6.3. How to Get Out of an InPrivacy Jail
By Yury Chemerkin, June 7, 2014 (slide deck)

Page 1: Title slide

Page 2: About the author

Multiskilled security researcher. Experienced in: reverse engineering and AV, development (in the past); mobile security, incl. IAM, MDM, MAM, etc.; cyber security and cloud security (incl. IAM); IAM, compliance and forensics for mobile and cloud security; writing (STO blog; Hakin9, PenTest and eForensics magazines).

Conference participation: InfoSecurity Russia, NullCon, AthCon, CONFidence, PHDays, Hacker Halted, DEFCON Moscow, Hacktivity, HackFest, NotaCon, HackMiami; CyberCrime Forum, Cyber Intelligence Europe / Intelligence-Sec, DeepINTEL; ICITST, CTICon, ITA, i-Society.

Yury Chemerkin: linkedin.com/in/yurychemerkin, http://sto-strategy.com, [email protected]

Page 3: Agenda ("Wild animals: Animal Planet")

- Wild animals :: mobile apps
- Wild tools :: forensics tools, data/backup tools
- Wild security concepts :: data protection concepts, best practices
- Wild environment :: OS: iOS, Android, BlackBerry
- Wild security solutions :: OS security, MDM, MAM, MIM solutions
- State of facts :: mobile data application report: BlackBerry, iOS, Android
- Recommendations :: MAM, development advice, etc.
- Other salvation ideas :: Blackphone

Pages 4-6: Forensics capabilities on application data access (image-only slides; only the caption was extracted)

Page 7: Data protection concepts

Type | Roots (what the protection depends on)
Data-at-Rest (DAR) protection | depends on the sandbox and file-system architecture
Data-in-Use (DIU) protection | more about the developer's imagination
Data-in-Transit (DIT) protection | mix of the two previous, with regard to the whole device
Data-in-Motion (DIM) protection (~DIT) | like DIT, but depends on the app
Data-in-Action (DIA) protection (~DIU) | OS API and the developer's imagination
App disablement (similar to DIU and DAR) | rule-based policies, outside of development activity
Location masking (similar to DIT/DIM) | policies plus DIM/DIT characteristics

Page 8: Storing information on the device :: iOS data-at-rest specifics

Storage | What ends up there
SQLite | any type of data
Binary cookies | depends; usually credentials, tokens
Keyboard cache | auto-correction word list (around 600 entries)
Snapshot storage | any preview info, e.g. an email from a bank
File cache | attachments, files from clouds, etc.
Error logs | any data, even credentials
iCloud | all data is backed up to the cloud, even credentials

Page 9: Storing information on the device :: Android data-at-rest specifics

Where and what is stored under /data/data/<package>/…:

Subdirectory | What ends up there
App | analytics, dumps, misc
Cache | uploaded/downloaded files
Databases | history, chat, bank info
Files | attachments, crypto keys
Shared_prefs | credentials, tokens, history

How it is stored:
- Shared preferences (lightweight XML format)
- Internal storage (/data/data/ plus shared docs and media)
- External storage (cache, debug, DB, maps)
- SQLite (DB, discussed earlier)
- Network (logs/events, datestamps, credentials)
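The layout above is what a forensic triage walks through. As an added example (not the author's tooling, and not tied to any real app), the Python script below takes a pulled copy of /data/data/<package>/ and reports what pages 8 and 9 say leaks: credential-looking keys in shared_prefs XML, sensitive columns in SQLite databases, log lines holding passwords, and cached images identified by their JFIF magic bytes rather than by file name. The package name com.example.chat, the key-name regex and every sample value are constructed for the demo.

```python
"""Triage of a pulled Android app data directory (/data/data/<package>/) for
sensitive data at rest: shared_prefs XML, SQLite databases, cached files
recognised by magic bytes, and plaintext logs."""
import os
import re
import sqlite3
import tempfile
import xml.etree.ElementTree as ET

# Key and column names that usually carry credentials or tokens (assumed list).
SENSITIVE = re.compile(r"pass(word)?|pwd|token|secret|auth|session|api_?key|credential", re.I)

# Magic bytes of content that apps cache without a telling extension.
MAGIC = {
    b"\xff\xd8\xff\xe0\x00\x10JFIF": "jfif image",  # FFD8FFE000104A464946, as on the BBM slide
    b"SQLite format 3\x00": "sqlite database",
    b"%PDF": "pdf",
}

def sniff(path):
    """Classify a file by its first bytes, ignoring its name."""
    with open(path, "rb") as f:
        head = f.read(16)
    for magic, label in MAGIC.items():
        if head.startswith(magic):
            return label
    return "other"

def scan_shared_prefs(path):
    """shared_prefs/*.xml is a flat <map> of <string name=...>value</string> entries."""
    hits = []
    for el in ET.parse(path).getroot():
        name = el.get("name", "")
        if SENSITIVE.search(name):
            hits.append((name, el.text if el.text is not None else el.get("value", "")))
    return hits

def scan_sqlite(path):
    """Dump every column whose name looks sensitive, from every table."""
    hits = []
    con = sqlite3.connect(path)
    try:
        for (table,) in con.execute("SELECT name FROM sqlite_master WHERE type='table'"):
            for col in [r[1] for r in con.execute(f'PRAGMA table_info("{table}")')]:
                if SENSITIVE.search(col):
                    hits += [(f"{table}.{col}", v) for (v,) in con.execute(f'SELECT "{col}" FROM "{table}"')]
    finally:
        con.close()
    return hits

def scan_log(path):
    """Log lines mentioning passwords/tokens (page 8: error logs hold 'any data, even credentials')."""
    with open(path, errors="replace") as f:
        return [line.rstrip("\n") for line in f if SENSITIVE.search(line)]

def triage_app_dir(root):
    """Return {'prefs': [...], 'db': [...], 'log': [...], 'cache': [...]} for the tree under root."""
    findings = {"prefs": [], "db": [], "log": [], "cache": []}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            kind = sniff(path)
            if os.path.basename(dirpath) == "shared_prefs" and fn.endswith(".xml"):
                findings["prefs"] += scan_shared_prefs(path)
            elif kind == "sqlite database":
                findings["db"] += scan_sqlite(path)
            elif fn.endswith((".log", ".txt")):
                findings["log"] += scan_log(path)
            elif kind != "other":
                findings["cache"].append((os.path.relpath(path, root), kind))
    return findings

def build_sample_app_dir():
    """Constructed sample tree with fake data for a hypothetical package com.example.chat."""
    root = tempfile.mkdtemp(prefix="com.example.chat-")
    for sub in ("shared_prefs", "databases", "cache", "files"):
        os.makedirs(os.path.join(root, sub))
    with open(os.path.join(root, "shared_prefs", "com.example.chat_preferences.xml"), "w") as f:
        f.write('<?xml version="1.0" encoding="utf-8" standalone="yes" ?>\n<map>\n'
                '    <string name="auth_token">eyJhbGciOi.sample.token</string>\n'
                '    <string name="country_code">7</string>\n'
                '    <boolean name="upload_over_cell" value="true" />\n</map>\n')
    con = sqlite3.connect(os.path.join(root, "databases", "msgstore.db"))
    con.execute("CREATE TABLE account (phone TEXT, password TEXT)")
    con.execute("INSERT INTO account VALUES ('+70000000000', 'hunter2')")
    con.execute("CREATE TABLE messages (ts INTEGER, body TEXT)")
    con.execute("INSERT INTO messages VALUES (1383060689, 'still on the way to the metro')")
    con.commit()
    con.close()
    with open(os.path.join(root, "cache", "photo_1383731771908"), "wb") as f:  # no extension
        f.write(b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + b"\x00" * 32)
    with open(os.path.join(root, "files", "app.log"), "w") as f:
        f.write("2013-11-07 12:40:00 login ok user=+70000000000 password=hunter2\n"
                "2013-11-07 12:40:01 synced contacts: 312 entries\n")
    return root

if __name__ == "__main__":
    for kind, items in triage_app_dir(build_sample_app_dir()).items():
        print(kind, items)
```

On a real device you would run `adb pull /data/data/<package>` (root or a debuggable build needed) and point triage_app_dir() at the copy; the magic-byte check is what catches the renamed or extension-less cache files the slides keep finding.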

Page 10: Storing information on the device :: BlackBerry data-at-rest specifics

BlackBerry backup
  What :: apps, app data, app config, all documents, etc.
  How :: ElcomSoft, or any other tool that works with BB backups

Shared folders
  What :: docs, media; backups that include credentials may end up here
  How :: live access, spyware; rarely encrypted

Remotely accessed data
  What :: the entire device plus SD card
  How :: BlackBerry Link has to authorize the PC before it gains access

Android application data files (Android apps run on BlackBerry 10 through its Android runtime)
  What :: cached files, anything else an Android app stores
  Where :: Device/misc/android/Android/data
  How :: like shared folders or remote access

Misc tracks
  Where :: Device/Misc
  What :: misc files, backups such as WhatsApp's
  How :: like shared folders or remote access

Device/Android (except Android data)
  What :: any data Android and Android apps usually store on the SD card
  How :: like shared folders or remote access

The rest of the data is protected unless you get access to a backup or find a way to root/jailbreak the OS.

Page 11: EMM features :: vendors (image-only slide)

Page 12: EMM framework

EMM (Enterprise Mobile Management) for devices (smartphones, tablets):
- MDM: Mobile Device Management
- MAM: Mobile Application Management
- MEM: Mobile Email Management
- MIM: Mobile Information Management

3rd-party solutions around EMM:
- NAC: Network Access Control (management)
- AV: antivirus solutions
- Mobile SIEM: log management solutions
- DLP: Data Leakage Prevention
- Compliance: standards, best practices, guidelines, etc.

Page 13: EMM features :: MDM

- Password protection and reset
- Remote and selective device wipe
- Remote lock
- Set VPN, Wi-Fi, APN, proxy/gateway settings
- Configuration monitoring/auditing
- Automated provisioning/enrollment
- Disable basic features (camera, Bluetooth, Wi-Fi, NFC, cellular, etc.)
- Manage mobile-attached devices (e.g. printers, scanners)

Page 14: EMM features :: MAM

- Full-featured enterprise app store
- Containerization/sandboxing
- App containerization using a developer SDK/toolkit, or app wrapping
- Block copy/paste between apps, from email, etc.
- Restrict which apps can open a given file
- App inventory tracking / usage monitoring
- Remote desktop access to apps and data on a desktop from the mobile device

Pages 15-16: EMM framework :: MEM solutions / MIM solutions (the same framework diagram as page 12, with MEM and then MIM highlighted)

Page 17: Mobile device security environment

- Secure bootloader
- System software security (updates)
- Application code signing
- Runtime process security (sandbox, APIs)
- Hardware security features
- At-rest protection
- In-transit protection (SSL, TLS, VPN)
- Passcode protection
- Centralized application distribution
- Settings delivery (permissions, configurations)
- Remote management
- Log collection

Spot the difference between the platforms: no difference, right?

Page 18: Know your apps :: 3rd-party reports, affected platforms (image-only slide)

Page 19: Appthority report highlights (App Reputation Report, Winter 2014)

- 91% of iOS apps exhibited risky behaviors
- 83% of Android apps exhibited risky behaviors
- 70% of iOS and Android apps allow location tracking
- 56% of iOS and Android apps identify the user's device ID (UDID)
- 58% of free Android apps share data with ad networks
- 24% of paid Android apps share data with ad networks
- 31% of free apps access the user's contact list or address book
- 22% of paid apps access the user's contact list or address book

Page 20: Know your applications :: affected platforms (image-only slide)

Page 21: Know your applications :: features vs privacy, built-in apps (chart values)

Email 73%; Messages 85%; Calendar 76%; Contacts 95%; Notes 89%; Calls 93%

Page 22: Know your applications :: features vs privacy, IM apps (chart values)

Kik Messenger 79%; Viber 87%; WhatsApp 85%; Hangouts 80%; Yahoo Messenger 75%; Skout 76%; WeChat 78%; BBM 86%; Facebook Messenger 87%; Lync 61%

Page 23: Application examination (only those I have to use every day) :: forensics examination, IM app (app not named on the slide)

Account :: country code, phone number; login/tokens (Facebook: wasn't revealed); status text 'Buy me for….$$$'; avatars :: [email protected] (JFIF)
Address book :: no address-book records were revealed… but check the log file and you find these records (!)
Messages :: date and time, message content, ID :: [email protected], attachments (as is)

Page 24: Application examination :: forensics examination, Viber

Account :: country code, phone number, device hardware key, login/tokens of Twitter and Facebook
Calls history :: name + internal ID, duration + date and time
Address book :: number of contacts / Viber contacts; full name / email / phone numbers
Conversations :: number of messages and participants per conversation; additional participant info (full name, phone)
Messages :: date and time, message content, ID, attachments and previews (as is), voice messages
Media :: snapshots (iOS only), snapshot of the active chat

Page 25: Application examination :: forensics examination, BBM

Account :: PIN, names, status :: "74afbe19", "Yury Chemerkin", "*fly*", "@ Holiday Inn (MOSCOW)"
Information :: barcode / QR history (when, what) :: "QR_CODE", "bbm:2343678095c7649723436780", "1382891450014"
Transferred files :: "RemotePin", "Path", "ContentType", "image/jpeg", "23436780", "/storage/sdcard0/Android/data/com.skype.raider/cache/photo_1383731771908.jpg"; transferred as a JFIF file :: FFD8FFE000104A464946 (......JFIF), i.e. identifiable by its magic bytes whatever the file name
Invitations :: "Pin", "Greeting", "Timestamp", "LocalPublicKey/PrivateKey", "EncryptionKey"
Messages (date, text, …) :: "1383060689", "Gde" (Where), "Edu k metro esche, probka tut" (Still driving to the metro, traffic jam here), "Park pobedy", "Aha" (Yeah), "А щас" (And now?), "Belorusskaja", "Долго" (Long)
Logs :: reveal PINs, email, device information, application actions associated with application modules (*.c files, *.so, etc.); this helps to analyze the .apk later

Page 26: Application examination :: forensics examination, messenger (app not named on the slide)

Contacts :: full name, work info, phone number (00-country-code-…), email, "is AppName user" flag
App info :: app name (list of apps), app icon
Misc :: friend groups, friend requests, members, messages, country name; FB numeric ID, G+ numeric ID, Twitter numeric ID, Foursquare numeric ID, FB access token; nickname (device name, e.g. "iPhone (Yury)")
Media :: snapshots, profile photos, app icons
Credentials :: nothing revealed

Page 27: Know your applications :: features vs privacy, social apps (chart values)

Vkontakte 78%; Facebook 83%; Instagram 67%; Twitter 81%; Google+ 55%; LinkedIn 59%; Pinterest 57%; MySpace 61%; Groupon 68%; So.cl 42%; Scribd 63%; SlideShare 67%

Page 28: Application examination :: forensics examination, Facebook

Media :: user images/avatars (first of all of those who are on Messenger/chat), snapshot of the app screen (iOS only), picture/avatar URL, image cache (.jfif)
Conversation :: thread ID, name, date and time, number of messages, message body, ID of sender/recipient, status :: unread/archived/can reply
Account :: tokens, incl. private ones; lots of configs; numeric account ID (100001827345335.plist)
Address book / synchronized :: full name, email, phone number
Users :: user ID, user name, user nickname, has a mobile messenger?, is a friend?, email
FB Messenger configs :: user phone number, friend avatars
Credentials :: nothing revealed

Page 29: Application examination :: forensics examination, photo-sharing app (app not named on the slide)

Media :: snapshots
Profile info :: friend profile URL + full name + photo; Twitter user name; FB permissions (publish stream); FB token key and expiration; login name
Actions :: comments and profile names of those who commented on a photo; cache of uploaded photos plus date and time, stored on Amazon S3
Credentials :: nothing revealed
Network (in transit) :: profile name + URL, friends' names + URLs, uploaded/downloaded photos, comments; seemingly everything except credentials

Page 30: Application examination :: forensics examination, social app (app not named on the slide)

Media :: snapshots
Messages :: time, conversations, attachment info, URL; attachments are uploaded in plaintext; messages are sent in plaintext
Friends :: full name, profile URL, avatar, birthday; misc tokens (?)
Credentials :: nothing revealed

Page 31: Know your applications :: features vs privacy, geo apps (chart values)

Google Maps 73%; Foursquare 85%; Yandex Maps 76%; Navitel 64%; TrackMe 51%; GeoBucket 54%; 2GIS 61%; Banjo 62%; Trover 69%

Page 32: Application examination :: forensics examination, check-in app (app not named on the slide)

Media :: snapshots; PNG map shots of friends and check-ins; photos uploaded via the app on check-in
User/credentials :: search request info (by name/location/etc.); likes, comments and friend username per check-in; badges with description and who unlocked them; credentials weren't revealed

Page 33: Know your applications :: features vs privacy, office apps (chart values)

Box 67%; Dropbox 67%; OneDrive 51%; Yandex.Disk 65%; Mail.Ru 65%; Amazon Cloud Drive 67%; DocsToGo 71%; Adobe Reader 51%; QuickOffice 71%; Office Mobile 51%; eFax 73%; ASUS WebStorage 51%; Google Disk 57%

Page 34: Application examination :: forensics examination, cloud storage app (app not named on the slide)

Logs :: iOS version used as the log file name; settings such as upload_over_cell or geofence_state; user_id (numeric); permissions such as "permission.photos.granted"; extension; connection type and time (Wi-Fi, cellular); size; download info (started, finished, failures); device ID
Uploads :: images, resized images; other files as is (even .cpp); cached PDF as separate JPG pages
Media :: snapshots (iOS only), profile photo
Credentials :: nothing revealed

Page 35: Application examination :: forensics examination, OneDrive / Office Mobile

OneDrive + OneDrive for Business
Uploads :: images, resized images; download URL (login via Live ID required); full URL of the downloaded file; full user name; downloaded files as is; permissions info; PDFs NOT stored as separate JPG pages
Credentials :: nothing revealed

Office Mobile
Account :: login name (= email); cached files without names; images, resized images; SharePoint URL even when it is not public
Media :: snapshots (iOS only), e.g. a Holiday Inn reservation PDF as a JPEG

Page 36: Know your applications :: features vs privacy, travel apps (chart values)

Yelp 57%; Hotels.com 64%; BlackBerry Travel 73%; Hilton 78%; IHG 81%; Hilton 73%; SPG 79%; Booking.com 54%; Marriott 56%; Delta 67%; British Airways 23%; Aeroflot 73%; United Airlines 61%; American Airlines 56%; JetBlue 43%; HotelByMe 23%; Miles & More 27%; Lufthansa 26%; KLM 64%; S7 62%; AnywayAnyday 74%; Taxi (any) 31%

Page 37: Application examination :: forensics examination, AeroExpress / Aeroflot

AeroExpress
Account and credentials :: email address (= login), password, phone number
Products :: ticket number and QR ticket, how to use the e-ticket, train departure and arrival times
Payment info :: full name, card number, expiration date; CVC/CV2 wasn't revealed
Repack the app and grab any type of data

Aeroflot
Account :: ID, email, password; other IDs and tokens
Information :: loyalty (bonus) status of your membership; everything you ever typed; date of birth; passport details: ALL passport info (not only travel data); your work data (address, job, etc.), which you never typed (except when preparing the member card)
Flight tickets :: repack the app and grab them

Page 38: Application examination :: forensics examination, AnywayAnyday

Account :: ID, email, password
Information :: loyalty (bonus) status of your membership; everything you ever typed; date of birth; passport details
Booking/order history :: routes, date and time, bonus earnings; full info per order
Connected cards, encryption? :: "AES 256 bit" keyed on the password "anywayanydayanywayanyday", which is stored in plaintext. sizeof("anywayanydayanywayanyday") = 24 bytes = 192 bits, so the cipher actually in use is AES-192, and because the key is a fixed string shipped with the app, anyone holding the app can decrypt the card data.

Page 39: Application examination :: forensics examination, Delta / British Airways

Delta (Fly Delta)
Account :: ID; password seems encrypted on Android and BB; password not found on iOS
Information (Android and BB only; nothing found on iOS, seemingly not pre-cached) :: loyalty, membership 901***** \\ SkyMiles; flight confirmations, departure time, flight number :: GCXXXX || 0467 || 2013-11-07T12:40:00+04:00 || DL90; "checkedIn": "false", "seatNumber": "09B"; issue date, ticket number :: "2013-10-26T15:37:00-04:00", 006xxxxxxxxxxx; airports :: SVO / "Sheremetyevo Arpt", JFK / "John F Kennedy International", NYC / "New York-Kennedy"…

British Airways
Account :: ID and password on Android and BB; ID on iOS; loyalty card number and info; tracked flights info (iOS); full name (iOS), email (iOS)
Product :: not revealed (tickets, history or anything else); Passbook integration (iOS only)
Media :: snapshots; cached images with EXIF (like NY SkyBridge)

Page 40: Know your applications :: features vs privacy, bank and payment apps (chart values; the chart title is truncated in the extraction)

AlfaBank 4%; Raiffeisen 4%; RSB 4%; Sberbank 6%; Citibank 3%; Tinkoff 3%; PayPal 16%; Qiwi 14%; Megafon Money 17%; Yandex Money 17%; RBK Money 22%; Mail.Ru Money 15%

Page 41: Application examination :: forensics examination, Qiwi

Account :: phone number; password and secret code weren't revealed. Trace the app, find the methods and use them; repack the app and have fun; no masking of typed data
Information :: amount; full info in the history section (incl. info about who receives the money)
Connected cards, encryption? :: no. Bank cards :: masked card number only. Qiwi bank cards :: full and masked number, CVV/CVC, all other card info

Page 42: Application examination :: forensics examination, Megafon.Money / Mail.Ru Money

Megafon.Money
Account :: phone number, tokens
Other :: password wasn't revealed; the rest of the data wasn't found; repack the app and find everything

Mail.Ru Money
Account :: ID (email = payment ID); password as a salted hash (seems to be some SHA variant; which one was not determined)
Payment info :: amount; masked bank card number; repack the app and find everything
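Mail.Ru Money stores the password as a salted hash of an undetermined SHA variant. The stored digest's length already narrows the algorithm, and trying the usual salt/password concatenations against a wordlist settles it and recovers the password at the same time. This is an added example, not the author's tooling: the record (login, salt, hash) and the wordlist are constructed for the demo, and the candidate layouts are an assumption about how apps typically build salted hashes.

```python
"""Work out which hash algorithm and salt layout produced a stored password
digest when an app dump yields (login, salt, hash) but no plaintext, by
trying candidate passwords from a wordlist."""
import hashlib
import hmac

# Hex digest length -> algorithms that produce it.
BY_LENGTH = {32: ["md5"], 40: ["sha1"], 56: ["sha224"], 64: ["sha256"], 96: ["sha384"], 128: ["sha512"]}

def candidates_by_length(hexdigest):
    """Algorithms whose digest is as long as the stored hex string."""
    return BY_LENGTH.get(len(hexdigest), [])

def digests(algo, password, salt):
    """Common ways apps combine password and salt (assumed list), as hex digests."""
    p, s = password.encode(), salt.encode()
    return {
        "password":            hashlib.new(algo, p).hexdigest(),
        "salt+password":       hashlib.new(algo, s + p).hexdigest(),
        "password+salt":       hashlib.new(algo, p + s).hexdigest(),
        "salt:password":       hashlib.new(algo, s + b":" + p).hexdigest(),
        "hmac(salt,password)": hmac.new(s, p, algo).hexdigest(),
    }

def recover(hexdigest, salt, wordlist):
    """Return (algorithm, layout, password) reproducing hexdigest, or None."""
    target = hexdigest.lower()
    algos = candidates_by_length(target)
    for password in wordlist:
        for algo in algos:
            for layout, got in digests(algo, password, salt).items():
                if hmac.compare_digest(got, target):
                    return algo, layout, password
    return None

# Constructed sample record, shaped like a shared_prefs/SQLite dump; the
# password and salt are made up, and the digest is computed here for the demo.
SAMPLE_RECORD = {
    "login": "user@example.com",
    "salt": "a1b2c3d4",
    "hash": hashlib.sha256(b"a1b2c3d4" + b"Sunny-day-2013").hexdigest(),
}
# Constructed mini wordlist; in practice this is a password list plus the
# passwords already recovered in plaintext from other apps on the same device.
WORDLIST = ["123456", "password", "qwerty", "Sunny-day-2013", "letmein"]

if __name__ == "__main__":
    print(candidates_by_length(SAMPLE_RECORD["hash"]))
    print(recover(SAMPLE_RECORD["hash"], SAMPLE_RECORD["salt"], WORDLIST))
```

The point for the app vendor is the flip side: a single unsalted or plainly-salted SHA over a user password is a wordlist away from the plaintext, which is why password hashing needs a slow, purpose-built KDF rather than a bare digest.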

Page 43: Application examination :: forensics examination, Yandex Money / RBK Money

Yandex Money
Account and credentials :: ID info for Yandex Money, ID info for Yandex; bank name per attached card; transaction history :: ID, amount, user comments, status, time and date, favorite or not, login per transaction, misc
Other :: password and payment password weren't revealed; repack the app and find everything

RBK Money
Account and credentials :: email (= login), password
Payment info :: payment/transaction history; phone number for SIM payments; masked bank card number like xxxx****xxxx; repack the app and find everything

Page 44: Application examination :: forensics examination, bank apps

Bank apps :: rarely store anything at rest; obfuscation happens, and native code (NDK) instead of Java (JDK); AlfaBank reveals geo data at rest; AlfaBank reveals the latest phone number used in payments; repack the app and grab everything from memory (credentials too); Tinkoff offers its own input field, which seems protected
Other :: password and payment password weren't revealed; snapshots are protected (!)

Page 45: Know your applications :: privacy leakage, % of data leaked

At rest 57%; in transit 71%; in memory 95%

Page 46: Know your applications :: forensics application examination, exciting fails

App type | At rest | In memory | In transit
Built-in apps | plaintext | plaintext | rarely encrypted
IM apps | plaintext | plaintext | weak encryption or SSL
Social apps | plaintext, and rarely store anything | plaintext | best case: SSL/HTTPS
Geo apps | plaintext | plaintext | best case: SSL/HTTPS
Office apps | plaintext | plaintext | SSL/HTTPS
Travel apps | best case: weak encryption | plaintext | partially encrypted
Bank apps | rarely store anything, and good encryption | plaintext | encrypted

Page 47: EMM fails :: MAM

- Packaged/wrapped applications
- Quantity of applications challenge (obviously > 100)
- Cooperation with the application vendor
- Separation of personal, work and suspicious apps
- Serious differences in the interfaces of the same app per OS
- VPN encryption
- Access restriction (geo, credentials)

Page 48: EMM fails :: MIM

- Lack of file-type management
- Lack of storage-service management
- Lack of device-file management
- Lack of vendor support
- Need for root access to the device in certain cases
- Mobile OS inability to be integrated with MIM solutions

Page 49: EMM :: who is good for what?

- AirWatch: an MDM and MAM specialist that helped Lowe's deploy and manage iPhones
- App47: offers a platform that allows enterprises to deploy their own app stores (hot opportunity alert)
- AppBlade: supports application deployment and management across iPhone, iPad, BlackBerry and Android
- AppCentral: also helps enterprises to build app stores
- BlackBerry (BES/Fusion): good for MDM, partially for MIM and MAM; supports all mobile OSes
- MaaS360: good together with BlackBerry
- Kony: has a platform that allows partners to build enterprise app stores for customers
- MobileIron: focused heavily on MDM
- Nukona: another provider of enterprise app store technology
- Partnerpedia: the former builder of channel partner communities, now focused on private-labeled app stores
- Worklight: now owned by IBM; focused on mobile development tools, middleware and management
- Terria Mobile: offers a platform for app management
- Good Technology: supports application deployment and management across modern OSes

Page 50: Android-specific remediation

- Call the setStorageEncryption API (DevicePolicyManager, a device-admin API that requests whole-device storage encryption rather than encrypting individual files; available since Android 3.0 / API 11)
- Encrypt externally stored files, on the SD card or in the cloud (any OS)
- Avoid MODE_WORLD_READABLE unless it is really needed (it is deprecated from Android 4.2 / API 17; share files through a ContentProvider instead)
- Avoid hardcoded values and debug traces as much as possible (the app is easy to decompile)
- Add extra protection beyond the OS (encryption, wiping, etc.)

Page 51: iOS-specific remediation

- Never store credentials on the phone file system; use an API or web scheme instead
- Define when an encryption signature doesn't matter; otherwise, avoid it
- Use the protection mechanisms iOS already implements (Data Protection file classes, Keychain)…
- … but add an extra protection layer beyond OS protection, for the jailbreak case
- Use any API and protection mechanism properly, and never with default settings
- Don't forget to encrypt SQL databases
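A way to check two of the points above on a pulled app data directory: private files left world-readable (what MODE_WORLD_READABLE produces on Android) and databases left as cleartext SQLite, which applies equally to iOS. Added example, not the author's tooling: the package name, file names and card number are constructed for the demo, and the random blob stands in for an encrypted database (e.g. SQLCipher), which carries no cleartext "SQLite format 3" header.

```python
"""Audit a pulled app data directory against two remediation points:
no world-readable private files, and no SQLite database left unencrypted
(a plain SQLite file announces itself with the 16-byte header
'SQLite format 3\\0'; an encrypted one has a random-looking first page)."""
import os
import stat
import sqlite3
import tempfile

SQLITE_HEADER = b"SQLite format 3\x00"

def is_world_readable(path):
    """True if 'others' have read permission (the effect of MODE_WORLD_READABLE)."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)

def is_plain_sqlite(path):
    """True if the file starts with the cleartext SQLite header."""
    with open(path, "rb") as f:
        return f.read(16) == SQLITE_HEADER

def audit(root):
    """Return sorted (relative path, issue) pairs for the tree under root."""
    issues = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            rel = os.path.relpath(path, root)
            if is_world_readable(path):
                issues.append((rel, "world-readable"))
            if is_plain_sqlite(path):
                issues.append((rel, "unencrypted sqlite"))
    return sorted(issues)

def build_sample_app_dir():
    """Constructed sample (fake data) for a hypothetical package com.example.pay:
    one world-readable prefs file, one private, one plain database and one
    opaque blob standing in for an encrypted database."""
    root = tempfile.mkdtemp(prefix="com.example.pay-")
    os.makedirs(os.path.join(root, "shared_prefs"))
    os.makedirs(os.path.join(root, "databases"))
    bad = os.path.join(root, "shared_prefs", "session.xml")
    good = os.path.join(root, "shared_prefs", "settings.xml")
    for p, mode in ((bad, 0o644), (good, 0o600)):  # 0644 is what MODE_WORLD_READABLE yields
        with open(p, "w") as f:
            f.write('<map><string name="token">sample</string></map>\n')
        os.chmod(p, mode)
    plain = os.path.join(root, "databases", "cards.db")
    con = sqlite3.connect(plain)
    con.execute("CREATE TABLE cards (pan TEXT)")
    con.execute("INSERT INTO cards VALUES ('4111111111111111')")
    con.commit()
    con.close()
    os.chmod(plain, 0o600)
    enc = os.path.join(root, "databases", "cards_enc.db")
    with open(enc, "wb") as f:
        f.write(os.urandom(4096))  # no cleartext header, as with a SQLCipher file
    os.chmod(enc, 0o600)
    return root

if __name__ == "__main__":
    for rel, issue in audit(build_sample_app_dir()):
        print(f"{issue:20s} {rel}")
```

The header check is deliberately simple: it proves a database is unencrypted, not that an opaque file is well encrypted (a hardcoded key such as the one on page 38 passes this check and still protects nothing).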

Page 52: One more salvation :: Blackphone (?)

GeeksPhone: Spanish hardware start-up. Silent Circle: privately funded (Americans).

Page 53: Blackphone :: examination of rumors

- Silent Circle is a U.S.-based company
- Zimmermann is a co-founder of the mobile privacy software firm Silent Circle
- GeeksPhone is a Spanish smartphone hardware company/start-up
- GeeksPhone sells open Android phones and Firefox OS developer devices
- SGP Technologies is a Switzerland-based joint venture
- IntelliJ IDEA is used to build the applications

The website offers no details on how those extra levels of security will be implemented, but…

Page 54: Blackphone software :: examination of rumors (Computer Retail Week interviews the founders and states)

How was the idea for the Blackphone conjured up? A large market of folks who didn't want to build their own car, but they wanted a good car.
Why should users want to have a Blackphone? The Security Center at $629 is the total package. A lot of security magic to stop leaks.
Who is buying the Blackphone? 45 percent of orders have come from Europe and 38 percent from North America. Blackphone is gathering as little information as possible on who is buying its product.
Who should be buying a Blackphone? There are clearly industries that are already predisposed to seek privacy, such as stockbrokers, attorneys, senior executives.
Why is this phone safer than what's currently out there? It's safer because it's more usable. Every bit of information the phone sends out is encrypted, whether it's a call or a text. No one can offer it now.
BYOD/Enterprise? Absolutely, even MDM tools.
How secure is the Blackphone? Anybody who claims that anything is hackproof is clearly selling snake oil.

Page 55: Blackphone :: software

The Blackphone is an announced smartphone developed by SGP Technologies that will provide encryption for phone calls, emails, texts and internet browsing.

- Silent Circle apps: Silent Phone, Silent Text, Silent Contacts
- Blackphone-built apps: Blackphone Security Center, Blackphone Activation Wizard, Blackphone Remote Wipe
- 3rd-party apps: Disconnect Secure Wireless, SpiderOak Blackphone Edition, Kismet Smart Wi-Fi Manager
- Misc: PrivatOS, International Power Adapter Kit

Page 56: Blackphone :: examination (Silent Circle apps)

- Silent Phone: encrypted voice and video calls on iOS and Android; can be used over Wi-Fi, EDGE, 3G or 4G cellular. Encrypted VoIP from Windows computers.
- Silent Text: encrypted text messaging and secure cloud content transfer, with a "burn notice" feature for permanently deleting messages from devices.
- Silent Mail: discontinued August 9, 2013. Encrypted e-mail on Silent Circle's private, secure network, compatible with popular e-mail client software.
- Silent Contacts: app prebuilt with all of the previous.

The servers of its custom-built network are located in Canada. Also supports iOS, Android and Windows desktop.

Page 57: Blackphone :: examination (bundle)

- Silent Phone/Text/Contacts: available for iOS and Android, with source code on GitHub
- Remote Wipe: provides no centralized cloud service to manage the device
- PrivatOS: Android 4.4 KitKat
- International Power Adapter Kit: hardware accessory
- Disconnect Secure Wireless: its custom-built VPN client
- Kismet Smart Wi-Fi Manager: public Wi-Fi manager
- SpiderOak: encrypted cloud storage

The company's products enable encrypted mobile phone calls, e-mail, text messaging and video chat. The servers of its custom-built network are located in Canada.

Page 58: Blackphone / Smart Wi-Fi Manager :: is that secure?

- It manages the Android phone's Wi-Fi connection by automatically learning where you use networks. Wi-Fi is only enabled when you are in a location where you have previously used Wi-Fi, increasing battery life, security and privacy.
- It is a paid app on Google Play but fully open source under the GPLv2 license.
- It aims to be smart and invisible, and manages the Wi-Fi state in the background.
- Airplane mode and Wi-Fi tethering modes are detected and respected.
- Since Wi-Fi will be turned off, your phone won't be broadcasting your home network name (probe requests for saved SSIDs) everywhere you go, which limits rogue-AP (evil twin) attacks that answer those probes.
- Successfully installed on BlackBerry 10.

Page 59: Blackphone / SpiderOak :: why not Box or Mega?

- A US-based online backup tool to back up, share, sync, access and store data using an off-site server.
- Accessible through an app for Windows, Mac and Linux computers, and for the Android, N900 Maemo and iOS mobile platforms.
- Uses encrypted cloud storage and client-side encryption key creation, so even SpiderOak employees cannot access users' information.
- Provides automatic de-duplication of data.

Page 60: Blackphone / SCMC (MDM) :: oh, God

- It can be incorporated into the typical policy and management tools of a business environment.
- A web-based console grants a nominated customer administrator "super user" status within his or her own network.
- Create, organize and bulk-distribute via email to provide team members with Silent Phone, Silent Text and Out-Circle Access.
- Create groups and sub-groups to reflect your company's organization and allocate encrypted mobile apps accordingly.
- Dynamically manage and control (enable/deny access) all users under your administration.
- Enable outliers, contractors and third parties to communicate securely with your team on the fly.

Page 61: Blackphone :: pros and cons

Pro ("fully protected", no PoC yet) | Con (impractical and too commercial)
Encrypted contacts, split for personal and business use | like any other app on the App Store or Google Play, or the WorkBalance MDM solution
Encrypted text and media messenger | TextSecure, CryptoCat, BBM, etc.?
VoIP for encrypted calls | VoIP is everywhere, for a lower price
Smart Wi-Fi Manager to prevent attacks | gathers geo and network data, auto-learns
Disconnect Secure Wireless VPN | VPN is everywhere too
PrivatOS is Android 4.4 KitKat | GeeksPhone offers root access…
MDM without MAM, MIM, MEM | impractical; MAM is needed at least
Blackphone gathers little info on who is buying it | name, address, payment method, personal or enterprise

Page 62: Blackphone :: pros and cons, storage (SpiderOak: is that the only one?)

Provider | Encrypted storage | Personal encryption
Carbonite | + | +
Copy | + | +
CrashPlan | + | +
ElephantDrive | + | +
Handy Backup | + | +
IASO Backup | + | +
Jungle Disk | + | +
KeepVault | + | +
MediaFire | + | +
MEGA | + | +
Norton Zone | + | +
OwnDrive | + | +
SpiderOak | + | +
Sync | + | +
TeamDrive | + | +
Wuala | + | +
Box (prebuilt on BlackBerry) | + | +

Page 63: Blackphone :: pros and cons, PrivatOS vs Android vs BlackBerry vs iOS

Feature | PrivatOS enhancement | Android default | BlackBerry | iOS
Search | anonymous | trackable | both, and flexible | both
Bundled apps | few, and all privacy-enabled | many, with privacy disabled by default | least-privilege access control | on-demand access
Wi-Fi usage | smart disabling of all Wi-Fi except trusted hotspots | always on, for geolocation and user tracking | separate + per app | global + separate per app
App permissions | fine-grained control in a single interface | all-or-nothing | fine-grained control | on-demand access
Communication tools | private calls, texting, video chat, file exchange up to 100 MB, browsing and conference calls | traceable dialer, SMS, MMS, browser; vulnerable to spoofed cell networks and Wi-Fi | both, need VPN configuration | both, need VPN configuration
Updates | frequent secure updates from Blackphone directly | supplied infrequently, after carrier blessing | frequent secure updates from BlackBerry directly | frequent secure updates from Apple directly
Remote wipe and anti-theft | anonymous (??) | requires use of a centralized cloud account | cloud account | cloud account
Business model | delivering privacy as a premium, valued feature | personal data mining for tracking and marketing | delivering security and privacy as a default valued feature for the last 20+ years | music, apps, games :)
Management | MDM | weak MDM features / Samsung-enhanced | MDM, MAM, MEM, MIM, … | MDM, MAM, MEM, MIM, …