Owasp App Sec Ireland Windows Phone 7 Security
Transcript

  • 1. Windows Phone 7 Security
      • David Rook
      • OWASP AppSec Ireland
      • Friday, 7 September 2012
  • 2. if (slide == introduction) System.out.println("I’m David Rook");
      • Application Security Lead, Realex Payments, Dublin; CISSP, CISA, GCIH and many other acronyms
      • Security Ninja (@securityninja)
      • Speaker at developer and security conferences
      • Microsoft Developer Security MVP
      • SC Magazine Information Security Rising Star 2012
      • Developed and released Agnitio and the WPAA
  • 3. Agenda
      • Smartphones and apps - big numbers, little security?
      • Windows Phone 7 introduction
      • Windows Phone 7 platform security
      • Windows Phone 7 application security
  • 4. Mobile device sales 2011
      • Smartphones: 472 million (31%)
      • Mobile: 1.3 billion (69%)
      • Source: http://www.gartner.com/it/page.jsp?id=1924314
  • 5. Smartphone OS market share 2011
      • Android 51%
      • iOS 24%
      • Symbian 12%
      • RIM 9%
      • Microsoft 2%
      • Source: http://www.gartner.com/it/page.jsp?id=2120015
  • 6. Smartphone OS market share 2011
      • Microsoft has 1.9% of the smartphone market share
      • Smaller market share than something called Bada
  • 7. Smartphone OS market share 2011
  • 8. Smartphone OS market share 2011
      • Microsoft has 1.9% of the smartphone market share
      • Smaller market share than something called Bada
      • Should I even continue with this talk about Windows Phone 7?
      • Similar approach to Android with many devices available
  • 9. Smartphone OS market share 2011
  • 10. Smartphone OS market share 2011
      • Microsoft has 1.9% of the smartphone market share
      • Smaller market share than something called Bada
      • Should I even continue with this talk about Windows Phone 7?
      • Similar approach to Android with many devices available
      • IDC predict that they will have 20% market share by 2015
  • 11. Smartphone OS market share 2011
  • 12. Smartphone OS market share 2011
      • Microsoft has 1.9% of the smartphone market share
      • Smaller market share than something called Bada
      • Should I even continue with this talk about Windows Phone 7?
      • Similar approach to Android with many devices available
      • IDC predict that it will have 20% market share by 2015
      • 20% is unlikely but its market share will increase in my opinion
  • 13. Smartphone OS market share 2011
  • 14. Windows Phone 7 Introduction
      • The smartphone from Microsoft
      • First released in late 2010 with 7 updates since then
      • Based on Windows Embedded Compact v6 and v7
      • Minimum “tough but fair” hardware requirements
      • Apps only available via the Windows Phone Marketplace
      • Specifically aimed at the consumer market not enterprise
  • 15. Windows Phone 7 Introduction
  • 16. Windows Phone 7 Introduction
      • .NET Compact Framework
      • Version of the .NET framework for resource constrained devices
      • Some of the same classes and some mobile specific ones
      • Compiler translates your code into Intermediate Language
      • Apps are JIT compiled and executed by the .NET CLR
      • Only managed .NET code allowed in your apps*
  • 17. Windows Phone 7 Introduction
      private void button1_Click(object sender, RoutedEventArgs e)
      {
          MessageBox.Show("Hello OWASP AppSec Ireland!");
      }
      • Diagram: C# Compiler -> Managed Module -> .NET CLR
  • 18. Windows Phone 7 Introduction
      • Windows Phone 7 Kernel Architecture
      • 32bit OS that runs inside a 4GB virtual address space
      • 2GB allocated to the kernel and 2GB to process executing
      • That isn’t quite true, the process executing only gets 1GB
      • 1GB is for components commonly mapped into all processes
  • 19. Windows Phone 7 Introduction
      • Windows Phone 7 Kernel Architecture (diagram)
      • User Space: APPLICATIONS; TELSHELL.EXE, UDEVICES.EXE, SERVICESD.EXE, CPROG.EXE; COREDLL/WINSOCK/COMMCRL/WININET
      • Kernel Space: kCoreDLL.DLL, KERNEL.DLL, FILESYS.DLL, Device.DLL, GWES, Network, OAL.EXE, FSDMGR.DLL, Drivers
      • Hardware
  • 20. Windows Phone 7 Introduction
      • Process Space (2GB): Process Code, User DLLs, Memory Mapped Files
      • Kernel Space (2GB): GWES, Drivers, File System, Kernel
  • 21. Windows Phone 7 Introduction
      • Process Memory (2GB)
      • Common across all processes: Shared System Heap (256MB), RAM Backed Mapfiles (256MB), Shared User DLLs (512MB)
      • Private to each process: Process Space (1GB per process)
  • 22. Windows Phone 7 Platform Security
      • Windows Phone 7 Security Model
      • Chambers concept to enforce app isolation and least privilege
      • The chambers provide a security boundary to restrict the apps
      • Four chambers and apps run in one of them
      • Three chambers have fixed permission sets
      • The fourth chamber is capabilities based
  • 23. Windows Phone 7 Platform Security
      • Fixed permissions: Trusted Computing Base (TCB), Elevated Rights Chamber (ERC), Standard Rights Chamber (SRC)
      • Capabilities based: Least Privileged Chamber (LPC)
  • 24. Windows Phone 7 Platform Security: Trusted Computing Base (TCB)
      • The kernel and kernel-mode drivers run in the TCB chamber
      • Allows processes to have unrestricted access to most resources
      • The TCB chamber can modify policy and enforce the security model
      • Only Microsoft can add signed software to the TCB chamber
  • 25. Windows Phone 7 Platform Security: Elevated Rights Chamber (ERC)
      • User-mode drivers and services run in this chamber
      • Can access all resources except security policy
      • Intended for services and user-mode drivers
      • Only Microsoft can add signed software to the ERC chamber
  • 26. Windows Phone 7 Platform Security: Standard Rights Chamber (SRC)
      • The default chamber for pre-installed MS and OEM applications
      • Apps that do not provide device-wide services run in the SRC
  • 27. Windows Phone 7 Platform Security: Least Privileged Chamber (LPC)
      • The default chamber for all non-Microsoft applications
      • Least Privileged Chambers are configured using capabilities
      • Capabilities are listed in the application’s WMAppManifest.xml file
  • 28. Windows Phone 7 Platform Security
      • Windows Phone 7 Application Capabilities
      • Application capabilities are features that an app uses
      • Apps request permission to access protected APIs during the deployment process
      • Default app manifest file includes a list of all the capabilities*
      • WP7 grants security permissions based on the contents of your WMAppManifest.xml file*
      • Not everything your app does needs a capability defined
  • 29. Windows Phone 7 Platform Security
      • Windows Phone 7 Application Capabilities
      • Capability checks are enforced at runtime
      • Permission set for the app’s LPC is created based on the capabilities
      • Requests for other resources == UnauthorizedAccessException
      • This exception occurs when the access is attempted, not when the app is executed
  • 30. Windows Phone 7 Platform Security
  • 31. Windows Phone 7 Platform Security
      • Windows Phone 7 Capabilities Detection Demo
  • 32. Windows Phone 7 Platform Security
      • Windows Phone 7 Application Signing
      • Apart from developer unlocked devices, apps must be signed
      • Microsoft automatically signs approved apps
      • Apps must have a valid Microsoft signature to be installed
  • 33.
  • 34. Windows Phone 7 Platform Security
      • Windows Phone 7 Application Sandboxing
      • Apps execute within a restricted LPC as we saw earlier
      • Cannot communicate with other apps on the phone
      • Sandboxed apps aren’t allowed to run in the background
      • No access to native code from within the sandbox
      • All I/O operations are restricted to per app Isolated Storage
  • 35. Windows Phone 7 Platform Security
      • Windows Phone 7 Application Isolated Storage
      • Per app Isolated Storage allows apps to keep data “private”
      • Very similar to Isolated Storage in Silverlight
      • No direct access to the file system
      • No access to other apps’ Isolated Storage
      • Three different ways to use your app’s Isolated Storage
  • 36. Windows Phone 7 Platform Security
  • 37. Windows Phone 7 Application Security
      • Windows Phone 7 Application Security
      • Mobile application security introduces almost no new issues
      • Forget about specific vulnerabilities for one minute
      • Think about the root causes of vulnerabilities, I’ll give you a hand
  • 38. Windows Phone 7 Application Security
      • Input Validation
      • Output Validation
      • Error Handling
      • Authentication and Authorisation
      • Secure Storage
      • Secure Communications
      • Session Management
      • Secure Resource Access
      • Auditing and Logging
      • Privacy
  • 39. Windows Phone 7 Application Security
      • Windows Phone 7 Application Security
      • Mobile application security introduces almost no new issues
      • Forget about specific vulnerabilities for one minute
      • Think about the root causes of vulnerabilities, I’ll give you a hand
      • From that list what do you think the top 3 are?
      • My top 3 are:
          • Secure Storage
          • Authentication and Authorisation
          • Secure Resource Access/Privacy
  • 40. Windows Phone 7 Application Security
      • OWASP Top 10 Mobile Risks
      • I compared the OWASP top 10 mobile risks to my list
          • 50% Secure Storage/Secure Communications
          • 20% Authentication and Authorisation
          • 0% Privacy*
  • 41. Windows Phone 7 Application Security
      • OWASP Mobile Controls
      • Lists the mobile app security controls you should implement
      • I compared each control to the list I showed you, guess what?
          • 26% Secure Storage
          • 16% Secure Communications
          • 16% Authentication and Authorisation
          • 16% Secure Resource Access*
  • 42. Windows Phone 7 Application Security
      • My top 3 in the real world
      • Secure Storage: Facebook, Citibank, LinkedIn, Google Wallet
      • A&A: Foodspotting, Google Wallet, Google (multiple apps)
      • SRA/Privacy: Path, Hipster, Ad Libraries
      • This doesn’t mean we can ignore all of the other issues
  • 43. Windows Phone 7 Application Security
      • Preventing the top 3 in your WP7 apps
      • I can’t cover every principle in this talk
      • With that in mind I’m grouping them to make a "new" top 3
          • Data Security - Secure Storage and Communications
          • Authentication and Authorisation
          • Data Access/Privacy
  • 44. Windows Phone 7 Application Security
      • Windows Phone 7 Data Security
      • Never store data on the device if it really isn’t needed
      • WP7 allows us to encrypt data and databases
      • Only new databases can be encrypted but very easy to do
      • DPAPI is used for file/password/pin etc encryption
      • No hashing available and no algorithm selection
  • 45. Windows Phone 7 Application Security
      • Windows Phone 7 Data Security
      • The local database encryption is based on a password
      • You create a DB in code and you must include the password
      • The database is encrypted using AES-128
      • The password is hashed using SHA-256
      • An encrypted database can be created with two lines of code
  • 46. Windows Phone 7 Application Security
      // Create the data context, specify the database file location and password
      DavesDataContext db = new DavesDataContext("Data Source=isostore:/NinjaSecrets.sdf;Password=NinjaPassword");
      // Create an encrypted database after confirming that it does not exist
      if (!db.DatabaseExists())
          db.CreateDatabase();
  • 47. Windows Phone 7 Application Security
      • Windows Phone 7 Data Security
      • Saving data to an app’s isolated storage is not secure
      • If you want to encrypt data and not a DB you use the DPAPI
      • Use the System.Security.Cryptography.ProtectedData class
      • Specifically the Protect() and Unprotect() methods
      • Symmetric encryption (AES) used. Hashing isn’t possible
  • 48. Windows Phone 7 Application Security
      • Windows Phone 7 Data Security
      • Every app on a WP7 phone gets its own Encryption Key
      • DPAPI generates and securely stores this for you
      • Calling Protect() or Unprotect() implicitly selects the app’s key
      • optionalEntropy parameter can be used to provide extra entropy
  • 49. Windows Phone 7 Application Security
      • Encrypted Data Code Sample
  • 50. Windows Phone 7 Application Security
      • Windows Phone 7 Data Security
      • Secure Communications is a lot easier!
      • Very little to do with the app code itself in my opinion
      • More to do with good design and a good security code review!
      • Data sent to web services, SQL Azure etc needs protection
      • No client side SSL certs allowed and no VPN functionality
  • 51. Windows Phone 7 Application Security
      • Windows Phone 7 Authentication & Authorisation
      • Not just talking about app logon or service authentication
      • Specifically talking about access to data on the device
      • Gaining the user’s authorisation before accessing sensitive data
      • This includes access to the user’s contacts, SMS etc
      • I know we already "asked" in the WMAppManifest.xml file....
  • 52. Windows Phone 7 Application Security
      • Windows Phone 7 Data Access/Privacy
      • Another one which isn’t platform/framework specific
      • Understand the data accessed by third party libraries
      • Create a privacy policy covering personal data and stick to it!
      • Don’t store historical data on the device beyond required time
      • Audit app communications to check for data leaks
  • 53. Windows Phone 8 Security
      • The good things
      • Shared Windows Core (NT Kernel on a phone)
      • Secure boot and Bitlocker on by default
      • Enterprise app deployment/management functionality
      • OTA updates for all phones for at least 18 months
  • 54. Windows Phone 8 Security
      • The potentially bad things
      • Shared Windows Core (NT Kernel on a phone)
      • NFC and Wallet Hub
      • Native C and C++ code now available to everyone
      • Micro SD Card support but with no Bitlocker support
  • 55. Application Security Workshop
      • Free Application Security Workshop at Realex
      • 27th September in our Dublin office
      • Secure coding: why and how
      • Think like a pen tester
      • Security focused code reviews
  • 56. QUESTIONS?
      • www.securityninja.co.uk
      • http://sourceforge.net/projects/agnitiotool/
      • @securityninja
      • /realexninja
      • /securityninja
      • /realexninja
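
Slides 27 to 29 say the default manifest lists every capability and that an undeclared one only fails when the access is attempted. The following desktop C# check is an added example, not code from the talk; the sample manifest and the `needed` set are constructed assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Xml.Linq;

public static class CapabilityAudit
{
    // Constructed sample WMAppManifest.xml (not taken from a real app).
    const string SampleManifest = @"<Deployment xmlns=""http://schemas.microsoft.com/windowsphone/2009/deployment"" AppPlatformVersion=""7.1"">
  <App xmlns="""" ProductID=""{00000000-0000-0000-0000-000000000000}"" Title=""SampleApp"">
    <Capabilities>
      <Capability Name=""ID_CAP_NETWORKING"" />
      <Capability Name=""ID_CAP_LOCATION"" />
      <Capability Name=""ID_CAP_CONTACTS"" />
      <Capability Name=""ID_CAP_MICROPHONE"" />
    </Capabilities>
  </App>
</Deployment>";

    // Returns the capability names declared in the manifest, ignoring XML namespaces.
    public static List<string> Declared(string manifestXml)
    {
        return XDocument.Parse(manifestXml).Descendants()
            .Where(e => e.Name.LocalName == "Capability")
            .Select(e => (string)e.Attribute("Name"))
            .Where(n => !string.IsNullOrEmpty(n))
            .Distinct()
            .ToList();
    }

    public static void Main()
    {
        // Assumption: the capabilities the reviewer has confirmed the app really uses.
        var needed = new HashSet<string> { "ID_CAP_NETWORKING", "ID_CAP_SENSORS" };
        List<string> declared = Declared(SampleManifest);

        // Over-declared capabilities widen the LPC permission set for no benefit.
        foreach (string cap in declared.Where(c => !needed.Contains(c)))
            Console.WriteLine("Declared but not needed: " + cap);

        // Missing capabilities surface as UnauthorizedAccessException at first use.
        foreach (string cap in needed.Where(c => !declared.Contains(c)))
            Console.WriteLine("Needed but not declared: " + cap);
    }
}
```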
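
Slides 47 and 48 describe encrypting data with ProtectedData before it goes into Isolated Storage. The sketch below is an added example for the Windows Phone 7.1 SDK, not the code sample from slide 49; the class name, file name and entropy label are hypothetical.

```csharp
using System.IO;
using System.IO.IsolatedStorage;
using System.Security.Cryptography;
using System.Text;

public static class ProtectedPinStore
{
    // Hypothetical file name and entropy label, chosen for this added example.
    private const string FileName = "pin.bin";
    // optionalEntropy is extra binding input, not a secret: it ships inside the app.
    private static readonly byte[] Entropy = Encoding.UTF8.GetBytes("ProtectedPinStore.v1");

    public static void Save(string pin)
    {
        byte[] plain = Encoding.UTF8.GetBytes(pin);
        // Protect() implicitly uses this app's DPAPI key; the app never sees the key.
        byte[] cipher = ProtectedData.Protect(plain, Entropy);
        using (var store = IsolatedStorageFile.GetUserStoreForApplication())
        using (var file = store.OpenFile(FileName, FileMode.Create, FileAccess.Write))
        {
            file.Write(cipher, 0, cipher.Length);
        }
    }

    // Returns null when nothing is stored or the blob cannot be decrypted.
    public static string Load()
    {
        using (var store = IsolatedStorageFile.GetUserStoreForApplication())
        {
            if (!store.FileExists(FileName)) return null;
            byte[] cipher;
            using (var file = store.OpenFile(FileName, FileMode.Open, FileAccess.Read))
            {
                cipher = new byte[file.Length];
                int off = 0, n;
                while (off < cipher.Length && (n = file.Read(cipher, off, cipher.Length - off)) > 0) off += n;
            }
            try
            {
                byte[] plain = ProtectedData.Unprotect(cipher, Entropy);
                return Encoding.UTF8.GetString(plain, 0, plain.Length);
            }
            catch (CryptographicException)
            {
                store.DeleteFile(FileName); // corrupt, tampered, or written with other entropy
                return null;
            }
        }
    }
}
```

Only the ciphertext reaches Isolated Storage; a blob that fails to decrypt is deleted rather than returned.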