Windows Phone 8 application security
Upcoming SlideShare
Loading in...5
×
 

Like this? Share it with your network

Share

Windows Phone 8 application security

on

  • 3,936 views

 

Statistics

Views

Total Views
3,936
Views on SlideShare
3,018
Embed Views
918

Actions

Likes
0
Downloads
50
Comments
0

7 Embeds 918

http://localhost 428
http://talks.codeblau.de 332
http://www.codeblau.de 72
http://127.0.0.1 43
https://twitter.com 39
http://tweetedtimes.com 2
http://translate.googleusercontent.com 2
More...

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment
  • Also we can learn the system in dynamic.By default, developer can use limited subset of Win32 API functions. But we can use old technic for calling arbitrary functions.Make any allowed call from kernelbase.dll and find dll address by ‘MZ’ signature. Parse import table and find LoadLibraryA and GetProcAddress functions. Now you can load libraries and call any functions you want.This technic was used in WindowsRT, where developers also can’t use Win32 API entirely. We checked it for Windows Phone 8 – and it also works. For example, you can read content of Windows folder.

Windows Phone 8 application security Presentation Transcript

  • 1. WINDOWS PHONE 8APPLICATION SECURITYHackInParis 2013Dmitriy EvdokimovAndrey Chasovskikh
  • 2. About usDmitriy ‘D1g1’ Evdokimov- Security researcher at ERPScan- Mobile security, RE, fuzzing, exploit dev etc.- Editor of Russian hacking magazine- DEFCON Russia (DCG #7812) co-organizerAndrey Chasovskikh- Software developer- Windows Phone addictHackInParis 20132
  • 3. HackInParis 2013• Intro• Security model• First steps in Windows Phone 8• Applications• Application security• Conclusion3Agenda
  • 4. INTRO
  • 5. Intro• 29 Oct 2012 – Windows Phone 8 released• Based on Windows 8 core– ARM architecture• Market share: 3,2% (Q1 2013, IDC)• 145 000+ applications in Windows Phone StoreHackInParis 20135
  • 6. SECURITY MODEL
  • 7. HackInParis 2013- Trusted Computing Base (TCB)Kernel, kernel-mode drivers- Least Privileged Chamber (LPC)All other software: services,pre-installed apps,application from WP storeChambers7
  • 8. HackInParis 2013CapabilitiesSystem- Debug- SMS API- Live ID- SIM APIEtc.Total 350+WMAppManifest.xmlDevelopers- Network- Camera- NFC- SD card access- Wallet- Speech recognition- Front cameraEtc.Total 278OEM Developers- Cell API- Device managementEtc.Total 39
  • 9. HackInParis 2013SandboxingApp1ChamberApp2ChamberLocal folderfor App1Local folderfor App2• File system structure is hidden• Local folder• Former isolated storage• Limited app-to-appcommunication9URI, files
  • 10. HackInParis 2013• File types associations- LaunchFileAsync()- Reserved: xap, msi, bat, cmd, py, jar etc.• URI associations- LaunchUriAsync()- Reserved: http, tel, wallet, LDAP, rlogin, telnet etc.- Proximity communication using NFCApp-to-app communication10
  • 11. HackInParis 2013Local folderLocal FolderSettings StorageFilesDatabaseFile StorageDirectoryPhysical File Storage11
  • 12. Application protection• All binaries are signed• Application file is signed– Kind of checksum file is put into applications• Certificate pinning for Store• XAP file has DRM keyHackInParis 201312
  • 13. The Microsoft PlayReady EcosystemHackInParis 201313
  • 14. XAP file protection• Before august 2012– ZIP archive– Sign• After august 2012– New file format– PlayReady Header– AESCTR algorithmHackInParis 201314
  • 15. FIRST STEPS IN WINDOWS PHONE 8
  • 16. Windows 8 vs Windows Phone 8• WP8 is migrating from the WinCE core to theWinNT core• Win8/emulator (x86)• WinRT/device (ARM)HackInParis 201316http://intrepidusgroup.com/insight/2012/12/windows-phone-8-and-windows-8-similarity/
  • 17. WP8 emulator• Hyper-V images– %ProgramFiles(x86)%Microsoft SDKsWindows Phonev8.0EmulationImages• Emulator vs. Device– x86– Fake binaries• FakeLed.sys, Fakevibra.sys, FakeModem.dll etc.– Different user-agent– Prohibited to install apps from the StoreHackInParis 201317
  • 18. WP8 device• Windows Phone 8 has standardizedbootloader– Full flash images are available• ImgMount tool– FFU Image file as a virtual hard driveHackInParis 201318
  • 19. Reversing WP8 internals• No debug symbols• Tip: restore information from Event Tracing forWindows (ETW)• Use IDAPythonHackInParis 2013*InstallerWorker.exe19
  • 20. Windows API calls• Full Windows API is not available by default• Originally posted on XDA for WindowsRT apps– Find kernerbase.dll address (“MZ”) -> Get“LoadLibraryA” and “GetProcAddress” functions ->call any function you want– http://bit.ly/Uw2Gk6• Works for Windows Phone 8HackInParis 201320
  • 21. APPLICATIONS
  • 22. HackInParis 2013ApplicationsDeveloper Platform (XAML, XNA, Device services).NET Framework (CoreCLR)WP8 OS, Win8 based22.NET and CLR
  • 23. HackInParis 201323Frameworks
  • 24. • Microsoft• OEM– XAP files are not encrypted (~ZIP)– C:PROGRAMSCommonFilesXaps• Windows Phone Store apps– C:DataPrograms{ProductID}Install• Company applications– XAP files are not encrypted (~ZIP)– Company hubs• Developer applications– Need developer unlockHackInParis 201324Application kinds
  • 25. HackInParis 2013• Application assemblies(in various formats)• Resources• AppManifest.xaml• WMAppManifest.xml25Application file structure
  • 26. APPLICATION SECURITY
  • 27. Security?!“One of the goals of the Windows Phone appplatform is to foster the creation of apps thatare secure by design and secure by default.”Security for Windows PhoneHackInParis 201327
  • 28. Application entry points• User input• SD card• Sockets• URIHackInParis 201328• Web• Bluetooth• NFC• Speech2TextGreen – Windows Phone 7White – Windows Phone 8
  • 29. VulnerabilitiesHackInParis 2013Windows Phone 8(C#/VB/C/C++)iOS(Objective-C)Android(Java)Note: Main programming languages in bracketsPlatform independentvulnerabilitiesPlatform specificvulnerabilities29
  • 30. Work with SD card• WP8 allows only read operations• Only registered file types• Files on SD cards are not encryptedHackInParis 2013OS DetailsiOS Work with SD card is absentAndroid READ/WRITE30
  • 31. Privacy• Device Unique ID– Requires ID_CAP_IDENTITY_DEVICE– DeviceExtendedProperties.GetValue(“DeviceUniqueId”)• Windows Live Anonymous ID– Requires ID_CAP_IDENTITY_USER– UserExtendedProperties.GetValue(“ANID2”)• Both identifiers are per-publisherHackInParis 2013OS DetailsiOS UDID (apps that use UDIDs are no longer accepted, from May 1, 2013)Android telephonyManager.getDeviceId()31
  • 32. Privacy, part 2• Device name, manufacturer, firmware versions– Requires ID_CAP_IDENTITY_DEVICE– DeviceStatus class• Location tracking– ID_CAP_LOCATION– GeoCoordinateWatcher classHackInParis 201332OS DetailsiOS UDID (apps that use UDIDs are no longer accepted, from May 1, 2013)Android telephonyManager.getDeviceId()
  • 33. Secure storage• Device can be encrypted (not for all countries)– BitLocker 2.0/TPM– Available only in business settings• Data Protection API (DPAPI)• System.Security.Cryptography• Algorithms: AES, HMACSHA1, HMACSHA256,Rfc2898DeriveBytes, RSA, SHA1, SHA256HackInParis 2013OS DetailsiOS Keychain, /System/Library/Frameworks/Security.frameworkAndroid android.security.KeyChain (from 4.0)33
  • 34. Data leak• Keyboard cache is isolated per-application• Cache for applications that access internet– Controlled by OSHackInParis 2013OS DetailsiOS plist, Custom created documents, Preferences, Logs, Cache data,Keyboard cache, Pasteboard cache, CookiesAndroid shared_preference, logs, external storage, MODE_WORLD_READABLEor MODE_WORLD_WRITETABLE34
  • 35. Work with URI• Handling function: MapUri()• Filter user input• Exclude critical arguments from URI– Ex.: prgrm://command?request=data&role=adminHackInParis 2013OS DetailsiOS openURL(), handleOpenURL()Android android.net.Uri class35
  • 36. Cross-site scripting (XSS)• WebBrowser control (based on IE10)• JavaScript is disabled by default• To see if enabled:– WebBrowser.IsScriptEnabled = true– <WebBrowser IsScriptEnabled = “True” />HackInParis 2013OS DetailsiOS UIWebView Class + stringByEvaluatingJavaScriptFromString()shouldStartLoadWithRequest()Android WebView.getSettings().setJavaScriptEnabled();WebView.getSettings().setPluginsEnabled();36
  • 37. Directory traversal• Local folder API accepts paths with traversal– IsolatedStorageFile class (WP7)– StorageFolder class• Win32 storage APIHackInParis 2013OS DetailsiOS contentsAtPath, fileHandleForReadingAtPath, _fopen etc.Android ContentProvider + incorrect or missing rights, files functions37
  • 38. XML External Entity (XXE)• System.Xml namespace– Entity resolving is prohibited by default• Entities can be resolved by using customXmlResolver for XmlDocumentHackInParis 2013OS DetailsiOS libXML2 + _xmlParseMemory,NSXMLParser + setShouldResolveExternalEntities:YESAndroid setFeature(external-general-entities, True)38
  • 39. SQL injection• Bad:• Good:HackInParis 2013OS DetailsiOS sqlite3_exec()Android query(), rawQuery()39
  • 40. Memory corruption bugs• Developers can use native code• Format string, BoF, use-after-free etc.– С/C++ functions• Compilation flags: /sdl, /GS, /DYNAMICBASE,/NXCOMPATHackInParis 2013OS DetailsiOS –fPIE, –fstack-protector-all, -fobjc-arcAndroid Only in native libs, -fstack-protector, -Wformat-security, NX, ASLR, PIE
  • 41. CONCLUSION
  • 42. HackInParis 2013• Windows Phone 8 is pretty secure• Greater attack surface• Security-related API• More flexible than in iOS• More simple than in AndroidConclusion42
  • 43. Q&ADmitry ‘D1g1’ Evdokimovd.evdokimov@erpscan.com@evdokimovdsAndrey Chasovskikhhttp://andreycha.info@andreychaHackInParis 201343