SlideShare a Scribd company logo

Windows Phone 8 application security

Download as PPTX, PDF
Andrey Chasovskikh
Andrey Chasovskikh
1 of 43
WINDOWS PHONE 8 APPLICATION SECURITY HackInParis 2013 Dmitriy Evdokimov Andrey Chasovskikh
About us Dmitriy ‘D1g1’ Evdokimov - Security researcher at ERPScan - Mobile security, RE, fuzzing, exploit dev etc. - Editor of Russian hacking magazine - DEFCON Russia (DCG #7812) co-organizer Andrey Chasovskikh - Software developer - Windows Phone addict HackInParis 2013 2
HackInParis 2013 • Intro • Security model • First steps in Windows Phone 8 • Applications • Application security • Conclusion 3 Agenda
INTRO
Intro • 29 Oct 2012 – Windows Phone 8 released • Based on Windows 8 core – ARM architecture • Market share: 3,2% (Q1 2013, IDC) • 145 000+ applications in Windows Phone Store HackInParis 2013 5
SECURITY MODEL
HackInParis 2013 - Trusted Computing Base (TCB) Kernel, kernel-mode drivers - Least Privileged Chamber (LPC) All other software: services, pre-installed apps, application from WP store Chambers 7
HackInParis 2013 Capabilities System - Debug - SMS API - Live ID - SIM API Etc. Total 350+ WMAppManifest.xml Developers - Network - Camera - NFC - SD card access - Wallet - Speech recognition - Front camera Etc. Total 27 8 OEM Developers - Cell API - Device management Etc. Total 39
HackInParis 2013 Sandboxing App1 Chamber App2 Chamber Local folder for App1 Local folder for App2 • File system structure is hidden • Local folder • Former isolated storage • Limited app-to-app communication 9 URI, files
HackInParis 2013 • File types associations - LaunchFileAsync() - Reserved: xap, msi, bat, cmd, py, jar etc. • URI associations - LaunchUriAsync() - Reserved: http, tel, wallet, LDAP, rlogin, telnet etc. - Proximity communication using NFC App-to-app communication 10
HackInParis 2013 Local folder Local Folder Settings Storage Files Database File Storage Directory Physical File Storage 11
Application protection • All binaries are signed • Application file is signed – Kind of checksum file is put into applications • Certificate pinning for Store • XAP file has DRM key HackInParis 2013 12
The Microsoft PlayReady Ecosystem HackInParis 2013 13
XAP file protection • Before august 2012 – ZIP archive – Sign • After august 2012 – New file format – PlayReady Header – AESCTR algorithm HackInParis 2013 14
FIRST STEPS IN WINDOWS PHONE 8
Windows 8 vs Windows Phone 8 • WP8 is migrating from the WinCE core to the WinNT core • Win8/emulator (x86) • WinRT/device (ARM) HackInParis 2013 16 http://intrepidusgroup.com/insight/2012/12/windows-phone-8-and-windows-8-similarity/
WP8 emulator • Hyper-V images – %ProgramFiles(x86)%Microsoft SDKs Windows Phonev8.0EmulationImages • Emulator vs. Device – x86 – Fake binaries • FakeLed.sys, Fakevibra.sys, FakeModem.dll etc. – Different user-agent – Prohibited to install apps from the Store HackInParis 2013 17
WP8 device • Windows Phone 8 has standardized bootloader – Full flash images are available • ImgMount tool – FFU Image file as a virtual hard drive HackInParis 2013 18
Reversing WP8 internals • No debug symbols • Tip: restore information from Event Tracing for Windows (ETW) • Use IDAPython HackInParis 2013 *InstallerWorker.exe 19
Windows API calls • Full Windows API is not available by default • Originally posted on XDA for WindowsRT apps – Find kernerbase.dll address (“MZ”) -> Get “LoadLibraryA” and “GetProcAddress” functions -> call any function you want – http://bit.ly/Uw2Gk6 • Works for Windows Phone 8 HackInParis 2013 20
APPLICATIONS
HackInParis 2013 Applications Developer Platform (XAML, XNA, Device services) .NET Framework (CoreCLR) WP8 OS, Win8 based 22 .NET and CLR
HackInParis 2013 23 Frameworks
• Microsoft • OEM – XAP files are not encrypted (~ZIP) – C:PROGRAMSCommonFilesXaps • Windows Phone Store apps – C:DataPrograms{ProductID}Install • Company applications – XAP files are not encrypted (~ZIP) – Company hubs • Developer applications – Need developer unlock HackInParis 2013 24 Application kinds
HackInParis 2013 • Application assemblies (in various formats) • Resources • AppManifest.xaml • WMAppManifest.xml 25 Application file structure
APPLICATION SECURITY
Security?! “One of the goals of the Windows Phone app platform is to foster the creation of apps that are secure by design and secure by default.” Security for Windows Phone HackInParis 2013 27
Application entry points • User input • SD card • Sockets • URI HackInParis 2013 28 • Web • Bluetooth • NFC • Speech2Text Green – Windows Phone 7 White – Windows Phone 8
Vulnerabilities HackInParis 2013 Windows Phone 8 (C#/VB/C/C++) iOS (Objective-C) Android (Java) Note: Main programming languages in brackets Platform independent vulnerabilities Platform specific vulnerabilities 29
Work with SD card • WP8 allows only read operations • Only registered file types • Files on SD cards are not encrypted HackInParis 2013 OS Details iOS Work with SD card is absent Android READ/WRITE 30
Privacy • Device Unique ID – Requires ID_CAP_IDENTITY_DEVICE – DeviceExtendedProperties.GetValue(“DeviceUniqueId”) • Windows Live Anonymous ID – Requires ID_CAP_IDENTITY_USER – UserExtendedProperties.GetValue(“ANID2”) • Both identifiers are per-publisher HackInParis 2013 OS Details iOS UDID (apps that use UDIDs are no longer accepted, from May 1, 2013) Android telephonyManager.getDeviceId() 31
Privacy, part 2 • Device name, manufacturer, firmware versions – Requires ID_CAP_IDENTITY_DEVICE – DeviceStatus class • Location tracking – ID_CAP_LOCATION – GeoCoordinateWatcher class HackInParis 2013 32 OS Details iOS UDID (apps that use UDIDs are no longer accepted, from May 1, 2013) Android telephonyManager.getDeviceId()
Secure storage • Device can be encrypted (not for all countries) – BitLocker 2.0/TPM – Available only in business settings • Data Protection API (DPAPI) • System.Security.Cryptography • Algorithms: AES, HMACSHA1, HMACSHA256, Rfc2898DeriveBytes, RSA, SHA1, SHA256 HackInParis 2013 OS Details iOS Keychain, /System/Library/Frameworks/Security.framework Android android.security.KeyChain (from 4.0) 33
Data leak • Keyboard cache is isolated per-application • Cache for applications that access internet – Controlled by OS HackInParis 2013 OS Details iOS plist, Custom created documents, Preferences, Logs, Cache data, Keyboard cache, Pasteboard cache, Cookies Android shared_preference, logs, external storage, MODE_WORLD_READABLE or MODE_WORLD_WRITETABLE 34
Work with URI • Handling function: MapUri() • Filter user input • Exclude critical arguments from URI – Ex.: prgrm://command?request=data&role=admin HackInParis 2013 OS Details iOS openURL(), handleOpenURL() Android android.net.Uri class 35
Cross-site scripting (XSS) • WebBrowser control (based on IE10) • JavaScript is disabled by default • To see if enabled: – WebBrowser.IsScriptEnabled = true – <WebBrowser IsScriptEnabled = “True” /> HackInParis 2013 OS Details iOS UIWebView Class + stringByEvaluatingJavaScriptFromString() shouldStartLoadWithRequest() Android WebView.getSettings().setJavaScriptEnabled(); WebView.getSettings().setPluginsEnabled(); 36
Directory traversal • Local folder API accepts paths with traversal – IsolatedStorageFile class (WP7) – StorageFolder class • Win32 storage API HackInParis 2013 OS Details iOS contentsAtPath, fileHandleForReadingAtPath, _fopen etc. Android ContentProvider + incorrect or missing rights, files functions 37
XML External Entity (XXE) • System.Xml namespace – Entity resolving is prohibited by default • Entities can be resolved by using custom XmlResolver for XmlDocument HackInParis 2013 OS Details iOS libXML2 + _xmlParseMemory, NSXMLParser + setShouldResolveExternalEntities:YES Android setFeature(external-general-entities, True) 38
SQL injection • Bad: • Good: HackInParis 2013 OS Details iOS sqlite3_exec() Android query(), rawQuery() 39
Memory corruption bugs • Developers can use native code • Format string, BoF, use-after-free etc. – С/C++ functions • Compilation flags: /sdl, /GS, /DYNAMICBASE, /NXCOMPAT HackInParis 2013 OS Details iOS –fPIE, –fstack-protector-all, -fobjc-arc Android Only in native libs, -fstack-protector, -Wformat-security, NX, ASLR, PIE
CONCLUSION
HackInParis 2013 • Windows Phone 8 is pretty secure • Greater attack surface • Security-related API • More flexible than in iOS • More simple than in Android Conclusion 42
Q&A Dmitry ‘D1g1’ Evdokimov d.evdokimov@erpscan.com @evdokimovds Andrey Chasovskikh http://andreycha.info @andreycha HackInParis 2013 43

Recommended

Windows Phone 8 Security and Testing WP8 Apps
Windows Phone 8 Security and Testing WP8 AppsWindows Phone 8 Security and Testing WP8 Apps
Windows Phone 8 Security and Testing WP8 AppsJorge Orchilles
 
Windows Phone 8 Security Deep Dive
Windows Phone 8 Security Deep DiveWindows Phone 8 Security Deep Dive
Windows Phone 8 Security Deep DiveMicrosoft Developer Network (MSDN) - Belgium and Luxembourg
 
Windows Phone Application Penetration Testing
Windows Phone Application Penetration Testing Windows Phone Application Penetration Testing
Windows Phone Application Penetration Testing Jewel Joy
 
Inspection of Windows Phone applications
Inspection of Windows Phone applicationsInspection of Windows Phone applications
Inspection of Windows Phone applicationsAndrey Chasovskikh
 
Reverse engineering and modifying windows 8 apps
Reverse engineering and modifying windows 8 appsReverse engineering and modifying windows 8 apps
Reverse engineering and modifying windows 8 appsAmaan Khan
 
Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Stephan Chenette
 
Смирнов Александр, Security in Android Application
Смирнов Александр, Security in Android ApplicationСмирнов Александр, Security in Android Application
Смирнов Александр, Security in Android ApplicationSECON
 
Win10 comparetable fy17
Win10 comparetable fy17Win10 comparetable fy17
Win10 comparetable fy17namprince187
 

Recommended

Windows Phone 8 Security and Testing WP8 Apps
Windows Phone 8 Security and Testing WP8 AppsWindows Phone 8 Security and Testing WP8 Apps
Windows Phone 8 Security and Testing WP8 AppsJorge Orchilles
 
Windows Phone 8 Security Deep Dive
Windows Phone 8 Security Deep DiveWindows Phone 8 Security Deep Dive
Windows Phone 8 Security Deep DiveMicrosoft Developer Network (MSDN) - Belgium and Luxembourg
 
Windows Phone Application Penetration Testing
Windows Phone Application Penetration Testing Windows Phone Application Penetration Testing
Windows Phone Application Penetration Testing Jewel Joy
 
Inspection of Windows Phone applications
Inspection of Windows Phone applicationsInspection of Windows Phone applications
Inspection of Windows Phone applicationsAndrey Chasovskikh
 
Reverse engineering and modifying windows 8 apps
Reverse engineering and modifying windows 8 appsReverse engineering and modifying windows 8 apps
Reverse engineering and modifying windows 8 appsAmaan Khan
 
Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Stephan Chenette
 
Смирнов Александр, Security in Android Application
Смирнов Александр, Security in Android ApplicationСмирнов Александр, Security in Android Application
Смирнов Александр, Security in Android ApplicationSECON
 
Win10 comparetable fy17
Win10 comparetable fy17Win10 comparetable fy17
Win10 comparetable fy17namprince187
 
Permission in Android Security: Threats and solution
Permission in Android Security: Threats and solutionPermission in Android Security: Threats and solution
Permission in Android Security: Threats and solutionTandhy Simanjuntak
 
Android Security
Android SecurityAndroid Security
Android SecuritySuminda Gunawardhana
 
Brief Tour about Android Security
Brief Tour about Android SecurityBrief Tour about Android Security
Brief Tour about Android SecurityNational Cheng Kung University
 
Analysis and research of system security based on android
Analysis and research of system security based on androidAnalysis and research of system security based on android
Analysis and research of system security based on androidRavishankar Kumar
 
Android security in depth
Android security in depthAndroid security in depth
Android security in depthSander Alberink
 
Understanding android security model
Understanding android security modelUnderstanding android security model
Understanding android security modelPragati Rai
 
Android security
Android securityAndroid security
Android securityMidhun P Gopi
 
Deep Dive Into Android Security
Deep Dive Into Android SecurityDeep Dive Into Android Security
Deep Dive Into Android SecurityMarakana Inc.
 
Android sandbox
Android sandboxAndroid sandbox
Android sandboxAnusha Chavan
 
Bypassing the Android Permission Model
Bypassing the Android Permission ModelBypassing the Android Permission Model
Bypassing the Android Permission ModelGeorgia Weidman
 
Introduction to Android Development and Security
Introduction to Android Development and SecurityIntroduction to Android Development and Security
Introduction to Android Development and SecurityKelwin Yang
 
Android secure offline storage - CC Mobile
Android secure offline storage - CC MobileAndroid secure offline storage - CC Mobile
Android secure offline storage - CC MobileSteve De Zitter
 
Android Security
Android SecurityAndroid Security
Android SecurityArqum Ahmad
 
RSA SF Conference talk-2009-ht2-401 sallam
RSA SF Conference talk-2009-ht2-401 sallamRSA SF Conference talk-2009-ht2-401 sallam
RSA SF Conference talk-2009-ht2-401 sallamAhmed Sallam
 
Sperasoft talks: Android Security Threats
Sperasoft talks: Android Security ThreatsSperasoft talks: Android Security Threats
Sperasoft talks: Android Security ThreatsSperasoft
 
Android
AndroidAndroid
AndroidTapan Khilar
 
Ahmed sallam technical_journey_1992_1999
Ahmed sallam technical_journey_1992_1999Ahmed sallam technical_journey_1992_1999
Ahmed sallam technical_journey_1992_1999Ahmed Sallam
 
Christchurch Embedded .NET User Group - Introduction to Microsoft Embedded pl...
Christchurch Embedded .NET User Group - Introduction to Microsoft Embedded pl...Christchurch Embedded .NET User Group - Introduction to Microsoft Embedded pl...
Christchurch Embedded .NET User Group - Introduction to Microsoft Embedded pl...christopherfairbairn
 
Android ppt
Android pptAndroid ppt
Android pptIndumathy Mayuranathan
 
Android Security Development
Android Security DevelopmentAndroid Security Development
Android Security Developmenthackstuff
 
[Wroclaw #1] Android Security Workshop
[Wroclaw #1] Android Security Workshop[Wroclaw #1] Android Security Workshop
[Wroclaw #1] Android Security WorkshopOWASP
 
Outsmarting SmartPhones
Outsmarting SmartPhonesOutsmarting SmartPhones
Outsmarting SmartPhonessaurabhharit
 

More Related Content

What's hot

Permission in Android Security: Threats and solution
Permission in Android Security: Threats and solutionPermission in Android Security: Threats and solution
Permission in Android Security: Threats and solutionTandhy Simanjuntak
 
Analysis and research of system security based on android
Analysis and research of system security based on androidAnalysis and research of system security based on android
Analysis and research of system security based on androidRavishankar Kumar
 
Android security in depth
Android security in depthAndroid security in depth
Android security in depthSander Alberink
 
Understanding android security model
Understanding android security modelUnderstanding android security model
Understanding android security modelPragati Rai
 
Deep Dive Into Android Security
Deep Dive Into Android SecurityDeep Dive Into Android Security
Deep Dive Into Android SecurityMarakana Inc.
 
Bypassing the Android Permission Model
Bypassing the Android Permission ModelBypassing the Android Permission Model
Bypassing the Android Permission ModelGeorgia Weidman
 
Introduction to Android Development and Security
Introduction to Android Development and SecurityIntroduction to Android Development and Security
Introduction to Android Development and SecurityKelwin Yang
 
Android secure offline storage - CC Mobile
Android secure offline storage - CC MobileAndroid secure offline storage - CC Mobile
Android secure offline storage - CC MobileSteve De Zitter
 
Android Security
Android SecurityAndroid Security
Android SecurityArqum Ahmad
 
RSA SF Conference talk-2009-ht2-401 sallam
RSA SF Conference talk-2009-ht2-401 sallamRSA SF Conference talk-2009-ht2-401 sallam
RSA SF Conference talk-2009-ht2-401 sallamAhmed Sallam
 
Sperasoft talks: Android Security Threats
Sperasoft talks: Android Security ThreatsSperasoft talks: Android Security Threats
Sperasoft talks: Android Security ThreatsSperasoft
 
Ahmed sallam technical_journey_1992_1999
Ahmed sallam technical_journey_1992_1999Ahmed sallam technical_journey_1992_1999
Ahmed sallam technical_journey_1992_1999Ahmed Sallam
 
Christchurch Embedded .NET User Group - Introduction to Microsoft Embedded pl...
Christchurch Embedded .NET User Group - Introduction to Microsoft Embedded pl...Christchurch Embedded .NET User Group - Introduction to Microsoft Embedded pl...
Christchurch Embedded .NET User Group - Introduction to Microsoft Embedded pl...christopherfairbairn
 
Android Security Development
Android Security DevelopmentAndroid Security Development
Android Security Developmenthackstuff
 

What's hot (20)

Permission in Android Security: Threats and solution
Permission in Android Security: Threats and solutionPermission in Android Security: Threats and solution
Permission in Android Security: Threats and solution
 
Android Security
Android SecurityAndroid Security
Android Security
 
Brief Tour about Android Security
Brief Tour about Android SecurityBrief Tour about Android Security
Brief Tour about Android Security
 
Analysis and research of system security based on android
Analysis and research of system security based on androidAnalysis and research of system security based on android
Analysis and research of system security based on android
 
Android security in depth
Android security in depthAndroid security in depth
Android security in depth
 
Understanding android security model
Understanding android security modelUnderstanding android security model
Understanding android security model
 
Android security
Android securityAndroid security
Android security
 
Deep Dive Into Android Security
Deep Dive Into Android SecurityDeep Dive Into Android Security
Deep Dive Into Android Security
 
Android sandbox
Android sandboxAndroid sandbox
Android sandbox
 
Bypassing the Android Permission Model
Bypassing the Android Permission ModelBypassing the Android Permission Model
Bypassing the Android Permission Model
 
Introduction to Android Development and Security
Introduction to Android Development and SecurityIntroduction to Android Development and Security
Introduction to Android Development and Security
 
Android secure offline storage - CC Mobile
Android secure offline storage - CC MobileAndroid secure offline storage - CC Mobile
Android secure offline storage - CC Mobile
 
Android Security
Android SecurityAndroid Security
Android Security
 
RSA SF Conference talk-2009-ht2-401 sallam
RSA SF Conference talk-2009-ht2-401 sallamRSA SF Conference talk-2009-ht2-401 sallam
RSA SF Conference talk-2009-ht2-401 sallam
 
Sperasoft talks: Android Security Threats
Sperasoft talks: Android Security ThreatsSperasoft talks: Android Security Threats
Sperasoft talks: Android Security Threats
 
Android
AndroidAndroid
Android
 
Ahmed sallam technical_journey_1992_1999
Ahmed sallam technical_journey_1992_1999Ahmed sallam technical_journey_1992_1999
Ahmed sallam technical_journey_1992_1999
 
Christchurch Embedded .NET User Group - Introduction to Microsoft Embedded pl...
Christchurch Embedded .NET User Group - Introduction to Microsoft Embedded pl...Christchurch Embedded .NET User Group - Introduction to Microsoft Embedded pl...
Christchurch Embedded .NET User Group - Introduction to Microsoft Embedded pl...
 
Android ppt
Android pptAndroid ppt
Android ppt
 
Android Security Development
Android Security DevelopmentAndroid Security Development
Android Security Development
 

Similar to Windows Phone 8 application security

[Wroclaw #1] Android Security Workshop
[Wroclaw #1] Android Security Workshop[Wroclaw #1] Android Security Workshop
[Wroclaw #1] Android Security WorkshopOWASP
 
Outsmarting SmartPhones
Outsmarting SmartPhonesOutsmarting SmartPhones
Outsmarting SmartPhonessaurabhharit
 
Android village @nullcon 2012
Android village @nullcon 2012 Android village @nullcon 2012
Android village @nullcon 2012 hakersinfo
 
Virtue Security - The Art of Mobile Security 2013
Virtue Security - The Art of Mobile Security 2013Virtue Security - The Art of Mobile Security 2013
Virtue Security - The Art of Mobile Security 2013Virtue Security
 
Android Internals and Toolchain
Android Internals and ToolchainAndroid Internals and Toolchain
Android Internals and ToolchainVladimir Kotov
 
Pwning Windows Mobile Applications by Ankit Giri
Pwning Windows Mobile Applications by Ankit GiriPwning Windows Mobile Applications by Ankit Giri
Pwning Windows Mobile Applications by Ankit GiriOWASP Delhi
 
Androidoverview 100405150711-phpapp01
Androidoverview 100405150711-phpapp01Androidoverview 100405150711-phpapp01
Androidoverview 100405150711-phpapp01Santosh Sh
 
ToorCon 14 : Malandroid : The Crux of Android Infections
ToorCon 14 : Malandroid : The Crux of Android InfectionsToorCon 14 : Malandroid : The Crux of Android Infections
ToorCon 14 : Malandroid : The Crux of Android InfectionsAditya K Sood
 
Hacking your Droid (Aditya Gupta)
Hacking your Droid (Aditya Gupta)Hacking your Droid (Aditya Gupta)
Hacking your Droid (Aditya Gupta)ClubHack
 
Android (Types, Feature,Application etc..)
Android (Types, Feature,Application etc..)Android (Types, Feature,Application etc..)
Android (Types, Feature,Application etc..)Coder Tech
 
openioc_scan - IOC scanner for memory forensics
openioc_scan - IOC scanner for memory forensicsopenioc_scan - IOC scanner for memory forensics
openioc_scan - IOC scanner for memory forensicsTakahiro Haruyama
 
Outsmarting smartphones
Outsmarting smartphonesOutsmarting smartphones
Outsmarting smartphonesSensePost
 
3. Android Architecture.pptx
3. Android Architecture.pptx3. Android Architecture.pptx
3. Android Architecture.pptxHarshiniB11
 
Android– forensics and security testing
Android– forensics and security testingAndroid– forensics and security testing
Android– forensics and security testingSanthosh Kumar
 

Similar to Windows Phone 8 application security (20)

[Wroclaw #1] Android Security Workshop
[Wroclaw #1] Android Security Workshop[Wroclaw #1] Android Security Workshop
[Wroclaw #1] Android Security Workshop
 
Outsmarting SmartPhones
Outsmarting SmartPhonesOutsmarting SmartPhones
Outsmarting SmartPhones
 
Android village @nullcon 2012
Android village @nullcon 2012 Android village @nullcon 2012
Android village @nullcon 2012
 
Stealing sensitive data from android phones the hacker way
Stealing sensitive data from android phones the hacker wayStealing sensitive data from android phones the hacker way
Stealing sensitive data from android phones the hacker way
 
Virtue Security - The Art of Mobile Security 2013
Virtue Security - The Art of Mobile Security 2013Virtue Security - The Art of Mobile Security 2013
Virtue Security - The Art of Mobile Security 2013
 
Android Internals and Toolchain
Android Internals and ToolchainAndroid Internals and Toolchain
Android Internals and Toolchain
 
Android
AndroidAndroid
Android
 
Pwning Windows Mobile Applications by Ankit Giri
Pwning Windows Mobile Applications by Ankit GiriPwning Windows Mobile Applications by Ankit Giri
Pwning Windows Mobile Applications by Ankit Giri
 
Androidoverview 100405150711-phpapp01
Androidoverview 100405150711-phpapp01Androidoverview 100405150711-phpapp01
Androidoverview 100405150711-phpapp01
 
Android Attacks
Android AttacksAndroid Attacks
Android Attacks
 
ToorCon 14 : Malandroid : The Crux of Android Infections
ToorCon 14 : Malandroid : The Crux of Android InfectionsToorCon 14 : Malandroid : The Crux of Android Infections
ToorCon 14 : Malandroid : The Crux of Android Infections
 
Man-In-The-Disk
Man-In-The-DiskMan-In-The-Disk
Man-In-The-Disk
 
Hacking your Droid (Aditya Gupta)
Hacking your Droid (Aditya Gupta)Hacking your Droid (Aditya Gupta)
Hacking your Droid (Aditya Gupta)
 
Android (Types, Feature,Application etc..)
Android (Types, Feature,Application etc..)Android (Types, Feature,Application etc..)
Android (Types, Feature,Application etc..)
 
openioc_scan - IOC scanner for memory forensics
openioc_scan - IOC scanner for memory forensicsopenioc_scan - IOC scanner for memory forensics
openioc_scan - IOC scanner for memory forensics
 
Android Programming
Android ProgrammingAndroid Programming
Android Programming
 
Outsmarting smartphones
Outsmarting smartphonesOutsmarting smartphones
Outsmarting smartphones
 
3. Android Architecture.pptx
3. Android Architecture.pptx3. Android Architecture.pptx
3. Android Architecture.pptx
 
Android– forensics and security testing
Android– forensics and security testingAndroid– forensics and security testing
Android– forensics and security testing
 
Android Revolution
Android RevolutionAndroid Revolution
Android Revolution
 

Windows Phone 8 application security

  • 1. WINDOWS PHONE 8 APPLICATION SECURITY HackInParis 2013 Dmitriy Evdokimov Andrey Chasovskikh
  • 2. About us Dmitriy ‘D1g1’ Evdokimov - Security researcher at ERPScan - Mobile security, RE, fuzzing, exploit dev etc. - Editor of Russian hacking magazine - DEFCON Russia (DCG #7812) co-organizer Andrey Chasovskikh - Software developer - Windows Phone addict HackInParis 2013 2
  • 3. HackInParis 2013 • Intro • Security model • First steps in Windows Phone 8 • Applications • Application security • Conclusion 3 Agenda
  • 5. Intro • 29 Oct 2012 – Windows Phone 8 released • Based on Windows 8 core – ARM architecture • Market share: 3,2% (Q1 2013, IDC) • 145 000+ applications in Windows Phone Store HackInParis 2013 5
  • 7. HackInParis 2013 - Trusted Computing Base (TCB) Kernel, kernel-mode drivers - Least Privileged Chamber (LPC) All other software: services, pre-installed apps, application from WP store Chambers 7
  • 8. HackInParis 2013 Capabilities System - Debug - SMS API - Live ID - SIM API Etc. Total 350+ WMAppManifest.xml Developers - Network - Camera - NFC - SD card access - Wallet - Speech recognition - Front camera Etc. Total 27 8 OEM Developers - Cell API - Device management Etc. Total 39
  • 9. HackInParis 2013 Sandboxing App1 Chamber App2 Chamber Local folder for App1 Local folder for App2 • File system structure is hidden • Local folder • Former isolated storage • Limited app-to-app communication 9 URI, files
  • 10. HackInParis 2013 • File types associations - LaunchFileAsync() - Reserved: xap, msi, bat, cmd, py, jar etc. • URI associations - LaunchUriAsync() - Reserved: http, tel, wallet, LDAP, rlogin, telnet etc. - Proximity communication using NFC App-to-app communication 10
  • 11. HackInParis 2013 Local folder Local Folder Settings Storage Files Database File Storage Directory Physical File Storage 11
  • 12. Application protection • All binaries are signed • Application file is signed – Kind of checksum file is put into applications • Certificate pinning for Store • XAP file has DRM key HackInParis 2013 12
  • 13. The Microsoft PlayReady Ecosystem HackInParis 2013 13
  • 14. XAP file protection • Before august 2012 – ZIP archive – Sign • After august 2012 – New file format – PlayReady Header – AESCTR algorithm HackInParis 2013 14
  • 15. FIRST STEPS IN WINDOWS PHONE 8
  • 16. Windows 8 vs Windows Phone 8 • WP8 is migrating from the WinCE core to the WinNT core • Win8/emulator (x86) • WinRT/device (ARM) HackInParis 2013 16 http://intrepidusgroup.com/insight/2012/12/windows-phone-8-and-windows-8-similarity/
  • 17. WP8 emulator • Hyper-V images – %ProgramFiles(x86)%Microsoft SDKs Windows Phonev8.0EmulationImages • Emulator vs. Device – x86 – Fake binaries • FakeLed.sys, Fakevibra.sys, FakeModem.dll etc. – Different user-agent – Prohibited to install apps from the Store HackInParis 2013 17
  • 18. WP8 device • Windows Phone 8 has standardized bootloader – Full flash images are available • ImgMount tool – FFU Image file as a virtual hard drive HackInParis 2013 18
  • 19. Reversing WP8 internals • No debug symbols • Tip: restore information from Event Tracing for Windows (ETW) • Use IDAPython HackInParis 2013 *InstallerWorker.exe 19
  • 20. Windows API calls • Full Windows API is not available by default • Originally posted on XDA for WindowsRT apps – Find kernerbase.dll address (“MZ”) -> Get “LoadLibraryA” and “GetProcAddress” functions -> call any function you want – http://bit.ly/Uw2Gk6 • Works for Windows Phone 8 HackInParis 2013 20
  • 22. HackInParis 2013 Applications Developer Platform (XAML, XNA, Device services) .NET Framework (CoreCLR) WP8 OS, Win8 based 22 .NET and CLR
  • 24. • Microsoft • OEM – XAP files are not encrypted (~ZIP) – C:PROGRAMSCommonFilesXaps • Windows Phone Store apps – C:DataPrograms{ProductID}Install • Company applications – XAP files are not encrypted (~ZIP) – Company hubs • Developer applications – Need developer unlock HackInParis 2013 24 Application kinds
  • 25. HackInParis 2013 • Application assemblies (in various formats) • Resources • AppManifest.xaml • WMAppManifest.xml 25 Application file structure
  • 27. Security?! “One of the goals of the Windows Phone app platform is to foster the creation of apps that are secure by design and secure by default.” Security for Windows Phone HackInParis 2013 27
  • 28. Application entry points • User input • SD card • Sockets • URI HackInParis 2013 28 • Web • Bluetooth • NFC • Speech2Text Green – Windows Phone 7 White – Windows Phone 8
  • 29. Vulnerabilities HackInParis 2013 Windows Phone 8 (C#/VB/C/C++) iOS (Objective-C) Android (Java) Note: Main programming languages in brackets Platform independent vulnerabilities Platform specific vulnerabilities 29
  • 30. Work with SD card • WP8 allows only read operations • Only registered file types • Files on SD cards are not encrypted HackInParis 2013 OS Details iOS Work with SD card is absent Android READ/WRITE 30
  • 31. Privacy • Device Unique ID – Requires ID_CAP_IDENTITY_DEVICE – DeviceExtendedProperties.GetValue(“DeviceUniqueId”) • Windows Live Anonymous ID – Requires ID_CAP_IDENTITY_USER – UserExtendedProperties.GetValue(“ANID2”) • Both identifiers are per-publisher HackInParis 2013 OS Details iOS UDID (apps that use UDIDs are no longer accepted, from May 1, 2013) Android telephonyManager.getDeviceId() 31
  • 32. Privacy, part 2 • Device name, manufacturer, firmware versions – Requires ID_CAP_IDENTITY_DEVICE – DeviceStatus class • Location tracking – ID_CAP_LOCATION – GeoCoordinateWatcher class HackInParis 2013 32 OS Details iOS UDID (apps that use UDIDs are no longer accepted, from May 1, 2013) Android telephonyManager.getDeviceId()
  • 33. Secure storage • Device can be encrypted (not for all countries) – BitLocker 2.0/TPM – Available only in business settings • Data Protection API (DPAPI) • System.Security.Cryptography • Algorithms: AES, HMACSHA1, HMACSHA256, Rfc2898DeriveBytes, RSA, SHA1, SHA256 HackInParis 2013 OS Details iOS Keychain, /System/Library/Frameworks/Security.framework Android android.security.KeyChain (from 4.0) 33
  • 34. Data leak • Keyboard cache is isolated per-application • Cache for applications that access internet – Controlled by OS HackInParis 2013 OS Details iOS plist, Custom created documents, Preferences, Logs, Cache data, Keyboard cache, Pasteboard cache, Cookies Android shared_preference, logs, external storage, MODE_WORLD_READABLE or MODE_WORLD_WRITETABLE 34
  • 35. Work with URI • Handling function: MapUri() • Filter user input • Exclude critical arguments from URI – Ex.: prgrm://command?request=data&role=admin HackInParis 2013 OS Details iOS openURL(), handleOpenURL() Android android.net.Uri class 35
  • 36. Cross-site scripting (XSS) • WebBrowser control (based on IE10) • JavaScript is disabled by default • To see if enabled: – WebBrowser.IsScriptEnabled = true – <WebBrowser IsScriptEnabled = “True” /> HackInParis 2013 OS Details iOS UIWebView Class + stringByEvaluatingJavaScriptFromString() shouldStartLoadWithRequest() Android WebView.getSettings().setJavaScriptEnabled(); WebView.getSettings().setPluginsEnabled(); 36
  • 37. Directory traversal • Local folder API accepts paths with traversal – IsolatedStorageFile class (WP7) – StorageFolder class • Win32 storage API HackInParis 2013 OS Details iOS contentsAtPath, fileHandleForReadingAtPath, _fopen etc. Android ContentProvider + incorrect or missing rights, files functions 37
  • 38. XML External Entity (XXE) • System.Xml namespace – Entity resolving is prohibited by default • Entities can be resolved by using custom XmlResolver for XmlDocument HackInParis 2013 OS Details iOS libXML2 + _xmlParseMemory, NSXMLParser + setShouldResolveExternalEntities:YES Android setFeature(external-general-entities, True) 38
  • 39. SQL injection • Bad: • Good: HackInParis 2013 OS Details iOS sqlite3_exec() Android query(), rawQuery() 39
  • 40. Memory corruption bugs • Developers can use native code • Format string, BoF, use-after-free etc. – С/C++ functions • Compilation flags: /sdl, /GS, /DYNAMICBASE, /NXCOMPAT HackInParis 2013 OS Details iOS –fPIE, –fstack-protector-all, -fobjc-arc Android Only in native libs, -fstack-protector, -Wformat-security, NX, ASLR, PIE
  • 42. HackInParis 2013 • Windows Phone 8 is pretty secure • Greater attack surface • Security-related API • More flexible than in iOS • More simple than in Android Conclusion 42
  • 43. Q&A Dmitry ‘D1g1’ Evdokimov d.evdokimov@erpscan.com @evdokimovds Andrey Chasovskikh http://andreycha.info @andreycha HackInParis 2013 43

Editor's Notes

  1. Also we can learn the system in dynamic.By default, developer can use limited subset of Win32 API functions. But we can use old technic for calling arbitrary functions.Make any allowed call from kernelbase.dll and find dll address by ‘MZ’ signature. Parse import table and find LoadLibraryA and GetProcAddress functions. Now you can load libraries and call any functions you want.This technic was used in WindowsRT, where developers also can’t use Win32 API entirely. We checked it for Windows Phone 8 – and it also works. For example, you can read content of Windows folder.