google.com/
http://enterpriseios.com
http://ey.com
http://samsung.com
http://google.com
http://microsoft.com
http://shmoocon.org/