LAS VEGAS -- Mobile application management technology is meant to help enterprises deal with the security pitfalls of the BYOD movement, but one researcher has uncovered a number of vulnerabilities in legacy versions of leading MAM products that may allow attackers to compromise sensitive corporate data.
Last week at Black Hat USA 2014, Ron Gutierrez, technical lead for infosec consulting firm Gotham Digital Science LLC, previewed some of the findings from his upcoming white paper on common mobile application management flaws and questioned the effectiveness of MAM products.
Meant as an alternative to mobile device management (MDM) technology, which can be used to manage mobile devices by applying security polices to devices across an enterprise environment, mobile application management (MAM) aims to protect sensitive data by applying security measures only to enterprise-specific apps. This is an approach increasingly favored among organizations that support large, heterogeneous user-owned mobile device environments.
MAM products generally function by injecting wrapping code within an application, Gutierrez explained, which causes the modification of executables and thus needs to be signed with a new security certificate by an enterprise. A vendor's MAM agent is installed on user devices, and the enterprise configures a MAM server, which feeds security policy changes and the like to the protected apps via the agent.
The MAM approach eliminates some of the issues associated with MDM, including privacy concerns and generally poor, restrictive user experiences. Still, Gutierrez said MAM is not without fault because it requires the development of secure containers, which is a complex process.
Leaky MDM containers expose data
According to Gutierrez, the problem is that many MAM containers are incomplete, meaning they fail in at least one of three critical areas: data should be encrypted seamlessly, the encryption key should only be accessible after fully authenticating to the app and the strength of the cryptography should not rely on device-level policies.
"There's got to be some form of authentication to access it, because otherwise you're encrypting data and the data key is going to be stored somewhere on the device," Gutierrez said. "You don't want to rely on any device-level policies because the whole point of these BYOD devices -- and MAM especially -- is you're not setting device-level policies."
During the Black Hat presentation, Gutierrez shared a few particularly common vulnerability patterns his research uncovered across a variety of MAM products.
First, he found some MAM-controlled applications allowed data to be accessible offline, meaning a user that doesn't have Internet access can enter a password and a key will be created to decrypt the data. The obvious problem with this scenario, Gutierrez said, is that because the data can be decrypted offline, the key generation must take place on the device rather than a key being stored on a server.
For instance, one product derived an encryption key by using the iOS keychain, a unique device identifier and perhaps another piece of data. Basically, all of the authentication logic was defined by code, he added, so the product would hash the passcode and then compare it to a stored hash, ultimately opening up a number of avenues for an attacker to generate a key.
"I can literally inject [it] into the application and say whichever password I put in, even if it's wrong, it'll return true, and that will cause the application to start generating the key for me," said Gutierrez. "Another way is doing full-on reverse-engineering, getting all the key pieces of material from the device and deriving the key myself. It can always be bypassed."
One worrying pattern, Gutierrez said, was the decoupling of the password-verification process from the key derivation. In particular, he noticed that some MAM products would use a strong key-derivation function capable of withstanding brute-force attacks, but to extract the key, the password verification would need to pass through a weak hashing function. That means that an attacker could choose to brute force the weak hash in order to generate the key, compromising the data within the application.
Gutierrez added that some MAM applications allow organizations to use Active Directory credentials to hash the offline passphrase, which opens up the possibility of an attacker compromising Active Directory.
"So they did key derivation part correctly, but then the verification part was still weak. You're just doing a simple unsalted hash," Gutierrez said. "Why would an attacker try to brute force the strong key derivation when you have a stored hash here that they can brute force anyway?"
Though he found several instances where MAM controls could be bypassed, Gutierrez said that the vendors he contacted about the issues had been very responsive and most of the aforementioned flaws have since been fixed, making it an imperative that enterprise MDM customers check with their vendors to determine whether a product upgrade is necessary.
In the soon-to-be-released white paper, he also plans to include a checklist of questions that enterprises should ask MAM vendors when evaluating these products.
Learn how to leverage both MDM and MAM tools to secure mobile applications.
Evaluate security policy must-haves for MAM technology.