
Windows Phone 7 Security

Windows Phone 7 and its security

  • 2nd semester of the Master's programme. Chose this topic because I can't stand hearing about iOS and Android any more.
  • After Google with Android and Apple with iOS. I will compare with iOS and Android in many places. Features such as "copy & paste".
  • At the moment far, far behind Android and iOS. Over 1500 apps are added every week, and the trend is rising.
  • 5,7 apps per month on iOS, Android
  • The IDC statistics give WP7 a lot of potential. But there are also critical statistics that predict no big growth. Such disagreement is rare; with Android everyone agreed that it would explode. Growth rate 67 percent… other operating systems will soon have reached saturation.
  • MS and Nokia have agreed on a partnership; Nokia will not develop Symbian further in the medium term and will concentrate on MS products.
  • In Metro design. Microsoft's new design language. Also for Windows 8. Simple, modern, clean.
  • Hub design. People (everything from social networks, mail, SMS, Twitter etc.). Games (with Xbox Live connection). Tiles can be moved, but the design cannot be changed or customised as in e.g. Android.
  • Similar to Android and others. Each layer accesses the one below it. The kernel, like almost all kernels, is responsible for security features, networking and data storage. Green: hardware block with drivers for … Above it a three-pillar architecture. App Model -> management of the apps, for high-level security; we will come back to that. UI Model -> rendering of 2D, 3D, OpenGL, Direct3D. Cloud integration – does not exist in this form elsewhere; search engine, Windows Live, Xbox Live. Apps with UI and logic. Build on frameworks. CLR is the runtime environment of .NET (MS's software platform). Common Language Runtime. Similar to the Dalvik Virtual Machine. All languages can be compiled into it. XNA is for game development (Xbox, Windows, Zune, WP7).
  • The main development language is supposed to be C#. But others are possible. Windows Phone Frameworks – access to camera, sensors, web browser, i.e. everything that is phone-specific. Everything below that is known from other systems. Below that the two presentation layers. The entry point to the system is the application object. Blue: known from .NET development… i.e. all libraries that are available on all MS systems. The good thing is that this wins over many already experienced programmers, because a lot of familiar things can be used. Such as XNA or Silverlight or HTML/JavaScript.
  • Remotely not possible according to MS, which I cannot imagine. Sandbox like Android and iOS; we will come to that later.
  • CLR – Common Language Runtime, as before in the architecture.
  • So one always starts from the lowest privilege. Each of the chambers grants rights/possibilities.
  • Processes in this chamber must be kept to a minimum so that the attack surface is reduced.
  • Example: MS Outlook or apps from the provider.
  • e.g. GPS, camera, mic, networking, sensors etc.
  • Communication only through the cloud (potential attack surface). Apps cannot access data of other apps (read, write, access) (not even the keyboard cache) (usability?). Only MS apps can run in the background (soon to change, with an update). When switching, the app's state has to be saved, then it is closed, then the other one is opened (performance?). Much more feedback for the user, because no app can consume resources or send data in the background. But it reduces performance (no multithreading).
  • Missing for use in the enterprise. Encryption of data on the device: on Android with third-party tools, on iOS only from 4 onwards.
  • At the moment far, far behind Android and iOS. Over 1500 are added every week.
  • Windows Phone 7 Security

    1. Windows Phone 7 …and its security
       Karol Bronke – WP7 Security
    2. Windows Phone 7 and its Security
       • Stuttgart Media University
       • Course „Sicherheit mobiler Systeme“
       • Presentation by Karol Bronke
       • Master „Computer Science and Media“
    3. Agenda
       • Introduction
       • Structure (UI)
       • Architecture
       • Deployment & Runtime
       • Security
       • Protection
       • Chamber concept
       • Sandboxing
       • What's missing?
       • Conclusion
    4. Introduction
    5. Introduction - Essentials
       • Windows Phone 7 is the newest of the new generation of smartphone operating systems
       • Presented officially in January 2010
       • New user experience with „metro“ design
       • Combined off- and online content
       • Integrated cloud features
    6. Introduction - Essentials
       • Microsoft (MS) was criticized for coming into the new smartphone market too late
       • Big question mark over the potential of Windows Phone 7 (WP7)
       • Especially because it was not really complete
       • Promises by MS to update features fast
    7. Introduction - Statistics
       • 2m devices sold worldwide (April 2011)
       • US smartphone market January 2011
       • WP7 market share 7%
       • Over 36.000 developers registered
       • Development toolkit downloaded 1.5m times
       • WP7 loses early adopters and core purchasers
    8. Introduction - Statistics
       • 11.500 Apps – 7500 not free (March 2011)
       • 44% can be tested freely
       • 62% are validated in the first try
       • Average validating time 1,8 days
       • Every user gets 12 new apps per month
    9. Introduction - Statistics
       • http://www.areamobile.de/bilder/81750-original-idc-sieht-android-auf-platz-1-bis-2015-koennte-windows-phone-7-sogar-auf-den-2-platz-vorstossen-c-idc
    10. Introduction - Reasons
       • Small updates cause big problems with certain devices
       • Buggy early releases
       • Manufacturers have to test these releases before providing them to customers
       • Few manufacturers
       • Big business with Nokia takes time
    11. User Interface
    12. User Interface - Structure
       • People
       • Games
       • Marketplace
       • Office
       • Pictures
       • Phone
       • …
    13. Architecture
    14. Architecture - Essentials
    15. User Interface - Frameworks
    16. Deployment
    17. Deployment - Marketplace
       • Apps as .xap file in the marketplace
       • Phone only installs .xap packages signed by marketplace
       • User has to (un)install apps
       • Apps are isolated on phone
       • Every app is installed & runs in sandbox
    18. Deployment - Runtime
       • Resources are allocated to foreground app only
       • Every app runs in CLR
       • Every code is .NET
       • Through frameworks it is possible to access hardware, UI, cloud services,…
    19. Security
    20. Security - Protection
       • Demand and usage of mobile devices has risen
       • Simultaneously protection becomes more important
       • Confidential and personal data must be safe
       • Personal identities must be safe
       • WP7 has a security model and protection policies
    21. Security – Chamber concept
       • Principles of isolation and least privilege
       • Each chamber is a security boundary and isolation boundary
       • Inside of these boundaries, apps can run
       • Each chamber is defined and implemented using policy systems
       • Each policy of a chamber defines what capabilities the processes have
    22. Security – Chamber concept
       • TCB – Trusted Computing Base
       • ERC – Elevated Rights Chamber
       • SRC – Standard Rights Chamber
       • LPC – Least Privileged Chamber
    23. Security – Chamber concept: Trusted Computing Base
       • Greatest privileges
       • Allows a process unrestricted access to most of the resources
       • Can modify security policies
       • Kernel and kernel-mode drivers run in TCB
    24. Security – Chamber concept: Elevated Rights Chamber
       • Access to most of the resources
       • No access to security policies
       • Intended for services and user-mode drivers to provide functionalities
    25. Security – Chamber concept: Standard Rights Chamber
       • Default chamber for pre-installed apps
       • Apps which don't provide device-wide services
    26. Security – Chamber concept: LPC – Least Privileged Chamber
       • Default for all non-MS apps from marketplace
       • Apps are configured using capabilities
    27. Security – Capabilities
       • Are set at installation
       • Cannot be changed at runtime
       • LPC defines a minimal set of access rights by default
       • Capabilities can be extended dynamically
       • Reduces attack surface
       • App receives only capabilities it needs to fulfill its use case
       • App has to disclose capabilities
       • Developers use the capability detection tool
       • Are written to WMAppManifest.xml
       • capability: A resource for which user privacy, security, cost or business concerns exist
    28. Security – Chamber concept
       • TCB – Trusted Computing Base
       • ERC – Elevated Rights Chamber
       • SRC – Standard Rights Chamber
       • LPC – Least Privileged Chamber
    29. Security – Sandboxing
       Each app …
       • …runs inside of its capabilities
       • …has its own isolated storage file
       • …cannot communicate with other apps
       • …is not allowed to run in background
       • …cannot switch to another app
    30. Security – What's missing?
       • Installing updates from central station in the company
       • Using app administration tools, like in Windows Mobile 6.5
       • Controlling complexities for passwords
       • Some security-relevant ActiveSync policies for MS Exchange are not supported
       • Device encryption
       • Regular VPN connections (SSL VPN via Exchange)
       • (malware, viruses, trojans, …)
    31. Conclusion
    32. Conclusion
       • Not fully completed mobile OS with a lot of potential
       • Model of „managed code only“ together with isolation chambers makes WP7 very secure
       • Even usability and performance have to soft-pedal to guarantee security
       • Model of capabilities seems to be popular
       • If a vulnerability is detected, it is mitigated by providing appropriate updates or by revoking the app
       • Not yet applicable for enterprise usage
    33. Thank you!
       Contact: Karol Bronke, karol.bronke@gmail.com
    34. Source materials
       • Windows Mobile Security Model:
         http://msdn.microsoft.com/en-us/library/bb416353%28v=MSDN.10%29.aspx
         http://www.microsoft.com/downloads/en/details.aspx?FamilyID=dfad6c2f-988a-4b09-9e3b-58bfc9ac0447#QuickDetails
         http://www.microsoft.com/downloads/en/details.aspx?FamilyID=dfad6c2f-988a-4b09-9e3b-58bfc9ac0447
       • Kaspersky Mobile Security:
         http://www.kaspersky.com/de/kaspersky-mobile-security
       • Windows Mobile Security Advisory: Manufacturers leave device open for WAP-Push based attacks
         http://www.silentservices.de/adv01-2008.html
       • PDUSpy:
         http://www.nobbi.com/pduspy.html
       • Windows Mobile Code Signing:
         http://msdn.microsoft.com/en-us/windowsmobile/dd569132.aspx
       • Understanding the Windows Mobile Security Model
         http://technet.microsoft.com/en-us/library/cc512651.aspx
       • Canalys: iPhone outsold all Windows Mobile phones in Q2 2009
         http://www.appleinsider.com/articles/09/08/21/canalys_iphone_outsold_all_windows_mobile_phones_in_q2_2009.htm
       • MIX 10 conference
         http://channel9.msdn.com/events/MIX/MIX10/CL18
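The capabilities slide (27) states that an app's capabilities are written to WMAppManifest.xml and fixed at installation, and the deployment slide (17) states that apps ship as .xap packages. The following added example (not part of the presentation) reads the manifest out of a package and compares the declared capabilities with what the use case needs. The sample manifest, the chosen capability names and all function names are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Constructed sample manifest (not from the slides); capability names follow
# the ID_CAP_* convention used in WP7 WMAppManifest.xml files.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<Deployment xmlns="http://schemas.microsoft.com/windowsphone/2009/deployment"
            AppPlatformVersion="7.0">
  <App ProductID="{00000000-0000-0000-0000-000000000000}" Title="SampleNotes">
    <Capabilities>
      <Capability Name="ID_CAP_NETWORKING" />
      <Capability Name="ID_CAP_LOCATION" />
      <Capability Name="ID_CAP_MICROPHONE" />
    </Capabilities>
  </App>
</Deployment>
"""

def build_sample_xap(manifest_xml):
    """Pack the manifest into an in-memory .xap (a .xap is a ZIP archive)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as xap:
        xap.writestr("WMAppManifest.xml", manifest_xml)
    return buf.getvalue()

def declared_capabilities(xap_bytes):
    """Return the set of capability names declared in the package manifest."""
    with zipfile.ZipFile(io.BytesIO(xap_bytes)) as xap:
        root = ET.fromstring(xap.read("WMAppManifest.xml"))
    caps = set()
    for elem in root.iter():
        # Compare local names so the check works with or without a namespace.
        if elem.tag.rsplit("}", 1)[-1] == "Capability" and elem.get("Name"):
            caps.add(elem.get("Name"))
    return caps

def review(xap_bytes, needed):
    """Split declared capabilities into justified, excess and missing ones."""
    declared = declared_capabilities(xap_bytes)
    return {
        "justified": sorted(declared & needed),
        "excess": sorted(declared - needed),    # requested but not needed
        "missing": sorted(needed - declared),   # needed but never declared
    }

if __name__ == "__main__":
    # Hypothetical use case: a note-taking app that only syncs over the network.
    print(review(build_sample_xap(SAMPLE_MANIFEST), {"ID_CAP_NETWORKING"}))
```

Anything reported under "excess" is attack surface the app requested without a use case behind it, which is the least-privilege check the capability model is meant to support.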
