1 Nokia Lumia Windows Phone 8 security│ v3.0 | © 2013 Nokia
Nokia Lumia Windows Phone 8 security
2 Nokia Lumia Windows Phone 8 security│ v3.0 | © 2013 Nokia
Nokia Lumia Windows Phone 8 security
Nokia Expert Centre Nokia Lumia WP8 training
3 Nokia Lumia Windows Phone 8 security│ v3.0 | © 2013 Nokia
INTRODUCTION TO NOKIA LUMIA WP8 IN THE ENTERPRISE
USING NOKIA LUMIA WP8 PHONES WITH MICROSOFT EXCHANGE
MOBILE DEVICE MANAGEMENT FOR NOKIA LUMIA WP8 PHONES
COMPANY APPS FOR NOKIA LUMIA WP8 PHONES
NOKIA LUMIA WP8 PHONE SECURITY
USING NOKIA LUMIA WP8 PHONES WITH MICROSOFT LYNC
USING NOKIA LUMIA WP8 PHONES WITH MICROSOFT SHAREPOINT
• Overview knowledge of Nokia WP8 phone features
• Knowledge of common security concepts
• Admin skills on Windows Server 2008 R2
Prerequisites
4 Nokia Lumia Windows Phone 8 security│ v3.0 | © 2013 Nokia
Objectives • Describe the Secure Boot architecture and app platform
security features
• Describe phone security features configurable through Mobile Device Management (MDM) policy
• Manage certificates on the phone
• Describe intranet service access through SSL VPN
Learning time
minutes
60
Security threats addressed with WP8
5 Nokia Lumia Windows Phone 8 security│ v3.0 | © 2013 Nokia
Trusted boot
Platform security
No browser plug-in support
Store app certification
Lock screen password
ActiveSync & MDM policies
Remote wipe
Device encryption
Information Rights Management
Connection security
Data leakage Malicious software
Contents
6 Nokia Lumia Windows Phone 8 security│ v3.0 | © 2013 Nokia
Security features configurable through policy
Connection security and certificates
Trusted Boot and platform security
7 Nokia Lumia Windows Phone 8 security│ v3.0 | © 2013 Nokia
Objectives
• Describe the Secure Boot architecture and app platform security features
Trusted Boot and platform security
Learning time 20 minutes
Chain of trust
8 Nokia Lumia Windows Phone 8 security│ v3.0 | © 2013 Nokia
Only trusted pre-OS firmware code can execute
The firmware only boots a trusted WP8 OS image
WP8 OS allows only trusted and signed apps to run
Apps can only access phone features they require
Trusted boot
9 Nokia Lumia Windows Phone 8 security│ v3.0 | © 2013 Nokia
HARDWARE ONLY LOADS UNMODIFIED
WP8 OS
User knows they are working with genuine
Microsoft WP8 OS
OK
Not loaded Modified WP8 OS
Unmodified WP8 OS
Other OS
Disabling of security controls in WP8
PREVENTS ATTACKS
Malicious OS that looks like WP8
Trusted Boot parts
10 Nokia Lumia Windows Phone 8 security│ v3.0 | © 2013 Nokia
WINDOWS PHONE 8 OS
UEFI 2.3.1 FIRMWARE
CHIPSET
OS loader
OS
Keys and settings
UEFI specifications
One-time writable info
Digitally signed
Digitally signed drivers
Chambered security model
11 Nokia Lumia Windows Phone 8 security│ v3.0 | © 2013 Nokia
Each app runs in its own
chamber
Chambers are isolated from each other
SD
Camera
SD card
Sensors
Each chamber has access to specific phone
capabilities
No difference between C# and C++ code!
Chamber model security benefits
12 Nokia Lumia Windows Phone 8 security│ v3.0 | © 2013 Nokia
Attack surface reduction
1
User consent and control
3
App isolation
2
SD
Kernel, drivers
WP7 and WP8 chambers
13 Nokia Lumia Windows Phone 8 security│ v3.0 | © 2013 Nokia
Least Privilege Chamber
Standard Rights Chamber
Elevated Rights Chamber
Trusted Computing Base
OS components, drivers
Pre-installed Microsoft apps
All apps from Marketplace
OS components, most drivers,
all apps
Least Privilege Chamber
Kernel, drivers
Trusted Computing Base
MORE SECURE
App development and publishing
14 Nokia Lumia Windows Phone 8 security│ v3.0 | © 2013 Nokia
WP8 Store
Developer specifies required capabilities in a manifest file
Manifest file used in app certification process
App manifest
Publish app
App deployment
15 Nokia Lumia Windows Phone 8 security│ v3.0 | © 2013 Nokia
WP8 Store
Download app
Access to only the required capabilities
User sees required capabilities in app details page in Store
Phone creates a new chamber for the app
App manifest
Complete list of supported capabilities
App checks and signing
16 Nokia Lumia Windows Phone 8 security│ v3.0 | © 2013 Nokia
WP8 Store
MDM server
.xap
.xap
.xap
Store signed
Enterprise signed
Developer unlocked only
Code checks
Code checks
Windows Phone Store Test Kit
Store requirements
Phone updates
17 Nokia Lumia Windows Phone 8 security│ v3.0 | © 2013 Nokia
All updates signed and
distributed by Microsoft
User can postpone - no way to force
updates
Use MDM to track inventory
Key learning points
18 Nokia Lumia Windows Phone 8 security│ v3.0 | © 2013 Nokia
• WP8 uses secure boot to validate all pre-OS components
• Digital signatures are used to verify that no untrusted code runs before the OS is loaded
• WP8 OS allows apps to run only in their own isolated chambers
• Each chamber is granted access to only the specific capabilities the app requires to function
• Users are in control of updating their WP8 phone
19 Nokia Lumia Windows Phone 8 security│ v3.0 | © 2013 Nokia
Objectives
• Describe phone security features configurable through Mobile Device Management (MDM) policy
Security features configurable through policy
Learning time 20 minutes
Managing WP8 security through policy
20 Nokia Lumia Windows Phone 8 security│ v3.0 | © 2013 Nokia
DeviceLock CSP
Registry CSP
MDM SERVER
Storage CSP
Access control
Password
Encryption
Disable / enable memory card
Wipe device RemoteWipe CSP
EAS
Access control Password Encryption Wipe device
EXCHANGE
Access control
21 Nokia Lumia Windows Phone 8 security│ v3.0 | © 2013 Nokia
DevicePasswordEnabled
FALSE TRUE
MaxInactivityTimeDeviceLock
1 999 ... FALSE (minutes)
Password complexity
22 Nokia Lumia Windows Phone 8 security│ v3.0 | © 2013 Nokia
qwerty
1111
12345 TRUE
FALSE
password
4 18 ...
AllowSimpleDevicePassword
MinDevicePasswordLength
AlphanumericDevicePasswordRequired
MinDevicePasswordComplexCharacter
P4?d
.!?
abc
ABC
123
P277w6rd TRUE
FALSE
1 4 ...
DevicePasswordExpiration
1 730 ...
Password rotation
23 Nokia Lumia Windows Phone 8 security│ v3.0 | © 2013 Nokia
raspberry
strawberry
blueberry
raspberry
(days) FALSE
DevicePasswordHistory
0 50 ...
Device encryption (HW accelerated)
24 Nokia Lumia Windows Phone 8 security│ v3.0 | © 2013 Nokia
Encryption/ decryption
“BITLOCKER” TECHNOLOGY
Decrypted content
Keys protected by platform
security
No management
No PIN
Apps USB MTP
Storage
USB MTP AND SYNC APPS
SD card
AES-128 Not readable outside the OS
WINDOWS PHONE 8 OS
To disable, reset phone
Encryption enabled
Not available in all countries
Enabling device encryption
25 Nokia Lumia Windows Phone 8 security│ v3.0 | © 2013 Nokia
MDM server
Registry CSP
RequireDeviceEncryption
EAS
Exchange
DeviceEncryption
Device wipe options
26 Nokia Lumia Windows Phone 8 security│ v3.0 | © 2013 Nokia
RemoteWipe CSP
Exchange Admin tools
Windowsphone.com
Outlook Web App
Office 365 OWA User
EAS Policy
OS
Office 365 Admin tools
Windows Intune
Failed attempts Phone reset
Admin SCCM SP1
Third-party MDM
Cloud
On-premise
Failed attempts
27 Nokia Lumia Windows Phone 8 security│ v3.0 | © 2013 Nokia
MaxDevicePasswordFailedAttempts
1 999 ... FALSE
* n-1
unlo
ck
wip
e
Enabling IRM functionality
28 Nokia Lumia Windows Phone 8 security│ v3.0 | © 2013 Nokia
EAS
Exchange
IRMEnabled
Not supported through full MDM
MDM
SD card control
29 Nokia Lumia Windows Phone 8 security│ v3.0 | © 2013 Nokia
Full MDM Server
Disable memory card
Storage CSP
Exchange
Not supported through EAS
Key learning points
30 Nokia Lumia Windows Phone 8 security│ v3.0 | © 2013 Nokia
• Access control policies set a password and automatic lock
• Password complexity and rotation policies prevent passwords that are easy to guess
• Device encryption can be only turned on
• There is one more attempt before phone is wiped after failed attempts
• SD can only be disabled through full MDM policy, IRM can only be enabled through EAS policy
31 Nokia Lumia Windows Phone 8 security│ v3.0 | © 2013 Nokia
Objectives
• Manage certificates on the phone
• Set up client certificate authentication
• Describe intranet service access through SSL VPN
Connection security and certificates
Learning time 15 minutes
Browsing the web on WP8
32 Nokia Lumia Windows Phone 8 security│ v3.0 | © 2013 Nokia
Microsoft server 2 Check URL against list of
unsafe web pages
1 Check URL in local whitelist
Check result: Unsafe
Periodic anonymous reporting
3
SMART SCREEN FILTER No plug-ins are
supported
Isolated chamber
WP8 Virtual Private Network (VPN) options
33 Nokia Lumia Windows Phone 8 security│ v3.0 | © 2013 Nokia
INTERNET
CORPORATE INTRANET
IPSec VPN
IPSec VPN gateway
HTTP-based services
MOBILE OPERATOR NETWORK
Custom APN Cellular
data
Cellular/Wi-Fi
SSL-VPN GATEWAY
SSL/TLS Basic Authentication Direct IPSec VPN
not supported
SSL-VPN guide
SSL server authentication
34 Nokia Lumia Windows Phone 8 security│ v3.0 | © 2013 Nokia
Web server
Intermediate CA
One-time warning
GET www.ylearning.net
SSL Server Hello
CA=CA2 CN=www.ylearning.net
CA=CA1 CN=CA2
Root CA
CA1
CA1 CA2
INSTALL SERVER AND INTERMEDIATE CERTS
INSTALL CA ROOT CERT
PREINSTALLED ROOT CERTIFICATES
Client certificate authentication
35 Nokia Lumia Windows Phone 8 security│ v3.0 | © 2013 Nokia
GET www.ylearning.net
SSL client response
CA=CA2 [email protected] EKU=Client Authentication (1.3.6.1.5.5.7.3.2)
MAP CERT TO USER
Tom
PHONE SENDS CERTIFICATE IN
CLIENT RESPONSE
SSL Server Hello (server cert)
CERT PROVES USER IDENTITY
Tom
Client certificates are currently supported only by EAS in WP8
NOTE!
CONFIGURING CERTIFICATE AUTHENTICATION FOR EAS
Installing certificates
36 Nokia Lumia Windows Phone 8 security│ v3.0 | © 2013 Nokia
Web server
SUPPORTED FORMATS
.cer
.p7b
.pem
.pfx
EMAIL ATTACHMENT
Check MIME type
INTERNET EXPLORER
Password protection
No certificate management UI
To remove, reset phone
MDM server
PUSH CERTIFICATE
Key learning points
37 Nokia Lumia Windows Phone 8 security│ v3.0 | © 2013 Nokia
• IE10 Smart Screen filter prevents access to sites impersonating as known websites
• WP8 phones can connect to intranet services through a SSL-VPN gateway
• IE10 warns the user about websites with untrusted server certificate
• EAS connections can use SSL client certificate authentication
38 Nokia Lumia Windows Phone 8 security│ v3.0 | © 2013 Nokia
Summary
Summary of Nokia Lumia WP8 security
39 Nokia Lumia Windows Phone 8 security│ v3.0 | © 2013 Nokia
• WP8 platform security establishes a chain of trust from hardware to Store apps
• A Nokia Lumia WP8 phone does not start if the OS has been modified or replaced
• WP8 apps run in isolated chambers with only the needed capabilities
• Most WP8 security features can be managed through both EAS and full MDM
• IE10 provides secure browsing
• WP8 connection security is based on HTTP/SSL and certificates
Let’s continue the discussion online
40 Nokia Lumia Windows Phone 8 security│ v3.0 | © 2013 Nokia
Join the Nokia Expert Centre Community to discuss about Nokia products and business solutions
All registered users can post and share their experiences