SecurityBSides London - windows phone 7
My Windows Phone 7 platform and application security overview presentation from SecurityBSides London 2012.

Transcript of "SecurityBSides London - windows phone 7"

1. David Rook: Windows Phone 7 Security. SecurityBSides London, Sunday, 22 April 2012
2. if (slide == introduction) System.out.println("I’m David Rook");
• Application Security Lead, Realex Payments, Dublin
• CISSP, CISA, GCIH and many other acronyms
• Security Ninja (@securityninja)
• Speaker at developer and security conferences
• Microsoft Developer Security MVP
• Developed and released Agnitio and the WPAA
3. Agenda
• Smartphones and apps: big numbers, little security?
• Windows Phone 7 introduction
• Windows Phone 7 platform security
• Windows Phone 7 application security
• Security reviewing Windows Phone 7 apps
4. Mobile device sales 2011
(Chart. Labels: 472 million; Smartphones 31%; Mobile 69%; 1.3 billion.) Source: http://www.gartner.com/it/page.jsp?id=1924314
5. Smartphone OS market share 2011
(Chart: Android 51%, iOS 24%, Symbian 12%, RIM 9%, Microsoft 2%.) Source: http://www.gartner.com/it/page.jsp?id=1924314
6. Smartphone OS market share 2011 (slides 6 to 14)
• Microsoft has 1.9% of the smartphone market share
• Smaller market share than something called Bada
• Should I even continue with this talk about Windows Phone 7?
• Similar approach to Android with many devices available
• IDC predict that it will have 20% market share by 2015
• 20% is unlikely but its market share will increase in my opinion
15. Windows Phone 7 Introduction (slides 15 and 16)
• The smartphone from Microsoft
• First released in late 2010 with 7 updates since then
• Based on Windows Embedded Compact v6 and v7
• Minimum “tough but fair” hardware requirements
• Apps only available via the Windows Phone Marketplace
• Specifically aimed at the consumer market, not enterprise
17. Windows Phone 7 Introduction: .NET Compact Framework
• Version of the .NET framework for resource-constrained devices
• Some of the same classes and some mobile-specific ones
• Compiler translates your code into Intermediate Language
• Apps are JIT compiled and executed by the .NET CLR
• Only managed .NET code allowed in your apps*
18. Windows Phone 7 Introduction (slides 18 to 21): from C# source to running code

    private void button1_Click(object sender, RoutedEventArgs e)
    {
        MessageBox.Show("Hello BSides London!");
    }

C# Compiler -> Managed Module -> .NET CLR
22. Windows Phone 7 Introduction: Kernel Architecture (slides 22 and 23)
• 32-bit OS that runs inside a 4GB virtual address space
• 2GB allocated to the kernel and 2GB to the process executing
• That isn’t quite true, the process executing only gets 1GB
• 1GB is for components commonly mapped into all processes

24. Windows Phone 7 Introduction: Kernel Architecture
(Diagram. User space: applications TELSHELL.EXE, UDEVICES.EXE, SERVICESD.EXE, CPROG.EXE on top of COREDLL/WINSOCK/COMMCRL/WININET. Kernel space: kCoreDLL.DLL, KERNEL.DLL, FILESYS.DLL, FSDMGR.DLL, Device.DLL, GWES, Network, Drivers, OAL.EXE. Hardware below.)

25. Windows Phone 7 Introduction: Kernel Architecture
(Diagram. Process space, 2GB: Process Code, User DLLs, Memory Mapped Files, GWES. Kernel space, 2GB: Drivers, File System, Kernel.)

26. Windows Phone 7 Introduction: Kernel Architecture
(Diagram. The 2GB process space: Shared System Heap 256MB, common across all processes; RAM Backed Mapfiles 256MB; Shared User DLLs 512MB; Process Space 1GB per process, private to each process.)
27. Windows Phone 7 Platform Security: Security Model (slides 27 to 29)
• Chambers concept to enforce app isolation and least privilege
• The chambers provide a security boundary to restrict the apps
• Four chambers and apps run in one of them
• Three chambers have fixed permission sets
• The fourth chamber is capabilities based

30. Windows Phone 7 Platform Security
(Diagram. Fixed permissions: Trusted Computing Base (TCB), Elevated Rights Chamber (ERC), Standard Rights Chamber (SRC). Capabilities based: Least Privileged Chamber (LPC).)
31. Windows Phone 7 Platform Security: Trusted Computing Base (TCB)
• The kernel and kernel-mode drivers run in the TCB chamber
• Allows processes to have unrestricted access to most resources
• The TCB chamber can modify policy and enforce the security model
• Only Microsoft can add signed software to the TCB chamber

32. Windows Phone 7 Platform Security: Elevated Rights Chamber (ERC)
• User-mode drivers and services run in this chamber
• Can access all resources except security policy
• Intended for services and user-mode drivers
• Only Microsoft can add signed software to the ERC chamber

33. Windows Phone 7 Platform Security: Standard Rights Chamber (SRC)
• The default chamber for pre-installed MS and OEM applications
• Apps that do not provide device-wide services run in the SRC

34. Windows Phone 7 Platform Security: Least Privileged Chamber (LPC)
• The default chamber for all non-Microsoft applications
• Least Privileged Chambers are configured using capabilities
• Capabilities listed in the application’s WMAppManifest.xml file
35. Windows Phone 7 Platform Security: Application Capabilities
• Application capabilities are features that an app uses
• Apps request permission to access protected APIs during the deployment process
• Default app manifest file includes a list of all the capabilities*
• WP7 grants security permissions based on the contents of your WMAppManifest.xml file*
• Not everything your app does needs a capability defined

36. Windows Phone 7 Platform Security: Application Capabilities
• Capability checks are enforced at runtime
• Permission set for the app’s LPC is created based on the capabilities
• Requests for other resources == UnauthorizedAccessException
• This exception occurs when the access is attempted, not when the app is executed

38. Windows Phone 7 Platform Security: Capabilities Detection Demo
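As an added example (not code from the talk, nor from Agnitio or the WPAA), the following C# reads the capabilities an app declares in its own WMAppManifest.xml and shows where a missing capability surfaces: at the first protected call, as an UnauthorizedAccessException, exactly as slide 36 describes. It assumes a Windows Phone 7.1 project; the class and method names, and the choice of the location API as the gated call, are my own assumptions.

```csharp
// Added example, not from the talk. Assumes a Windows Phone 7.1 project.
// CapabilityAudit and its methods are hypothetical names chosen for this example.
using System;
using System.Collections.Generic;
using System.Device.Location;   // GeoCoordinateWatcher: protected by ID_CAP_LOCATION
using System.Diagnostics;
using System.Xml;

public static class CapabilityAudit
{
    // WMAppManifest.xml ships inside the XAP, so the app can open its own copy by
    // relative path and enumerate every <Capability Name="ID_CAP_..." /> element.
    public static IList<string> DeclaredCapabilities()
    {
        var names = new List<string>();
        using (XmlReader reader = XmlReader.Create("WMAppManifest.xml"))
        {
            while (reader.ReadToFollowing("Capability"))
            {
                string name = reader.GetAttribute("Name");
                if (!string.IsNullOrEmpty(name))
                {
                    names.Add(name);
                }
            }
        }
        return names;
    }

    // The platform checks capabilities when the protected API is touched, not at
    // launch. Checking the manifest first lets the app degrade gracefully instead of
    // discovering the problem as an exception deep inside a feature.
    public static bool TryStartLocation(out GeoCoordinateWatcher watcher)
    {
        watcher = null;
        if (!DeclaredCapabilities().Contains("ID_CAP_LOCATION"))
        {
            Debug.WriteLine("ID_CAP_LOCATION not declared; location feature disabled.");
            return false;
        }

        try
        {
            watcher = new GeoCoordinateWatcher(GeoPositionAccuracy.Default);
            watcher.Start();   // this is the call the LPC permission set is enforced on
            return true;
        }
        catch (UnauthorizedAccessException ex)
        {
            // Reached when the LPC permission set does not include the capability.
            Debug.WriteLine("Location access denied at runtime: " + ex.Message);
            watcher = null;
            return false;
        }
    }
}
```

Reading the manifest back at runtime is also a cheap self-check during a security review: if DeclaredCapabilities() lists something the app never uses, the manifest is over-privileged and should be trimmed before submission.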
39. Windows Phone 7 Platform Security: Application Signing
• Apart from developer-unlocked devices, apps must be signed
• Microsoft automatically signs approved apps
• Apps must have a valid Microsoft signature to be installed
41. Windows Phone 7 Platform Security: Application Sandboxing
• Apps execute within a restricted LPC as we saw earlier
• Cannot communicate with other apps on the phone
• Sandboxed apps aren’t allowed to run in the background
• No access to native code from within the sandbox
• All I/O operations are restricted to per-app Isolated Storage

42. Windows Phone 7 Platform Security: Application Isolated Storage
• Per-app Isolated Storage allows apps to keep data “private”
• Very similar to Isolated Storage in Silverlight
• No direct access to the file system
• No access to other apps’ Isolated Storage
• Three different ways to use your app’s Isolated Storage
44. Windows Phone 7 Application Security (slides 44, 46 and 47)
• Mobile application security introduces almost no new issues
• Forget about specific vulnerabilities for one minute
• Think about the root causes of vulnerabilities, I’ll give you a hand
• From that list what do you think the top 3 are?
• My top 3 are: Secure Storage; Authentication and Authorisation; Secure Resource Access/Privacy

45. Windows Phone 7 Application Security: root causes of vulnerabilities
• Input Validation
• Output Validation
• Error Handling
• Authentication and Authorisation
• Secure Storage
• Secure Communications
• Session Management
• Secure Resource Access
• Auditing and Logging
• Privacy
48. Windows Phone 7 Application Security: OWASP Top 10 Mobile Risks
• I compared the OWASP top 10 mobile risks to my list
• 50% Secure Storage/Secure Communications
• 20% Authentication and Authorisation
• 0% Privacy*

49. Windows Phone 7 Application Security: OWASP Mobile Controls
• Lists the mobile app security controls you should implement
• I compared each control to the list I showed you, guess what?
• 26% Secure Storage
• 16% Authentication and Authorisation
• 16% Secure Resource Access*/Secure Communications

50. Windows Phone 7 Application Security: My top 3 in the real world (slides 50 and 51)
• Secure Storage: Facebook, Citibank, LinkedIn, Google Wallet
• A&A: Foodspotting, Google Wallet, Google (multiple apps)
• SRA/Privacy: Path, Hipster, Carrier IQ, Ad Libraries
• This doesn’t mean we can ignore all of the other issues

52. Windows Phone 7 Application Security: Preventing the top 3 in your WP7 apps (slides 52 to 54)
• I can’t cover every principle in this talk
• With that in mind I’m grouping them to make a "new" top 3
• Data Security: Secure Storage and Communications
• Authentication and Authorisation
• Data Access/Privacy
55. Windows Phone 7 Application Security: Data Security (slides 55 to 57)
• Never store data on the device if it really isn’t needed
• WP7 allows us to encrypt data and databases
• Only new databases can be encrypted, but it is very easy to do
• DPAPI is used for file/password/PIN etc. encryption
• No hashing available and no algorithm selection

58. Windows Phone 7 Application Security: Data Security (slides 58 to 60)
• The local database encryption is based on a password
• You create a DB in code and you must include the password
• The database is encrypted using AES-128
• The password is hashed using SHA-256
• An encrypted database can be created with two lines of code
61. Windows Phone 7 Application Security

    // Create the data context, specify the database file location and password
    DavesDataContext db = new DavesDataContext("Data Source=isostore:/NinjaSecrets.sdf;Password=NinjaPassword");

    // Create an encrypted database after confirming that it does not exist
    if (!db.DatabaseExists())
        db.CreateDatabase();
62. Windows Phone 7 Application Security: Data Security (slides 62 to 64)
• Saving data to an app’s isolated storage is not secure
• If you want to encrypt data and not a DB you use the DPAPI
• Use the System.Security.Cryptography.ProtectedData class
• Specifically the Protect() and Unprotect() methods
• Symmetric encryption (AES) used. Hashing isn’t possible

65. Windows Phone 7 Application Security: Data Security
• Every app on a WP7 phone gets its own Encryption Key
• DPAPI generates and securely stores this for you
• Calling Protect() or Unprotect() implicitly selects the app’s key
• optionalEntropy parameter can be used to provide extra entropy

66. Windows Phone 7 Application Security: Encrypted Data Code Sample
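The code sample shown on slide 66 is not reproduced in the transcript, so here is an added example of my own (not the speaker's code) that ties slides 58 to 65 together: it wraps ProtectedData.Protect()/Unprotect() with the optionalEntropy parameter, keeps the protected bytes in isolated storage, and uses the result as the password for the encrypted local database instead of a literal in the connection string like the "NinjaPassword" on slide 61, which any reader of the managed module can recover. It assumes Windows Phone 7.1 (local database support); SecretStore, SecretDatabase, NinjaDataContext, the Secret table and the file name dbpass.bin are my own names.

```csharp
// Added example, not from the talk. Assumes Windows Phone 7.1 (LINQ to SQL local DB).
// All type, member and file names below are hypothetical choices for this example.
using System;
using System.Data.Linq;
using System.Data.Linq.Mapping;
using System.IO;
using System.IO.IsolatedStorage;
using System.Security.Cryptography;
using System.Text;

public static class SecretStore
{
    // optionalEntropy: mixed into Protect() and must be identical for Unprotect().
    // It is not a secret by itself; the per-app key generated by DPAPI is what protects the data.
    private static readonly byte[] Entropy = Encoding.UTF8.GetBytes("SecretStore.v1");

    // Encrypt with the app's DPAPI key and write the ciphertext to isolated storage.
    public static void Save(string fileName, string plaintext)
    {
        byte[] protectedBytes = ProtectedData.Protect(Encoding.UTF8.GetBytes(plaintext), Entropy);
        using (IsolatedStorageFile store = IsolatedStorageFile.GetUserStoreForApplication())
        using (IsolatedStorageFileStream stream = store.OpenFile(fileName, FileMode.Create, FileAccess.Write))
        {
            stream.Write(protectedBytes, 0, protectedBytes.Length);
        }
    }

    // Read the ciphertext back and decrypt it; returns null when nothing was stored yet.
    public static string Load(string fileName)
    {
        using (IsolatedStorageFile store = IsolatedStorageFile.GetUserStoreForApplication())
        {
            if (!store.FileExists(fileName)) return null;
            using (IsolatedStorageFileStream stream = store.OpenFile(fileName, FileMode.Open, FileAccess.Read))
            {
                byte[] protectedBytes = new byte[stream.Length];
                int total = 0;
                while (total < protectedBytes.Length)   // Read() may return fewer bytes than asked
                {
                    int n = stream.Read(protectedBytes, total, protectedBytes.Length - total);
                    if (n == 0) break;
                    total += n;
                }
                byte[] plain = ProtectedData.Unprotect(protectedBytes, Entropy);
                return Encoding.UTF8.GetString(plain, 0, plain.Length);
            }
        }
    }

    // Random per-install database password: created once, only ever stored DPAPI-protected,
    // so it never appears in the XAP and differs on every device.
    public static string GetOrCreateDatabasePassword()
    {
        const string file = "dbpass.bin";
        string password = Load(file);
        if (password == null)
        {
            byte[] random = new byte[16];
            new RNGCryptoServiceProvider().GetBytes(random);
            var hex = new StringBuilder(random.Length * 2);
            foreach (byte b in random) hex.Append(b.ToString("x2"));
            password = hex.ToString();   // 32 hex characters, safe inside a connection string
            Save(file, password);
        }
        return password;
    }
}

[Table]
public class Secret
{
    [Column(IsPrimaryKey = true, IsDbGenerated = true)]
    public int Id { get; set; }

    [Column]
    public string Value { get; set; }
}

public class NinjaDataContext : DataContext
{
    public NinjaDataContext(string connectionString) : base(connectionString) { }
    public Table<Secret> Secrets;
}

public static class SecretDatabase
{
    // Only a database created with a Password is encrypted (AES-128, password hashed with
    // SHA-256 per the slides); an existing unencrypted .sdf cannot be encrypted later.
    public static NinjaDataContext Open()
    {
        string connection = "Data Source=isostore:/NinjaSecrets.sdf;Password="
                            + SecretStore.GetOrCreateDatabasePassword();
        var db = new NinjaDataContext(connection);
        if (!db.DatabaseExists())
        {
            db.CreateDatabase();
        }
        return db;
    }
}
```

Two caveats follow from the slides themselves: DPAPI here is symmetric encryption only, so a credential that should never be recoverable still cannot be hashed with it, and protecting the database password with the app's DPAPI key moves the secret off the XAP but still leaves it readable to the app itself, which is the intended trust boundary on this platform.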
67. Windows Phone 7 Application Security: Data Security, Secure Communications
• Secure Communications is a lot easier!
• Very little to do with the app code itself in my opinion
• More to do with good design and a good security code review!
• Data sent to web services, SQL Azure etc. needs protection
• No client-side SSL certs allowed and no VPN functionality
68. Windows Phone 7 Application Security: Authentication & Authorisation (slides 68 and 69)
• Not just talking about app logon or service authentication
• Specifically talking about access to data on the device
• Gaining the user’s authorisation before accessing sensitive data
• This includes access to the user’s contacts, SMS etc.
• I know we already "asked" in the WMAppManifest.xml file....
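The point of slides 68 and 69 is that a capability in WMAppManifest.xml is a platform permission, not the user's consent. As an added example (my own code, not from the talk), the following asks the user before the Contacts API is touched and queries only what the feature needs. It assumes Windows Phone 7.1, where Microsoft.Phone.UserData.Contacts exists and is gated by ID_CAP_CONTACTS; ContactPicker and its method names are my own.

```csharp
// Added example, not from the talk. Assumes Windows Phone 7.1 (Microsoft.Phone.UserData).
// ContactPicker, RequestConsent and FindByName are hypothetical names for this example.
using System;
using System.Diagnostics;
using System.Linq;
using System.Windows;
using Microsoft.Phone.UserData;   // Contacts, ContactsSearchEventArgs, FilterKind

public class ContactPicker
{
    private readonly Contacts contacts = new Contacts();

    public ContactPicker()
    {
        contacts.SearchCompleted += OnSearchCompleted;
    }

    // ID_CAP_CONTACTS says the app *may* read contacts; it records nothing about whether
    // the user agreed to this particular use. Ask, state the purpose, and honour "Cancel".
    public bool RequestConsent(string purpose)
    {
        MessageBoxResult answer = MessageBox.Show(
            purpose + "\n\nAllow this app to read your contacts for this?",
            "Contacts access",
            MessageBoxButton.OKCancel);
        return answer == MessageBoxResult.OK;
    }

    public void FindByName(string name)
    {
        if (!RequestConsent("To add " + name + " as a recipient"))
        {
            Debug.WriteLine("User declined contacts access; nothing was read.");
            return;
        }

        try
        {
            // Narrowest useful query: filter on display name rather than pulling the whole address book.
            contacts.SearchAsync(name, FilterKind.DisplayName, null);
        }
        catch (UnauthorizedAccessException ex)
        {
            // Only reached if ID_CAP_CONTACTS is missing from WMAppManifest.xml.
            Debug.WriteLine("Contacts capability not granted: " + ex.Message);
        }
    }

    private void OnSearchCompleted(object sender, ContactsSearchEventArgs e)
    {
        // Keep only the field the feature needs; do not copy full contact records into app storage.
        foreach (string displayName in e.Results.Select(c => c.DisplayName))
        {
            Debug.WriteLine("Match: " + displayName);
        }
    }
}
```

The same pattern (purpose-specific prompt, narrowest query, minimal retention) applies to the other data sources slide 69 mentions, such as SMS, and it is what a reviewer should look for when the manifest declares a sensitive capability.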
70. Windows Phone 7 Application Security: Data Access/Privacy
• Another one which isn’t platform/framework specific
• Understand the data accessed by third-party libraries
• Create a privacy policy covering personal data and stick to it!
• Don’t store historical data on the device beyond the required time
• Audit app communications to check for data leaks

71. Windows Phone 7 Application Security: Windows Phone App Analyser and Agnitio Demos

72. I love questions!

73. QUESTIONS? (slides 73 and 74)
www.securityninja.co.uk
http://sourceforge.net/projects/agnitiotool/
@securityninja /realexninja /securityninja /realexninja