
Android BYOD Security based on Trusted Network Connect

Since version 1.3.0 the popular strongSwan Android VPN Client allows the collection of integrity measurements on Android 4.x devices. A special Android BYOD IMC written in Java communicates via the TNC IF-M 1.0 Measurement protocol with an Operating System IMV and a Port Scanner IMV. The strongSwan Android VPN Client transports the IF-M messages (RFC 5792 PA-TNC) in IF-TNCCS 2.0 Client/Server protocol batches (RFC 5793 PB-TNC) via the IF-T for Tunneled EAP Methods 1.1 Transport protocol protected by IKEv2 EAP-TTLS.

VPN Client Configuration

[Figure: Android VPN client configuration]

The Android VPN client profile BYOD has the following properties:

  • The hostname of the VPN gateway is byod.strongswan.org.
  • The user authentication is based on IKEv2 EAP-MD5.
  • Possible user names are john or jane and the user password is byod-test.
  • The byod.strongswan.org server certificate is issued by the strongSwan 2009 certification authority.

Therefore the strongSwan 2009 CA certificate must be imported into the Android certificate trust store before the first connection can be attempted.

Unrestricted Access (TNC recommendation is allow)

[Figure: Successful connection]

If the BYOD IMC (Integrity Measurement Collector) does not detect and report any security issues to the OS, Scanner and Attestation IMVs (Integrity Measurement Verifiers) via the IF-M message protocol, then the TNC Server located in the combined strongSwan PDP/PEP decides to give the VPN client full access to the corporate network.

01[TNC] received TNCCS batch (132 bytes) for Connection ID 1
01[TNC] PB-TNC state transition from 'Init' to 'Server Working'
01[TNC] processing PB-TNC CDATA batch
01[TNC] processing PB-Language-Preference message (31 bytes)
01[TNC] processing PB-PA message (93 bytes)
01[TNC] setting language preference to 'en'
01[TNC] handling PB-PA message type 'IETF/Operating System' 0x000000/0x00000001
01[IMV] IMV 1 "OS" received message for Connection ID 1 from IMC 1
01[TNC] processing PA-TNC message with ID 0xec41ce1d
01[TNC] processing PA-TNC attribute type 'IETF/Product Information' 0x000000/0x00000002
01[TNC] processing PA-TNC attribute type 'IETF/String Version' 0x000000/0x00000004
01[IMV] operating system name is 'Android' from vendor Google
01[IMV] operating system version is '4.2.1'

The BYOD IMC first reports the Android OS version via the IETF Product Information and String Version PA-TNC attributes.
01[TNC] creating PA-TNC message with ID 0xeb4b3b9d
01[TNC] creating PA-TNC attribute type 'IETF/Attribute Request' 0x000000/0x00000001
01[TNC] creating PA-TNC attribute type 'ITA-HSR/Get Settings' 0x00902a/0x00000003

The OS IMV then requests a list of Installed Packages and some Android OS Settings via an IETF Attribute Request and an ITA-HSR Get Settings PA-TNC attribute, respectively.
05[TNC] processing PB-TNC CDATA batch
05[TNC] processing PB-PA message (771 bytes)
05[TNC] processing PB-PA message (64 bytes)
05[TNC] processing PB-PA message (44 bytes)
05[TNC] handling PB-PA message type 'IETF/Operating System' 0x000000/0x00000001
05[IMV] IMV 1 "OS" received message for Connection ID 1 from IMC 1 to IMV 1
05[TNC] processing PA-TNC message with ID 0x89c5af6a
05[TNC] processing PA-TNC attribute type 'IETF/Installed Packages' 0x000000/0x00000007
05[TNC] processing PA-TNC attribute type 'ITA-HSR/Settings' 0x00902a/0x00000004

05[IMV] processing installed 'Android' packages
05[IMV] package 'ch.sbb.mobile.android.b2c' (2.1.2) is ok
05[IMV] package 'ch.scythe.hsr' (0.8.4) not found
05[IMV] package 'com.amazon.kindle' (3.8.2.4) is ok
05[IMV] package 'com.cisco.webex.meetings' (2.5.3) not found
05[IMV] package 'com.endomondo.android' (8.7.0) not found
05[IMV] package 'com.facebook.katana' (2.3) not found
05[IMV] package 'com.farproc.wifi.analyzer' (3.4) not found
05[IMV] package 'com.linkedin.android' (2.5.7) not found
05[IMV] package 'com.linkomnia.ipv6detect' (1.1.0) not found
05[IMV] package 'com.rhmsoft.fm' (1.15.9) not found
05[IMV] package 'com.skype.raider' (3.2.0.6673) not found
05[IMV] package 'com.socialnmobile.dictapps.notepad.color.note' (3.9.17) not found
05[IMV] package 'com.viseca.myaccount' (1.1.0) not found
05[IMV] package 'com.whatsapp' (2.9.5196) not found
05[IMV] package 'com.xing.android' (3.8.1i) not found
05[IMV] package 'de.amazon.mShop.android' (2.3.0) not found
05[IMV] package 'jackpal.androidterm' (1.0.52) not found
05[IMV] package 'la.droid.qr' (5.3.2) is ok
05[IMV] package 'la.droid.wifi' (1.0) not found
05[IMV] package 'me.guillaumin.android.osmtracker' (0.6.4) not found
05[IMV] package 'org.connectbot' (1.7.1) not found
05[IMV] package 'org.strongswan.android' (1.2.0-byod) is ok
05[IMV] package 'tv.funtopia.weatheraustralia' (1.1R3.6) not found
05[IMV] processed 23 packages: 0 not updated, 0 blacklisted, 4 ok, 19 not found

05[IMV] setting 'android_id'
05[IMV]   cf5e4cbcc6e6a2db
05[IMV] setting 'install_non_market_apps'
05[IMV]   0

The Installed Packages are compared against a reference list stored in the database.
04[TNC] received TNCCS batch (8 bytes) for Connection ID 1
04[TNC] PB-TNC state transition from 'Decided' to 'End'
04[TNC] processing PB-TNC CLOSE batch
04[TNC] final recommendation is 'allow' and evaluation is 'compliant'
04[TNC] policy enforced on peer 'john' is 'allow'
04[TNC] policy enforcement point added group membership 'allow'
04[IKE] EAP_TTLS phase2 authentication of 'john' with EAP_TNC successful

The TNC measurements showed compliance and user john is allowed into the corporate network.
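The PA-TNC attributes exchanged above (Product Information, String Version, Attribute Request) follow the RFC 5792 wire format; the encoder/decoder below is an added illustration of that format, not code from the strongSwan project or the Android IMC. Google's vendor ID 11129 and product ID 0 are assumptions, and the decoder rejects attribute lengths that run past the message.

```python
import struct

# PA-TNC (RFC 5792) wire format. Vendor ID / type pairs are those in the log
# above: IETF vendor 0x000000, ITA-HSR vendor 0x00902a.
IETF, ITA_HSR = 0x000000, 0x00902a
ATTRIBUTE_REQUEST, PRODUCT_INFORMATION, STRING_VERSION, INSTALLED_PACKAGES = 1, 2, 4, 7
PA_TNC_VERSION, FLAG_NOSKIP = 1, 0x80

def encode_attribute(vendor, attr_type, value, noskip=True):
    """Attribute header: flags(1) vendor ID(3) type(4) length(4), then value."""
    hdr = struct.pack("!B", FLAG_NOSKIP if noskip else 0) + vendor.to_bytes(3, "big")
    return hdr + struct.pack("!II", attr_type, 12 + len(value)) + value

def encode_message(msg_id, attributes):
    """Message header: version(1) reserved(3) message identifier(4)."""
    return struct.pack("!B3xI", PA_TNC_VERSION, msg_id) + b"".join(attributes)

def decode_message(data):
    """Return (message ID, [(vendor, type, noskip, value), ...]); rejects bad lengths."""
    version, msg_id = struct.unpack("!B3xI", data[:8])
    if version != PA_TNC_VERSION:
        raise ValueError("unsupported PA-TNC version %d" % version)
    attrs, off = [], 8
    while off < len(data):
        if len(data) - off < 12:
            raise ValueError("truncated attribute header")
        vendor = int.from_bytes(data[off + 1:off + 4], "big")
        attr_type, length = struct.unpack("!II", data[off + 4:off + 12])
        if length < 12 or off + length > len(data):
            raise ValueError("attribute length %d exceeds message" % length)
        attrs.append((vendor, attr_type, bool(data[off] & FLAG_NOSKIP), data[off + 12:off + length]))
        off += length
    return msg_id, attrs

def product_information(vendor_id, product_id, name):
    """Product Information value: product vendor ID(3) product ID(2) product name."""
    return vendor_id.to_bytes(3, "big") + struct.pack("!H", product_id) + name.encode()

def string_version(version, build=b"", config=b""):
    """String Version value: length-prefixed version, build and config strings."""
    return b"".join(struct.pack("!B", len(s)) + s for s in (version.encode(), build, config))

def attribute_request(wanted):
    """Attribute Request value: one reserved(1) vendor ID(3) type(4) entry per attribute."""
    return b"".join(b"\x00" + v.to_bytes(3, "big") + struct.pack("!I", t) for v, t in wanted)

def android_os_message():
    """A message of the shape the BYOD IMC sends first (log message ID 0xec41ce1d).
    Google's vendor ID 11129 is assumed; product ID 0 is a placeholder."""
    return encode_message(0xec41ce1d, [
        encode_attribute(IETF, PRODUCT_INFORMATION, product_information(11129, 0, "Android")),
        encode_attribute(IETF, STRING_VERSION, string_version("4.2.1")),
    ])
```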

Restricted Access (TNC recommendation is isolate)

User John now makes the following changes on his Android phone:

[Figure: Allow non-market Apps from unknown sources]

[Figure: Warn from enabling download from Unknown Sources]

[Figure: Download and install Android Web server]

  • If the Unknown sources flag is activated in the Settings/Security configuration menu of the Android device then a user might be lured into downloading malicious Apps via manipulated links. Setting this flag therefore poses a grave security risk.
  • The user also decides to download and install an Android Web Server from the official Google play store.

The next time John tries to access his home network, he is granted only restricted access and his VPN Client is directed to a remediation network.


16[IMV] processing installed 'Android' packages
16[IMV] package 'ch.sbb.mobile.android.b2c' (2.1.2) is ok
...
16[IMV] package 'org.xeustechnologies.android.kws' (1.7) is blacklisted
16[IMV] processed 24 packages: 0 not updated, 1 blacklisted, 4 ok, 19 not found

16[IMV] setting 'android_id'
16[IMV]   cf5e4cbcc6e6a2db
16[IMV] setting 'install_non_market_apps'
16[IMV]   1

A blacklisted package is detected and Unknown Sources are enabled in the Android Security Settings.
16[TNC] creating PA-TNC message with ID 0xcf753973
16[TNC] creating PA-TNC attribute type 'IETF/Assessment Result' 0x000000/0x00000009
16[TNC] creating PA-TNC attribute type 'IETF/Remediation Instructions' 0x000000/0x0000000a
16[TNC] creating PA-TNC attribute type 'IETF/Remediation Instructions' 0x000000/0x0000000a
16[TNC] creating PB-PA message type 'IETF/Operating System' 0x000000/0x00000001
16[TNC] IMV 1 is setting reason string to 'Vulnerable or blacklisted software packages were found
16[TNC]                                    Improper OS settings were detected'
16[TNC] IMV 1 is setting reason language to 'en'
16[TNC] IMV 1 provides recommendation 'isolate' and evaluation 'non-compliant minor'

This causes an IETF Assessment Result and two IETF Remediation Instructions PA-TNC attributes to be sent to the BYOD IMC and a PB-TNC Reason String to the TNC Client.
03[TNC] received TNCCS batch (8 bytes) for Connection ID 2
03[TNC] PB-TNC state transition from 'Decided' to 'End'
03[TNC] processing PB-TNC CLOSE batch
03[TNC] final recommendation is 'isolate' and evaluation is 'non-compliant minor'
03[TNC] policy enforced on peer 'john' is 'isolate'
03[TNC] policy enforcement point added group membership 'isolate'
03[IKE] EAP_TTLS phase2 authentication of 'john' with EAP_TNC successful

The TNC measurements show minor issues with compliance and user john is relegated to an isolation network.

Blocked Access (TNC recommendation is block)

User John now starts the installed Android Web Server because he wants to manage his phone remotely in a much more comfortable way from his laptop computer. The Web Server is listening on TCP port 8080, potentially allowing a hacker to access the phone and take full control of it:

[Figure: Start Android Web server listening on TCP port 8080]

Since this poses a severe security risk, user John is blocked from accessing the network and the VPN connection setup fails.

[Figure: Failed Connection]

[Figure: Remediation Instructions for Failed Connection]

[Figure: Remediation Instruction Details for Failed Connection]

01[TNC] handling PB-PA message type 'IETF/VPN' 0x000000/0x00000007
01[IMV] IMV 2 "Scanner" received message for Connection ID 3 from IMC 1 to IMV 2
01[TNC] processing PA-TNC message with ID 0xe1422d55
01[TNC] processing PA-TNC attribute type 'IETF/Port Filter' 0x000000/0x00000006
01[IMV] tcp port  8080 open: fatal

The BYOD IMC detects a server listening on TCP port 8080 and sends this information via an IETF Port Filter PA-TNC attribute to the Scanner IMV.
01[TNC] creating PA-TNC message with ID 0x3411eaf5
01[TNC] creating PA-TNC attribute type 'IETF/Assessment Result' 0x000000/0x00000009
01[TNC] creating PA-TNC attribute type 'IETF/Remediation Instructions' 0x000000/0x0000000a
01[TNC] creating PA-TNC attribute type 'IETF/Remediation Instructions' 0x000000/0x0000000a
01[TNC] creating PB-PA message type 'IETF/VPN' 0x000000/0x00000007
01[TNC] IMV 2 is setting reason string to 'Open server ports were detected'
01[TNC] IMV 2 is setting reason language to 'en'
01[TNC] IMV 2 provides recommendation 'no access' and evaluation 'non-compliant major'
01[TNC] PB-TNC state transition from 'Server Working' to 'Decided'
01[TNC] creating PB-TNC RESULT batch
01[TNC] adding PB-PA message
01[TNC] adding PB-PA message
01[TNC] adding PB-PA message
01[TNC] adding PB-Assessment-Result message
01[TNC] adding PB-Access-Recommendation message
01[TNC] adding PB-Reason-String message
01[TNC] adding PB-Reason-String message
01[TNC] sending PB-TNC RESULT batch (1469 bytes) for Connection ID 3

Remediation Instructions are sent to the BYOD IMC.
16[TNC] received TNCCS batch (8 bytes) for Connection ID 3
16[TNC] PB-TNC state transition from 'Decided' to 'End'
16[TNC] processing PB-TNC CLOSE batch
16[TNC] final recommendation is 'no access' and evaluation is 'non-compliant major'
16[TNC] policy enforced on peer 'john' is 'no access'
16[IKE] EAP_TNC method failed
16[TLS] sending TLS close notify

The TNC measurement shows major issues with compliance due to the open server port and user john is denied network access.
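The three outcomes above (allow, isolate, no access) reduce to a small decision: each IMV grades its own measurements, and the TNC server keeps the most restrictive recommendation. The following is an added, simplified model of that logic, not the strongSwan IMV code; the reference list, the fatal-port set and the rule that a version mismatch counts as "not updated" are assumptions.

```python
# Orderings used to merge several IMV verdicts: the final recommendation and
# evaluation are the most restrictive ones (assumed policy, not strongSwan's).
RECOMMENDATIONS = ["allow", "isolate", "no access"]
EVALUATIONS = ["compliant", "non-compliant minor", "non-compliant major"]

def os_imv(packages, reference, settings):
    """OS IMV: compare (name, version) pairs against a reference dict whose value
    is either the expected version or the marker 'blacklisted'; check settings."""
    counts = {"ok": 0, "not found": 0, "blacklisted": 0, "not updated": 0}
    for name, version in packages:
        expected = reference.get(name)
        if expected is None:
            counts["not found"] += 1
        elif expected == "blacklisted":
            counts["blacklisted"] += 1
        elif expected == version:
            counts["ok"] += 1
        else:
            counts["not updated"] += 1      # simplification: any mismatch
    reasons = []
    if counts["blacklisted"] or counts["not updated"]:
        reasons.append("Vulnerable or blacklisted software packages were found")
    if settings.get("install_non_market_apps") == "1":
        reasons.append("Improper OS settings were detected")
    if reasons:
        return "isolate", "non-compliant minor", reasons, counts
    return "allow", "compliant", reasons, counts

def scanner_imv(open_tcp_ports, fatal_ports):
    """Scanner IMV: any open port in the fatal set is a major violation."""
    if any(port in fatal_ports for port in open_tcp_ports):
        return "no access", "non-compliant major", ["Open server ports were detected"]
    return "allow", "compliant", []

def final_decision(verdicts):
    """TNC server: most restrictive recommendation/evaluation, all reason strings."""
    rec = max((v[0] for v in verdicts), key=RECOMMENDATIONS.index)
    ev = max((v[1] for v in verdicts), key=EVALUATIONS.index)
    return rec, ev, [r for v in verdicts for r in v[2]]

def evaluate_byod(packages, reference, settings, open_tcp_ports, fatal_ports={8080}):
    """Run both IMVs over one connection's measurements and merge the results."""
    return final_decision([os_imv(packages, reference, settings),
                           scanner_imv(open_tcp_ports, fatal_ports)])
```

With the constructed inputs in the test, the three calls reproduce the page's allow / isolate / no access sequence.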

Attachments (Andreas Steffen, February and April 2013):

  • strongswan-config_small.png: Android VPN client configuration (22.02.2013)
  • connected_small.png: Successful connection (22.02.2013)
  • restricted-remediation_small.png (22.02.2013)
  • restricted-remediation-details_small.png (22.02.2013)
  • restricted_small.png (23.02.2013)
  • failed_small.png: Failed Connection (23.02.2013)
  • failed-remediation_small.png: Remediation Instructions for Failed Connection (23.02.2013)
  • failed-remediation-details_small.png: Remediation Instruction Details for Failed Connection (23.02.2013)
  • non-market-apps-setting_small.png: Allow non-market Apps from unknown sources (08.04.2013)
  • kws-webserver_small.png: Download and install Android Web server (08.04.2013)
  • webserver-active_small.png: Start Android Web server listening on TCP port 8080 (08.04.2013)
  • unknown-sources-warning_small.png: Warn from enabling download from Unknown Sources (08.04.2013)