Windows Phone 8 application security


Published on

1 Like
  • Be the first to comment

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • Also we can learn the system in dynamic.By default, developer can use limited subset of Win32 API functions. But we can use old technic for calling arbitrary functions.Make any allowed call from kernelbase.dll and find dll address by ‘MZ’ signature. Parse import table and find LoadLibraryA and GetProcAddress functions. Now you can load libraries and call any functions you want.This technic was used in WindowsRT, where developers also can’t use Win32 API entirely. We checked it for Windows Phone 8 – and it also works. For example, you can read content of Windows folder.
  • Windows Phone 8 application security

    1. 1. WINDOWS PHONE 8APPLICATION SECURITYHackInParis 2013Dmitriy EvdokimovAndrey Chasovskikh
    2. 2. About usDmitriy ‘D1g1’ Evdokimov- Security researcher at ERPScan- Mobile security, RE, fuzzing, exploit dev etc.- Editor of Russian hacking magazine- DEFCON Russia (DCG #7812) co-organizerAndrey Chasovskikh- Software developer- Windows Phone addictHackInParis 20132
    3. 3. HackInParis 2013• Intro• Security model• First steps in Windows Phone 8• Applications• Application security• Conclusion3Agenda
    4. 4. INTRO
    5. 5. Intro• 29 Oct 2012 – Windows Phone 8 released• Based on Windows 8 core– ARM architecture• Market share: 3,2% (Q1 2013, IDC)• 145 000+ applications in Windows Phone StoreHackInParis 20135
    7. 7. HackInParis 2013- Trusted Computing Base (TCB)Kernel, kernel-mode drivers- Least Privileged Chamber (LPC)All other software: services,pre-installed apps,application from WP storeChambers7
    8. 8. HackInParis 2013CapabilitiesSystem- Debug- SMS API- Live ID- SIM APIEtc.Total 350+WMAppManifest.xmlDevelopers- Network- Camera- NFC- SD card access- Wallet- Speech recognition- Front cameraEtc.Total 278OEM Developers- Cell API- Device managementEtc.Total 39
    9. 9. HackInParis 2013SandboxingApp1ChamberApp2ChamberLocal folderfor App1Local folderfor App2• File system structure is hidden• Local folder• Former isolated storage• Limited app-to-appcommunication9URI, files
    10. 10. HackInParis 2013• File types associations- LaunchFileAsync()- Reserved: xap, msi, bat, cmd, py, jar etc.• URI associations- LaunchUriAsync()- Reserved: http, tel, wallet, LDAP, rlogin, telnet etc.- Proximity communication using NFCApp-to-app communication10
    11. 11. HackInParis 2013Local folderLocal FolderSettings StorageFilesDatabaseFile StorageDirectoryPhysical File Storage11
    12. 12. Application protection• All binaries are signed• Application file is signed– Kind of checksum file is put into applications• Certificate pinning for Store• XAP file has DRM keyHackInParis 201312
    13. 13. The Microsoft PlayReady EcosystemHackInParis 201313
    14. 14. XAP file protection• Before august 2012– ZIP archive– Sign• After august 2012– New file format– PlayReady Header– AESCTR algorithmHackInParis 201314
    16. 16. Windows 8 vs Windows Phone 8• WP8 is migrating from the WinCE core to theWinNT core• Win8/emulator (x86)• WinRT/device (ARM)HackInParis 201316
    17. 17. WP8 emulator• Hyper-V images– %ProgramFiles(x86)%Microsoft SDKsWindows Phonev8.0EmulationImages• Emulator vs. Device– x86– Fake binaries• FakeLed.sys, Fakevibra.sys, FakeModem.dll etc.– Different user-agent– Prohibited to install apps from the StoreHackInParis 201317
    18. 18. WP8 device• Windows Phone 8 has standardizedbootloader– Full flash images are available• ImgMount tool– FFU Image file as a virtual hard driveHackInParis 201318
    19. 19. Reversing WP8 internals• No debug symbols• Tip: restore information from Event Tracing forWindows (ETW)• Use IDAPythonHackInParis 2013*InstallerWorker.exe19
    20. 20. Windows API calls• Full Windows API is not available by default• Originally posted on XDA for WindowsRT apps– Find kernerbase.dll address (“MZ”) -> Get“LoadLibraryA” and “GetProcAddress” functions ->call any function you want–• Works for Windows Phone 8HackInParis 201320
    21. 21. APPLICATIONS
    22. 22. HackInParis 2013ApplicationsDeveloper Platform (XAML, XNA, Device services).NET Framework (CoreCLR)WP8 OS, Win8 based22.NET and CLR
    23. 23. HackInParis 201323Frameworks
    24. 24. • Microsoft• OEM– XAP files are not encrypted (~ZIP)– C:PROGRAMSCommonFilesXaps• Windows Phone Store apps– C:DataPrograms{ProductID}Install• Company applications– XAP files are not encrypted (~ZIP)– Company hubs• Developer applications– Need developer unlockHackInParis 201324Application kinds
    25. 25. HackInParis 2013• Application assemblies(in various formats)• Resources• AppManifest.xaml• WMAppManifest.xml25Application file structure
    27. 27. Security?!“One of the goals of the Windows Phone appplatform is to foster the creation of apps thatare secure by design and secure by default.”Security for Windows PhoneHackInParis 201327
    28. 28. Application entry points• User input• SD card• Sockets• URIHackInParis 201328• Web• Bluetooth• NFC• Speech2TextGreen – Windows Phone 7White – Windows Phone 8
    29. 29. VulnerabilitiesHackInParis 2013Windows Phone 8(C#/VB/C/C++)iOS(Objective-C)Android(Java)Note: Main programming languages in bracketsPlatform independentvulnerabilitiesPlatform specificvulnerabilities29
    30. 30. Work with SD card• WP8 allows only read operations• Only registered file types• Files on SD cards are not encryptedHackInParis 2013OS DetailsiOS Work with SD card is absentAndroid READ/WRITE30
    31. 31. Privacy• Device Unique ID– Requires ID_CAP_IDENTITY_DEVICE– DeviceExtendedProperties.GetValue(“DeviceUniqueId”)• Windows Live Anonymous ID– Requires ID_CAP_IDENTITY_USER– UserExtendedProperties.GetValue(“ANID2”)• Both identifiers are per-publisherHackInParis 2013OS DetailsiOS UDID (apps that use UDIDs are no longer accepted, from May 1, 2013)Android telephonyManager.getDeviceId()31
    32. 32. Privacy, part 2• Device name, manufacturer, firmware versions– Requires ID_CAP_IDENTITY_DEVICE– DeviceStatus class• Location tracking– ID_CAP_LOCATION– GeoCoordinateWatcher classHackInParis 201332OS DetailsiOS UDID (apps that use UDIDs are no longer accepted, from May 1, 2013)Android telephonyManager.getDeviceId()
    33. 33. Secure storage• Device can be encrypted (not for all countries)– BitLocker 2.0/TPM– Available only in business settings• Data Protection API (DPAPI)• System.Security.Cryptography• Algorithms: AES, HMACSHA1, HMACSHA256,Rfc2898DeriveBytes, RSA, SHA1, SHA256HackInParis 2013OS DetailsiOS Keychain, /System/Library/Frameworks/Security.frameworkAndroid (from 4.0)33
    34. 34. Data leak• Keyboard cache is isolated per-application• Cache for applications that access internet– Controlled by OSHackInParis 2013OS DetailsiOS plist, Custom created documents, Preferences, Logs, Cache data,Keyboard cache, Pasteboard cache, CookiesAndroid shared_preference, logs, external storage, MODE_WORLD_READABLEor MODE_WORLD_WRITETABLE34
    35. 35. Work with URI• Handling function: MapUri()• Filter user input• Exclude critical arguments from URI– Ex.: prgrm://command?request=data&role=adminHackInParis 2013OS DetailsiOS openURL(), handleOpenURL()Android class35
    36. 36. Cross-site scripting (XSS)• WebBrowser control (based on IE10)• JavaScript is disabled by default• To see if enabled:– WebBrowser.IsScriptEnabled = true– <WebBrowser IsScriptEnabled = “True” />HackInParis 2013OS DetailsiOS UIWebView Class + stringByEvaluatingJavaScriptFromString()shouldStartLoadWithRequest()Android WebView.getSettings().setJavaScriptEnabled();WebView.getSettings().setPluginsEnabled();36
    37. 37. Directory traversal• Local folder API accepts paths with traversal– IsolatedStorageFile class (WP7)– StorageFolder class• Win32 storage APIHackInParis 2013OS DetailsiOS contentsAtPath, fileHandleForReadingAtPath, _fopen etc.Android ContentProvider + incorrect or missing rights, files functions37
    38. 38. XML External Entity (XXE)• System.Xml namespace– Entity resolving is prohibited by default• Entities can be resolved by using customXmlResolver for XmlDocumentHackInParis 2013OS DetailsiOS libXML2 + _xmlParseMemory,NSXMLParser + setShouldResolveExternalEntities:YESAndroid setFeature(external-general-entities, True)38
    39. 39. SQL injection• Bad:• Good:HackInParis 2013OS DetailsiOS sqlite3_exec()Android query(), rawQuery()39
    40. 40. Memory corruption bugs• Developers can use native code• Format string, BoF, use-after-free etc.– С/C++ functions• Compilation flags: /sdl, /GS, /DYNAMICBASE,/NXCOMPATHackInParis 2013OS DetailsiOS –fPIE, –fstack-protector-all, -fobjc-arcAndroid Only in native libs, -fstack-protector, -Wformat-security, NX, ASLR, PIE
    41. 41. CONCLUSION
    42. 42. HackInParis 2013• Windows Phone 8 is pretty secure• Greater attack surface• Security-related API• More flexible than in iOS• More simple than in AndroidConclusion42
    43. 43. Q&ADmitry ‘D1g1’ Chasovskikh 201343
    1. A particular slide catching your eye?

      Clipping is a handy way to collect important slides you want to go back to later.