The document discusses research conducted by Gregg Ganley and Gavin Black at MITRE in FY13-14 on iOS mobile application security. It describes their work on a tool called iMAS (iOS Mobile Application Security) which aims to provide additional security controls and containment for native iOS applications. iMAS addresses vulnerabilities related to runtime access, device access, application access, data at rest, and threats from app stores/malware. It utilizes techniques like encrypted code modules, forced inlining, secure MDM and more to raise security levels above standard iOS but below a fully customized/rooted mobile device environment. The document outlines the motivation, capabilities and future research directions for the iMAS project.
7. Native iOS Application: Vulnerable Areas (diagram; only the labels survive extraction)
Labels: 4 Digit Passcode; App Signing; App Store; System components: RAM and Debugger, Jailbreak / Root Access, User Auth, App Access, Keychain, Flash Data Storage, SSH / Debugger, iOS Core Services; iOS; Internet; iPhone / iPad Hardware.
Approved for Public Release: Case #13-2148
8. iMAS Secure Application Container (diagram; only the labels survive extraction)
Labels: iMAS; Native iOS Application; Secure MDM Control; AppPassword; Passcode Check; Security-Check (Jailbreak / debugger attach); Encrypted Core Data; AppIntegrity Check; AppSignature Check; Encrypted RAM / Disk (Memory Check); Secure Foundation (OpenSSL FIPS); Dynamic App Bundling; ECM (Encrypted Code Modules); Off Device Trust Check; iOS; iPhone / iPad Hardware; App Store; Malware; SSH / Debugger; iOS Core Services; Enterprise App Store; Tolerable Security Risk; Open Source: github.com/project-imas.
11. (chart fragment) 60% (6) iMAS Apply
12. Security Controls vs. Mobile App Classification Level (chart; only the labels survive extraction)
Y axis: Security Controls. X axis: Mobile App Classification Level: Consumer / Unclassified (Internet); Enterprise / Sensitive (NIPRNET/MITRE); Enterprise+ / Classified (SIPRNET/JWICS).
Series: iOS v4/5; iOS v6; iOS w/COTS App MDM Containers; iMAS (Sep 2013), the Sept 2013 level; iMAS (Sep 2014); iOS w/iMAS, with or without COTS; State of the Art (Sep 2013); Art of the Possible (2014+); Open Source.
Caption: iMAS controls raise security levels, bringing it closer to the Art of the Possible.
14. Vulnerable Areas, iMAS Controls, and Future Research (table; only the labels survive extraction)
Vulnerable Areas: Run-time: RAM and Debugger; Device Access: 4 Digit Passcode, Jailbreak / Root Access; App Access: None; Data At Rest: Keychain, CoreData, Disk; AppStore / Malware: App Tampering; Data in Transit: Lightning Connector.
iMAS: Passcode Check; Security-Check (Jailbreak / debugger attach); AppPassword; Memory Security (Encrypted RAM); Encrypted Core Data; Forced-inlining; AppIntegrity Check; Encrypted Code Modules (ECM); Secure Foundation (OpenSSL / FIPS).
Future Research: MDM Remote Control.
25. iMAS Possibilities (diagram; only the labels survive extraction)
Diagram: iOS Device running the iMAS App; Open Source MDM Server; Apple Push Notification Servers. Flow labels: 0. Device Enrollment (Root Certificate, Enroll.mobileconfig); 3. JSON formatted commands and acknowledgements.
• Find limitations of MDM specification
• Single sign on app
• Remote App lock
• Remote App password reset
• Remote Jailbreak reporting
• Understand and test low level command structure
• Ability to secure individual apps
• Provide scripts and guidance for initial setup
• Maintain and enhance open source MDM server
Maintain and enhance existing open source MDM server
  • Additional commands for managed applications
  • Scripts for autogenerating certificates and needed plist files
  • Updating server to handle multiple enrolled devices
Understand and test low level command structure
  • JSON formatted commands directly communicated to server
  • Direct communication with server after initial Apple push request
  • Still need to test iOS 7 MDM improvements (Application specific configuration dictionaries)
Find limitations of MDM
  • Messages sent to a device in standby or off are not received
  • Must continually send until receiving an acknowledgment
  • No application specific management, besides uninstall, until iOS 7
Ability to secure individual applications
  • Managed application removal deletes entire sandbox for app
  • Monitoring application that provides additional security to iMAS enabled apps
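The MDM limitation noted above (a command sent to a device that is off or in standby is simply lost, so the server must keep re-sending until it receives an acknowledgment) is modelled in the following Python sketch. This is an added example written for this page, not code from the iMAS mdm-server or from MITRE; the JSON command shape, the cmd_id field, the command names, the bundle identifier and the simulated device are all assumptions made here for illustration. The point it adds to the slide text is that retry-until-ack only works safely when each command carries a unique id, so a device that did receive an earlier copy treats the re-send as a no-op, and when the retry loop is bounded so a permanently dark device cannot pin the server.

```python
"""Retry-until-acknowledged command delivery (constructed example).

Constructed for this page; not the iMAS mdm-server's code. The JSON
command layout, `cmd_id`, the command names and SimulatedDevice are
assumptions made here to illustrate the retry requirement.
"""

import json
import uuid
from dataclasses import dataclass, field


@dataclass
class SimulatedDevice:
    """Stand-in for an enrolled iOS device.

    Every delivery is dropped while `offline_for` attempts remain (the
    device is off or in standby); after that it processes the command and
    returns a JSON ack. Processed ids are remembered so a duplicate
    delivery is idempotent.
    """
    offline_for: int
    processed: list = field(default_factory=list)
    seen_ids: set = field(default_factory=set)

    def deliver(self, payload: str):
        """Return a JSON ack string, or None if the device was unreachable."""
        if self.offline_for > 0:
            self.offline_for -= 1
            return None
        cmd = json.loads(payload)
        # A re-sent copy of a command already handled must not run twice.
        if cmd["cmd_id"] not in self.seen_ids:
            self.seen_ids.add(cmd["cmd_id"])
            self.processed.append(cmd["command"])
        return json.dumps({"cmd_id": cmd["cmd_id"], "status": "Acknowledged"})


def make_command(command: str, **params) -> dict:
    """Build a command carrying a unique id so acks can be matched to sends."""
    return {"cmd_id": str(uuid.uuid4()), "command": command, **params}


def send_until_acked(device: SimulatedDevice, cmd: dict, max_attempts: int = 5):
    """Re-send `cmd` until an ack with the same cmd_id arrives.

    Returns (acked, attempts). The loop is bounded so a device that never
    comes back does not leave the server retrying forever.
    """
    payload = json.dumps(cmd)
    for attempt in range(1, max_attempts + 1):
        ack = device.deliver(payload)
        if ack is None:
            continue  # device unreachable on this attempt; try again
        if json.loads(ack).get("cmd_id") == cmd["cmd_id"]:
            return True, attempt
    return False, max_attempts


def demo():
    """Device is dark for two attempts, acks on the third; a stale re-send
    of the same command afterwards must not execute it a second time."""
    device = SimulatedDevice(offline_for=2)
    # Constructed command and bundle id, not values from the page.
    cmd = make_command("AppLock", bundle_id="com.example.imasapp")
    acked, attempts = send_until_acked(device, cmd)
    send_until_acked(device, cmd)  # duplicate delivery, should be a no-op
    return acked, attempts, device.processed


if __name__ == "__main__":
    print(demo())
    dark = SimulatedDevice(offline_for=100)
    print(send_until_acked(dark, make_command("DeviceLock")))
```

Running the block shows the first command acknowledged on the third attempt with the device having executed it exactly once, and a device that never wakes giving up after the bounded five attempts rather than looping indefinitely.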