Hello guys,
Finally, I decided to post my question here because I couldn't find any useful information online. What is the problem?
We are looking for a management solution for our Android devices, which can support deploying AD-based user e-mail certificate. We are obligated to deploy a solution for signing and encrypting e-mails. We have AD CA in our windows domain which works ok. The user has to logon, open Outlook, Open the settings and the certificate is there, ready to use. Which for most of the users is ok. The problem is with the mobile devices (Android). We've tested TrendMicro Mobile Security (it is more antivirus as management tool), Sophos Mobile (looks pretty ok, containers etc.) but still can't deploy automatically the user e-mail certificate, We've checked as well XenMobile but there is as well an option only for device certificate. In most cases (solutions), the user should open the AD CA page, generate certificate, download it, deploy it, and then use, which is very difficult for most of the non-technical users and it is as well a security issue. Is there a solution to do this automatically?
I see that there are a lot of management tools for Android but it will be enormous work to test all of them.
So, does someone already did such thing and which tool was used?
Thanks in advance
Related
Hi all,
I would like to discuss about the use of Universal with Windows Mobile 6 in professional life...
Could be the base system compliant with general security policy for firms?
Let me know what's your point of view...
mamiware said:
Hi all,
I would like to discuss about the use of Universal with Windows Mobile 6 in professional life...
Could be the base system compliant with general security policy for firms?
Let me know what's your point of view...
Click to expand...
Click to collapse
All of the Windows Mobile 6 ROM's I have used fully support the security policy stuff that is enforced by Exchange when using the device for "Direct Push" email (for what its worth).
I have also found that if you add Blackberry software it works well enough with there policy software if that is your enterprises ‘thing’.
As for your unique company policy, only you and your IT guys can judge that. Just about EVERY company has a different view on what is important.
Support for Exchange policies, a few custom CABs and support for our device management tool mean that using Mobile 6 (or 5) in our enterprise is a non issue. Our only issue with the Universal is the fact that strictly speaking Mobile 6 is a licence violation on the device . Not the case with the Vox’s, TyTN2’s and other native Mobile 6 devices we have.
Your biggest hurdle is that most IT departments in any sizeable company are not going to let non company kit onto there networks, and for a lot of company’s that will extend to non approved software/ROM images etc. being banned.
I guess security enhancements with WM6 are not so... "strong".
As IT Security Integrator, i'm very waiting for Exchange 2007 SP1, that should enforce AS Policies even more than non-sp1 release.
I advise you and your IT Admin (i think they already did, though) to have a look to Exchange SP1 release notes.
There are literally hundreds of enterprise applications out there for management of mobile devices that support everything from symbian phones, to pda's, to windows mobile phone devices.
Some of the better ones are SOTI, Afaria, and Pointsec.
They give remote access to handle remote package management, as well as locking the device and access to applications by user, or user group too.
I thought he was talking about Activesync security policy.
Thank you for all replies...
But does Exchange 2003 store any information about your device? I'm thinking about Windows Mobile 6 Universal issue... And what about contacting Microsoft to buy a license upgrade (without any software delivery from them)?
I'm confused: what do you mean with "But does Exchange 2003 store any information about your device? I'm thinking about Windows Mobile 6 Universal issue... "
If you're talking about ROM Upgrades to Crossbow and license issue, well it's just a lack of support from Manufacturers. Afaik microsoft is providing WM6 license upgrade for free, but providing customers with WM6 rom on old devices would mean no market for new devices. Microsoft ships upgrades to OEM only however.. Not to final customers.
However Exchange 2003/2007 should not store any information regarding devices. I mean, any information relevant. It recognize the device assigning it a unique Idetifier at first synch (SID). I could have a deep look about that with exchange 2007, though. Just tell me what you're looking for.
Ok... If Microsoft is providing WM6 license upgrade for free... why cooked ROM are not so... "legal"?
My problem is: I would like to use my device in my professional life... and I would like to use it the best way I can! This means I need WM6... The problem is that HTC does not provide an official upgrade, but we know that we can develop our ROM... So... How can I legally install my WM6 cooked ROM on Universal? Should I buy some license from someone? Or I can simply flash my device with my ROM and run it without caring about Microsoft license because the upgrade is free?
What about the SD-card encoding "thing"? It should be compliant with any security policy, provided you only lose the card, not the whole device, since in that case, the card can't be read, right?
Yeah... The SD encoding it's fine for policies but... the question is... the encryption key is store in the device (and is deleted with an hardreset) or is created from some device hardcode data? To answer this question we can only try to encode-hardreset-access data... and see if we can still read sd files... (i'll try next weekend)
Anyway... another issue is... how encrypt all data store in device memory? is there any good (light and clean) plugin (driver or application) that can encrypt all the contacts and calendar and, above all, exchange login details?
new symantec mobile suite 5 should do that and make device super-compliat to most (all?) enterprise policy... i'd like to buy it but I do not find any way to place order through the internet!
mamiware said:
Yeah... The SD encoding it's fine for policies but... the question is... the encryption key is store in the device (and is deleted with an hardreset) or is created from some device hardcode data? To answer this question we can only try to encode-hardreset-access data... and see if we can still read sd files... (i'll try next weekend)
Anyway... another issue is... how encrypt all data store in device memory? is there any good (light and clean) plugin (driver or application) that can encrypt all the contacts and calendar and, above all, exchange login details?
new symantec mobile suite 5 should do that and make device super-compliat to most (all?) enterprise policy... i'd like to buy it but I do not find any way to place order through the internet!
Click to expand...
Click to collapse
Hi,
You could change shell paths so that all user data is stored on the SD.
Although I have not tried it, I believe it's simple enough to move all databases to the SD Card.
Cheers,
Beasty
Hi !
I have my own server at home, in order to have access to my files outside my home. This is very convenient.
I would like to have an online database (with forms like you can have with MS Access, but Online) so that I can organize my information (foreign language vocabulary, DVD list, todo list, ...). I can install it on my server, and I would like it to be easily accessible from my PocketPC (via Internet, or even better via an specific application on the PocketPC ).
Do you have some suggest for an existing application offering this ?
I have good knowledge (I have already worked with .NET at work).
Regards, Chris
This is very interesting to me. Are you familiar with SQL Server mobile?
I know SQL Server 2005/2008 good.
I have never really used SQL Server Mobile, but I have read about it. Why ?
Hello everyone,
I am an IT-student in Germany working on my bachelor thesis. The topic is about securing end devices in a corporate environment. Since the company deployed the '07 version of Exchange Server, ActiveSync and PushMail are available. Also there is a plan to introduce WinMo-based phones.
As far as I am aware of, I can mainly manage WinMo devices through the polices on the Exchange server. I can enforce password protecting (which I wish to do) and prohibed features like bluetooth, wifi or camera.
My question is now, how secure are the devices?
Password Protection
Are there any pulbic documents available describing how it works? Is there a way to circumvent? (I do not want a guide, how to do it!!!) Is the recovery mechanism provided by Exchange adequate secured?
Storage Card Encryption
There is the possibility to enforce encryption of storage cards. Are there details about the used algorithm available? Does a desaster recovery mechanism exist?
Third party applications
Can I manage, what applications can be installed on a mobile device?
I am looking forward to an interesting discussion with you.
Hello,
I am a student of Computer Sciene at the University of Udine, Italy.
And recently I have received a AT&T HTC Surround with Windows Phone 7.5.
The problem is always the same. We need to INTEROP-UNLOCK a HTC device.
People greater than me have tried and I do not want to compare to them (I am a noob as stated in the introductory video) but I came up with a sort of idea on trying to develop a new method of interop unlocking.
Since as stated by Heathcliff74 the INTERP-UNLOCK is related to the number of MaxUnsignedApps and the number of max unsigned apps is determined when the Developer Phone Registration program communicates with the server I thought that it could be possible to analyze the behaviour of this app when it communicates with the server and, instead of sending to the phone 3 or 10 send the max number available.
Modifying an exe is a pain so could it be possible to create an emulated server that communicates with Developer Phone registration program by sniffing the connections between the program and the server (I do not know how to do it either since I have just started the network course )?
Maybe it has been already tried but I wanted to tell you anyway since you're great hackers and I am not.
It's a good idea, but I wouldn't hold my breath. This is how the original ChevronWP7 Unlocker hack worked, essentially - you installed a certificate on the phone for a server (normally it uses Microsoft's server and certificate). You then sent the unlock command to the phone and it would try to communicate with the server, but would get the ChevronWP7 server instead, which always said "yes, unlock!"
The catch in your idea is that the fix for ChevronWP7 was to change which certs the unlock process will use - in particular, you can't use user-installed certs anymore - and that means that a user probably can't catch the communication between the phone and the server anymore (which is, I'm sure, where the "value for MaxUnsignedApp" command comes from).
So is the phone that communicates with the server to get the number of apps, not the developer registration program?
Sorry to disappoint you, but it won't work. First of all, it is not the registration-program that communicates with the microsoft server. The registration-program simply send a command to the phone to start the registration process. The phone will contact the Microsoft registration server. The original ChevronWP7 tool spoofed the registration server. Since NoDo this is not possible anymore, because the phone only accepts ssl connections with certified servers (ie servers which have a certificate that roots to a certified authority). The maxunsignedapp is sent over the ssl connection between the phone and the microsoft server, which can't be spoofed or changed with a man-in-the-middle-attack.
Ciao,
Heathcliff74
---------- Post added at 12:57 PM ---------- Previous post was at 12:20 PM ----------
And by the way, Chevron already announced they will release a new Chevron tool, which will do a legit unlock for just a couple of bucks. Just a little more patience.
I have read they launched this now. However how many max unsigned apps till they release and since I have a legit student account on AppHub (I'm a dev) it won't invalidate my account. Just increase the max unsinged apps i think.
Wait for other methods of INTEROP-UNLOCKING.
And thanks to everybody.
What is the best way to watch HTTPS traffic from apps now? I will collect what I have found so far, but hoping someone more knowledgeable will add some points. Feel free to correct or point out other ways of accomplishing this. It feels like regardless of the options, the root of the problems are how to get around certificate pinning.
Emulator vs Phone
This is the first question and probably the most dependent on what you want to achieve. Working on a real device gives more space between your device and the proxy which makes things easier. The extra space is costly in other ways. For example, I would prefer to have a single instance running on the computer to collect information, but using a phone is easier but has the physical requirement of a device connected to the network.
Phone
Physical separation allows for clearer testing. Fully functional device means your input and output work as expected.
Emulator - Waydroid
Emulator running on the same computer causes more complicated networking to ensure you don't block your own traffic. Troubleshooting is trickier as it's more difficult to easily access parts of the emulator that a phone is easy to access. For example, I spent much more time than I would have expected to move a VPN configuration file from my computer to the virtual machine emulator than I would have ever expected. Adding the same configuration to the phone was a simple QR code scan.
Emulator running in a virtual machine allows for a future use case of running the whole thing in the cloud without a physical device.
Proxies
As far as I know, the only way to capture the HTTPS traffic is to use a proxy. This is in the form of an application running on a separate (virtual or physical as mentioned above) device. The hardest part here is the Certificate Authority which signs the HTTPS traffic when it leaves the app. More sophisticated apps, to prevent fraud, do a variety of actions to prevent the user or 3rd parties from capturing the data in each HTTPS request.
mitmproxy
open source, link
I tried this first as it comes with Python library which would make capturing data for later analysis much easier. Mitmproxy has a few different modes, and ultimately I found that `mitmproxy --mode wireguard` which runs via VPN captured a good amount of traffic, but still had target SDK traffic unable to be opened. Mitmproxy has a built in tool to help installing the certificate in Android as a user certificate. This will capture some HTTPs traffic, but for some apps and many SDKs this does not capture their traffic. Traffic can be captured in several ways: CLI tool for analysis of live traffic in memory, CLI dump to file and in memory live in browser of choice.
Charles Proxy
free for 30 days, shareware, link
I first used Charles nearly 10 years ago, and it doesn't feel like it's changed much, but is actively maintained. When I first started using Charles it was a breeze to use, CA was less of a problem. But as Android changed it also now has the problems of CA needing to be installed, and helps the user by providing it's own signed certificate which can be installed as a user certificate. Charles is a standalone program that you run and as such it does have a fair amount of issues on my linux environment related to it's display sizes. .
Burp Suite - Community Edition
paid/free, link
Community edition that is free to use. Runs in browser and comes with it's own CA tool.
Android Certificate Authority
These are the certificates used to sign HTTPS traffic to keep it secure. In Android there are three levels: User, System (root) and App Pinned Certificates. In Android settings you can add a CA which will be considered "user". Apps can choose whether to ignore this certificate. System CAs can only be set by a root user. While a user can install user CA's, apps do not have to use these. CAs can be set by users as root certificates. I believe this must be set regardless of device or VM. The majority of the certificates provided by the proxies don't seem to open a lot of HTTPS traffic. This is likely because Android N (API level 24) certificate pinning was introduced in 2016 and at this point most SDKs and Apps use this for transferring traffic.
JustTrustMe
open source, link
This is installed on a device or emulator. An Xposed addon that can be installed to force apps to use root authorities and prevent them from pinning their own CA.
apk-mitm
open source, link
This can be installed in a separate linux environment and is used to modify an app's apk before being installed into a VM emultator or phone. It attempts to get around the app's certificate pinning by patching the APK to disable certificate pinning.
This is just my notes on what I'm looking into. I figured I'd post here to see if anyone has some advice or pointers. Please feel free to correct / add to this! Meanwhile I'll also keep my notes here if it helps anyone.
To anyone later who is interested in this topic, I was able to finally get a working solution using Magisk + LSPosed and two certificate modules which unpinned certificates and set my user certificate to system. I wrote my detailed steps here if anyone needs the help.