Android BYOD Security based on Trusted Network Connect » History » Version 32

Tobias Brunner, 10.07.2014 18:20

h1. Android BYOD Security based on Trusted Network Connect

Since version 1.3.0 the popular "strongSwan Android VPN Client":https://play.google.com/store/apps/details?id=org.strongswan.android can collect integrity measurements on Android 4.x devices. A dedicated Android BYOD IMC written in Java communicates via the TNC IF-M 1.0 measurement protocol with an Operating System IMV and a Port Scanner IMV. The strongSwan Android VPN Client transports the IF-M messages (RFC 5792 PA-TNC) in IF-TNCCS 2.0 client/server protocol batches (RFC 5793 PB-TNC) over the IF-T for Tunneled EAP Methods 1.1 transport protocol, which in turn is protected by the IKEv2 EAP-TTLS tunnel.

{{>toc}}

h2. VPN Client Configuration

!strongswan-config_small.png!:http://www.strongswan.org/byod/strongswan-config.png

The Android VPN client profile *BYOD* has the following properties:

* The hostname of the VPN gateway is *byod.strongswan.org*.

* The user authentication is based on *IKEv2 EAP-TTLS* with *EAP-MD5* as the inner (phase 2) method; the TNC assessment (EAP-TNC) is carried inside the same TTLS tunnel.

* Possible user names are *john* or *jane* and the user password is *byod-test*.

* The *byod.strongswan.org* server certificate is issued by the *strongSwan 2009* certification authority.

Therefore the "strongSwan 2009 CA certificate":http://www.strongswan.org/byod/strongswan-cert.crt must be imported into the Android certificate trust store before the first connection can be attempted.

h2. Unrestricted Access (TNC recommendation is allow)

!connected_small.png!:http://www.strongswan.org/byod/screenshot-01-connected.png

If the BYOD IMC (Integrity Measurement Collector) does not detect and report any security issues to the OS, Scanner and Attestation IMVs (Integrity Measurement Verifiers) via the IF-M message protocol, the TNC server located in the combined strongSwan PDP/PEP decides to give the VPN client full access to the corporate network.
<pre>
01[TNC] received TNCCS batch (132 bytes) for Connection ID 1
01[TNC] PB-TNC state transition from 'Init' to 'Server Working'
01[TNC] processing PB-TNC CDATA batch
01[TNC] processing PB-Language-Preference message (31 bytes)
01[TNC] processing PB-PA message (93 bytes)
01[TNC] setting language preference to 'en'
01[TNC] handling PB-PA message type 'IETF/Operating System' 0x000000/0x00000001
01[IMV] IMV 1 "OS" received message for Connection ID 1 from IMC 1
01[TNC] processing PA-TNC message with ID 0xec41ce1d
01[TNC] processing PA-TNC attribute type 'IETF/Product Information' 0x000000/0x00000002
01[TNC] processing PA-TNC attribute type 'IETF/String Version' 0x000000/0x00000004
01[IMV] operating system name is 'Android' from vendor Google
01[IMV] operating system version is '4.2.1'
</pre>
The BYOD IMC first reports the Android OS version via the IETF Product Information and String Version PA-TNC attributes.
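The first client batch in the log above (and the PB-TNC/PA-TNC layering described in the introduction), rebuilt byte by byte as an added example that is not code from the strongSwan project or from this page: a PB-TNC CDATA batch carrying a PB-Language-Preference message and a PB-PA message whose PA-TNC payload holds the IETF Product Information and String Version attributes. The build string, the product vendor number (Google's IANA enterprise number, assumed here) and the PA-TNC message ID are sample values; the decoder walks the batch the same way the TNC server log prints it, checking every length field on the way.

```python
"""PB-TNC (RFC 5793) / PA-TNC (RFC 5792) encoder and decoder for the first client batch.

Added example, not strongSwan code. Product name, version, build number and
message ID are constructed sample values.
"""
import struct

IETF = 0x000000                  # IETF vendor ID (Private Enterprise Number 0)
GOOGLE_PEN = 11129               # assumed: Google's IANA Private Enterprise Number
PB_LANG_PREF, PB_PA = 3, 7       # PB-TNC message types
PA_ATTR_PRODUCT_INFO, PA_ATTR_STRING_VERSION = 2, 4   # PA-TNC attribute types
PA_SUBTYPE_OS = 1                # IETF PA subtype "Operating System"
BATCH_CDATA = 1                  # PB-TNC batch type sent by the TNC client
NOSKIP = 0x80                    # flag bit in PB-TNC message and PA-TNC attribute headers


def tlv(vendor, kind, value, flags=NOSKIP):
    """Flags(1) | Vendor ID(3) | Type(4) | Length(4, incl. header) | Value.
    PB-TNC messages and PA-TNC attributes share this 12-byte header layout."""
    return (struct.pack("!B", flags) + vendor.to_bytes(3, "big")
            + struct.pack("!II", kind, 12 + len(value)) + value)


def parse_tlvs(buf):
    """Yield (flags, vendor, type, value) for each TLV in buf, rejecting bad lengths."""
    off = 0
    while off < len(buf):
        if off + 12 > len(buf):
            raise ValueError("truncated TLV header")
        flags = buf[off]
        vendor = int.from_bytes(buf[off + 1:off + 4], "big")
        kind, length = struct.unpack("!II", buf[off + 4:off + 12])
        if length < 12 or off + length > len(buf):
            raise ValueError("bad TLV length %d" % length)
        yield flags, vendor, kind, buf[off + 12:off + length]
        off += length


def pa_product_info(product_vendor, product_id, name):
    """IETF Product Information: Product Vendor ID(3) | Product ID(2) | Product Name."""
    value = product_vendor.to_bytes(3, "big") + struct.pack("!H", product_id) + name.encode()
    return tlv(IETF, PA_ATTR_PRODUCT_INFO, value)


def pa_string_version(version, build="", config=""):
    """IETF String Version: three length-prefixed strings (version, build, configuration)."""
    parts = (version.encode(), build.encode(), config.encode())
    return tlv(IETF, PA_ATTR_STRING_VERSION, b"".join(struct.pack("!B", len(s)) + s for s in parts))


def pa_tnc_message(msg_id, attributes):
    """PA-TNC message: Version(1)=1 | Reserved(3) | Message Identifier(4) | attributes."""
    return struct.pack("!B3xI", 1, msg_id) + b"".join(attributes)


def pb_pa(subtype, imc_id, imv_id, pa_msg):
    """PB-PA: Flags(1) | PA Vendor ID(3) | PA Subtype(4) | Collector ID(2) | Validator ID(2) | PA-TNC msg."""
    value = struct.pack("!B", 0) + IETF.to_bytes(3, "big") + struct.pack("!IHH", subtype, imc_id, imv_id) + pa_msg
    return tlv(IETF, PB_PA, value)


def pb_batch(batch_type, messages, from_server=False):
    """PB-TNC batch: Version(1)=2 | D(1 bit)+Reserved(3 bits)+Batch Type(4 bits) | Reserved(2) | Length(4)."""
    body = b"".join(messages)
    return struct.pack("!BBHI", 2, (0x80 if from_server else 0) | batch_type, 0, 8 + len(body)) + body


def build_first_client_batch():
    """The CDATA batch the Android client sends first: language preference plus OS product/version."""
    lang = tlv(IETF, PB_LANG_PREF, b"Accept-Language: en", flags=0)
    pa = pa_tnc_message(0xEC41CE1D, [
        pa_product_info(GOOGLE_PEN, 0, "Android"),
        pa_string_version("4.2.1", build="JOP40D"),      # build string is a constructed sample
    ])
    return pb_batch(BATCH_CDATA, [lang, pb_pa(PA_SUBTYPE_OS, imc_id=1, imv_id=1, pa_msg=pa)])


def decode_batch(batch):
    """Decode a batch into the structure the server log prints, one dict per PB-TNC message."""
    version, flags, _, length = struct.unpack("!BBHI", batch[:8])
    if version != 2 or length != len(batch):
        raise ValueError("not a well-formed PB-TNC 2.0 batch")
    out = {"batch_type": flags & 0x0F, "from_server": bool(flags & 0x80), "messages": []}
    for _f, vendor, kind, value in parse_tlvs(batch[8:]):
        msg = {"vendor": vendor, "type": kind, "len": 12 + len(value)}
        if (vendor, kind) == (IETF, PB_LANG_PREF):
            msg["language_preference"] = value.decode()
        elif (vendor, kind) == (IETF, PB_PA):
            msg["subtype"], msg["imc_id"], msg["imv_id"] = struct.unpack("!IHH", value[4:12])
            msg["msg_id"] = struct.unpack("!I", value[16:20])[0]    # PA-TNC header starts at offset 12
            msg["attributes"] = []
            for _af, av, at, aval in parse_tlvs(value[20:]):
                attr = {"vendor": av, "type": at}
                if (av, at) == (IETF, PA_ATTR_PRODUCT_INFO):
                    attr["product_vendor"] = int.from_bytes(aval[:3], "big")
                    attr["name"] = aval[5:].decode()
                elif (av, at) == (IETF, PA_ATTR_STRING_VERSION):
                    fields, off = [], 0
                    for _ in range(3):
                        n = aval[off]
                        fields.append(aval[off + 1:off + 1 + n].decode())
                        off += 1 + n
                    attr["version"], attr["build"], attr["config"] = fields
                msg["attributes"].append(attr)
        out["messages"].append(msg)
    return out
```

The 31-byte PB-Language-Preference message in the log is exactly the 12-byte PB-TNC message header plus the 19-character string "Accept-Language: en"; the 93-byte PB-PA message differs from this sample only in the length of the build and configuration strings reported by the real device.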
<pre>
01[TNC] creating PA-TNC message with ID 0xeb4b3b9d
01[TNC] creating PA-TNC attribute type 'IETF/Attribute Request' 0x000000/0x00000001
01[TNC] creating PA-TNC attribute type 'ITA-HSR/Get Settings' 0x00902a/0x00000003
</pre>
The OS IMV then requests a list of installed packages and some Android OS settings via an IETF Attribute Request and an ITA-HSR Get Settings PA-TNC attribute, respectively.
<pre>
05[TNC] processing PB-TNC CDATA batch
05[TNC] processing PB-PA message (771 bytes)
05[TNC] processing PB-PA message (64 bytes)
05[TNC] processing PB-PA message (44 bytes)
05[TNC] handling PB-PA message type 'IETF/Operating System' 0x000000/0x00000001
05[IMV] IMV 1 "OS" received message for Connection ID 1 from IMC 1 to IMV 1
05[TNC] processing PA-TNC message with ID 0x89c5af6a
05[TNC] processing PA-TNC attribute type 'IETF/Installed Packages' 0x000000/0x00000007
05[TNC] processing PA-TNC attribute type 'ITA-HSR/Settings' 0x00902a/0x00000004

05[IMV] processing installed 'Android' packages
05[IMV] package 'ch.sbb.mobile.android.b2c' (2.1.2) is ok
05[IMV] package 'ch.scythe.hsr' (0.8.4) not found
05[IMV] package 'com.amazon.kindle' (3.8.2.4) is ok
05[IMV] package 'com.cisco.webex.meetings' (2.5.3) not found
05[IMV] package 'com.endomondo.android' (8.7.0) not found
05[IMV] package 'com.facebook.katana' (2.3) not found
05[IMV] package 'com.farproc.wifi.analyzer' (3.4) not found
05[IMV] package 'com.linkedin.android' (2.5.7) not found
05[IMV] package 'com.linkomnia.ipv6detect' (1.1.0) not found
05[IMV] package 'com.rhmsoft.fm' (1.15.9) not found
05[IMV] package 'com.skype.raider' (3.2.0.6673) not found
05[IMV] package 'com.socialnmobile.dictapps.notepad.color.note' (3.9.17) not found
05[IMV] package 'com.viseca.myaccount' (1.1.0) not found
05[IMV] package 'com.whatsapp' (2.9.5196) not found
05[IMV] package 'com.xing.android' (3.8.1i) not found
05[IMV] package 'de.amazon.mShop.android' (2.3.0) not found
05[IMV] package 'jackpal.androidterm' (1.0.52) not found
05[IMV] package 'la.droid.qr' (5.3.2) is ok
05[IMV] package 'la.droid.wifi' (1.0) not found
05[IMV] package 'me.guillaumin.android.osmtracker' (0.6.4) not found
05[IMV] package 'org.connectbot' (1.7.1) not found
05[IMV] package 'org.strongswan.android' (1.2.0-byod) is ok
05[IMV] package 'tv.funtopia.weatheraustralia' (1.1R3.6) not found
05[IMV] processed 23 packages: 0 not updated, 0 blacklisted, 4 ok, 19 not found

05[IMV] setting 'android_id'
05[IMV]   cf5e4cbcc6e6a2db
05[IMV] setting 'install_non_market_apps'
05[IMV]   0
</pre>
The installed packages reported by the IMC are compared against a reference list stored in the IMV database; each package is classified as ok, not updated, blacklisted or not found, and the summary line gives the totals. The requested settings (the device's android_id and the install_non_market_apps flag, which is 0 here) are listed after the package summary.
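The package check described above, as an added example that is not strongSwan code: it decodes the value of an IETF Installed Packages attribute (RFC 5792 section 4.2.8) and classifies every package against a reference table the way the OS IMV log lines do. The REFERENCE dictionary stands in for the IMV database, and both its entries and the sample package list are constructed; the version comparison is a simple dotted-version ordering chosen for this example.

```python
"""Decode an IETF Installed Packages attribute value and classify packages against a reference list.

Added example, not strongSwan code. REFERENCE stands in for the OS IMV
database; its entries and the sample packages are constructed.
"""
import struct
from dataclasses import dataclass


@dataclass
class Reference:
    version: str             # newest version that is considered up to date
    blacklisted: bool = False


REFERENCE = {
    "org.strongswan.android": Reference("1.2.0-byod"),
    "la.droid.qr": Reference("5.3.2"),
    "com.amazon.kindle": Reference("3.8.2.4"),
    "org.xeustechnologies.android.kws": Reference("1.7", blacklisted=True),
}


def encode_installed_packages(packages):
    """Installed Packages value: Reserved(2) | Count(2) | {NameLen(1) Name VersionLen(1) Version}*."""
    value = struct.pack("!HH", 0, len(packages))
    for name, version in packages:
        n, v = name.encode(), version.encode()
        if len(n) > 255 or len(v) > 255:
            raise ValueError("package name or version longer than 255 bytes")
        value += struct.pack("!B", len(n)) + n + struct.pack("!B", len(v)) + v
    return value


def _read_str(value, off):
    """Read one length-prefixed string, refusing to run past the end of the attribute."""
    if off >= len(value) or off + 1 + value[off] > len(value):
        raise ValueError("truncated Installed Packages attribute")
    n = value[off]
    return value[off + 1:off + 1 + n].decode(), off + 1 + n


def decode_installed_packages(value):
    """Inverse of encode_installed_packages; rejects truncated values and trailing bytes."""
    _reserved, count = struct.unpack("!HH", value[:4])
    off, packages = 4, []
    for _ in range(count):
        name, off = _read_str(value, off)
        version, off = _read_str(value, off)
        packages.append((name, version))
    if off != len(value):
        raise ValueError("trailing bytes after %d packages" % count)
    return packages


def version_key(version):
    """Dotted version -> comparable list; numeric parts compare numerically, others as strings."""
    return [(0, int(p)) if p.isdigit() else (1, p) for p in version.replace("-", ".").split(".")]


def evaluate_packages(packages, reference=REFERENCE):
    """Classify each package as the log does: ok / not updated / blacklisted / not found."""
    status = {}
    counts = {"not updated": 0, "blacklisted": 0, "ok": 0, "not found": 0}
    for name, version in packages:
        ref = reference.get(name)
        if ref is None:
            verdict = "not found"
        elif ref.blacklisted:
            verdict = "blacklisted"
        elif version_key(version) < version_key(ref.version):
            verdict = "not updated"
        else:
            verdict = "ok"
        status[name] = verdict
        counts[verdict] += 1
    return status, counts


def summary(total, counts):
    """Same wording as the 'processed N packages: ...' line in the IMV log."""
    return "processed %d packages: %d not updated, %d blacklisted, %d ok, %d not found" % (
        total, counts["not updated"], counts["blacklisted"], counts["ok"], counts["not found"])
```

A package that is older than its reference version is reported as "not updated" rather than blacklisted; whether that is a minor or a major finding is a policy decision the IMV makes separately from the classification.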
<pre>
04[TNC] received TNCCS batch (8 bytes) for Connection ID 1
04[TNC] PB-TNC state transition from 'Decided' to 'End'
04[TNC] processing PB-TNC CLOSE batch
04[TNC] final recommendation is 'allow' and evaluation is 'compliant'
04[TNC] policy enforced on peer 'john' is 'allow'
04[TNC] policy enforcement point added group membership 'allow'
04[IKE] EAP_TTLS phase2 authentication of 'john' with EAP_TNC successful
</pre>
The TNC measurements showed compliance and user *john* is allowed into the corporate network.

h2. Restricted Access (TNC recommendation is isolate)

User *John* now makes the following changes on his Android phone:

!non-market-apps-setting_small.png!:http://www.strongswan.org/byod/screenshot-09-non-market-apps-setting.png !unknown-sources-warning_small.png!:http://www.strongswan.org/byod/screenshot-11-unknown-sources-warning.png !kws-webserver_small.png!:http://www.strongswan.org/byod/screenshot-10-kws-webserver.png

* If the *Unknown sources* flag is activated in the *Settings/Security* configuration menu of the Android device, a user might be lured into downloading malicious apps via manipulated links. Setting this flag therefore poses a grave security risk.

* The user also decides to download and install an Android web server from the official Google Play store.

The next time *John* tries to access the corporate network, he is granted only restricted access and his VPN client is directed to a remediation network.

!restricted_small.png!:http://www.strongswan.org/byod/screenshot-02-restricted.png !restricted-remediation_small.png!:http://www.strongswan.org/byod/screenshot-03-restricted-remediation.png !restricted-remediation-details_small.png!:http://www.strongswan.org/byod/screenshot-04-restricted-remediation-details.png
<pre>
16[IMV] processing installed 'Android' packages
16[IMV] package 'ch.sbb.mobile.android.b2c' (2.1.2) is ok
...
16[IMV] package 'org.xeustechnologies.android.kws' (1.7) is blacklisted
16[IMV] processed 24 packages: 0 not updated, 1 blacklisted, 4 ok, 19 not found

16[IMV] setting 'android_id'
16[IMV]   cf5e4cbcc6e6a2db
16[IMV] setting 'install_non_market_apps'
16[IMV]   1
</pre>
A blacklisted package is detected and *Unknown sources* is enabled in the Android security settings (install_non_market_apps is now 1).
<pre>
16[TNC] creating PA-TNC message with ID 0xcf753973
16[TNC] creating PA-TNC attribute type 'IETF/Assessment Result' 0x000000/0x00000009
16[TNC] creating PA-TNC attribute type 'IETF/Remediation Instructions' 0x000000/0x0000000a
16[TNC] creating PA-TNC attribute type 'IETF/Remediation Instructions' 0x000000/0x0000000a
16[TNC] creating PB-PA message type 'IETF/Operating System' 0x000000/0x00000001
16[TNC] IMV 1 is setting reason string to 'Vulnerable or blacklisted software packages were found
16[TNC]                                    Improper OS settings were detected'
16[TNC] IMV 1 is setting reason language to 'en'
16[TNC] IMV 1 provides recommendation 'isolate' and evaluation 'non-compliant minor'
</pre>
This causes an IETF Assessment Result and two IETF Remediation Instructions PA-TNC attributes to be sent to the BYOD IMC, and a PB-TNC Reason String to be sent to the TNC client.
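The OS IMV verdict shown above, as an added example that is not strongSwan code: from the two findings (a blacklisted package and an improper setting) it derives the evaluation, the access recommendation and the two-line reason string from the log, and encodes the IETF Assessment Result attribute plus one IETF Remediation Instructions attribute of parameter type String per finding (RFC 5792 sections 4.2.10 and 4.2.11). The remediation texts and the rule that both kinds of finding are rated "non-compliant minor"/"isolate" are assumptions made to reproduce the log.

```python
"""OS IMV verdict: Assessment Result and Remediation Instructions attributes plus the reason string.

Added example, not strongSwan code. Remediation texts and the minor/isolate
rating of the findings are assumptions chosen to mirror the log above.
"""
import struct

IETF = 0
PA_ASSESSMENT_RESULT, PA_REMEDIATION_INSTRUCTIONS = 9, 10
REMEDIATION_PARAM_STRING = 2          # IETF remediation parameter type (1 = URI, 2 = String)
ASSESSMENT = {"compliant": 0, "non-compliant minor": 1, "non-compliant major": 2, "error": 3, "unknown": 4}


def attr(kind, value, vendor=IETF, flags=0x80):
    """PA-TNC attribute: Flags(1) | Vendor ID(3) | Type(4) | Length(4, incl. header) | Value."""
    return struct.pack("!B", flags) + vendor.to_bytes(3, "big") + struct.pack("!II", kind, 12 + len(value)) + value


def assessment_result(evaluation):
    """IETF Assessment Result: a single 4-byte result code."""
    return attr(PA_ASSESSMENT_RESULT, struct.pack("!I", ASSESSMENT[evaluation]))


def decode_assessment_result(a):
    return struct.unpack("!I", a[12:16])[0]


def remediation_string(text, lang="en"):
    """IETF Remediation Instructions: Reserved(1) | Param Vendor ID(3) | Param Type(4) |
    String Length(4) | String | Lang Code Length(1) | Lang Code."""
    s, l = text.encode(), lang.encode()
    params = struct.pack("!I", len(s)) + s + struct.pack("!B", len(l)) + l
    header = struct.pack("!B", 0) + IETF.to_bytes(3, "big") + struct.pack("!I", REMEDIATION_PARAM_STRING)
    return attr(PA_REMEDIATION_INSTRUCTIONS, header + params)


def decode_remediation_string(a):
    """Parse an IETF Remediation Instructions attribute of parameter type String into (text, lang)."""
    kind, length = struct.unpack("!II", a[4:12])
    if kind != PA_REMEDIATION_INSTRUCTIONS or length != len(a):
        raise ValueError("not a well-formed Remediation Instructions attribute")
    vendor, ptype = int.from_bytes(a[13:16], "big"), struct.unpack("!I", a[16:20])[0]
    if (vendor, ptype) != (IETF, REMEDIATION_PARAM_STRING):
        raise ValueError("unsupported remediation parameter type")
    n = struct.unpack("!I", a[20:24])[0]
    if 24 + n >= len(a):
        raise ValueError("truncated remediation string")
    text = a[24:24 + n].decode()
    ll = a[24 + n]
    return text, a[25 + n:25 + n + ll].decode()


def os_imv_decision(blacklisted, improper_settings):
    """Return evaluation, recommendation, reason string (one line per finding) and the attributes to send."""
    reasons, instructions = [], []
    if blacklisted:
        reasons.append("Vulnerable or blacklisted software packages were found")
        instructions.append("Please remove the following packages: " + ", ".join(blacklisted))
    if improper_settings:
        reasons.append("Improper OS settings were detected")
        instructions.append("Please correct the following settings: " + ", ".join(improper_settings))
    if not reasons:
        return {"evaluation": "compliant", "recommendation": "allow", "reason": "",
                "attributes": [assessment_result("compliant")]}
    return {"evaluation": "non-compliant minor", "recommendation": "isolate", "reason": "\n".join(reasons),
            "attributes": [assessment_result("non-compliant minor")]
                          + [remediation_string(text) for text in instructions]}
```

The reason string goes to the TNC client in a PB-Reason-String message so the VPN app can display it, while the Remediation Instructions travel inside the PB-PA message to the BYOD IMC, which is what the "remediation details" screenshots above render.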
<pre>
03[TNC] received TNCCS batch (8 bytes) for Connection ID 2
03[TNC] PB-TNC state transition from 'Decided' to 'End'
03[TNC] processing PB-TNC CLOSE batch
03[TNC] final recommendation is 'isolate' and evaluation is 'non-compliant minor'
03[TNC] policy enforced on peer 'john' is 'isolate'
03[TNC] policy enforcement point added group membership 'isolate'
03[IKE] EAP_TTLS phase2 authentication of 'john' with EAP_TNC successful
</pre>
The TNC measurements show minor compliance issues and user *john* is placed in an isolation network.

h2. Blocked Access (TNC recommendation is block)

User *John* now starts the installed Android web server because he wants to manage his phone remotely from his laptop in a more comfortable way. The web server listens on TCP port 8080, potentially allowing an attacker who can reach that port to access the phone and take full control of it:

!webserver-active_small.png!:http://www.strongswan.org/byod/screenshot-08-webserver-active.png

Since this poses a severe security risk, user *John* is blocked from accessing the network and the VPN connection setup fails.

!failed_small.png!:http://www.strongswan.org/byod/screenshot-05-failure.png !failed-remediation_small.png!:http://www.strongswan.org/byod/screenshot-06-failure-remediation.png !failed-remediation-details_small.png!:http://www.strongswan.org/byod/screenshot-07-failure-remediation-details.png
<pre>
01[TNC] handling PB-PA message type 'IETF/VPN' 0x000000/0x00000007
01[IMV] IMV 2 "Scanner" received message for Connection ID 3 from IMC 1 to IMV 2
01[TNC] processing PA-TNC message with ID 0xe1422d55
01[TNC] processing PA-TNC attribute type 'IETF/Port Filter' 0x000000/0x00000006
01[IMV] tcp port  8080 open: fatal
</pre>
The BYOD IMC detects a server listening on TCP port 8080 and reports it via an IETF Port Filter PA-TNC attribute to the Scanner IMV, which rates the open port as fatal.
<pre>
01[TNC] creating PA-TNC message with ID 0x3411eaf5
01[TNC] creating PA-TNC attribute type 'IETF/Assessment Result' 0x000000/0x00000009
01[TNC] creating PA-TNC attribute type 'IETF/Remediation Instructions' 0x000000/0x0000000a
01[TNC] creating PA-TNC attribute type 'IETF/Remediation Instructions' 0x000000/0x0000000a
01[TNC] creating PB-PA message type 'IETF/VPN' 0x000000/0x00000007
01[TNC] IMV 2 is setting reason string to 'Open server ports were detected'
01[TNC] IMV 2 is setting reason language to 'en'
01[TNC] IMV 2 provides recommendation 'no access' and evaluation 'non-compliant major'
01[TNC] PB-TNC state transition from 'Server Working' to 'Decided'
01[TNC] creating PB-TNC RESULT batch
01[TNC] adding PB-PA message
01[TNC] adding PB-PA message
01[TNC] adding PB-PA message
01[TNC] adding PB-Assessment-Result message
01[TNC] adding PB-Access-Recommendation message
01[TNC] adding PB-Reason-String message
01[TNC] adding PB-Reason-String message
01[TNC] sending PB-TNC RESULT batch (1469 bytes) for Connection ID 3
</pre>
The Scanner IMV's Assessment Result and Remediation Instructions are sent to the BYOD IMC in a PB-TNC RESULT batch, which also carries the PB-Assessment-Result, PB-Access-Recommendation and PB-Reason-String messages addressed to the TNC client.
<pre>
16[TNC] received TNCCS batch (8 bytes) for Connection ID 3
16[TNC] PB-TNC state transition from 'Decided' to 'End'
16[TNC] processing PB-TNC CLOSE batch
16[TNC] final recommendation is 'no access' and evaluation is 'non-compliant major'
16[TNC] policy enforced on peer 'john' is 'no access'
16[IKE] EAP_TNC method failed
16[TLS] sending TLS close notify
</pre>
The TNC measurement shows a major compliance issue due to the open server port: user *john* is denied network access, the EAP-TNC method fails and the TLS tunnel is closed.
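The Port Filter handling and the final decision above, as an added example that is not strongSwan code: it decodes an IETF Port Filter attribute value (RFC 5792 section 4.2.7, one 4-byte entry per port with the B flag marking ports blocked by a local filter), applies a Scanner IMV policy in which every reachable listener not on an allow-list is fatal, and combines the per-IMV recommendations into the final one. The empty default allow-list, the fatal rating and the most-restrictive-wins aggregation are assumptions made to reproduce the log; the finding text uses the same field width as the "tcp port  8080 open: fatal" line.

```python
"""Port Filter decoding, Scanner IMV policy and recommendation aggregation.

Added example, not strongSwan code. Allow-list, 'fatal' rating and the
most-restrictive-wins aggregation are assumptions that reproduce the log.
"""
import struct

TCP, UDP = 6, 17                                   # IANA protocol numbers
PROTO_NAME = {TCP: "tcp", UDP: "udp"}
SEVERITY = {"allow": 0, "isolate": 1, "no access": 2}


def encode_port_filter(entries):
    """Port Filter value: per entry Reserved(7 bits) | B(1 bit) | Protocol(8) | Port Number(16).
    B = 1: the port is blocked by a local filter; B = 0: traffic to the port is allowed."""
    return b"".join(struct.pack("!BBH", 1 if blocked else 0, proto, port) for blocked, proto, port in entries)


def decode_port_filter(value):
    """Inverse of encode_port_filter; returns a list of (blocked, protocol, port) tuples."""
    if len(value) % 4:
        raise ValueError("Port Filter value is not a multiple of 4 bytes")
    entries = []
    for off in range(0, len(value), 4):
        flags, proto, port = struct.unpack("!BBH", value[off:off + 4])
        entries.append((bool(flags & 0x01), proto, port))
    return entries


def scanner_imv_decision(entries, allowed_open=frozenset()):
    """Every reachable (B = 0) listener not on the allow-list is fatal: 'non-compliant major' / 'no access'."""
    findings = ["%s port %5d open: fatal" % (PROTO_NAME.get(proto, str(proto)), port)
                for blocked, proto, port in entries
                if not blocked and (proto, port) not in allowed_open]
    if findings:
        return {"evaluation": "non-compliant major", "recommendation": "no access",
                "reason": "Open server ports were detected", "findings": findings}
    return {"evaluation": "compliant", "recommendation": "allow", "reason": "", "findings": []}


def final_recommendation(recommendations):
    """TNC server aggregation used here: the most restrictive IMV recommendation wins,
    so an OS IMV 'isolate' next to a Scanner IMV 'no access' still ends in 'no access'."""
    if not recommendations:
        raise ValueError("no IMV recommendation available")
    return max(recommendations, key=SEVERITY.__getitem__)


def assess_connection(port_filter_value, os_recommendation, allowed_open=frozenset()):
    """Run the scanner policy on the attribute bytes and fold in the OS IMV's recommendation."""
    scanner = scanner_imv_decision(decode_port_filter(port_filter_value), allowed_open)
    return final_recommendation([os_recommendation, scanner["recommendation"]]), scanner
```

With a blocked listener (B = 1) the Scanner IMV stays silent even though a process is bound to the port, because the attribute says a local filter keeps the port unreachable; whether to trust that claim from an unattested device is exactly the question the Attestation IMV mentioned in the introduction is meant to answer.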