How to Get Out of an InPrivacy Jail
By Yury Chemerkin
June 7, 2014
[ YURY CHEMERKIN ]
MULTISKILLED SECURITY RESEARCHER
EXPERIENCED IN: REVERSE ENGINEERING & AV, DEVELOPMENT (IN THE PAST); MOBILE SECURITY, INCL. IAM, MDM, MAM, etc.; CYBER SECURITY & CLOUD SECURITY (INCL. IAM); IAM & COMPLIANCE & FORENSICS ON MOBILE & CLOUD SECURITY; WRITING (STO BLOG, HAKIN9, PENTEST, eFORENSICS MAGAZINES)
PARTICIPATION AT CONFERENCES: INFOSECURITY RUSSIA, NULLCON, ATHCON, CONFIDENCE, PHDAYS, HACKERHALTED, DEFCON MOSCOW, HACKTIVITY, HACKFEST, NOTACON, HACKMIAMI; CYBERCRIME FORUM, CYBER INTELLIGENCE EUROPE/INTELLIGENCE-SEC, DEEPINTEL; ICITST, CTICON, ITA, I-SOCIETY
linkedin.com/in/yurychemerkin | http://sto-strategy.com | [email protected]
AGENDA :: WILD ANIMALS: ANIMAL PLANET
Wild Animals :: < Mobile Apps >
Wild Tools :: < Forensics Tools, Data/Backup Tools >
Wild Security Concepts :: < Data Protection Concepts, Best Practices >
Wild Environment :: < OS: iOS, Android, BlackBerry >
Wild Security Solutions :: < OS Security, MDM, MAM, MIM Solutions >
State of Facts :: < Mobile Data Application Report - BlackBerry, iOS, Android >
Recommendations :: < MAM, Development Advice, etc. >
Other Salvation Ideas :: < BlackPhone >
DATA PROTECTION CONCEPTS :: Forensics Capabilities on Application Data Access
| Concept | What it depends on |
| Data-at-Rest (DAR) protection | Sandbox & FS architecture |
| Data-in-Use (DIU) protection | More about developer's imagination |
| Data-in-Transit (DIT) protection | Mix of the two previous in regards to the whole device |
| Data-in-Motion (DIM) protection (~DIT) | Like DIT but depends on app |
| Data-in-Action (DIA) protection (~DIU) | OS API and developer's imagination |
| App Disablement (similar to DIU & DAR) | Rule-based policies, outside of dev activity |
| Location Masking (similar to DIT/DIM) | Policies & DIM/DIT characteristics |
Storing Information on device :: iOS data-at-rest Specifics
| Type | Roots |
| SQLite storage | any type of data |
| Binary cookies | depends; usually credentials, tokens |
| Keyboard Cache | auto correction, word list counts 600 |
| Snapshot Storage | any preview info, like email from banks |
| File Cache | attachments, files from clouds, etc. |
| Error logs | any data, even credentials |
| iCloud | all data backup to cloud, even credentials |
Storing Information on device :: Android data-at-rest Specifics
Where & what is stored :: /data/data/<package>/…
| Directory | Content |
| App | analytics, dump, misc |
| Cache | up/downloaded files |
| Databases | history, chat, bank info |
| Files | attachments, crypto-keys |
| Shared_prefs | credentials, token, history |
How it is stored ::
- Shared preferences (lightweight XML format)
- Internal storage (/data/data/ + shared docs & media)
- External storage (cache, debug, db, maps)
- SQLite (DB, discussed earlier)
- Network (logs/event, datestamp, credentials)
Storing Information on device :: BlackBerry data-at-rest Specifics
BlackBerry Backup :: What :: app, app data, app config, all documents, etc. :: How :: ElcomSoft, any other tool that works with BB backup
Shared folders :: What :: docs, media; backup with credentials may happen :: How :: live access, spyware, rarely encrypted
Remotely accessed data :: What :: device entirely plus SD-Card :: How :: BB Link should authorize the PC before gaining access
Android application data files :: What :: cached files, any other like an Android app :: Where :: Device/misc/android/Android/data :: How :: like shared folders or remote access
Misc tracks (Device/Misc) :: What :: misc files, backups like WhatsApp :: How :: like shared folders or remote access
Device/Android except android data :: What :: any data Android and Android apps usually store on SD card :: How :: like shared folders or remote access
The rest of the data is protected unless you get access to a backup or find a way to root/jailbreak the OS.
EMM FEATURES :: Vendors
[ EMM FRAMEWORK ] :: EMM (Enterprise Mobile Management) & 3rd-party solutions to EMM
NAC: Network Access Control (Management)
AV: Antivirus Solution
Mobile SIEM: Log Management Solution
DLP: Data-Leakage Prevention
COMPLIANCE: Standards, Best-Practices, Guidelines, etc.
MDM: Mobile Device Management
MAM: Mobile Application Management
MEM: Mobile Email Management
MIM: Mobile Information Management
Devices: Smartphones, Tablets
EMM FEATURES :: MDM
Password protection & reset
Remote & selective device wipe
Remote lock
Set VPN, Wi-Fi, APN, proxy/gateway settings
Configuration monitoring/auditing
Automated provisioning/enrollment
Disable basic features (camera, Bluetooth, Wi-Fi, NFC, Cellular, etc.)
Manage mobile-attached devices (e.g. printers, scanners)
EMM FEATURES :: MAM
Full-featured enterprise app store
Containerization/sandboxing
App containerization using developer SDK/toolkit, app wrapping
Block copy/paste between apps, from email, etc.
Restrict which apps can open a given file
App inventory tracking / usage monitoring
Remote desktop access to apps and data on desktop from mobile
[ EMM FRAMEWORK :: MEM SOLUTIONS ] (same EMM framework list as above)
[ EMM FRAMEWORK :: MIM SOLUTIONS ] (same EMM framework list as above)
[ MOBILE DEVICE SECURITY ENVIRONMENT ]
Secure bootloader
System software security (updates)
Application code signing
Runtime process security (sandbox, APIs)
Hardware security features
In-rest protection
In-transit protection (SSL, TLS, VPN)
Passcode protection
Centralized application distribution
Settings delivery (permissions, configurations)
Remote management
Log collection
SPOT THE DIFFERENCE :: NO DIFFERENCE, RIGHT?
[ KNOW YOUR APPS – 3RD PARTY REPORTS ] :: AFFECTED PLATFORMS
APPTHORITY REPORT HIGHLIGHTS :: App Reputation Report, Winter 2014
91% of iOS apps exhibited risky behaviors
83% of Android apps exhibited risky behaviors
70% of iOS and Android apps allow location tracking
56% of iOS and Android apps identify the user's ID (UDID)
58% of free Android apps share data with ad networks
24% of paid Android apps share data with ad networks
31% of free apps access users' contact list or address book
22% of paid apps access users' contact list or address book
[ KNOW YOUR APPLICATIONS ] :: FEATURES VS PRIVACY :: BUILT-IN APP
Email: 73%
Messages: 85%
Calendar: 76%
Contacts: 95%
Notes: 89%
Calls: 93%
[ KNOW YOUR APPLICATIONS ] :: FEATURES VS PRIVACY :: IM APP
Kik Messenger: 79%
Viber: 87%
Whatsapp: 85%
Hangouts: 80%
Yahoo Messenger: 75%
Skout: 76%
WeChat: 78%
BBM: 86%
Facebook Messenger: 87%
Lync: 61%
[ APPLICATION EXAMINATION ] :: ONLY THOSE I HAVE TO USE EVERY DAY :: FORENSICS EXAMINATION
Account :: country code, phone number; login / tokens; Facebook wasn't revealed; 'Buy me for….$$$'
Avatars :: [email protected] (jfif)
Address book :: No records of address book were revealed… Check the log file and find these records (!)
Messages :: Messages: Date & Time, content of message, ID :: [email protected], Attachments (as is)
[ APPLICATION EXAMINATION ] :: ONLY THOSE I HAVE TO USE EVERY DAY :: FORENSICS EXAMINATION
Account :: country code, phone number; Device Hardware Key; login / tokens of Twitter & Facebook
Calls history :: Name + internal ID; Duration + date and time
Address book :: Quantity of contacts / viber-contacts; Full name / Email / phone numbers
Messages :: Conversations: quantity of messages & participants per conversation; additional participant info (full name, phone)
Messages :: Date & Time, content of message, ID; Attachments & Preview (as is); Voice messages
Media :: Snapshots (iOS only): snapshot of active chat
[ APPLICATION EXAMINATION ] :: ONLY THOSE I HAVE TO USE EVERY DAY :: FORENSICS EXAMINATION
Account ::: PIN, Names, Status :: "74afbe19", "Yury Chemerkin", "*fly*", "@ Holiday Inn (MOSCOW)"
Information :: Barcode / QR history (when, what) :: "QR_CODE","bbm:2343678095c7649723436780","1382891450014"
Transferred files :: "RemotePin", "Path", "ContentType", "image/jpeg", "23436780", "/storage/sdcard0/Android/data/com.skype.raider/cache/photo_1383731771908.jpg" :: transferred as a JFIF file :: FFD8FFE000104A464946 ......JFIF
Invitations :: "Pin", "Greeting", "Timestamp", "LocalPublicKey/PrivateKey", "EncryptionKey"
Messages (Date, Text, …) :: "1383060689","Gde","Edu k metro esche, probka tut","Park pobedy","Aha","А щас","Belorusskaja","Долго"
Logs :: Revealing PINs, email, device information, application actions associated with application modules (*.c files, *.so, etc.). It helps to analyze the .apk in future.
[ APPLICATION EXAMINATION ] :: ONLY THOSE I HAVE TO USE EVERY DAY :: FORENSICS EXAMINATION
Contacts :: Full Name; Work Info; Phone number (00-country-code-….); Email; Is AppName user
App Info :: App Name (list of apps); App Icon
Misc :: Friends group, Friends requests; Members; Messages; Country Name; FB numeric ID; G+ numeric ID; Twitter numeric ID; Foursquare numeric ID; FB access token; NickName (Device name is like "iPhone (Yury)")
Media :: Snapshots; Profile photos; App icons
Credentials :: Nothing revealed
[ KNOW YOUR APPLICATIONS ] :: FEATURES VS PRIVACY :: SOCIAL APP
Vkontakte: 78%
Facebook: 83%
Instagram: 67%
Twitter: 81%
Google+: 55%
LinkedIn: 59%
Pinterest: 57%
MySpace: 61%
Groupon: 68%
So.Cl: 42%
Scribd: 63%
SlideShare: 67%
[ APPLICATION EXAMINATION ] :: ONLY THOSE I HAVE TO USE EVERY DAY :: FORENSICS EXAMINATION
Media :: User images/avatar (first of all, of those who're on messenger/chat); Snapshot of app screen (iOS only); Pic/avatar URL; Image cache (.jfif)
Conversation :: Thread ID, Name, Date & Time; Quantity of Messages; Message / body; ID of sender/recipient; Status :: Unread/archived/can reply
Account :: Tokens, incl. private; Lots of configs; Numeric ID of account (100001827345335.plist)
Address book / Synchronized :: Full Name, Email, Phone number
Users :: User ID, User Name, User NickName; Has a mobile messenger? Is a Friend? Email
FB Messenger configs :: User Phone Number; Friend avatars
Credentials :: Nothing revealed
[ APPLICATION EXAMINATION ] :: ONLY THOSE I HAVE TO USE EVERY DAY :: FORENSICS EXAMINATION
Media :: Snapshots
Profile Info :: Friend profile URL + Full Name + Photo; Twitter User name; FB Permissions – publish stream; FB token key & expiration; Login name
Actions :: Comments & profile name of those who comment a photo; Cache of uploaded photos plus date & time; Stored on Amazon S3
Credentials :: Nothing revealed
Network (in-transit) :: Profile Name + URL; Friends' Name + URL; Upload/Download photos; Comments; Seems everything except credentials
[ APPLICATION EXAMINATION ] :: ONLY THOSE I HAVE TO USE EVERY DAY :: FORENSICS EXAMINATION
Media :: Snapshots
Messages :: time; Conversations; Attachment Info, URL; Uploading attachments in plaintext; Sending messages in plaintext
Friends :: Full Name; Profile URL; Avatar; Birthday; Misc tokens (?)
Credentials :: Nothing revealed
[ KNOW YOUR APPLICATIONS ] :: FEATURES VS PRIVACY :: GEO APP
Google Maps: 73%
FourSquare: 85%
Yandex Maps: 76%
Navitel: 64%
TrackMe: 51%
GeoBucket: 54%
2GIS: 61%
Banjo: 62%
Trover: 69%
[ APPLICATION EXAMINATION ] :: ONLY THOSE I HAVE TO USE EVERY DAY :: FORENSICS EXAMINATION
Media :: Snapshots; PNG map shots of friends & check-ins; Uploaded photos via app on check-in event
User/Credentials :: Search request info by name/location/etc.; Likes, Comments + friend username per check-in; Badges + description and who unlocked it; Credentials weren't revealed
[ KNOW YOUR APPLICATIONS ] :: FEATURES VS PRIVACY :: OFFICE APP
Box: 67%
Dropbox: 67%
OneDrive: 51%
Yandex.Disk: 65%
Mail.Ru: 65%
Amazon Cloud Drive: 67%
DocsToGo: 71%
AdobeReader: 51%
QuickOffice: 71%
Office Mobile: 51%
eFax: 73%
AsusWebStorage: 51%
Google Disk: 57%
[ APPLICATION EXAMINATION ] :: ONLY THOSE I HAVE TO USE EVERY DAY :: FORENSICS EXAMINATION
Logs :: iOS version as a log file name; Settings like upload_over_cell or geofence_state; User_id (numeric); Perms like "permission.photos.granted"; Extension; Connection time – WiFi, Cellular; Size; Download info (started, finished, failures); Device ID
Uploads :: Images, resized images; Other files as is (even .cpp); Cached PDF as separate jpg pages
Media :: Snapshots (iOS only), profile photo
Credentials :: Nothing revealed
[ APPLICATION EXAMINATION ] :: ONLY THOSE I HAVE TO USE EVERY DAY :: FORENSICS EXAMINATION
OneDrive + OneDrive for Business
Uploads :: Images, resized images; URL to download (have to log in via LiveID); Full URL to download file; Full user name; Downloaded files as is; Permissions info; PDF stored NOT as separate jpg pages
Credentials :: Nothing revealed
Office Mobile :: login name (= email); cached files w/o name; Images, resized images; SharePoint URL even if it's not public
Media :: Snapshots (iOS only): Holiday Inn reservation PDF as a JPEG
[ KNOW YOUR APPLICATIONS ] :: FEATURES VS PRIVACY :: TRAVEL APP
Yelp: 57%
Hotels.com: 64%
BlackBerry Travel: 73%
Hilton: 78%
IHG: 81%
Hilton: 73%
SPG: 79%
Booking.com: 54%
Marriott: 56%
Delta: 67%
British Airways: 23%
Aeroflot: 73%
United Airlines: 61%
American Airlines: 56%
JetBlue: 43%
HotelByMe: 23%
Miles & More: 27%
Lufthansa: 26%
KLM: 64%
S7: 62%
AnywayAnyday: 74%
Taxi (any): 31%
[ APPLICATION EXAMINATION ] :: ONLY THOSE I HAVE TO USE EVERY DAY :: FORENSICS EXAMINATION
AeroExpress
Account & Credentials :: Email address = login; Password; Phone Number
Products :: Ticket number & QR ticket; How to use e-Ticket; What time the train departs & arrives
Payment Info :: Full Name; Card number; Expiration date; CVC/CV2 wasn't revealed
Repack app and grab any type of data
Aeroflot
Account :: ID, email, password; Other IDs & tokens
Information :: Loyalty (bonus) of your membership; all you ever type; Date of birth; Passport details; ALL PASSPORT INFO (not only travel data); Your work data (address, job, etc.) you have never typed! (except preparing member card)
Flight tickets :: Repack app and grab it
[ APPLICATION EXAMINATION ] :: ONLY THOSE I HAVE TO USE EVERY DAY :: FORENSICS EXAMINATION
Account :: ID, email, password
Information :: Loyalty (bonus) of your membership; all you ever type; Date of birth; Passport details
Book/order history :: Routes, Date and time, Bonus earning; Full info per each order
Connected cards :: Encryption? AES 256 bit on password "anywayanydayanywayanyday", stored in plaintext; sizeof("anywayanydayanywayanyday") = 192 bit
[ APPLICATION EXAMINATION ] :: ONLY THOSE I HAVE TO USE EVERY DAY :: FORENSICS EXAMINATION
Delta (Fly with Delta)
Account :: ID; password seems encrypted on Android & BB; password not found on iOS
Information (Android & BB only; nothing found on iOS, seems not precached) :: Loyalty, Membership 901***** \\ Skymiles; Flight confirmations, departure time, flight # :: GCXXXX || 0467 || 2013-11-07T12:40:00+04:00 || DL90; "checkedIn": "false", "seatNumber": "09B"; Issued date, ticket # :: "2013-10-26T15:37:00-04:00", 006xxxxxxxxxxx; Airports :: SVO / "Sheremetyevo Arpt", JFK / "John F Kennedy International", NYC / "New York-Kennedy"…
British Airways
Account :: ID, password on Android, BB; ID on iOS; Loyalty card number & Info; Tracked Flights Info (iOS); Full Name (iOS), Email (iOS)
Product :: Not revealed (tickets, history or else); PassBook Integration (iOS only)
Media :: Snapshots; Cached images with EXIF (like NY SkyBridge)
[ KNOW YOUR APPLICATIONS ]
AlfaBank: 4%
Raiffeisen: 4%
RSB: 4%
Sberbank: 6%
Citibank: 3%
Tinkoff: 3%
Paypal: 16%
Qiwi: 14%
Megafon Money: 17%
Yandex Money: 17%
RBK Money: 22%
Mail.Ru Money: 15%
[ APPLICATION EXAMINATION ] :: ONLY THOSE I HAVE TO USE EVERY DAY :: FORENSICS EXAMINATION
Account :: Phone number; Password, secret code weren't revealed; Trace the app, find the methods it uses; Repack app and have fun; No masking of data typed
Information :: Amount; Full info in history section (incl. info about who receives money)
Connected cards :: Encryption? No. Bank cards: masked card number only. Qiwi Bank cards: full & masked number, CVV/CVC, all other card info
[ APPLICATION EXAMINATION ] :: ONLY THOSE I HAVE TO USE EVERY DAY :: FORENSICS EXAMINATION
Megafon.Money
Account :: Phone number; tokens
Other :: Password wasn't revealed; rest of the data wasn't found; RePack app and find everything
Mail.Ru Money
Account :: ID (email = payment ID); Password, salted hash (seems SHA_X, not detected which SHA)
Payment Info :: Amount; Masked bank card number; RePack app and find everything
[ APPLICATION EXAMINATION ] :: ONLY THOSE I HAVE TO USE EVERY DAY :: FORENSICS EXAMINATION
Yandex Money
Account & Credentials :: ID info for Yandex Money; ID info for Yandex; Bank name per attached card
Transaction history :: ID, Amount, User comments; Status, Time & Date, Favorite or not; Login per transaction; misc
Other :: Password and payment password weren't revealed; RePack app and find everything
RBK Money
Account & Credentials :: Email = login; Password
Payment Info :: Payment / Transaction History; Phone number on SIM payments; RePack app and find everything; Masked bank card number like xxxx****xxxx
[ APPLICATION EXAMINATION ] :: ONLY THOSE I HAVE TO USE EVERY DAY :: FORENSICS EXAMINATION
Bank apps :: Rarely store anything at rest; Obfuscation happens / NDK instead of JDK; Alfabank reveals geo data at rest; Alfabank reveals the latest phone number in payments; Repack app and grab everything from memory (credentials too); Tinkoff offers its own input field, seems protected
Other :: Password and payment password weren't revealed; Snapshots are protected (!)
[ KNOW YOUR APPLICATIONS ] :: PRIVACY LEAKAGE :: % OF DATA LEAKAGE
In-the-Rest: 57%
In-the-Transit: 71%
In-the-Memory: 95%
[ KNOW YOUR APPLICATIONS ] :: FORENSICS APPLICATION EXAMINATION :: EXCITING FAILS
| App Type/Protection | In-Rest | In-Memory | In-Transit |
| built-in apps | Plain-Text | Plain-Text | Rarely Encrypted |
| IM apps | Plain-Text | Plain-Text | Weak Encryption or SSL |
| Social apps | Plain-Text & Rarely Store smth | Plain-Text | Best case - SSL/HTTPS |
| Geo apps | Plain-Text | Plain-Text | Best case - SSL/HTTPS |
| Office apps | Plain-Text | Plain-Text | SSL/HTTPS |
| Travel apps | Best case - weak encryption | Plain-Text | Partially Encrypted |
| Bank apps | Rarely Store smth & Good Encryption | Plain-Text | Encrypted |
EMM FAILS :: MAM
PACKAGED/WRAPPED APPLICATIONS
QUANTITY OF APPLICATIONS CHALLENGE (OBVIOUSLY > 100)
COOPERATION WITH APPLICATION VENDOR
SEPARATION OF PERSONAL, WORK, AND SUSPICIOUS APPS
SERIOUS DIFFERENCES IN APP INTERFACES PER OS FOR THE SAME APP
VPN ENCRYPTION
ACCESS RESTRICTION (GEO, CREDENTIALS)
EMM FAILS :: MIM
LACK OF FILE TYPE MANAGEMENT
LACK OF STORAGE SERVICES MANAGEMENT
LACK OF DEVICE FILES MANAGEMENT
LACK OF VENDOR SUPPORT
NEED OF ROOT ACCESS TO THE DEVICE IN CERTAIN CASES
MOBILE OS INABILITY TO BE INTEGRATED WITH MIM SOLUTIONS
EMM :: WHO IS GOOD FOR?
AirWatch :: an MDM and MAM specialist that helped Lowes deploy and manage iPhones
App47 :: offers a platform that allows enterprises to deploy their own app stores (hot opportunity alert)
AppBlade :: supports application deployments and management across iPhone, iPad, BlackBerry and Android platforms
AppCentral :: also helps enterprises to develop app stores
BlackBerry (BES/Fusion) :: good for MDM, partially MIM & MAM; supports all mobile OS
MaaS360 :: good together with BlackBerry
Kony :: has a platform that allows partners to build enterprise app stores for customers
MobileIron :: focused heavily on MDM
Nukona :: another provider of enterprise app store technology
Partnerpedia :: the former builder of channel partner communities; now focused on private-labeled app stores
WorkLight :: now owned by IBM; focused on mobile development tools, middleware and management
Terria Mobile :: offers a platform for app management
Good Technology :: supports application deployments and management across modern OS
ANDROID SPECIFIC REMEDIATION
Call the 'setStorageEncryption' API for locally stored files (new Android OS v4+)
Encrypt externally stored files on SD card or cloud (any OS)
Reduce use of 'MODE_WORLD_READABLE' unless it is really needed
Avoid hardcoded and debug tracks as much as possible (it's easy to decompile)
Add extra protection beyond the OS (encryption, wiping, etc.)
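Added example, not from the deck or from any vendor it names: a small Python audit for a pulled /data/data/<package>/ tree that checks the two things the Android data-at-rest slide and the remediation list above call out, credential-looking keys in shared_prefs XML and SQLite columns still stored as readable plaintext, and files left world-readable (the MODE_WORLD_READABLE case). The package name com.example.app, file names, keys and values are constructed sample data.

```python
"""Data-at-rest audit of a pulled Android app directory (added example).
Walks a copy of /data/data/<package>/, parses shared_prefs XML and SQLite
databases, flags secrets stored as readable plaintext and files left
world-readable (the MODE_WORLD_READABLE case). Sample tree is constructed."""
import os
import re
import sqlite3
import stat
import tempfile
import xml.etree.ElementTree as ET

SENSITIVE = re.compile(r"pass|token|secret|session|credential", re.I)

def looks_like_plaintext(value):
    """Long hex/base64 blobs may be hashes or ciphertext and are left for
    manual review; any other non-empty value counts as readable plaintext."""
    if not value or re.fullmatch(r"[0-9a-fA-F]{32,}", value):
        return False
    return re.fullmatch(r"[A-Za-z0-9+/]{32,}={0,2}", value) is None

def audit_shared_prefs(path):
    """(kind, file, key) for each plaintext secret in one shared_prefs XML."""
    findings = []
    for el in ET.parse(path).getroot():
        name = el.get("name", "")
        value = el.get("value", el.text or "")   # <string> keeps its value as text
        if SENSITIVE.search(name) and looks_like_plaintext(value):
            findings.append(("shared_prefs", os.path.basename(path), name))
    return findings

def audit_sqlite(path):
    """(kind, file, table.column) for each column holding plaintext secrets."""
    findings, con = [], sqlite3.connect(path)
    try:
        names = "SELECT name FROM sqlite_master WHERE type='table'"
        for (t,) in list(con.execute(names)):
            for col in [r[1] for r in con.execute(f'PRAGMA table_info("{t}")')]:
                if not SENSITIVE.search(col):
                    continue
                rows = con.execute(f'SELECT "{col}" FROM "{t}" WHERE "{col}" IS NOT NULL')
                if any(looks_like_plaintext(str(v)) for (v,) in rows):
                    findings.append(("sqlite", os.path.basename(path), f"{t}.{col}"))
    finally:
        con.close()
    return findings

def audit_app_dir(app_dir):
    """Run the per-file checks plus a world-readable permission check."""
    findings = []
    for dirpath, _, files in os.walk(app_dir):
        for f in files:
            p = os.path.join(dirpath, f)
            if os.stat(p).st_mode & stat.S_IROTH:
                findings.append(("world_readable", f, ""))
            if os.path.basename(dirpath) == "shared_prefs" and f.endswith(".xml"):
                findings.extend(audit_shared_prefs(p))
            elif f.endswith(".db"):
                findings.extend(audit_sqlite(p))
    return sorted(set(findings))

def build_sample_app_dir():
    """Constructed sample of what a pulled com.example.app directory holds."""
    app = os.path.join(tempfile.mkdtemp(), "com.example.app")
    os.makedirs(os.path.join(app, "shared_prefs"))
    os.makedirs(os.path.join(app, "databases"))
    prefs = os.path.join(app, "shared_prefs", "auth.xml")
    with open(prefs, "w") as fh:
        fh.write('<?xml version="1.0" encoding="utf-8"?>\n<map>\n'
                 '  <string name="password">hunter2</string>\n'
                 '  <string name="auth_token">YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXowMTIzNDU2Nzg5</string>\n'
                 '  <boolean name="upload_over_cell" value="true" />\n</map>\n')
    os.chmod(prefs, 0o600)
    db = os.path.join(app, "databases", "chat.db")
    con = sqlite3.connect(db)
    con.execute("CREATE TABLE account(id INTEGER, login TEXT, session_token TEXT)")
    con.execute("INSERT INTO account VALUES (1, 'user@example.com', 'sess-12345')")
    con.commit()
    con.close()
    os.chmod(db, 0o644)                 # world-readable: the MODE_WORLD_READABLE case
    return app

if __name__ == "__main__":
    for kind, name, what in audit_app_dir(build_sample_app_dir()):
        print(f"{kind:15} {name:10} {what}")
```

A long base64 or hex value is only left for manual review, not declared safe: the sample auth_token is merely base64-encoded and still needs a human look.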
iOS SPECIFIC REMEDIATION
Never store credentials on the phone file system. Use an API or web scheme instead.
Define when encryption signature doesn't matter; otherwise avoid it.
Use the protection mechanisms implemented in iOS…
But … add an extra protection layer beyond OS protection in case of jailbreak.
Use any API and protection mechanisms properly, but never default settings.
Don't forget to encrypt SQL databases.
One More Salvation – Black Phone (?)
Black Phone – Examination of Rumors
GeeksPhone – Spanish hardware start-up. Silent Circle is privately funded (Americans).
Silent Circle is a U.S.-based company.
Zimmermann is a cofounder of mobile privacy software firm Silent Circle.
GeeksPhone is a Spanish smartphone hardware company/start-up.
GeeksPhone sells open Android phones and developer devices for Firefox OS.
SGP Technologies is a Switzerland-based joint venture.
IntelliJ IDEA is used to build applications.
Black Phone Software – Examination of Rumors
Website offers no details on how those extra levels of security will be implemented, but..
How was the idea for the Blackphone conjured up? :: Large market of folks who didn't want to build their own car, but they wanted a good car
Why should users want to have a Blackphone? :: Security Center. At $629 it is the total package. Lots of security magic to stop leaks out
Who is buying the Blackphone? :: 45 percent of orders have come from Europe and 38 percent from North America. Blackphone is gathering as little information as possible on who is buying its product
Who should be buying a Blackphone? :: There are clearly industries that are already predisposed to seek privacy, such as stockbrokers, attorneys, senior executives
Why is this phone safer than what's currently out there? :: It's safer because it's more usable. Every bit of information the phone sends out is encrypted whether it's a call or a text. No one can offer it now
BYOD/Enterprise? :: Absolutely, even MDM tools
How secure is the Blackphone? :: Anybody who claims that anything is hackproof is clearly selling snake oil
Black Phone - Software
Computer Retail Week interviews founders and states:
Silent Circle Apps :: Silent Phone, Silent Text, Silent Contacts
Blackphone-built Apps :: Blackphone Security Center, Blackphone Activation Wizard, Blackphone Remote Wipe
3rd-party Apps :: Disconnect Secure Wireless, SpiderOak Blackphone Edition, Kismet Smart Wi-Fi Manager
Misc :: PrivatOS, International Power Adapter Kit
The Blackphone is an announced smartphone developed by SGP Technologies that will provide encryption for phone calls, emails, texts, and internet browsing.
Silent Phone: Encrypted voice and video calls on iOS and Android; it can be used with Wi-Fi, EDGE, 3G or 4G cellular. Encrypted VoIP from Windows computers.
Silent Text: Encrypted text messaging and secure cloud content transfer with "burn notice" feature for permanently deleting messages from devices.
Silent Mail: Discontinued August 9, 2013. Encrypted e-mail on Silent Circle's private, secure network and compatibility with popular e-mail client software.
Silent Contacts: App is prebuilt with all previous
Black Phone - Examination
Servers of its custom-built network are located in Canada. Also supports iOS, Android, Windows Desktop.
Silent Phone/Text/Contacts: available for iOS & Android with source code on GitHub
Remote Wipe: Provides no centralized cloud service to manage the device
PrivatOS: Android 4.4 KitKat
International Power Adapter Kit: Android 4.4 KitKat
Disconnect Secure Wireless: its custom-built VPN client
Kismet Smart Wi-Fi Manager: Public Wi-Fi Manager
SpiderOak: Encrypted Cloud Storage
Black Phone / Smart Wi-Fi Manager :: Is that secured?
The company's products enable encrypted mobile phone calls, e-mail, text messaging, and video chat. Servers of its custom-built network are located in Canada.
It manages the Android phone's Wi-Fi connection by automatically learning where you use networks. Wi-Fi is only enabled when you are in a location where you have previously used Wi-Fi, increasing battery life, security, and privacy.
It is a paid app in Google Play but fully open source under the GPLv2 license.
It aims to be smart, invisible and will manage Wi-Fi state in the background.
Airplane mode and Wi-Fi Tethering modes are detected and respected.
Since Wi-Fi will be turned off, your phone won't be broadcasting your home network name everywhere you go! It prevents spoof attacks.
Successfully installed on BlackBerry 10.
Black Phone / SpiderOak :: Why not Box or Mega?
It is a US-based online backup tool to back up, share, sync, access and store data using an off-site server.
It is accessible through an app for Windows, Mac and Linux computer platforms, and Android, N900 Maemo and iOS mobile platforms.
It uses encrypted cloud storage and client-side encryption key creation, so even employees of SpiderOak cannot access users' information.
It provides automatic de-duplication of data.
Black Phone / SCMC (MDM) :: Oh, God
It can be incorporated into the typical policy and management tools in a business environment.
A web-based console which grants a nominated customer administrator "super user" status within his or her own network.
Create, organize and bulk distribute via email to provide team members with Silent Phone, Silent Text, and Out-Circle Access.
Create groups and sub-groups to reflect your company's organization and allocate encrypted mobile apps accordingly.
Dynamically manage and control (enable/deny access) for all users under your administration. Enable outliers, contractors, and third parties to communicate securely with your team on the fly.
Black Phone: Pros & Cons
Pros :: Fully protected (no PoC yet)
- Encrypted Contacts, split for personal & business use
- Encrypted Text, Media Messenger
- VoIP for encrypted calls
- Smart Wi-Fi Manager to prevent attacks
- Disconnect Secure Wireless VPN
- PrivatOS is Android 4.4 KitKat
- MDM w/o MAM, MIM, MEM
- BlackPhone gathers little info on who is buying it
Cons :: Impractical & too commercial
- Alike any other app on AppStore or GooglePlay; WorkBalance MDM Solution
- TextSecure, CryptoCat, BBM, etc.?
- VoIP is everywhere for less
- Gathers geo, network data, auto-learns
- VPN is everywhere too
- GeeksPhone offers root access …
- Impractical; MAM needs at least name, address, payment method, personal or enterprise
Black Phone: Pros & Cons :: Storages :: SpiderOak: is that the only one?
| Provider | Encrypted storage | Personal Encryption |
| Carbonite | + | + |
| Copy | + | + |
| CrashPlan | + | + |
| ElephantDrive | + | + |
| Handy Backup | + | + |
| IASO Backup | + | + |
| Jungle Disk | + | + |
| KeepVault | + | + |
| MediaFire | + | + |
| MEGA | + | + |
| Norton Zone | + | + |
| OwnDrive | + | + |
| SpiderOak | + | + |
| Sync | + | + |
| TeamDrive | + | + |
| Wuala | + | + |
| Box (PreBuild on BlackBerry) | + | + |
Black Phone: Pros & Cons :: PrivatOS vs Android vs iOS vs BlackBerry
| | PrivatOS Enhancement | Android Default | BlackBerry | iOS |
| Search | Anonymous | Trackable | Both & Flexible | Both |
| Bundled Apps | Few, and all privacy-enabled | Many, with privacy disabled by default | Least privilege access control | On-Demand Access |
| Wi-Fi usage | Smart disabling of all Wi-Fi except trusted hotspots | Always on for geolocation and user tracking | Separate + Per Apps | Global + Separate Per App |
| App permissions | Fine-grained control in a single interface | All-or-nothing | Fine-Grained Control | On-Demand Access |
| Communication tools | Private calls, texting, video chat, file exchange up to 100MB, browsing and conference calls | Traceable dialer, SMS, MMS, browser. Vulnerable to spoofed cell networks and Wi-Fi | Both, need VPN configuration | Both, need VPN configuration |
| Updates | Frequent secure updates from Blackphone directly | Supplied infrequently after carrier blessing | Frequent secure updates from BlackBerry directly | Frequent secure updates from Apple directly |
| Remote Wipe & Anti Theft | Anonymous (??) | Requires use of centralized cloud account | Cloud account | Cloud account |
| Business Model | Delivering privacy as a premium, valued feature | Personal data mining for tracking and marketing | Delivering security & privacy as a default valued feature for the last 20+ years | Music, Apps, Games :) |
| Management | MDM | Weak MDM features / Samsung enhanced | MDM, MAM, MEM, MIM, … | MDM, MAM, MEM, MIM, … |
Y.O.B.A. hacking
The end.