Dynamic Analysis of Windows Phone 7 Apps

Presentation by Behrang Fouladi at UnCon in 2011.

This presentation is about runtime analysis of Windows Phone 7 applications. It covers XAP Spy, a tool developed by the presenter for dynamic analysis of Windows Phone 7 apps.
    Presentation Transcript

    • Dynamic Analysis of Windows Phone 7 apps
      Behrang Fouladi, SensePost
    • Security Model
      Processes run in 4 isolated “chambers”:
      Trusted Computing Base (TCB): kernel-land drivers
      Elevated Rights Chamber (ERC): user-land services
      Standard Rights Chamber (SRC): IE, MS Office
      Least Privileged Chamber (LPC): Marketplace apps
      LPC permissions are “capability” driven: GPS, camera, microphone, SMS or sensors
      Applications must be code-signed by MS after functional and content review
    • Security Model
      “Managed code only” policy in the Marketplace and development tools:
      Not 100% true: vendors like Samsung and Adobe used the undocumented COMBridgeClass to execute native code
      The native code still runs in the managed-code security context
      Different SDK versions are released for OEM vendors and ordinary developers: native module and driver development support is included in the OEM version (Platform Builder)
    • Windows Phone 7 SDK
      Installed as a VS 2010 component
      The Express version allows app (Silverlight) and game (XNA framework) development
      No native module development features
      Uses the MS Smart Device API to connect to the device/emulator, deploy apps and exchange data with it
      The VS debugger UI has no “Attach to Process” option: no third-party app debugging
    • Dynamic Analysis
      Network traffic can be monitored effectively using the Fiddler proxy tool
      Good news: WP7 apps can only communicate over HTTP(S)
      Inspecting IsolatedStorage:
      The RemoteIsolatedStore class in the Smart Device API is not implemented yet
      But a storage explorer based on System.IO.IsolatedStorage can be injected into the target app
    • Dynamic Analysis
      Monitoring SMS, MMS, camera and sensor access:
      Check the Capabilities element inside the WMAppManifest.xml file:
      <Capability Name="ID_CAP_LOCATION"/>
      <Capability Name="ID_CAP_PHONEDIALER"/>
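      The capability check above can be scripted against the XAP package itself, since a XAP is a zip archive with WMAppManifest.xml at its root. The following is an added example, not code from the talk or from XAP Spy: it lists the declared Capability names and, as a heuristic prompted by the COMBridgeClass remark in the security model slides, flags any assembly in the package whose bytes contain the string "ComBridge" (matched case-insensitively, in both the UTF-8 form used by metadata names and the UTF-16 form used by user strings). The file layout, the string-scan heuristic and the console output format are this example's assumptions.

```csharp
// XapInspector.cs -- added example; not part of the talk or of XAP Spy.
// Opens a .xap (a zip), prints the Capability names from WMAppManifest.xml,
// and flags assemblies that mention "ComBridge" (heuristic, see lead-in).
// Needs .NET Framework 4.5+ or .NET Core (System.IO.Compression, System.Xml.Linq).
using System;
using System.IO;
using System.IO.Compression;
using System.Linq;
using System.Text;
using System.Xml.Linq;

static class XapInspector
{
    static int Main(string[] args)
    {
        if (args.Length != 1)
        {
            Console.Error.WriteLine("usage: XapInspector <app.xap>");
            return 2;
        }

        using (var zip = ZipFile.OpenRead(args[0]))
        {
            // Assumption: the manifest sits at the root of the package, as the SDK emits it.
            var manifest = zip.Entries.FirstOrDefault(
                e => e.FullName.Equals("WMAppManifest.xml", StringComparison.OrdinalIgnoreCase));
            if (manifest == null)
            {
                Console.Error.WriteLine("no WMAppManifest.xml in XAP");
                return 1;
            }

            XDocument doc;
            using (var s = manifest.Open())
                doc = XDocument.Load(s);

            // Match on the local name so the manifest's default namespace does not matter.
            var caps = doc.Descendants()
                          .Where(e => e.Name.LocalName == "Capability")
                          .Select(e => (string)e.Attribute("Name"))
                          .Where(n => !string.IsNullOrEmpty(n))
                          .ToList();

            Console.WriteLine("Declared capabilities ({0}):", caps.Count);
            foreach (var c in caps)
                Console.WriteLine("  " + c);

            // Heuristic: a managed assembly that names the COM bridge deserves a closer look.
            foreach (var dll in zip.Entries.Where(
                e => e.FullName.EndsWith(".dll", StringComparison.OrdinalIgnoreCase)))
            {
                byte[] bytes;
                using (var s = dll.Open())
                using (var ms = new MemoryStream())
                {
                    s.CopyTo(ms);
                    bytes = ms.ToArray();
                }
                bool hit = Contains(bytes, Encoding.UTF8.GetBytes("ComBridge"))
                        || Contains(bytes, Encoding.Unicode.GetBytes("ComBridge"));
                Console.WriteLine("  {0} {1}", hit ? "[native-interop?]" : "[managed]", dll.FullName);
            }
        }
        return 0;
    }

    // Byte-wise substring search with ASCII case folding; non-letter bytes compare exactly,
    // so the UTF-16 form (letters interleaved with 0x00) is matched too.
    static bool Contains(byte[] hay, byte[] needle)
    {
        for (int i = 0; i + needle.Length <= hay.Length; i++)
        {
            int j = 0;
            while (j < needle.Length && Fold(hay[i + j]) == Fold(needle[j])) j++;
            if (j == needle.Length) return true;
        }
        return false;
    }

    static byte Fold(byte b) => (byte)(b >= (byte)'A' && b <= (byte)'Z' ? b + 32 : b);
}
```

A capability that is declared but never exercised during a run is as interesting as one that is: compare this list against the traffic seen in Fiddler and the API calls observed at runtime before deciding what the app actually does.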
    • Dynamic Analysis
      Monitoring code execution flow:
      The VS debugger can’t attach to emulator/device processes
      No CLR Profiler in the .NET Compact Framework
      Idea: inject a prologue into the target app’s methods and dump variable contents at runtime:
      Assembly files need to be re-signed after patching
      How to communicate with the app on the emulator?
      Problem with anti-tampering apps
    • XAP Spy
      Automates the process of prologue injection, signing, deployment and logging
      Uses the Mono.Cecil library for code injection
      Uses the MS Smart Device API for app deployment
      Communication with the remote app:
      HTTP server and clients: the approach used by code-profiling tools like EQATEC and RuntimeIntelligence; resource-expensive, and causes access violations in multi-threaded apps
      Enabling the emulator console (by a registry trick) and pointing the output there
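      The prologue-injection step that XAP Spy automates can be reproduced with Mono.Cecil in a few dozen lines. What follows is an added example written for this page, not XAP Spy’s own code: it inserts, at the top of every method body in an assembly, IL that builds a string from the method name and its parameter values and hands it to System.Diagnostics.Debug.WriteLine(string). The two callees are described as references into the target’s own mscorlib rather than imported from the desktop framework, so no foreign assembly reference is added. Assumptions not taken from the talk: that Debug.WriteLine is the sink whose output reaches the emulator console, that String.Concat(object, object) is present in the phone’s mscorlib, and that re-signing and repackaging into the XAP are done afterwards by other means.

```csharp
// PrologueInjector.cs -- added example; not XAP Spy's own code.
// Inserts "[trace] <method> name=value ..." logging at the start of every method body.
// Assumptions (see lead-in): Debug.WriteLine(string) and String.Concat(object, object)
// exist in the target's mscorlib; re-signing of the patched assembly happens separately.
// Requires the Mono.Cecil NuGet package.
using System;
using System.Linq;
using Mono.Cecil;
using Mono.Cecil.Cil;

static class PrologueInjector
{
    static int Main(string[] args)
    {
        if (args.Length != 2)
        {
            Console.Error.WriteLine("usage: PrologueInjector <in.dll> <out.dll>");
            return 2;
        }

        var asm = AssemblyDefinition.ReadAssembly(args[0]);
        var module = asm.MainModule;
        var mscorlib = module.AssemblyReferences.FirstOrDefault(r => r.Name == "mscorlib");
        if (mscorlib == null)
        {
            Console.Error.WriteLine("target does not reference mscorlib");
            return 1;
        }

        // static void System.Diagnostics.Debug::WriteLine(string), scoped to the target's mscorlib.
        var debugType = new TypeReference("System.Diagnostics", "Debug", module, mscorlib);
        var writeLine = new MethodReference("WriteLine", module.TypeSystem.Void, debugType) { HasThis = false };
        writeLine.Parameters.Add(new ParameterDefinition(module.TypeSystem.String));

        // static string System.String::Concat(object, object): null-safe and calls ToString for us.
        var concat = new MethodReference("Concat", module.TypeSystem.String, module.TypeSystem.String) { HasThis = false };
        concat.Parameters.Add(new ParameterDefinition(module.TypeSystem.Object));
        concat.Parameters.Add(new ParameterDefinition(module.TypeSystem.Object));

        int patched = 0;
        foreach (var type in module.GetTypes())   // GetTypes() includes nested types
            foreach (var method in type.Methods.Where(m => m.HasBody && m.Body.Instructions.Count > 0))
            {
                InjectPrologue(method, writeLine, concat);
                patched++;
            }

        asm.Write(args[1]);
        Console.WriteLine("patched {0} methods -> {1}", patched, args[1]);
        return 0;
    }

    static void InjectPrologue(MethodDefinition method, MethodReference writeLine, MethodReference concat)
    {
        var body = method.Body;
        var il = body.GetILProcessor();
        // Everything is inserted before the original first instruction, so existing branch
        // targets and exception-handler ranges still point at the original code.
        var first = body.Instructions[0];

        // One string accumulates on the stack; each step pushes one object and concatenates.
        il.InsertBefore(first, il.Create(OpCodes.Ldstr, "[trace] " + method.FullName));
        foreach (var p in method.Parameters)
        {
            il.InsertBefore(first, il.Create(OpCodes.Ldstr, " " + p.Name + "="));
            il.InsertBefore(first, il.Create(OpCodes.Call, concat));

            if (p.ParameterType.IsByReference || p.ParameterType.IsPointer)
            {
                // Dereferencing needs a type-specific ldind/ldobj; log a marker instead.
                il.InsertBefore(first, il.Create(OpCodes.Ldstr, "<byref>"));
            }
            else
            {
                // Cecil adds 1 to the slot for instance methods, where 'this' occupies slot 0.
                il.InsertBefore(first, il.Create(OpCodes.Ldarg, p));
                // box is a no-op on reference types and required for value and generic types,
                // so emitting it unconditionally keeps the IL verifiable for every parameter.
                il.InsertBefore(first, il.Create(OpCodes.Box, p.ParameterType));
            }
            il.InsertBefore(first, il.Create(OpCodes.Call, concat));
        }
        il.InsertBefore(first, il.Create(OpCodes.Call, writeLine));
    }
}
```

The prologue never touches `this`, so it is safe even in instance constructors ahead of the base-constructor call. Cecil recomputes the max-stack value and instruction offsets when the assembly is written, which is why the code does not adjust them by hand. The trace volume is large for real apps; a practitioner would normally restrict the outer loop to the types or namespaces of interest.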
    • XAP Spy
    • Demo
    • Limitations
      No tracing of GAC assemblies
      No code breakpoints and no manual tracing
      No runtime code/variable modification
      Anti-tampering apps need to be “cracked” before analysis
    • How to Improve it?
      Communicating directly with the “debugger agent” on the emulator:
      VS deploys the edm3.exe file to the emulator: native x86 code, signed by MS
      “Attach to process” code was found inside this file
      This file seems to be a “RemoteAgent” module (Windows Mobile 5, 6)
      From MSDN: “The device agent has full programmatic access to gather information and manipulate the device because it runs on the device.”
      Using a phone (transport layer = TCP) and analysing the packets: easier than reversing the emulator’s DMA transport
    • Thank you!