Dynamic Analysis of Windows Phone 7 Apps
Presentation by Behrang Fouladi at UnCon in 2011.

This presentation is about runtime analysis of Windows Phone 7 applications. XAP Spy, a tool developed by the presenter for dynamic analysis of Windows Phone 7 is discussed.
1. Dynamic Analysis of Windows Phone 7 apps
   Behrang Fouladi, SensePost
2. Security Model
   - Processes run in four isolated “chambers”:
     - Trusted Computing Base (TCB): kernel-land drivers
     - Elevated Rights Chamber (ERC): user-land services
     - Standard Rights Chamber (SRC): IE, MS Office
     - Least Privileged Chamber (LPC): Marketplace apps
   - LPC permissions are “capability” driven: GPS, camera, microphone, SMS or sensors
   - Applications must be code-signed by MS after functional and content review
3. Security Model
   - “Managed code only” policy in the Marketplace and the development tools
   - Not entirely true: vendors like Samsung and Adobe used the undocumented ComBridge class (Microsoft.Phone.InteropServices) to execute native code
   - That native code still runs in the managed code's security context, i.e. inside the LPC
   - Different SDK versions are released for OEM vendors and ordinary developers: native module and driver development support is only included in the OEM version (Platform Builder)
4. Windows Phone 7 SDK
   - Installed as a VS 2010 component
   - The Express version allows app (Silverlight) and game (XNA framework) development
   - No native module development features
   - Uses the MS Smart Device API to connect to the device/emulator, deploy apps and exchange data
   - The VS debugger UI has no “Attach to Process” option: no third-party app debugging
5. Dynamic Analysis
   - Network traffic can be monitored effectively with the Fiddler proxy tool
   - Good news: WP7 apps can only communicate over HTTP(S)
   - Inspecting IsolatedStorage:
     - The RemoteIsolatedStore class in the Smart Device API is not implemented yet
     - But a storage explorer based on System.IO.IsolatedStorage can be injected into the target app
6. Dynamic Analysis
   - Monitoring SMS, MMS, camera and sensor access: check the Capabilities element inside the WMAppManifest.xml file:

         <Capabilities>
           <Capability Name="ID_CAP_LOCATION"/>
           <Capability Name="ID_CAP_PHONEDIALER"/>
         </Capabilities>
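The manifest check above is quick to automate, and it pays to go one step further: a .xap is a plain zip archive, so the same tool can pull WMAppManifest.xml out of it and then ask, per assembly, which referenced API accounts for each capability (a good way to pick the methods worth tracing later). The following C# is an added example, not XAP Spy's code or anything from the slides; it assumes Mono.Cecil, .NET 4.5+ for System.IO.Compression.ZipFile, a placeholder input path, and a hand-picked mapping from API namespaces/types to ID_CAP_* names (the two from the slide plus a few I am sure of; the Marketplace's own capability detection list is longer).

```csharp
// Added example (not from the original presentation or XAP Spy).
// Reads the declared capabilities out of a .xap and cross-checks them against
// the types the app's assemblies reference. Assumes Mono.Cecil and .NET 4.5+.
using System;
using System.Collections.Generic;
using System.IO;
using System.IO.Compression;
using System.Linq;
using System.Xml.Linq;
using Mono.Cecil;

static class XapCapabilityCheck
{
    // Type/namespace prefix -> capability that API implies. Assumption: a
    // hand-picked subset, not the full list the Marketplace ingestion tool uses.
    static readonly (string Prefix, string Cap)[] ApiToCap =
    {
        ("System.Device.Location",                     "ID_CAP_LOCATION"),
        ("Microsoft.Phone.Tasks.PhoneCallTask",        "ID_CAP_PHONEDIALER"),
        ("Microsoft.Devices.Sensors",                  "ID_CAP_SENSORS"),
        ("Microsoft.Phone.Tasks.CameraCaptureTask",    "ID_CAP_ISV_CAMERA"),
        ("Microsoft.Xna.Framework.Audio.Microphone",   "ID_CAP_MICROPHONE"),
        ("System.Net",                                 "ID_CAP_NETWORKING"),
    };

    // Capabilities the app declares in WMAppManifest.xml.
    public static HashSet<string> DeclaredCapabilities(ZipArchive xap)
    {
        var entry = xap.GetEntry("WMAppManifest.xml");
        if (entry == null) throw new InvalidDataException("WMAppManifest.xml missing from XAP");
        using (var s = entry.Open())
        {
            var doc = XDocument.Load(s);
            // The manifest has a default xmlns on <Deployment>, so match on local names.
            return new HashSet<string>(doc.Descendants()
                .Where(e => e.Name.LocalName == "Capability")
                .Select(e => (string)e.Attribute("Name"))
                .Where(n => !string.IsNullOrEmpty(n)));
        }
    }

    // Capability -> "assembly: referenced type" for every API hit in the mapping.
    public static Dictionary<string, List<string>> ImpliedCapabilities(ZipArchive xap)
    {
        var result = new Dictionary<string, List<string>>();
        foreach (var entry in xap.Entries.Where(e => e.FullName.EndsWith(".dll", StringComparison.OrdinalIgnoreCase)))
        {
            // Zip entry streams are not seekable; Cecil wants a seekable stream.
            using (var s = entry.Open())
            using (var ms = new MemoryStream())
            {
                s.CopyTo(ms);
                ms.Position = 0;
                var module = ModuleDefinition.ReadModule(ms);
                foreach (var tr in module.GetTypeReferences())
                    foreach (var (prefix, cap) in ApiToCap)
                        if (tr.FullName.StartsWith(prefix, StringComparison.Ordinal))
                        {
                            if (!result.TryGetValue(cap, out var uses)) result[cap] = uses = new List<string>();
                            uses.Add(entry.Name + ": " + tr.FullName);
                        }
            }
        }
        return result;
    }

    static void Main(string[] args)
    {
        var path = args.Length > 0 ? args[0] : "target.xap"; // placeholder path
        using (var xap = ZipFile.OpenRead(path))
        {
            var declared = DeclaredCapabilities(xap);
            Console.WriteLine("Declared: " + string.Join(", ", declared.OrderBy(c => c)));
            foreach (var kv in ImpliedCapabilities(xap).OrderBy(k => k.Key))
            {
                var flag = declared.Contains(kv.Key) ? "declared   " : "UNDECLARED ";
                Console.WriteLine(flag + kv.Key + "  <- " + kv.Value.First());
            }
        }
    }
}
```

The "UNDECLARED" case is mostly interesting for sideloaded or developer-unlocked builds; Marketplace ingestion rewrites the manifest from its own API scan, so for a published XAP the useful output is the second column, which tells you which assembly and type to instrument when you move on to runtime tracing.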
7. Dynamic Analysis
   - Monitoring code execution flow:
     - The VS debugger can't attach to emulator/device processes
     - No CLR profiler in the .NET Compact Framework
   - Idea: inject a prologue into the target app's methods and dump variable contents at runtime
     - Assembly files need to be re-signed after patching
     - How to communicate with the app on the emulator?
     - Problem with anti-tampered apps
8. XAP Spy
   - Automates the process of prologue injection, signing, deployment and logging
   - Uses the Mono.Cecil library for code injection
   - Uses the MS Smart Device API for app deployment
   - Communication with the remote app:
     - HTTP server and clients: the approach used by code profiling tools like EQATEC and RuntimeIntelligence; resource expensive, and causes access violations in multi-threaded apps
     - Enabling the emulator console (by a registry trick) and pointing output there: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\XDE\EnableConsole
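To make the prologue-injection idea from slides 7 and 8 concrete, here is a minimal injector in C# on top of Mono.Cecil. It is an added example, not XAP Spy's code: every method body in an assembly gets a prologue that writes the method name and each parameter's value through System.Diagnostics.Debug, the stream you would then collect on the emulator console. Assumptions: the current Mono.Cecil API (ImportReference; the 2011-era name was Import), that Debug and String.Concat(object, object) live in the app's mscorlib (true for Silverlight/WP7 and the Compact Framework), placeholder input/output paths, and that re-signing and repackaging the patched DLL into the XAP happen as a separate step, as the slides say.

```csharp
// Added example (not from the original presentation or XAP Spy).
// Injects a tracing prologue into every method of a managed assembly with Mono.Cecil.
// Assumes Mono.Cecil 0.10+ (ImportReference) and that System.Diagnostics.Debug is in
// the target's core library, which holds for WP7/Silverlight. Paths are placeholders.
using System;
using Mono.Cecil;
using Mono.Cecil.Cil;

static class PrologueInjector
{
    public static int Inject(string inputDll, string outputDll)
    {
        int patched = 0;
        using (var module = ModuleDefinition.ReadModule(inputDll))
        {
            // Build references into the app's OWN corlib by hand; importing
            // typeof(Debug) from the desktop runtime would reference the wrong mscorlib.
            var ts = module.TypeSystem;
            var debugType = new TypeReference("System.Diagnostics", "Debug", module, ts.CoreLibrary);
            var writeLine = new MethodReference("WriteLine", ts.Void, debugType);
            writeLine.Parameters.Add(new ParameterDefinition(ts.String));
            var concat = new MethodReference("Concat", ts.String, ts.String);
            concat.Parameters.Add(new ParameterDefinition(ts.Object));
            concat.Parameters.Add(new ParameterDefinition(ts.Object));
            var writeLineRef = module.ImportReference(writeLine);
            var concatRef = module.ImportReference(concat);

            foreach (var type in module.GetTypes())
                foreach (var method in type.Methods)
                {
                    // No body: abstract, extern or P/Invoke. Constructors are skipped
                    // only to keep the example short.
                    if (!method.HasBody || method.IsConstructor) continue;
                    InjectPrologue(method, writeLineRef, concatRef);
                    patched++;
                }

            // Cecil recomputes max stack on write, so no manual bookkeeping is needed.
            module.Write(outputDll);
        }
        return patched;
    }

    static void InjectPrologue(MethodDefinition method, MethodReference writeLine, MethodReference concat)
    {
        var il = method.Body.GetILProcessor();
        // Inserting before the original first instruction keeps branch targets and
        // exception-handler ranges pointing at the original code, so the prologue
        // runs exactly once on entry and sits outside any try block.
        var first = method.Body.Instructions[0];

        // Debug.WriteLine(">> Namespace.Type::Method(...)")
        il.InsertBefore(first, il.Create(OpCodes.Ldstr, ">> " + method.FullName));
        il.InsertBefore(first, il.Create(OpCodes.Call, writeLine));

        foreach (var p in method.Parameters)
        {
            // Debug.WriteLine(String.Concat("   name=", (object)arg))
            // Concat(object, object) tolerates null and calls ToString itself, so the
            // prologue cannot throw on a null argument and alter the app's behaviour.
            il.InsertBefore(first, il.Create(OpCodes.Ldstr, "   " + p.Name + "="));
            if (p.ParameterType.IsByReference)
            {
                // ref/out parameters are managed pointers and cannot be boxed.
                il.InsertBefore(first, il.Create(OpCodes.Ldstr, "<byref>"));
            }
            else
            {
                // Cecil fixes up the argument index for instance methods (the hidden
                // 'this' at slot 0) when it writes the ldarg.
                il.InsertBefore(first, il.Create(OpCodes.Ldarg, p));
                // box is a no-op for reference types and required for value types and
                // generic parameters, so it is emitted unconditionally.
                il.InsertBefore(first, il.Create(OpCodes.Box, p.ParameterType));
            }
            il.InsertBefore(first, il.Create(OpCodes.Call, concat));
            il.InsertBefore(first, il.Create(OpCodes.Call, writeLine));
        }
    }

    static void Main(string[] args)
    {
        var input = args.Length > 1 ? args[0] : "App.dll";            // placeholder
        var output = args.Length > 1 ? args[1] : "App.patched.dll";   // placeholder
        Console.WriteLine("patched " + Inject(input, output) + " methods");
    }
}
```

Two practical notes: calling Debug.WriteLine from injected IL works even in a Release build of the app, because the [Conditional("DEBUG")] stripping happens in the C# compiler, not at runtime; and an app that checks its own assembly hashes or strong-name signature (the "anti-tampered" case on slide 7) will notice the patched DLL, which is why the slides list that as a limitation.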
9. XAP Spy (screenshot)

10. Demo
11. Limitations
   - No tracing of GAC assemblies
   - No code breakpoints and no manual trace
   - No runtime code/variable modification
   - Anti-tampered apps need to be “cracked” before analysis
12. How to Improve it?
   - Communicate directly with the “debugger agent” on the emulator:
     - VS deploys an edm3.exe file to the emulator: native x86 code, signed by MS
     - “Attach to process” code was found inside this file
     - This file seems to be a “RemoteAgent” module (as on Windows Mobile 5 and 6)
     - From MSDN: “The device agent has full programmatic access to gather information and manipulate the device because it runs on the device.”
   - Use a phone (transport layer = TCP) and analyse the packets: easier than reversing the emulator's DMA transport

13. Thank you!