As soon as users of mobile devices began to trust “sensitive” information to their smartphones and tablets, curious people appeared who wanted to use it, including for personal gain. At first it was personal information – photos, bank card pin codes, accounts for entering various services, etc.
Corporate Mobile Security
Later, with the beginning of using mobile devices for corporate needs, lovers appeared to take advantage of corporate secrets that users leave in the mail, files viewed and not deleted, browser caches, temporary application files. For their convenience, tools have also been developed to take advantage of what is not protected on mobile devices.
In contrast, they are being developed mobile security. But due to the peculiarities of mobile operating systems, it turned out that simply porting security tools from under Windows and Linux is either impossible or inefficient. For example, an antivirus was forced to work in the same “sandbox” as a regular application. Accordingly, it was almost impossible to scan applications or delete even those to which there was access and in which the malware was detected without the help of the user. And if it was possible for a private user who started scanning on his own to get permission to delete the malware, then with corporate users everything is more complicated. Scanning for them must be started centrally: either by schedule or by administrator command. The likelihood that the device will be in the hands of the user, and he will quickly figure out the answer, is small. Therefore, for full-fledged operation, the device had to be transferred to the access mode of the “superuser” rights. And that in itself was unsafe.
As a result, manufacturers of mobile platforms began to expand the capabilities of their APIs, adding support for security features. There was an understanding that the approach with complete isolation of applications (from each other) does not provide the necessary protection against possible attacks and does not allow the protection tools to get the access they need to the file system and software distributions. In addition, the need to use hundreds and thousands of corporate mobile devices in business has necessitated the development of mobile device management systems and / or related protocols.
Along with the development of mobile device management systems, “mobile” antiviruses have begun to appear, capable of scanning and removing malware. Although, in fairness, it should be noted that system applications were still inaccessible to them. Developing and competing, anti-virus developers began to introduce heuristic search algorithms to detect zero-day attacks, use databases of dangerous sites, check kernel versions, firmware, applications, etc. Also, a detailed analysis of application software distributions for vulnerabilities and certificates used has been developed. Unfortunately, all analysis results obtained in this way cannot be used without the participation of the administrator. And the administrator, knowing that a self-signed certificate is used, can not do anything about it, unless the necessary financial resources are allocated otherwise. Therefore, most of the information obtained as a result of such monitoring remains unclaimed or is used ex post to explain the causes of information leakage.
Mobile threat defense
Preventing corporate users from getting bored and realizing the practical value of various security measures, vendors today compete among themselves in the “steepness” of algorithms for analyzing information about threats to mobile devices. This functionality is called Mobile Threat Defense (MTD).
Due to the peculiarity of mobile devices, information received from MTD often remains in the “note” status, if only because developers of OS for mobile devices very rarely issue updates. The reason is that the production time for a particular device model is about a year. Correcting vulnerabilities and sending updates to devices that will soon be discontinued is not profitable. Due to competition, manufacturers are forced to take a different approach. They release a new device with new firmware, in which they try to take into account the problems identified. At the same time, there will be new vulnerabilities in them, which will also not be fixed until the release of a new device with a new OS.
Development mobile security technologies goes in such a way that gradually all the protection and management functions of mobile devices will be implemented within the framework of mobile device management systems, called Unified Endpoint Management (UEM). This does not seem to be accidental. The most sought-after functionality on mobile devices is security management based on policies and teams, and application distribution. Everything else became part of UEM as the development of MDM as a result of competition between manufacturers. To compete on the basis of the same for all MDM APIs provided by mobile platforms can be very limited within the framework of different approaches of providing them to the system administrator, a set of reports and an interface convenience.
And now, when all this has been exhausted, the implementation of functions that have a weak relation to the practical needs of end consumers begins.
Over the past few years, the Gartner analytic agency, known for its “magic quadrants,” has also turned its attention to MTD systems. We reviewed the 2019 Market Guide for Mobile Threat Defense report. Further in the text – squeezes and analysis of the contents of the report.
At the beginning, it is noted that the validity of the declared MTD functions in terms of protection against attacks requires verification (they so carefully called marketing fantasies):
“Even though MTD vendors express confidence in being able to detect and counter advanced attacks, Gartner has yet to see evidence in the field”
Further, Gartner draws attention to the fact that now MTD functions are offered either by UEM manufacturers, which have historically developed from device management (MDM) to servicing all mobility in the “single window” mode, or manufacturers of mobile antiviruses that can only signal vulnerabilities, but in the absence of functions MDM cannot do anything with them without user intervention.
Not being MDM solutions and not being able to remove malware from the device or remotely reset the device to the factory settings, mobile MTD solutions found an interesting way out. Part of the MTD manufacturers proposes to put their own VPN client on the device, which, if an attack is detected, wraps the traffic addressed to the corporate network back to the device. This technique was called blackholing. In our opinion, the defense is more declarative than real. If access to the Internet is saved on the device, then it will not receive malware access to the corporate network, but it will transmit everything it wants to the attacker’s server.
The functions offered by MTD can be reduced to the following set:
1. Checking versions and builds of Android in public vulnerability databases.
It is more informational in nature, since the general recommendation to regularly update the OS for non-top Android devices is not good – the support period is too short.
2. Tracking insecure network activity – monitoring the availability of certificates with weak encryption or self-signed certificates, monitoring the connection to Wi-Fi networks without encryption or with weak authentication.
In fact, you need to ensure that there is a VPN on the device (then no Wi-Fi ___ 33 is scary) and make sure that the self-signed certificates are only from the internal certification authority. The rest must be deleted or blocked using UEM.
3. Monitoring the presence of malware / grayware. Scanning applications for anti-virus databases with the ability to send the distribution to the server for detailed analysis. Plus behavioral analysis aimed at checking for unsafe or excessive privileges.
Sometimes there is no malware in the application, but it is simply written crookedly. Such applications may request all permissions “in reserve” and then, for example, the Gallery application will request access to the call and SMS log. Such potentially vulnerable applications are called grayware. It’s useful for the UEM admin to have a tool to quickly test applications before distributing them. In the absence of such a tool, applications are not checked in fact.
4. Control of signs of hacking (jailbreak, root).
Everyone understands that a hacked device is a hole in information security. Hacking verification functions are available in almost every UEM solution, often found in client banks. Methods and libraries, including with open source, are enough. MTD solutions do not add anything new to this.
5. Analysis of network traffic. Most often, using traffic redirection to the MTD server for analysis.
Using UEM capabilities, you can enable global HTTP proxies on devices and direct all web traffic to existing corporate gateways without the need to purchase additional MTD analyzers.
6. Protection against phishing links in mail, SMS, instant messengers, QR codes, etc. The main purpose of phishing is to steal user accounts. This is a field of activity for antivirus and MTD, because UEM manufacturers have never done this.
The main conclusion in the report is the assertion that it makes no sense to implement MTD until the basic level of corporate mobility security is ensured, which is ensured by the following rules:
1. Use of current versions of mobile OS.
In fact, this is a requirement for the purchase of new mobile devices with the latest versions of operating systems. There are still new devices with Android 6 on the market.
2. Denying access to “patched” devices with custom recovery, a busy busy box built-in, or the ability to obtain root rights via adb …
This, alas, is sometimes found even on mass-produced smartphones.
3. Permission to install applications only from official stores and corporate storage.
4. Ban jailbreak / root and unlocked bootloader.
5. Application of password policies.
A lost / stolen device without a password is the dream of any hacker.
6. Reset to factory settings when the device is lost / stolen.
It is difficult to disagree with this, especially since the Russian corporate market does not always meet these seemingly obvious requirements. On the public procurement website, there are regularly lots for the supply of devices with irrelevant Android along with VPN and antivirus that can not provide a basic level of protection.
We sincerely hope that over time, the use of UEM on mobile devices in Russia will become as integral an attribute of security as antivirus for Windows. And there, you look, and funds will remain on MTD …