UNWRAPPING THE TRUTH: ANALYSIS OF MOBILE APPLICATION WRAPPING SOLUTIONS

Black Hat USA 2014

Presented by: Ron Gutierrez, Stephen Komal
Date: Thursday August 07, 2014
Time: 17:00 - 18:00
Location: South Seas GH

One of the latest trends of BYOD solutions is to employ "Mobile Application Management (MAM)," which allows organizations to wrap existing applications to perform policy enforcement and data/transport security at the application layer rather than at the device level. Today's organizations face a complex choice: there are a plethora of BYOD application wrapping products on the market, each with their own colorful datasheets and hefty security claims. How well do these BYOD application wrapping solutions stand up to their claims? And perhaps just as important, how well do they defend against real-life mobile threats?

In this talk we will analyze the application wrapping solutions offered by some of the major commercial BYOD products on the market today. We'll reverse engineer how these application wrapping solutions work for both iOS and Android; as well as, analyze their authentication, cryptography, interprocess communication (IPC), and client-side security control implementations. Finally, we'll explore the security vulnerabilities we've discovered in major vendor products that could result in the compromise of sensitive information.

Ron Gutierrez

Ron Gutierrez is the technical lead at Gotham Digital Science (GDS).

Stephen Komal

Stephen Komal is a Security Researcher at Gotham Digital Science (GDS). His experience includes web application penetration testing, mobile security, content delivery security analysis, source code review, and secure development. Prior to joining GDS, Steve worked at Citi, helping to manage the vulnerability remediation process for the CTS Trade organization. Steve graduated Summa Cum Laude from NYU Poly with a BS in Computer Science and a concentration in Information Security in 2009.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats