Threat Manager

EMDK For Android - 6.0

Overview

The Threat Manager feature allows an application to control security Threats actively monitored by a device, how and whether to respond when a Threat is detected, and which Countermeasure(s) to employ.

Main Functionality

Enable/Disable Threat Detection
Detect common threats:
- Maximum failed password attempts
- MDM client removal
- Microsoft Exchange ActiveSync Threat
- External Threat detected
- Device has been rooted
Perform Countermeasures when a Threat is Detected
- Lock the device
- Perform a Factory Reset
- Format the SD card
- Wipe the Secure Storage Keys
- Send a custom Threat message
- Wipe the Secure Storage (encryption) Keys
- Uninstall an application
- Send an "Unsolicited" alert
Signal the Occurrence of an externally detected Threat
Perform Periodic Scans for root-based Threats
Set a custom interval for Periodic Scans
Define specific folders to monitor for changes
Send an Intent when a change occurs in a monitored folder

Threat Action

This is the On/Off switch for Threat Detection on the device. Turning Threat Detection On enables all features and activities that can be triggered whenever a Threat is detected on a device.

Parm Name: ThreatAction

Option	Name	Description	Requires
0	Do nothing	This value (or the absence of this parm from the XML) will make no change to whether Threat Detection is enabled; any previously selected setting will be retained.	OSX: 3.5+ MX: 4.3+
1	Turn On	Turns on Threat detection.	OSX: 3.5+ MX: 4.3+
2	Turn Off	Turns off threat detection.	OSX: 3.5+ MX: 4.3+

Option

Name

Description

Requires

Do nothing

This value (or the absence of this parm from the XML) will make no change to whether Threat Detection is enabled; any previously selected setting will be retained.

OSX: 3.5+

MX: 4.3+

Turn On

Turns on Threat detection.

OSX: 3.5+

MX: 4.3+

Turn Off

Turns off threat detection.

OSX: 3.5+

MX: 4.3+

Threat Name

Used to specify the name of the Threat to detect.

Shown if: Shown when the Threat Action is "Turn On" or "Turn Off"

Parm Name: ThreatName

Option	Name	Description	Requires
1	Do Nothing	This value (or the absence of this parm from the XML) will make no change to the Threat(s) being detected on the device; any previously selected setting will be retained.	OSX: 3.5+ MX: 6.1+
1	Max Password Attempts	Detect that the device has reached the maximum number of failed password attempts.	OSX: 3.5+ MX: 4.3+
2	MDM Client Removal	Detects that an MDM client app has been removed from the device.	OSX: 3.5+ MX: 4.3+
3	Externally Detected	A custom Threat defined by an intent that can be triggered from an application.	OSX: 3.5+ MX: 4.3+
4	Exchange Active Sync Command	Detects a Threat encountered while syncing with Microsoft Exchange.	OSX: 3.5+ MX: 4.3+
5	Device is Rooted	Detects that root-level access has been given to one or more device users and/or apps on the device.	OSX: 3.5+ MX: 4.3+

MDM Package Name

Used to specify the Package Name of the MDM client app to be monitored. Removal of the app specified here will trigger a Threat alert.

Note: The Package Name of the application to be monitored must be specified. The Package Name can be acquired from the application developer, a lookup of the Package Name on the device, or extracted from the APK file using developer tools designed for this purpose.

Parm value input rules:

String from 1 - 255 characters

Shown if: Shown when the Threat Action is "Turn On" and Threat Name is "MDM Client Package Name"

Parm Name: MDMPackage

Requires:

OSX: 3.5+

MX: 4.3+

Format SD Card Countermeasure

Formats the external SD Card, erasing all existing data on the card.

Shown if: Shown if Threat Action is "Turn On" and any Threat Action is selected.

Parm Name: FormatSdcard

Option	Name	Description	Requires
0	Do not perform	This countermeasure will not be executed.	OSX: 3.5+ MX: 4.3+
1	Perform	This countermeasure will be executed upon threat detection.	OSX: 3.5+ MX: 4.3+

Option

Name

Description

Requires

Do not perform

This countermeasure will not be executed.

OSX: 3.5+

MX: 4.3+

Perform

This countermeasure will be executed upon threat detection.

OSX: 3.5+

MX: 4.3+

Factory Reset Countermeasure

Forces a factory reset, returning the device to its original factory settings.

Shown if: Shown if Threat Action is "Turn On" and any Threat Action is selected.

Parm Name: FactoryReset

Option	Name	Description	Requires
0	Do not perform	Countermeasure will not be executed.	OSX: 3.5+ MX: 4.3+
1	Perform	Countermeasure will be executed upon threat detection.	OSX: 3.5+ MX: 4.3+

Option

Name

Description

Requires

Do not perform

Countermeasure will not be executed.

OSX: 3.5+

MX: 4.3+

Perform

Countermeasure will be executed upon threat detection.

OSX: 3.5+

MX: 4.3+

Wipe Secure Storage Keys Countermeasure

Removes from the device all Secure Storage Keys, which would otherwise be used to access portions of the device protected by encryption. Execution of this countermeasure does not necessarily prevent access to the encrypted data, but prevents the data from being decrypted and thus exploited. Once a threat has been neutralized, Secure Storage Keys can be restored to the device to provide access to the secure storage area as normal.

Shown if: Shown if Threat Action is "Turn On" and any Threat Action is selected.

Parm Name: WipeSecureStorageKeys

Option	Name	Description	Requires
0	Do not perform	Secure Storage Keys will not be removed.	OSX: 3.5+ MX: 4.3+
1	Perform	Secure Storage Keys will be removed upon threat detection.	OSX: 3.5+ MX: 4.3+

Option

Name

Description

Requires

Do not perform

Secure Storage Keys will not be removed.

OSX: 3.5+

MX: 4.3+

Perform

Secure Storage Keys will be removed upon threat detection.

OSX: 3.5+

MX: 4.3+

Lock Device Countermeasure

Locks the device; requires the user to perform the device unlock procedure configured for the device.

Shown if: Shown if Threat Action is "Turn On" and any Threat Action is selected.

Parm Name: LockDevice

Option	Name	Description	Requires
0	Do not perform	Countermeasure will not be executed.	OSX: 3.5+ MX: 4.3+
1	Perform	Countermeasure will be executed upon threat detection.	OSX: 3.5+ MX: 4.3+

Option

Name

Description

Requires

Do not perform

Countermeasure will not be executed.

OSX: 3.5+

MX: 4.3+

Perform

Countermeasure will be executed upon threat detection.

OSX: 3.5+

MX: 4.3+

Uninstall Application Countermeasure

Silently removes an application from the device as specified by package name in the UninstallPackage parameter.

Shown if: Shown if Threat Action is "Turn On" and any Threat Action is selected.

Parm Name: UninstallApplication

Option	Name	Description	Requires
0	Do not perform	Countermeasure will not be executed.	OSX: 3.5+ MX: 4.3+
1	Perform	Countermeasure will be executed upon threat detection.	OSX: 3.5+ MX: 4.3+

Option

Name

Description

Requires

Do not perform

Countermeasure will not be executed.

OSX: 3.5+

MX: 4.3+

Perform

Countermeasure will be executed upon threat detection.

OSX: 3.5+

MX: 4.3+

Uninstall Package Name

Used to specify the package name of the application to uninstall during a countermeasure procedure.

Note: The Package Name of the application to be uninstalled must be specified. The Package Name can be acquired from the application developer, a lookup of the Package Name on the device, or extracted from the APK file using developer tools designed for this purpose.

Parm value input rules:

String from 1 - 255 characters

Shown if: Shown if Threat Action is "Turn On" and any Threat Action is selected and countermeasure is "Uninstall Application"

Parm Name: UninstallPackage

Requires:

OSX: 3.5+

MX: 4.3+

Unsolicited Alert Countermeasure

Used to send an alert to an application on the device in the form of an intent. The intent must include the package name, class name and alert message as specified in the AlertPackage, AlertClass, and AlertMsg parameters. When a Threat is detected, the detection service sends the message specified in the Alert Message parameter to the specified class of the specified package.

Shown if: Shown if Threat Action is "Turn On" and any Threat Action is selected.

Parm Name: UnsolicitedAlert

Option	Name	Description	Requires
0	Do not perform	The alert-message intent will not be sent upon Threat detection.	OSX: 3.5+ MX: 4.3+
1	Perform	The alert-message intent will be sent to the specified application and class upon Threat detection.	OSX: 3.5+ MX: 4.3+

Option

Name

Description

Requires

Do not perform

The alert-message intent will not be sent upon Threat detection.

OSX: 3.5+

MX: 4.3+

Perform

The alert-message intent will be sent to the specified application and class upon Threat detection.

OSX: 3.5+

MX: 4.3+

Alert Package Name

Used to specify the package name of the application to receive an alert during a countermeasure procedure.

Note: The Package Name of the application to receive the alert must be specified. The Package Name can be acquired from the application developer, a lookup of the Package Name on the device, or extracted from the APK file using developer tools designed for this purpose.

Parm value input rules:

String from 1 - 255 characters

Shown if: Shown if Threat Action is "Turn On" and any Threat Action is selected and countermeasure is "Unsolicited Alert"

Parm Name: AlertPackage

Requires:

OSX: 3.5+

MX: 4.3+

Alert Class Name

Used to specify the Class Name of the application to receive an alert during a countermeasure procedure.

Note: The Package Name of the application to receive the alert also must be specified. The Package Name can be acquired from the application developer, a lookup of the Package Name on the device, or extracted from the APK file using developer tools designed for this purpose.

Parm value input rules:

String from 1 - 255 characters

Shown if: Shown if Threat Action is "Turn On" and any Threat Action is selected and countermeasure is "Unsolicited Alert"

Parm Name: AlertClass

Requires:

OSX: 3.5+

MX: 4.3+

Alert Message

Used to specify a message to send to the application you wish to send an alert to during a countermeasure procedure.

Parm value input rules:

String from 1 - 255 characters

Shown if: Shown if Threat Action is "Turn On" and any Threat Action is selected and countermeasure is "Unsolicited Alert"

Parm Name: AlertMsg

Requires:

OSX: 3.5+

MX: 4.3+

Signal Occurrence of Threat

Controls whether signaling is triggered by an externally detected threat warning, such as from a Mobile Device Management (MDM) system.

Shown if: Shown if Threat Action is "Turn On" and any Threat Action is selected

Parm Name: SignalOccurrenceOfThreat

Option	Name	Description	Requires
0	Do nothing	Performs no signaling when an externally occurring Threat is detected.	OSX: 3.5+ MX: 4.3+
1	Signal Occurrence	Signals the occurrence of an externally detected Threat.	OSX: 3.5+ MX: 4.3+

Option

Name

Description

Requires

Do nothing

Performs no signaling when an externally occurring Threat is detected.

OSX: 3.5+

MX: 4.3+

Signal Occurrence

Signals the occurrence of an externally detected Threat.

OSX: 3.5+

MX: 4.3+

Send Threat Message

Permits a message to be specified describing a custom threat that has occurred.

Parm value input rules:

String from 1 - 255 characters

Parm Name: SendThreatMsg

Requires:

OSX: 3.5+

MX: 4.3+

Periodic Scan

This is the On/Off switch for Periodic Scans on the device, which detect apps with the "super-user" permissions and other characteristics generally associated with root-based malware. When Periodic Scan is disabled, Threat detection scanning occurs each time the device boots. When enabled, scans are performed according to the interval specified in the Periodic Scan Interval parameter. Scan frequency can effect battery life.

Shown if: Shown if Threat Action is "Turn On"

Parm Name: PeriodicScan

Option	Name	Description	Requires
0	Do nothing	This value (or the absence of this parm from the XML) will make no change to whether the Periodic Scan feature is enabled; any previously selected setting will be retained.	OSX: 3.5+ MX: 6.1+
1	Turn On	Enables Periodic Scans to be performed on the device.	OSX: 3.5+ MX: 6.1+
2	Turn Off	Disables the Periodic Scan feature on the device.	OSX: 3.5+ MX: 6.1+

Option

Name

Description

Requires

Do nothing

This value (or the absence of this parm from the XML) will make no change to whether the Periodic Scan feature is enabled; any previously selected setting will be retained.

OSX: 3.5+

MX: 6.1+

Turn On

Enables Periodic Scans to be performed on the device.

OSX: 3.5+

MX: 6.1+

Turn Off

Disables the Periodic Scan feature on the device.

OSX: 3.5+

MX: 6.1+

Perodic Scan Interval

Used to specify the time, in minutes, to wait between Periodic Scans performed on the device. Minimum scan interval is one minute; maximum is 1440 minutes (24 hrs.). If Periodic Scan is enabled and no scan interval is specified, a value of 30 (min.) will be used. Periodic Scans detect apps with the "super-user" permissions and other characteristics generally associated with root-based malware. Scan frequency can effect battery life.

Parm value input rules:

Integer from 1 - 1440 (min.)

Shown if: Shown if Threat Action is "Turn On" and Periodic Scan is "Turn On"

Parm Name: PeriodicScanInterval

Requires:

OSX: 3.5+

MX: 6.1+

Extra Scan Folders

This is the On/Off switch for folder monitoring. This Extra Scan Folders feature monitors one or more folders on the device (including those in Android-protected areas) as specified in the Extra Scan Folders List parameter. When a change within a monitored folder occurs, ThreatMgr broadcasts an Intent with the folder name and one of the Android FileObserver constants to describe the event.

This parameter does not detect Threats.

Parm Name: ExtraScanFolders

Option	Name	Description	Requires
0	Do nothing	This value (or the absence of this parm from the XML) will make no change to Folder Monitoring; any previously selected setting will be retained.	OSX: 3.5+ MX: 6.1+
1	Turn On	Enables folder monitoring, and sends an Intent when changes occur to the specified folder(s).	OSX: 3.5+ MX: 6.1+
2	Turn Off	Disables folder monitoring, and causes the device to ignore changes to the specified folder(s).	OSX: 3.5+ MX: 6.1+

Option

Name

Description

Requires

Do nothing

This value (or the absence of this parm from the XML) will make no change to Folder Monitoring; any previously selected setting will be retained.

OSX: 3.5+

MX: 6.1+

Turn On

Enables folder monitoring, and sends an Intent when changes occur to the specified folder(s).

OSX: 3.5+

MX: 6.1+

Turn Off

Disables folder monitoring, and causes the device to ignore changes to the specified folder(s).

OSX: 3.5+

MX: 6.1+

Extra Scan Folders List

Used to specify one or more folders on the device to monitor for changes, including folders in protected areas of an Android device. Folder(s) specified in this parameter replace any previously specified folder(s). To add a folder to an existing folder list, specify the entire (comma-separated) list including the new folder.

This parameter does not detect Threats.

Parm value input rules:

String from 1 - 255 characters containing comma-separated list of fully qualified path(s) to folder(s) on the device. Replaces any previously specified folder list.

Parm Name: ExtraScanFoldersList

Requires:

OSX: 3.5+

MX: 6.1+

Examples

Turn On externally detected Threat:


<wap-provisioningdoc>
<characteristic type="ThreatMgr" version="4.3">
   <parm name="ThreatAction" value="1" />
   <parm name="ThreatName" value="ExternallyDetected" />
<characteristic type="CounterMeasure">
   <parm name="FormatSdcard" value="1" />
   <parm name="FactoryReset" value="1" />
   <parm name="WipeSecureStorageKeys" value="1" />
   <parm name="LockDevice" value="1" />
 </characteristic>
</characteristic>
</wap-provisioningdoc>

Turn Off externally detected Threat:


<wap-provisioningdoc>
<characteristic type="ThreatMgr" version="4.3">
   <parm name="ThreatAction" value="2" />
   <parm name="ThreatName" value="ExternallyDetected" />
</wap-provisioningdoc>

Query the current Threat configuration:


<wap-provisioningdoc>
    <characteristic-query type="ThreatMgr"/>
</wap-provisioningdoc>