
with guidepoint he's been in infosec i.t for 15 plus years and one thing about joey if you need somebody to do a deep dive for you this is the guy he's a certified dive master okay
thanks for joining us today um forgive me but i can talk for about two hours on this stuff and i've got 30 minutes if i'm going to save time for questions so i'm going to go extremely fast i'm also going to do a live pin cracking demo for you and based on the passcode i've selected it should take about 28 minutes to complete that so we're going to go ahead and get started so my name is joey peloquin i'm the director of professional services at guidepoint security i've been doing mobile security research for about five years now uh i created the offensive mobile forensics methodology for two reasons number one at the time everybody was
doing mobile application pen testing on simulators and you cannot look for data leakage when you're pen testing on a simulator and i wanted to show based on my research we absolutely have to include that in a mobile application assessment the second reason i did this is to quantify the risk of a person of interest losing their device loss or theft is the number one risk to these devices and to byod in general so we needed a way to be able to quantify risk if our ceo cio somebody with access to sensitive data that's storing that sensitive data on their mobile device loses it they're targeted it gets stolen whatever the case may be so that's what omf is all about i will
say that i'm only going to do this talk one more time that's at rva sec in june i'm going to retire this because people have caught on and now if you look at all the automated penetration testing tools that exist for mobile they take data leakage the from the mobile top 10 very very seriously and it's part of everybody's assessment now so mission accomplished the message is out there uh i'm also going to release a tool at rva sec i wanted to release it at b-sides today but it's not ready i'm writing a python tool to automate the data acquisition process that i'm going to talk to you guys about today oh let's see takeaways uh so you'll be
able to there's a number of things that are included in the deck the deck will be available for download i've already done all the research for ios version 4 through 7.0.6 and android 2.3.3 through 4.2.2 and i've got research for 4.3 and 4.4 as well but i kind of tabled that so that i could do some knox research so i'll get this thing updated with all of that stuff and obviously the tool that gets released in june will have support for all of those versions okay uh i'll save some time for questions at the end i'm gonna go really fast here uh actually let's get started with the demo sorry for the gentleman that's
trying to take pictures here so i'm going to do a live pin cracking demo for you guys uh it is no secret that four digits simple passcodes are ridiculously easy to crack there's free and open source software out there that we can use to do it unfortunately ios has broken all of that stuff so it really only works up to 5.1.1 now we can do some limited things with scalpel and some other mobile forensics things on version 6 of ios but these tools really don't work anymore so now we have to look at commercial tools elcomsoft is probably the best known commercial tool that you can use for cracking simple passcodes there's not anything out there that i'm
aware of that can uh crack uh complex passcodes on later versions of ios okay so real quickly this is what we're gonna go through i'll make this slide deck available as well if you want it or you can just go out to the iphone data protection wiki and get this stuff yourself but essentially what i'm going to do is i've got an iphone here so the requirements for this it has to be a jailbreakable device uh we have to be able to crack the bootloader which means iphone 4 is the last device that you'll be able to test on okay it doesn't have to be jailbroken to perform this experiment but it does have to be
jailbreakable okay so what i've done is i've put a passcode on here normally i allow the audience to just pick a passcode so that i don't know it but uh we don't really have time for that so 9371 is the passcode that i've put on here okay the reason that i chose 9371 is i know for a fact it takes a long time to crack okay so uh here's some stats go ahead and have a look at that while i get this thing set up
okay you're not gonna be able to look at that but you can see me setting up the actual experiment here so the first thing that i'm going to do is i'm going to use a everybody knows what redsn0w is i would imagine it's a tool that we use for jailbreaking these devices as you may know with redsn0w we can load custom images on the device okay so that's what we're doing uh years back when the guys uh when the kids from france uh cracked the keychain in the device this is the same type of process that they used so that they could load their own image crack the keychain on the device and then send the secrets off
the device so the first thing i'm going to do is execute redsn0w redsn0w is going to complain because my device is on so i'm going to have to turn this off i'm plugged in
redsn0w is going to detect that the device is off and then it will let me proceed
there we go
and you're gonna see the limera1n boot exploit go here in just a second there we go so i did a bunch of work up front for this obviously i created a new kernel kernel image and all that sort of thing all the instructions are out there for you on the iphone data protection wiki if you want to do this type of experiment yourself so the device is rebooting now you can see the pineapple there
all right now the rest of this is going to happen on the device so the next thing that i'm going to do i'm doing this over usb so i'm just going to open up a connection forward some ports
now i have two options here i can actually crack on the device if you look at the lower shell window there that is the actual device yes alpine is the password because this is a test device and it's in airplane mode anyway so good luck and what i'm going to do is i'm actually going to crack this on the mac and this is going to count down so he said enter the passcode or if you want to brute force the passcode just go ahead and let it go so we're going to let that run while i'm talking it should take roughly 28 minutes or so to actually crack so real quickly before we get into the
omf talk itself i wanted to share some of these statistics real quickly with you guys hopefully you got a chance to look at this this tells you the cracking time for the passcode so uh there's a bunch of different documentation out there i put some links and things in here again i'll make this slide deck available for you guys again elcomsoft is the commercial tool generally that people are using there's various commercial forensic products as well that have varying levels of support for mobile this is a study that's pretty interesting with four digit pins i'm not going to go into it because i don't have time but again you can peruse the slides at your leisure okay
so let's get down with that and let's do this so we're at three percent estimated time of cracking 27 minutes here's some uh google stats i'm gonna actually skip these because i like to talk about the cooler stuff more but essentially uh we don't need these statistics to tell us that mobile is here to stay right byod is here to stay everybody's dealing with threats of mobile devices and their environments they're looking at mobile device management solutions mobile application management solutions mobile information management solutions the problem with mdm mem etc so this is kind of an evolution that has occurred you know we've been saying for years the end result is we need to protect our
data so all of these things these inefficient not quite there technologies and point solutions like mdm was an attempt to protect our data unfortunately they pretty much fail so mam is the closest that we can get protecting our data today because we can apply specific policies to each application we can do per application vpn tunnels and some other really cool stuff the next wave is a bunch of vendors that are in stealth today they're making point of origin encryption solutions where you can encrypt data that you create in your browser you can encrypt data that you create in microsoft office for example and then the encryption follows the document wherever it goes and you can put custom policies on it
that says hey anybody can open this for six hours after that nova or anybody can rewrite this for six hours after that only read it's unlimited as far as the policies so some of the tools offensive mobile forensics is about using hacker tools and techniques to explore these devices determine exactly what data is out there what kind of data leakage is possible in the event of loss or theft of the device so these are some of the commercial tools that are available for forensics uh we've got encase and cellebrite up here which are the you know two of the most popular ones if you're here to learn about encase and cellebrite you're in the wrong talk
because we're not going to talk about those we're going to talk about hacker tools this is a list of some of the tools that we use we don't necessarily use all of these for every engagement or every assessment of the device or every experiment but there's a bunch of different things in here obviously you can do most of this stuff on command line after you have analyzed thousands of applications command line is particularly painful especially when we're talking about sqlite uh shell commands and that type of thing so i like to work smarter not harder so i went out and found gui applications as well for large scale assessment that i can use so i've got our browser that i
use for sftp to the devices so that i can pull information over in the python program that i'm writing i'm using scp thank you david bressler to pull that stuff over and then i use base as my favorite sqlite client it actually has the capability to read blobs i used to use razorsql for that it doesn't really interpret blobs very well and unfortunately since ios 6 most of the interesting stuff is stored in blobs so you're going to have to be able to get in there to actually see what's up some of the tools obviously we have to jailbreak the device that is a requirement and will continue to be a requirement there is no public
jailbreak available for 7.1 and i will go on record as saying there will not be okay because these guys are looking ahead to ios 8 and there's no way they're going to burn any exploits on 7.1 when ios 8 is around okay uh this is uh very um i don't know this this caused a lot of political stuff in the jailbreaking community essentially winocm is uh is a very famous guy he's been working on jailbreaks he burned an exploit for 6.1.6 that was a major exploit and then he found what he thought was another bootrom exploit for a5 devices uh he has declined to share that with anybody including bless you the rest of the
jailbreak community so it remains to be seen if winocm is actually going to share this and make it possible for us to be able to jailbreak and do the kind of analysis on these devices that we need to i think jailbreaking should be allowed because it keeps apple honest it provides checks and balances uh look at the fact that we just found out since ios 7 came out email attachments are not encrypted for example how are we going to know that if we don't have researchers that have root access to these devices that keep those guys on right so it's an important thing lots of tools out there iphone explorer is pretty cool tool enables you to
explore your file system on your device you do not have to be jailbroken phone view is another interesting tool i've done forensic reviews of applications where they don't allow those applications to be installed on a jailbroken device if you look here this is on at an application level this is where all the really interesting stuff is so the sqlite databases where data is being stored uh you'll find those typically in the library here in preferences you'll find plist files that are like ini files in the old windows days they're config files you'll find credentials stored in there very commonly under caches is typically where you'll find your sqlite databases that contain the information for the
application there's some really weird stuff going on we've been doing some mobile app assessments at guidepoint on phonegap applications that are written in html5 css3 and js so that they're cross-platform they develop it once and then distribute to many different platforms um i find those to be really insecure for example an app we just finished an assessment of it stored we were able to figure out which encryption library they were using from local storage because they were storing all of their responses to local storage we found their iv we found their key we found their salt and we found the ciphertext and the password that was used to encrypt it all in local storage so if you're developing html5 mobile
applications definitely be aware of storing stuff in local storage that's when we talked to the devs they had no clue that was happening so it was the framework that put that stuff in there so what we're looking at right here this is arm browser it's a gui sftp client what i'm telling you here is pull that stuff over to your host computer because you can do much quicker analysis there you can certainly do analysis on the mobile device itself using the sqlite3 client etc but again it's very painful trust me i've been doing this for five years and uh it's better to work smarter not hard so android there's a bunch of different tools that we use for android
same principle although you don't need to put open ssh on the device because we can use the android debug bridge to get remote access and then obviously we've rooted that device so we can su to root and then we have unfettered access to the file system uh i typically i had one incident where uh android debug bridge would i don't know what happened it just exploded it wouldn't work i couldn't get remote access to the device so what i do with my android devices now is i go ahead and put open sshd on there there's a a cool ssh server that's available in play that you can do so what we're looking at right here uh
this is adb tells me the devices uh i've su'd to root i can see all the file system dumpsys is a uh debug utility that's provided with android which has ridiculous amount of data leakage developers have to be really careful about debug information on the android platform what we can see right here is i've got my account names for a couple of accounts we can see i used to have an exchange account on here but i removed it but there's still remnants of it that's something that's very critical for you guys to take away from this just because you delete something on your mobile phone don't think that it's gone forever particularly iphone users uh you know
you'll fill up your voicemail and then you have to delete them do you think they really get deleted new so i've been using the same device for about two years now my keyboard cache is 18 months old my keyboard cache on that device has not rolled for 18 months so there's 18 months worth of key logged data in that and i'll talk a little bit about that later uh so these are a couple of tools this one i wanted to put this up here because it's really cool samsung screw you i'm done with you i used to do all of my research on samsung devices knox has killed that okay uh so i don't like
samsung anymore uh now i like the nexus devices there's this really cool nexus root kit right here that we can use that makes rooting i mean a two-year-old could root a google nexus device so i really like it this is quick sshd the back door that i typically put on my android devices and then this is the sexy gui for android debug bridge that i absolutely love love love and david won't use it because he's a command-line guy here's a bunch of other tools that we use root checker obviously we have to make sure that we have root you're going to need a file system browser of some type there's a bunch of them out there
uh i like iexplorer and there's one other that i like that i can't remember the name of it uh you're gonna obviously need a custom recovery on there if you want to load roms and things of that nature generally i usually keep the stock image on the device and i just root it because i'm interested in what the vendors are doing you know a lot of modders will they can't wait to get cyanogen on there i want to see what samsung and google and asus and all these cats are doing with our data so i like to leave it stock so i can wire it up to mallory and look at the traffic and see what kind of
information is getting sent off to you know the manufacturers of our boats okay so again i've already done all the research for you and i've mapped out all the physical locations of all the interesting data on these devices okay this will be all built into the tool that i'm going to release in june uh but obviously it's here as well in the deck so you can use that if you want to play in your own lab and do some experimentation of your own and as you can see i've covered every major ios version since four so let's look at some findings this is the keyboard cache i like to call this apple's native keylog facility
so keyboard cache is actually a function of autocorrect so everything that you type that is not a numeric digit or in a secure field that is a field that's marked secure gets logged to your keyboard cache on your device you can reset this if you go into general settings uh reset and then there's a place down there where you can reset it as you can see you can take the words out of there and formulate complete sentences so these are complete sentences from a risk assessment that i did quite some time ago but it's it's just it tells the story perfectly omit will have coordinate that through health tests just need to make sure that
case available imagine if this had sensitive information right complete sensitive information you could be talking maybe it's an hr person talking about you know some kind of performance stuff or disciplinary stuff it could be financial stuff in here i've uncovered financial information in here i've uncovered you know deals that sales people were working on and all kinds of interesting things snapshots so snapshots are a little piece of data leakage that people you know didn't take seriously for a long time but essentially what happens here is when the iphone when you hit the home button and you close an application they take a screenshot so that they can do that animation so every single application on here when
you hit the home key takes a snapshot of that there's a big snapshots directory that has all of them and then you'll find this also in each application's directory okay on the device uh let's see this is uh i've done a number of application assessments many people have heard me say before i don't install a mobile application on my device and use it until i've performed an assessment of it obviously i don't look at the back end because i'm not authorized to perform a pen test but if i find that that application is storing my data locally and it is not encrypted then i don't use that application and typically i will go on to play or the
app store and i'll leave a nice nasty comment for the developer about storing my information so that everybody else can see it this was an application that was for expense management it's wired up to multiple cloud apis including evernote google docs uh a bunch of others you can fax and do all this other stuff so here's my evernote password stored in clear my username and obviously i redact that's my personal gmail stuff so i redacted all of that uh social applications are absolutely terrible chat applications they used to be i've done assessments on all of these applications again and they fixed all the problems typically i will alert the developer when there is an issue and
and i don't generally disclose details publicly i will shame them in play or in the app store but then i'll send them an email and say hey guy you know here's what you're doing wrong this is how you fix it you can use sqlcipher to encrypt your sqlite databases etc chat social applications just some more examples all in the clear uh contacts address book um all in the clear the really disturbing thing about this is virtually any application can gain access to your address book you just have to give it permission right uh mail mail is something that is really disturbing on these devices particularly on android devices where we can find not
just your creds but all of your messages stored in your own device every single one of them and it's gotten worse with ios uh now that uh icloud is out so they actually have two different places where they store it they store it locally in an sqlite database that's called envelope space index but they also have mobile mail mobile notes and mobile calendar where they replicate all your other stuff and uh yeah so this is actually a screenshot of some of that so this is from mobile mail so you can see it stores the entire message okay the thing that really shocked me though is this right here so i started really kind of digging in here and looking you
can see the protected index as we know now the researcher disclosed that's not really protected it's not encrypted anymore and this is what we want to look at so exchange active sync the way that ios is replicating information is it's taking stuff that's stored in the local file system and then it's putting in a spot here that's dynamic so it changes over time this is the disturbing thing so this is off my production device that i use as my daily driver and you can see if somebody stole my device uh where is it this would probably be an interesting customers can you see that so there you can get my entire customer list if you were able to steal my device
or break into it or whatever demo time all right uh how we doing on the crack haven't cracked it yet i don't think no i haven't cracked it yet okay so listen to this demo real quick this is a voicemail that i recovered off my own phone
yeah so financial conversation all of the voicemails i've ever had on this device are stored in there you can see them by date range and they're stored in the clear in an sqlite database right here so the amr files right there those are your voicemails and then there's a separate table that shows the uh caller so who was actually calling and left the message you know you put all that stuff together with the contacts that you can get off the device etc and you can really put a huge profile together for a person of interest that you know a state-sponsored attacker or criminal attacker or somebody like that wants to target this is com.apple.network.identification.plist this is a configuration file that shows
every single network i've ever connected to with this device and it just continually appends to this file and the only way that you can reset this is to do the forget the network thing uh in general settings uh wi-fi this shows all the wi-fi networks that i've ever connected to and then this is a keychain so i actually went back to razorsql for this on the keychain on 7.0.6 because it actually shows a little bit more information these are blobs that show up in base uh as you can see there's quite a bit of clear text information that's still stored in the keychain all the passwords certificates things of that nature are encrypted however um
the thing that's important i've kind of talked about this a little bit if you think things are deleted but they're really not use strings there's a little binary utility called strings that you can use to extract strings out of binaries strings is very adept at locating deleted information out of sqlite databases and the really interesting thing is you can attempt to open a database with sqlite three the command line client or base or some other gui client and it'll say this is not a database or it's encrypted right well that doesn't stop me you just run strings against it and you can recover not just the deleted information out of the database but the other information
that is also not encrypted so don't think that you're just ah crap it's encrypted i can't get anything out of there try to run strings against that and my tool will eventually be able to do that i'm going to focus it's going to be released in phases first phase is just acquisition and then i'll build a gui and put some analysis stuff in there as well uh passbook this is something that came along does anybody use passbook to hold your train tickets airplane tickets yep me too and there it is uh there's the flight that i was on uh if anybody's interested here's the cloud url where your information is stored uh ubiquity assistant this is
interesting so this is siri i love to use siri to set reminders because i'm constantly you know i'll be driving and i remember something so i'll use siri to set reminders well little did i know that gets recorded in an sqlite database in the clear and then it goes over the wire and uh here you can see these are all the ubiquity things that have been going on on the device that could potentially be interesting maybe maybe android same thing uh start out with uh gingerbread on here and then we go up to jelly bean for all of the interesting locations android has really a couple of super critical findings everything else is just kind of black
but there's a couple of really gnarly things seriously already man so we can get all the accounts that are on the device uh we can get all the bookmarks from the browser and obviously cache and all that kind of thing so we can see what people have been browsing uh we get all browser data if you notice here form data okay so it gets stored uh anybody use basic authentication probably uh passwords maybe that's interesting too yeah so we need to be really careful about developing mobile applications obviously this is the webcache uh now this is one of the super nasty findings that i just absolutely hate about android and why i never recommend anybody use android in an
enterprise environment this is emailprovider.db is an sqlite database stores all of these accounts in the clear and as you can see it's my username and my password for my google accounts for my enterprise exchange accounts etc this is still the case i did go verify this this is the first thing i do when a new version of android comes out google is not using their own keychain so we've had a keychain since version 4 came out they're not using it they're still storing this stuff in an sqlite database in the clear okay so bear that in mind if you allow byod android devices in your environment um it's really easy to find this here
you can see me using strings against it i knew what my password is so i just passed that to grep and said show me that information boom pretty uh pretty nasty stuff so i don't even have to have really any skill i just use strings pointed at the database and i have data leakage uh this is mail so android goes a step further uh and logically groups all this stuff you'll find that this is in multiple databases on the iphone or on ios google android is uh is excellent in terms of data leakage and they put everything all in one space including all of your email messages the recipients well you can see this is pretty much all of your map on
android contacts same thing as with with ios here's the second critical finding wi-fi configuration this is an xml file on on android they use xml files for config they use plist on ios and as you can see all the ssids that i'm connected to with the pre-shared key conveniently located in cleartext uh applications i've done a number of application assessments over the years both official and just for my own use uh egregious daily emails email is considered pii if you met if you match it with some other bits of information it depends on what your definition of pii is android don't expect your email ever to be hidden you know if you're using an email
for maybe uh you know anonymity purposes or something like that if it's found on your device with the email that you use all the time you've now blown your anonymity okay uh facebook creds uh this is from an application that i did an assessment for they were integrated with facebook so they could say you know here touch this button and go do this so any applications that say you know games are really bad about this they want you to post all of the stuff that you're doing on the games uh nine times out of ten they store your information in the clear in sqlite database 90 percent of the time what do we do well i'm scared too which is why i
analyze all the applications that i use on my mobile devices uh so we need to be very diligent some things that we need to do inside we need to prepare appropriately okay just run around with exchange activesync and saying yeah we've got mdm exchange activesync is not mdm it is the absolute bare minimum that you have the ability to wipe and set pin complexity on the device as we're going to see you should not allow four-digit pins in your environment okay six digits at least six digits will increase complexity just several hours potentially days depending on the pin uh personally myself i've gone to using words i don't even use numbers okay and what's better is if you can create a
long sentence
am i using a gpu uh no because i use elcomsoft if i'm doing it commercially for a client um and uh and otherwise i'm using this on much older versions yeah but that's a great point so that's actually where this kind of headed and how elcom did their stuff is using gpu clusters and certainly to his point you can speed up the cracking process by putting a gpu closer together so what do we do mobile security education it's not enough to just have mobile security awareness we need to explain why we don't allow jailbroken rooted devices in our environment okay we need to explain why we only support these versions of the firmware we need
to explain to our user community why we only allow these devices etc educate them don't just say this is the way it is and lay down the law because they're not going to appreciate that they're going to attempt to circumvent your controls okay so if you educate them then you'll find that they'll be much more uh you know willing to jump on board with you uh so basically until the stealth providers come out with point of origin encryption some of these guys are starting to come out now but you know they're focused on salesforce or something else until that happens mdm ma'am mem these are our uh this is what we can do to help protect ourselves
also do this experimentation find out what the risk is of loss or theft of the device in your environment and if you're developing mobile applications please develop them securely look at the osp has come a long way in the last couple years as far as guidance around secure mobile application development application assessment stuff like that so definitely visit uh our friends at uh oauth for that information so i was gonna share some knox stuff with you let's see where we are with the cracking still haven't cracked hopefully that gets done before i get booted four minutes left on the crack but i have roughly eight i think okay so i'll share a little bit of stuff
with knox i hate knox because i can no longer customize my phones so essentially what knox is is uh it is a secured bootloader so what will happen is this thing it looks for custom signed code so if you root a device depending on on the device and depending on how you root it you could trip the knox counter so if you go zero uh by one and then you attempt to go in and get service on that device they will most likely deny you uh according to some people that have posted an xda they've been able to go from service center to service center and eventually find a nice little hacker kid that will reset their device for
them. Uh, we do know for a fact it is not in hardware. We used to think that this was in hardware, that this protection lived there. It's not, it's in software. That's been confirmed, because if you take this to a service center and you can get somebody to actually reset your phone for you, they can reset the timer on this. So this is believed to be an e-fuse now, which means we can come up with a software workaround to avoid tripping it, but that research is still underway. You cannot remove, uh, Knox, you cannot completely remove it, however you can disable it, okay? And if you're, uh, if you're still playing with Samsung devices, Chainfire actually
has SuperSU out that will disable this for you when you go about removing your device. So it is looking at kernels and recoveries, looking at the signatures of those, and it will not allow custom recoveries and custom kernels to run. So what, what the hell is Knox anyway? Well, what it is, is dual persona. It's a container-based solution at the hardware level, and it's utilizing the TrustZone that's in Android itself. If you want to check out something that's really cool, PikeOS, P-I-K-E-O-S, these guys built a hypervisor within TrustZone. It's really cool. They built it for, like, governments and things of that nature. Unfortunately, I don't know that our government is going
to use it, because they're Germans, and I don't think that they're allowed to use, at least some of, some portions of the government are not allowed to use anything that's not from the United States. Okay, it's still working on it, so I'm going to keep talking here. Uh, Knox 2.0 was just released. This is actually pretty cool from the aspect of getting Android in the enterprise, because it's extremely insecure at this point, as you can see. I don't recommend it. About the only way that I would recommend adopting Android in the enterprise environment is if you have all Knox 2.0 devices, which means everybody's stuck with Samsung S5s, okay? There's no, uh, Knox 2.0, I don't think it
works on any of the others right now. There's the Note, and there's a couple of other devices that Knox 1.0, let me finish here and then I'll take that. Um, they came out with a couple of other things. So they've renamed the, the Knox, the actual container, to Workspace. They now have enterprise mobility management. They can manage actually multiple types of devices, not just Samsung devices. You can manage iOS devices, etc. It's your typical MDM type solution. They have their own marketplace, and they have an SDK where you can customize it. So if you want to use these for, like, maybe a kiosk type of application, um, something like that, or maybe check in, like, valets and
stuff like that, you can customize the device so that they can only gain access to certain pieces, certain applications, store data obviously only in the container, etc. This is what EMM, the EMM policy list looks like. As you can see, the check means it's supported now, the clock means it's coming eventually. Sweet. Uh, let's see. So there we go. Can you guys see that? Nine three seven one. So here's, uh, all the cracking right here. We've brute forced the system key bag. 9371 is the passcode key. We've recovered all the keys, so we have access to all of the data, and, you know, we can do a lot of other stuff now. We could download the key
chain, decrypt all of that information, because we now have keys. We own this device, so nothing is now protected on this class. The good news is over 95% of iOS users upgrade to the latest version of iOS within a week of its release, so there's practically nobody except researchers running around with 5.1.1. So thankfully this is not really, this is more of a theoretical attack now. It's not really practical in the real world. Questions?
Has anybody come up with, um, whole disk encryption for the phones?
Uh, yeah, Moxie, Whisper Systems did, um, but if I remember correctly you have to root the device and do a bunch of other, it has a bunch of requirements to be able to do that. Um, this Knox thing, this, I think we're getting away from full disk encryption because of the personal data, corporate data argument. There's a lot of people that have not rolled out any kind of MDM or anything because of privacy concerns. For example, I'm talking to a customer right now that's really kind of, you know, they're getting pushback from even I.T., who's saying, man, this is a privacy nightmare, you're able to locate people, you're able
to, you know, change their PIN and do all this other kind of stuff. So really dual persona is kind of where we're headed as far as this is concerned. If you look at the market, uh, all of the, you know, vanilla MDM providers like MobileIron, AirWatch, etc., they're now in the MAM business, and that's because the container is the way to go. You look at Bluebox, all of those guys, you know, they're all coming out with containers, because that's the only way to really address the data protection issue and the issue of users saying, I want you to have control of my device, I spent 600 bucks on this, I should be able to do whatever I want,
which we should be behind. I'm with that too. I can give a damn about your device, all I care about is my corporate data, right? Okay, other questions?
Um, as far as you know, is there any way to load custom kernel on the models?
Uh, no, not today. Um, some, yes and no. Not a custom kernel. You can put a custom ROM on there with a couple of different devices. Uh, so SafeRoot is what you want to look at for the Samsung devices, and there is, uh, what's it called, Safestrap, I think. It's essentially a wrapper, so you're, it's not the same, and there's a very limited number of ROMs to choose from. If you want to enable,
uh, let's say, OTG cable or external network device, you cannot do that. No, not on one of these devices. Yeah, you're not low level enough, because you're not current. Other questions?
So when you enable encryption on the Android device, do you find that helping you prevent against accessing their, uh, storage, or is that just a speed bump?
Uh, it's a speed bump. Yeah, no, it doesn't do any more. I mean, once I've got root on the devices.
All right, remember this is session ID 13. Joey, thank you so very much. Thank you very much.