Agentless MTD
Update #1 - Looks like there is one other company that is doing something adjacent: Q-Scout.
Okay. Let's begin.
For those who do not know MTD: it's Mobile Threat Defense. It is a system of products and services designed to protect mobile devices from different threats, including phishing attacks, malware, trojans, etc. Most importantly, it continuously monitors your device for jailbreak/rooting, manages vulnerabilities, thwarts tampering attacks, detects exploits, etc.
Typically, MTD uses an agent application that sits on the user's device to do threat detection/scanning. The agent application is responsible for continuously monitoring the device for app, network & device threats. If an enterprise uses MDM, this application is pushed through automatically and goes through an "enrollment" process. This entails clicking an activation link and launching the agent app to do a one-time initialization.
There are two challenges (broadly):
- Agents Suck - Let's face it; many enterprise folks are not comfortable with agent solutions. And there is a good reason for it. They require user interaction (at least during the initial/enrollment stage), consume battery & raise all sorts of privacy concerns. Unlike desktops and other computing machines, mobile devices are personal. People are wary of apps that "scan" their devices.
- Efficacy - The efficacy of MTD depends on how good this agent app is in picking up threats. Apple & Google are always deprecating APIs and closing down a few others in the name of privacy/security. This stifles vendors from putting forward innovative products to the market. Vendors need to stay ahead of attackers and be on top of Apple & Google to be relevant. Call your vendors and ask how they are staying up to date! 😃
It's not all bad though. Agents do have an upper hand in many areas. They sit on the device and have access to data that allows them to detect threats with better accuracy.
This brings me to an idea I have been pondering for a while.
Is it possible to detect threats without an agent app? Can it be done from the browser? Or can it be done through MDM? Previously, I have written about how it's possible to do mobile threat detection on the web (At least partially). This article will explore the latter case. MDMs!
I believe there is a potential for MDMs to play a crucial role in detecting threats.
Let's step back and review how MDMs evolved over the past few years. In the 2000s, MDMs were born to help enterprises manage their mobile fleet. MDMs provision apps, manage data & enforce policies like device lock & wipe. Two decades have passed and MDMs have changed. A lot! Both Google and Apple have added many security-related features that might be relevant to threat detection. I will discuss two of the major ones.
Apple's security attestation for MDM allows EMM vendors to evaluate whether your iPhone/iPad is genuine and is not compromised (not jailbroken). This API has been around in the operating system but was not exposed to MDM. Hence, your MDM server can now query devices whose attestation can't be confirmed. Therefore no agent app is needed to surface compromised devices on your server.
Similar to the security attestation feature provided by Apple, Google exposes an API under the Android Management API (aka AMAPI). It allows EMM vendors to obtain the security posture of the device. It's powered by Play Integrity.
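To make the MDM-side idea concrete, here is an added example (not code from the original post, and not an official Google sample) that triages device records shaped like the AMAPI Device resource's `securityPosture` field, the data a server would get back from a `devices.get`/`devices.list` call, without any agent on the handset. The `devicePosture` and `securityRisk` enum names are taken from the public AMAPI reference as I recall it and should be checked against the current docs; the device list is constructed inline so the script runs offline.

```python
"""Triage AMAPI security-posture data server-side, with no device agent.

Added example, not code from the original post. Runs offline over a constructed
list of device records shaped like the AMAPI Device resource's `securityPosture`
field (devicePosture / postureDetails[].securityRisk). Enum and field names are
assumptions based on the public AMAPI reference; verify against current docs.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# AMAPI devicePosture values, ordered from least to most concerning.
# A missing or UNSPECIFIED posture is treated as unknown, never as safe.
POSTURE_SEVERITY = {
    "SECURE": 0,
    "POSTURE_UNSPECIFIED": 1,
    "AT_RISK": 2,
    "POTENTIALLY_COMPROMISED": 3,
}

# Defender-oriented explanation of each AMAPI securityRisk value.
RISK_EXPLANATION = {
    "UNKNOWN_OS": "OS build not recognised by Play Integrity (custom ROM or unlocked bootloader)",
    "COMPROMISED_OS": "device appears rooted or otherwise tampered",
    "HARDWARE_BACKED_EVALUATION_FAILED": "hardware-backed integrity check could not be completed",
}


@dataclass
class Finding:
    device: str
    posture: str
    severity: int
    risks: List[str] = field(default_factory=list)


def triage(devices: List[Dict]) -> List[Finding]:
    """Return every non-SECURE device, worst posture first."""
    findings: List[Finding] = []
    for dev in devices:
        posture = dev.get("securityPosture", {})
        state = posture.get("devicePosture", "POSTURE_UNSPECIFIED")
        severity = POSTURE_SEVERITY.get(state, 1)  # unknown enum -> treat as unspecified
        if severity == 0:
            continue
        risks = [
            RISK_EXPLANATION.get(detail.get("securityRisk", ""),
                                 f"unrecognised risk {detail.get('securityRisk')!r}")
            for detail in posture.get("postureDetails", [])
        ]
        findings.append(Finding(dev["name"], state, severity, risks))
    findings.sort(key=lambda f: f.severity, reverse=True)  # stable sort keeps input order within a tier
    return findings


def posture_summary(devices: List[Dict]) -> Dict[str, int]:
    """Count devices per posture bucket, for a fleet-level dashboard figure."""
    counts: Dict[str, int] = {}
    for dev in devices:
        state = dev.get("securityPosture", {}).get("devicePosture", "POSTURE_UNSPECIFIED")
        counts[state] = counts.get(state, 0) + 1
    return counts


# Constructed sample fleet; the enterprise id and device ids are placeholders,
# not real AMAPI output.
SAMPLE_FLEET = [
    {"name": "enterprises/EXAMPLE_ENTERPRISE/devices/dev-001",
     "securityPosture": {"devicePosture": "SECURE"}},
    {"name": "enterprises/EXAMPLE_ENTERPRISE/devices/dev-002",
     "securityPosture": {"devicePosture": "POTENTIALLY_COMPROMISED",
                         "postureDetails": [{"securityRisk": "COMPROMISED_OS"}]}},
    {"name": "enterprises/EXAMPLE_ENTERPRISE/devices/dev-003",
     "securityPosture": {"devicePosture": "AT_RISK",
                         "postureDetails": [{"securityRisk": "UNKNOWN_OS"}]}},
    {"name": "enterprises/EXAMPLE_ENTERPRISE/devices/dev-004"},  # posture missing entirely
]

if __name__ == "__main__":
    print("fleet posture:", posture_summary(SAMPLE_FLEET))
    for finding in triage(SAMPLE_FLEET):
        print(f"{finding.device}: {finding.posture}")
        for reason in finding.risks:
            print(f"    - {reason}")
```

The point of the severity table is that an absent posture is a finding in its own right: an MDM that silently treats "no data" as "fine" hands an attacker the easiest bypass. In production the `SAMPLE_FLEET` list would be replaced by the paginated response of the real `devices.list` call and the findings fed into whatever conditional-access or compliance workflow the MDM already has.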
Here is a brief diagram of the system (very brief ;))
Many items are missing to compete with agent-based solutions. For example, is it possible to cover network threats & phishing attacks? What about application threats like malware? However, these problems are not "unsolvable". More research is needed to verify if this proposal is indeed workable.
I believe there is an opportunity to make it work. These bits & pieces might sound hacky but their upside is big. I think enterprises will love it (At least in theory). Especially those who have deployed MTD solutions and know the pain of managing apps, enrollments & performance issues.
Okay, so, has this been done before?
I think not.
The only vendor that has mentioned the term agentless is Appdome. To their credit, they understood the value of a no-code mobile EDR/MTD solution. However, the solution depends on "injecting" their stuff into apps, including other third-party apps. While this requires no extra dev effort, an enterprise is forced to protect all of its internal & third-party apps for full protection. The latter might not be feasible given there might be copyright issues.
The better approach is to connect with the enterprise's MDM servers and do security scanning. No agent, no user interaction & one-click deployment. Too tempting to ignore, no?
What do you think?