Is Headwind MDM safe?

Ensuring the security of our MDM software and user data is a top priority of our development and security assessment team. Here’s how we make Headwind MDM safe and reliable for business.

Security methods

  • Encrypted protocols. Headwind MDM uses HTTPS and validates server certificates with the standard Android SDK methods. HSTS (HTTP Strict Transport Security) can be turned on, which blocks attempts to bypass certificate errors.
  • Password storage. Users’ passwords are never exposed; only their hashes (SHA-1) are transmitted and stored.
  • Password requirements. The admin can set a minimum password strength and require users to reset their password after signing up.
  • Two-factor authentication. 2FA by means of TOTP (time-based one-time passwords generated by an authenticator app) can be turned on.
  • Access isolation. Critical services (such as push sending or superadmin access) are isolated from non-critical services and methods.

Enhanced security

REST method signatures can be turned on by the admin to prevent man-in-the-middle attacks and to control access to files and applications.
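The page does not describe the exact signature format Headwind MDM uses, so the following is an added, hypothetical illustration of the general technique rather than the product's own scheme: the client signs a canonical form of each REST call (method, path, SHA-256 of the body, timestamp, nonce) with a shared secret using HMAC-SHA256, and the server rejects calls whose signature does not match, whose timestamp is stale, or whose nonce was already seen. The header names, the 300-second skew limit, the in-memory nonce store and the example path are assumptions of this example.

```python
import hashlib
import hmac
import time


def canonical_request(method: str, path: str, body: bytes, timestamp: int, nonce: str) -> bytes:
    """Fixed-order canonical form. The body is bound through its SHA-256 so the
    signature covers the payload without concatenating large uploads into the string."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, body_hash, str(timestamp), nonce]).encode()


def sign_request(key: bytes, method: str, path: str, body: bytes, timestamp: int, nonce: str) -> str:
    """Client side: HMAC-SHA256 over the canonical request, hex-encoded for a header value."""
    return hmac.new(key, canonical_request(method, path, body, timestamp, nonce), hashlib.sha256).hexdigest()


class SignatureVerifier:
    """Server side. Assumed header names: X-Timestamp, X-Nonce, X-Signature."""

    def __init__(self, key: bytes, max_skew: int = 300):
        self.key = key
        self.max_skew = max_skew
        self.seen_nonces = {}  # nonce -> timestamp; hypothetical in-memory replay cache

    def verify(self, method: str, path: str, body: bytes, headers: dict, now=None):
        """Return (accepted, reason). Order: parse headers, freshness, signature, replay."""
        now = int(time.time()) if now is None else now
        try:
            timestamp = int(headers["X-Timestamp"])
            nonce = headers["X-Nonce"]
            signature = headers["X-Signature"]
        except (KeyError, ValueError):
            return False, "missing or malformed signature headers"
        if abs(now - timestamp) > self.max_skew:
            return False, "timestamp outside allowed skew"
        expected = sign_request(self.key, method, path, body, timestamp, nonce)
        if not hmac.compare_digest(expected, signature):
            return False, "signature mismatch"
        if nonce in self.seen_nonces:
            return False, "nonce already used (replay)"
        self.seen_nonces[nonce] = timestamp
        self._expire(now)
        return True, "ok"

    def _expire(self, now: int) -> None:
        """Drop nonces older than the skew window; anything older fails the timestamp check anyway."""
        for nonce, ts in list(self.seen_nonces.items()):
            if now - ts > self.max_skew:
                del self.seen_nonces[nonce]


if __name__ == "__main__":
    # Constructed demo: a signed call, then the same call replayed and a tampered body.
    key = b"constructed-shared-secret"
    ts = int(time.time())
    body = b'{"deviceId":"dev-001"}'          # constructed payload
    path = "/rest/example/device/sync"        # hypothetical path, not a product endpoint
    headers = {"X-Timestamp": str(ts), "X-Nonce": "n1",
               "X-Signature": sign_request(key, "POST", path, body, ts, "n1")}
    verifier = SignatureVerifier(key)
    print(verifier.verify("POST", path, body, headers))
    print(verifier.verify("POST", path, body, headers))
    print(verifier.verify("POST", path, b'{"deviceId":"dev-002"}', headers))
```

Binding the timestamp and nonce into the signed string is what turns a bare integrity check into MITM and replay protection: an intercepted request cannot be modified (the HMAC no longer matches) and cannot be resent later (stale timestamp or duplicate nonce).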

Data security

  • Storage encryption by the Android OS can be turned on. This prevents unauthorized access to data by extracting the storage.
  • USB data transfer lock prevents data extraction by connecting the device to a USB host.
  • Remote lock and reset can be performed by the admin if a mobile device is lost or stolen.
  • Content authorization may be turned on to prevent unauthorized third-party access to files and applications.

Cybersecurity-related quality assessment

Audits by third parties and organizations

Headwind MDM, as open source software, is regularly checked for vulnerabilities, both by volunteers (ethical hackers, bug hunters) and by independent cybersecurity companies hired by Headwind MDM or our customers. Security assessments result in vulnerability reports (CVEs), which are treated in the same way as bugs reported by our users.

Vulnerability fix

Each vulnerability issue is analyzed according to its severity. Critical issues are treated as high-priority bugs (similar to functionality issues). Once the vulnerability is fixed, the auditor’s confirmation is requested, and the issue is closed after that confirmation.

Common security tests

  • Unauthorized access and privilege escalation tests of all REST methods listed in https://srv.h-mdm.com/swagger-ui/;
  • Testing third-party software and libraries used by Headwind MDM for common vulnerabilities, and updating the components to their secure versions;
  • Deployment of a test instance and penetration testing for common attack types, for example:
    • Privilege escalation using cookies or REST methods;
    • SQL injection attacks;
    • Access to protected storage by uploading scripts;
    • Uploaded file execution attacks.
  • Source code audit for undocumented access (backdoors) and common security issues such as exposed secrets and passwords. Audit report sample