Inspection of Windows Phone applications
Upcoming SlideShare
Loading in...5

Inspection of Windows Phone applications






Total Views
Views on SlideShare
Embed Views



1 Embed 1 1



Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment

Inspection of Windows Phone applications Inspection of Windows Phone applications Presentation Transcript

  • Inspection of Windows Phone applicationsDmitriy EvdokimovAndrey Chasovskikh
  • About usDmitriy ‘D1g1’ Evdokimov - Security researcher at ERPScan - Editor of Russian hacking magazine - DEFCON Russia (DCG #7812) organizerAndrey Chasovskikh - Software developer - Windows Phone addict 2
  • Agenda- Windows Phone intro- Security model- All about applications- Not all applications are secure- Tools overview- Deep dive: finding vulnerabilities- Conclusion 3
  • History of Windows Phone - The successor to the Windows Mobile OS - 15 Mar 2010 – Windows Phone 7 series announced - 21 Oct 2010 – Windows Phone 7 released - 29 Oct 2012 – Windows Phone 8 released WP7 WP7.5 Mango WP8 WP7 NoDo WP7.5 Tango version time21 Oct 2011 27 Sep 2011 29 Oct 2012 5
  • Market share Source: Gartner, November 2012 6
  • Windows Phone Store- 125 000+ applications- Casual apps, social networks, mobile banking, enterprise applications etc. 7
  • Chamber concept, WP7- Trusted Computing Base (TCB) Kernel, kernel-mode drivers- Elevated Rights Chamber (ERC) Services, user-mode drivers- Standard Rights Chamber (SRC) Pre-installed applications- Least Privileged Chamber (LPC) Applications from WP store 9
  • Chamber concept, WP8- Trusted Computing Base (TCB) Kernel, kernel-mode drivers- Least Privileged Chamber (LPC) All other software: services, pre-installed apps, application from WP store 10
  • Capabilities WMAppManifest.xml Windows Phone 7 Windows Phone 8 Undocumented- Camera - All WP7 capabilities - Native code- Contacts - NFC - SMS API- Location services - SD card access - Access to user- Owner/phone identity - Wallet properties- Network services - Speech recognition - SIM APIEtc. - Front camera Etc. Etc. 11
  • Sandboxing concept- No app communication in WP7- Limited app-to-app in WP8- File system structure is Isolated chamber Isolated chamberhidden App1 App2- Isolated storages Isolated storage Isolated storage for App1 for App2 12
  • App-to-App, WP8- File associations - LaunchFileAsync() - Reserved: xap, msi, bat, cmd, py, jar etc- URI associations - LaunchUriAsync() - Reserved: http, tel, wallet, LDAP, rlogin, telnet etc - Proximity communication using NFC 13
  • Isolated Storage Physical File Storage Isolated Storage Isolated Settings Storage Isolated File Storage Files Directory Database 14
  • Signing- Store applications are signed in WP7- All binaries get signed since WP8- Application file get signed - Kind of checksum file is put into applications- Applications XAP files have undocumented format (since Aug 2012) 15
  • .NET and CLR, WP7 Applications Developer Platform (XAML, XNA, Device services).NET Compact Framework (BCL + Silverlight flavor) WP7 OS, WinCE based 17
  • Framework??? 18
  • .NET and CLR, WP8 ApplicationsDeveloper Platform (XAML, XNA, Device services) .NET Framework (CoreCLR) WP8 OS, Win8 based 19
  • Framework 20
  • Application file structure- Application assemblies- Resources- AppManifest.xaml- WMAppManifest.xml- WMInteropManifest.xml** — optional for WP7, absent in WP8 21
  • Submission and certification .xap XAP FileApp Creation App Submission Validation Source code Adding Metadata Publication in Certification Signing Marketplace Testing 22
  • Applications on a deviceWP7:Applications Install<ProductID>Install - Content from XAP - WMAppPRHeader.xml (package signature) Data<ProductID>DataIsolatedStorageSame idea in WP8, i.e. install path:C:DataPrograms<ProductID>Install 23
  • Security assessmentApp Server Data channelApp Device/Emulator 25
  • Mobile applications security assessmentPrepare environment - Get app (unpack/decrypt) - Configuration device/emulatorStatic analysis - Properties of program compilation - Metadata analysis - Code analysisDynamic analysis - How application works with file system/network - Runtime code analysis 26
  • OWASP Top 10 Mobile Risks1. Insecure Data Storage2. Weak Server Side Controls3. Insufficient Transport Layer Protection4. Client Side Injection5. Poor Authorization and Authentication6. Improper Session Handling7. Security Decisions Via Untrusted Inputs8. Side Channel Data Leakage9. Broken Cryptography10. Sensitive Information Disclosure 27
  • WP vs. Android vs. iOS vulnerabilities WP7 (C#/VB) iOS WP8 (C#/VB/C/C++) (Objective-C) Platform independent vulnerabilities Platform specific vulnerabilities Android (Java)Note: Main programming languages in brackets 28
  • Arsenal- Device - Full unlock- Emulator- Windows Phone Device Manager- Network proxy: Burp Suite, Charles etc.- .NET tools: .Net Reflector, ILSpy etc.- IDA Pro- RAIN, Boyan Balkanski- Windows Phone App Analyzer, David Rook- XAPSpy, Behrang Fouladi - XapSpyAnalysis, David Rook 30
  • Main issueStatic analysis is insufficient.Lack of dynamic analysis tools: • IDE allows debugging with source code only • No programmable debugging interface • Managed code Solution: static byte code instrumentation. 31
  • Tangerine 32
  • Automates routine with XAP files- Unpacking- Removing application signature- Resigning assemblies- Packing- Deploying 33
  • Static analysis- Application info- Application capabilities- Code analysis - Code structure analysis - API usage analysis - View IL code 34
  • Dynamic analysis- Log application stack trace - Method names - Method parameters - Return values- Run custom code - On method enter - Replace method - On method exit - Change parameters values 35
  • DEMO
  • How it works(1) Changing CIL code(2) Emulator console (writing/reading) Target Add Instrumented Resign and Emulator application hooks (1) application deploy Instrumented application Repeat Log data (2) Hooked Tangerine log Emulator console output (2) 38
  • CIL Instrumentation 39
  • Limitations- Emulator only- Does not help to overcome obfuscated code- Does not work with system assemblies- Applications from store need to be decrypted- Windows Phone 7 only 40
  • Cloud Compilation, WP8 CloudC# Source CIL MDIL MDIL Code C# Compiler Assembly Assembly Compiler Download Device Native Native Image MDIL Run DLL Assembly Generator 41
  • MDIL in workR0 = thisR1 = aR0 + 0x10 = j, where j is a field from base class 42
  • MDILDump 43
  • Future work- Support Windows Phone 8 applications - MDIL instrumentation - Windows Phone RT- Add new features - Code graphical representation - Data flow analysis- Fix bugs ;) 44
  • Conclusion- Greater attack surface in WP8 - App-to-App - Applications that use native code - New technologies- Logical bugs never die 46
  • Thanks- Evgeny Bechkalo- DSecRG team 47
  • Q&ADmitry Evdokimov @evdokimovdsAndrey Chasovskikh @andreychaTangerine: