SlideShare a Scribd company logo

Inspection of Windows Phone applications

Download as PPTX, PDF
Andrey Chasovskikh
Andrey Chasovskikh
Technology
1 of 48
Inspection of Windows Phone applications Dmitriy Evdokimov Andrey Chasovskikh
About us Dmitriy ‘D1g1’ Evdokimov - Security researcher at ERPScan - Editor of Russian hacking magazine - DEFCON Russia (DCG #7812) organizer Andrey Chasovskikh - Software developer - Windows Phone addict 2
Agenda - Windows Phone intro - Security model - All about applications - Not all applications are secure - Tools overview - Deep dive: finding vulnerabilities - Conclusion 3
WINDOWS PHONE INTRO
History of Windows Phone - The successor to the Windows Mobile OS - 15 Mar 2010 – Windows Phone 7 series announced - 21 Oct 2010 – Windows Phone 7 released - 29 Oct 2012 – Windows Phone 8 released WP7 WP7.5 Mango WP8 WP7 NoDo WP7.5 Tango version time 21 Oct 2011 27 Sep 2011 29 Oct 2012 5
Market share Source: Gartner, November 2012 6
Windows Phone Store - 125 000+ applications - Casual apps, social networks, mobile banking, enterprise applications etc. 7
SECURITY MODEL
Chamber concept, WP7 - Trusted Computing Base (TCB) Kernel, kernel-mode drivers - Elevated Rights Chamber (ERC) Services, user-mode drivers - Standard Rights Chamber (SRC) Pre-installed applications - Least Privileged Chamber (LPC) Applications from WP store 9
Chamber concept, WP8 - Trusted Computing Base (TCB) Kernel, kernel-mode drivers - Least Privileged Chamber (LPC) All other software: services, pre-installed apps, application from WP store 10
Capabilities WMAppManifest.xml Windows Phone 7 Windows Phone 8 Undocumented - Camera - All WP7 capabilities - Native code - Contacts - NFC - SMS API - Location services - SD card access - Access to user - Owner/phone identity - Wallet properties - Network services - Speech recognition - SIM API Etc. - Front camera Etc. Etc. 11
Sandboxing concept - No app communication in WP7 - Limited app-to-app in WP8 - File system structure is Isolated chamber Isolated chamber hidden App1 App2 - Isolated storages Isolated storage Isolated storage for App1 for App2 12
App-to-App, WP8 - File associations - LaunchFileAsync() - Reserved: xap, msi, bat, cmd, py, jar etc - URI associations - LaunchUriAsync() - Reserved: http, tel, wallet, LDAP, rlogin, telnet etc - Proximity communication using NFC 13
Isolated Storage Physical File Storage Isolated Storage Isolated Settings Storage Isolated File Storage Files Directory Database 14
Signing - Store applications are signed in WP7 - All binaries get signed since WP8 - Application file get signed - Kind of checksum file is put into applications - Applications XAP files have undocumented format (since Aug 2012) 15
ALL ABOUT APPLICATIONS
.NET and CLR, WP7 Applications Developer Platform (XAML, XNA, Device services) .NET Compact Framework (BCL + Silverlight flavor) WP7 OS, WinCE based 17
Framework ??? 18
.NET and CLR, WP8 Applications Developer Platform (XAML, XNA, Device services) .NET Framework (CoreCLR) WP8 OS, Win8 based 19
Framework 20
Application file structure - Application assemblies - Resources - AppManifest.xaml - WMAppManifest.xml - WMInteropManifest.xml* * — optional for WP7, absent in WP8 21
Submission and certification .xap XAP File App Creation App Submission Validation Source code Adding Metadata Publication in Certification Signing Marketplace Testing 22
Applications on a device WP7: Applications Install<ProductID>Install - Content from XAP - WMAppPRHeader.xml (package signature) Data<ProductID>DataIsolatedStorage Same idea in WP8, i.e. install path: C:DataPrograms<ProductID>Install 23
NOT ALL APPLICATIONS ARE SECURE
Security assessment App Server Data channel App Device/Emulator 25
Mobile applications security assessment Prepare environment - Get app (unpack/decrypt) - Configuration device/emulator Static analysis - Properties of program compilation - Metadata analysis - Code analysis Dynamic analysis - How application works with file system/network - Runtime code analysis 26
OWASP Top 10 Mobile Risks 1. Insecure Data Storage 2. Weak Server Side Controls 3. Insufficient Transport Layer Protection 4. Client Side Injection 5. Poor Authorization and Authentication 6. Improper Session Handling 7. Security Decisions Via Untrusted Inputs 8. Side Channel Data Leakage 9. Broken Cryptography 10. Sensitive Information Disclosure 27
WP vs. Android vs. iOS vulnerabilities WP7 (C#/VB) iOS WP8 (C#/VB/C/C++) (Objective-C) Platform independent vulnerabilities Platform specific vulnerabilities Android (Java) Note: Main programming languages in brackets 28
TOOLS OVERVIEW
Arsenal - Device - Full unlock - Emulator - Windows Phone Device Manager - Network proxy: Burp Suite, Charles etc. - .NET tools: .Net Reflector, ILSpy etc. - IDA Pro - RAIN, Boyan Balkanski - Windows Phone App Analyzer, David Rook - XAPSpy, Behrang Fouladi - XapSpyAnalysis, David Rook 30
Main issue Static analysis is insufficient. Lack of dynamic analysis tools: • IDE allows debugging with source code only • No programmable debugging interface • Managed code Solution: static byte code instrumentation. 31
Tangerine 32
Automates routine with XAP files - Unpacking - Removing application signature - Resigning assemblies - Packing - Deploying 33
Static analysis - Application info - Application capabilities - Code analysis - Code structure analysis - API usage analysis - View IL code 34
Dynamic analysis - Log application stack trace - Method names - Method parameters - Return values - Run custom code - On method enter - Replace method - On method exit - Change parameters values 35
DEEP DIVE: FINDING VULNERABILITIES
DEMO
How it works (1) Changing CIL code (2) Emulator console (writing/reading) Target Add Instrumented Resign and Emulator application hooks (1) application deploy Instrumented application Repeat Log data (2) Hooked Tangerine log Emulator console output (2) 38
CIL Instrumentation 39
Limitations - Emulator only - Does not help to overcome obfuscated code - Does not work with system assemblies - Applications from store need to be decrypted - Windows Phone 7 only 40
Cloud Compilation, WP8 Cloud C# Source CIL MDIL MDIL Code C# Compiler Assembly Assembly Compiler Download Device Native Native Image MDIL Run DLL Assembly Generator 41
MDIL in work R0 = this R1 = a R0 + 0x10 = j, where j is a field from base class 42
MDILDump http://github.com/WalkingCat/mdildump/ 43
Future work - Support Windows Phone 8 applications - MDIL instrumentation - Windows Phone RT - Add new features - Code graphical representation - Data flow analysis - Fix bugs ;) 44
CONCLUSION
Conclusion - Greater attack surface in WP8 - App-to-App - Applications that use native code - New technologies - Logical bugs never die 46
Thanks - Evgeny Bechkalo - DSecRG team 47
Q&A Dmitry Evdokimov d.evdokimov@erpscan.com @evdokimovds Andrey Chasovskikh http://andreycha.info @andreycha Tangerine: http://github.com/andreycha/tangerine

Recommended

Reverse engineering and modifying windows 8 apps
Reverse engineering and modifying windows 8 appsReverse engineering and modifying windows 8 apps
Reverse engineering and modifying windows 8 appsAmaan Khan
 
Windows Phone 8 Security and Testing WP8 Apps
Windows Phone 8 Security and Testing WP8 AppsWindows Phone 8 Security and Testing WP8 Apps
Windows Phone 8 Security and Testing WP8 AppsJorge Orchilles
 
Windows Phone Application Penetration Testing
Windows Phone Application Penetration Testing Windows Phone Application Penetration Testing
Windows Phone Application Penetration Testing Jewel Joy
 
Windows Phone 8 application security
Windows Phone 8 application securityWindows Phone 8 application security
Windows Phone 8 application securityAndrey Chasovskikh
 
Windows Phone 8 Security Deep Dive
Windows Phone 8 Security Deep DiveWindows Phone 8 Security Deep Dive
Windows Phone 8 Security Deep DiveMicrosoft Developer Network (MSDN) - Belgium and Luxembourg
 
Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Stephan Chenette
 
Operating System Windows CE 7.0 and Processor ARM Advantages and Disadvantages
Operating System Windows CE 7.0 and Processor ARM Advantages and DisadvantagesOperating System Windows CE 7.0 and Processor ARM Advantages and Disadvantages
Operating System Windows CE 7.0 and Processor ARM Advantages and DisadvantagesFatih Özlü
 
Bruh! Do you even diff?—Diffing Microsoft Patches to Find Vulnerabilities
Bruh! Do you even diff?—Diffing Microsoft Patches to Find VulnerabilitiesBruh! Do you even diff?—Diffing Microsoft Patches to Find Vulnerabilities
Bruh! Do you even diff?—Diffing Microsoft Patches to Find VulnerabilitiesPriyanka Aash
 

Recommended

Reverse engineering and modifying windows 8 apps
Reverse engineering and modifying windows 8 appsReverse engineering and modifying windows 8 apps
Reverse engineering and modifying windows 8 appsAmaan Khan
 
Windows Phone 8 Security and Testing WP8 Apps
Windows Phone 8 Security and Testing WP8 AppsWindows Phone 8 Security and Testing WP8 Apps
Windows Phone 8 Security and Testing WP8 AppsJorge Orchilles
 
Windows Phone Application Penetration Testing
Windows Phone Application Penetration Testing Windows Phone Application Penetration Testing
Windows Phone Application Penetration Testing Jewel Joy
 
Windows Phone 8 application security
Windows Phone 8 application securityWindows Phone 8 application security
Windows Phone 8 application securityAndrey Chasovskikh
 
Windows Phone 8 Security Deep Dive
Windows Phone 8 Security Deep DiveWindows Phone 8 Security Deep Dive
Windows Phone 8 Security Deep DiveMicrosoft Developer Network (MSDN) - Belgium and Luxembourg
 
Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Stephan Chenette
 
Operating System Windows CE 7.0 and Processor ARM Advantages and Disadvantages
Operating System Windows CE 7.0 and Processor ARM Advantages and DisadvantagesOperating System Windows CE 7.0 and Processor ARM Advantages and Disadvantages
Operating System Windows CE 7.0 and Processor ARM Advantages and DisadvantagesFatih Özlü
 
Bruh! Do you even diff?—Diffing Microsoft Patches to Find Vulnerabilities
Bruh! Do you even diff?—Diffing Microsoft Patches to Find VulnerabilitiesBruh! Do you even diff?—Diffing Microsoft Patches to Find Vulnerabilities
Bruh! Do you even diff?—Diffing Microsoft Patches to Find VulnerabilitiesPriyanka Aash
 
Halvar Flake: Why Johnny can’t tell if he is compromised
Halvar Flake: Why Johnny can’t tell if he is compromisedHalvar Flake: Why Johnny can’t tell if he is compromised
Halvar Flake: Why Johnny can’t tell if he is compromisedArea41
 
NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin Magazine
NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin MagazineNIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin Magazine
NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin MagazineAditya K Sood
 
Bypassing the Android Permission Model
Bypassing the Android Permission ModelBypassing the Android Permission Model
Bypassing the Android Permission ModelGeorgia Weidman
 
Permission in Android Security: Threats and solution
Permission in Android Security: Threats and solutionPermission in Android Security: Threats and solution
Permission in Android Security: Threats and solutionTandhy Simanjuntak
 
Understanding android security model
Understanding android security modelUnderstanding android security model
Understanding android security modelPragati Rai
 
ToorCon 14 : Malandroid : The Crux of Android Infections
ToorCon 14 : Malandroid : The Crux of Android InfectionsToorCon 14 : Malandroid : The Crux of Android Infections
ToorCon 14 : Malandroid : The Crux of Android InfectionsAditya K Sood
 
Android security in depth
Android security in depthAndroid security in depth
Android security in depthSander Alberink
 
RSA SF Conference talk-2009-ht2-401 sallam
RSA SF Conference talk-2009-ht2-401 sallamRSA SF Conference talk-2009-ht2-401 sallam
RSA SF Conference talk-2009-ht2-401 sallamAhmed Sallam
 
Android Security
Android SecurityAndroid Security
Android SecuritySuminda Gunawardhana
 
Android Security Overview and Safe Practices for Web-Based Android Applications
Android Security Overview and Safe Practices for Web-Based Android ApplicationsAndroid Security Overview and Safe Practices for Web-Based Android Applications
Android Security Overview and Safe Practices for Web-Based Android Applicationsh4oxer
 
Android security
Android securityAndroid security
Android securityMidhun P Gopi
 
Android secure offline storage - CC Mobile
Android secure offline storage - CC MobileAndroid secure offline storage - CC Mobile
Android secure offline storage - CC MobileSteve De Zitter
 
Hp fortify source code analyzer(sca)
Hp fortify source code analyzer(sca)Hp fortify source code analyzer(sca)
Hp fortify source code analyzer(sca)Nagaraju Repala
 
Introduction to Android Development and Security
Introduction to Android Development and SecurityIntroduction to Android Development and Security
Introduction to Android Development and SecurityKelwin Yang
 
Deep Dive Into Android Security
Deep Dive Into Android SecurityDeep Dive Into Android Security
Deep Dive Into Android SecurityMarakana Inc.
 
Analysis and research of system security based on android
Analysis and research of system security based on androidAnalysis and research of system security based on android
Analysis and research of system security based on androidRavishankar Kumar
 
Android Security
Android SecurityAndroid Security
Android SecurityArqum Ahmad
 
CNIT 128 6. Analyzing Android Applications (Part 2 of 3)
CNIT 128 6. Analyzing Android Applications (Part 2 of 3)CNIT 128 6. Analyzing Android Applications (Part 2 of 3)
CNIT 128 6. Analyzing Android Applications (Part 2 of 3)Sam Bowne
 
Secret of Intel Management Engine by Igor Skochinsky
Secret of Intel Management Engine by Igor SkochinskySecret of Intel Management Engine by Igor Skochinsky
Secret of Intel Management Engine by Igor SkochinskyCODE BLUE
 
Understanding Android Security
Understanding Android SecurityUnderstanding Android Security
Understanding Android SecurityAsanka Dilruk
 
Android sandbox
Android sandboxAndroid sandbox
Android sandboxAnusha Chavan
 
How to Customize Android Framework&System
How to Customize Android Framework&SystemHow to Customize Android Framework&System
How to Customize Android Framework&SystemIndustrial Technology Research Institute (ITRI)(工業技術研究院, 工研院)
 

More Related Content

What's hot

Halvar Flake: Why Johnny can’t tell if he is compromised
Halvar Flake: Why Johnny can’t tell if he is compromisedHalvar Flake: Why Johnny can’t tell if he is compromised
Halvar Flake: Why Johnny can’t tell if he is compromisedArea41
 
NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin Magazine
NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin MagazineNIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin Magazine
NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin MagazineAditya K Sood
 
Bypassing the Android Permission Model
Bypassing the Android Permission ModelBypassing the Android Permission Model
Bypassing the Android Permission ModelGeorgia Weidman
 
Permission in Android Security: Threats and solution
Permission in Android Security: Threats and solutionPermission in Android Security: Threats and solution
Permission in Android Security: Threats and solutionTandhy Simanjuntak
 
Understanding android security model
Understanding android security modelUnderstanding android security model
Understanding android security modelPragati Rai
 
ToorCon 14 : Malandroid : The Crux of Android Infections
ToorCon 14 : Malandroid : The Crux of Android InfectionsToorCon 14 : Malandroid : The Crux of Android Infections
ToorCon 14 : Malandroid : The Crux of Android InfectionsAditya K Sood
 
Android security in depth
Android security in depthAndroid security in depth
Android security in depthSander Alberink
 
RSA SF Conference talk-2009-ht2-401 sallam
RSA SF Conference talk-2009-ht2-401 sallamRSA SF Conference talk-2009-ht2-401 sallam
RSA SF Conference talk-2009-ht2-401 sallamAhmed Sallam
 
Android Security Overview and Safe Practices for Web-Based Android Applications
Android Security Overview and Safe Practices for Web-Based Android ApplicationsAndroid Security Overview and Safe Practices for Web-Based Android Applications
Android Security Overview and Safe Practices for Web-Based Android Applicationsh4oxer
 
Android secure offline storage - CC Mobile
Android secure offline storage - CC MobileAndroid secure offline storage - CC Mobile
Android secure offline storage - CC MobileSteve De Zitter
 
Hp fortify source code analyzer(sca)
Hp fortify source code analyzer(sca)Hp fortify source code analyzer(sca)
Hp fortify source code analyzer(sca)Nagaraju Repala
 
Introduction to Android Development and Security
Introduction to Android Development and SecurityIntroduction to Android Development and Security
Introduction to Android Development and SecurityKelwin Yang
 
Deep Dive Into Android Security
Deep Dive Into Android SecurityDeep Dive Into Android Security
Deep Dive Into Android SecurityMarakana Inc.
 
Analysis and research of system security based on android
Analysis and research of system security based on androidAnalysis and research of system security based on android
Analysis and research of system security based on androidRavishankar Kumar
 
Android Security
Android SecurityAndroid Security
Android SecurityArqum Ahmad
 
CNIT 128 6. Analyzing Android Applications (Part 2 of 3)
CNIT 128 6. Analyzing Android Applications (Part 2 of 3)CNIT 128 6. Analyzing Android Applications (Part 2 of 3)
CNIT 128 6. Analyzing Android Applications (Part 2 of 3)Sam Bowne
 
Secret of Intel Management Engine by Igor Skochinsky
Secret of Intel Management Engine by Igor SkochinskySecret of Intel Management Engine by Igor Skochinsky
Secret of Intel Management Engine by Igor SkochinskyCODE BLUE
 
Understanding Android Security
Understanding Android SecurityUnderstanding Android Security
Understanding Android SecurityAsanka Dilruk
 

What's hot (20)

Halvar Flake: Why Johnny can’t tell if he is compromised
Halvar Flake: Why Johnny can’t tell if he is compromisedHalvar Flake: Why Johnny can’t tell if he is compromised
Halvar Flake: Why Johnny can’t tell if he is compromised
 
NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin Magazine
NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin MagazineNIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin Magazine
NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin Magazine
 
Bypassing the Android Permission Model
Bypassing the Android Permission ModelBypassing the Android Permission Model
Bypassing the Android Permission Model
 
Permission in Android Security: Threats and solution
Permission in Android Security: Threats and solutionPermission in Android Security: Threats and solution
Permission in Android Security: Threats and solution
 
Understanding android security model
Understanding android security modelUnderstanding android security model
Understanding android security model
 
ToorCon 14 : Malandroid : The Crux of Android Infections
ToorCon 14 : Malandroid : The Crux of Android InfectionsToorCon 14 : Malandroid : The Crux of Android Infections
ToorCon 14 : Malandroid : The Crux of Android Infections
 
Android security in depth
Android security in depthAndroid security in depth
Android security in depth
 
RSA SF Conference talk-2009-ht2-401 sallam
RSA SF Conference talk-2009-ht2-401 sallamRSA SF Conference talk-2009-ht2-401 sallam
RSA SF Conference talk-2009-ht2-401 sallam
 
Android Security
Android SecurityAndroid Security
Android Security
 
Android Security Overview and Safe Practices for Web-Based Android Applications
Android Security Overview and Safe Practices for Web-Based Android ApplicationsAndroid Security Overview and Safe Practices for Web-Based Android Applications
Android Security Overview and Safe Practices for Web-Based Android Applications
 
Android security
Android securityAndroid security
Android security
 
Android secure offline storage - CC Mobile
Android secure offline storage - CC MobileAndroid secure offline storage - CC Mobile
Android secure offline storage - CC Mobile
 
Hp fortify source code analyzer(sca)
Hp fortify source code analyzer(sca)Hp fortify source code analyzer(sca)
Hp fortify source code analyzer(sca)
 
Introduction to Android Development and Security
Introduction to Android Development and SecurityIntroduction to Android Development and Security
Introduction to Android Development and Security
 
Deep Dive Into Android Security
Deep Dive Into Android SecurityDeep Dive Into Android Security
Deep Dive Into Android Security
 
Analysis and research of system security based on android
Analysis and research of system security based on androidAnalysis and research of system security based on android
Analysis and research of system security based on android
 
Android Security
Android SecurityAndroid Security
Android Security
 
CNIT 128 6. Analyzing Android Applications (Part 2 of 3)
CNIT 128 6. Analyzing Android Applications (Part 2 of 3)CNIT 128 6. Analyzing Android Applications (Part 2 of 3)
CNIT 128 6. Analyzing Android Applications (Part 2 of 3)
 
Secret of Intel Management Engine by Igor Skochinsky
Secret of Intel Management Engine by Igor SkochinskySecret of Intel Management Engine by Igor Skochinsky
Secret of Intel Management Engine by Igor Skochinsky
 
Understanding Android Security
Understanding Android SecurityUnderstanding Android Security
Understanding Android Security
 

Similar to Inspection of Windows Phone applications

Pentesting iOS Applications
Pentesting iOS ApplicationsPentesting iOS Applications
Pentesting iOS Applicationsjasonhaddix
 
Runtime 8 and Windows Phone 8
Runtime 8 and Windows Phone 8Runtime 8 and Windows Phone 8
Runtime 8 and Windows Phone 8Damir Dobric
 
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat DasNull Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat Dasnullowaspmumbai
 
Windows Phone 8 Advanced Developers Conference
Windows Phone 8 Advanced Developers ConferenceWindows Phone 8 Advanced Developers Conference
Windows Phone 8 Advanced Developers ConferenceDamir Dobric
 
Adc2012 windows phone 8
Adc2012 windows phone 8Adc2012 windows phone 8
Adc2012 windows phone 8AlexanderGoetz
 
Android Development in a Nutshell
Android Development in a NutshellAndroid Development in a Nutshell
Android Development in a NutshellAleix Solé
 
Manish Chasta - Securing Android Applications
Manish Chasta - Securing Android ApplicationsManish Chasta - Securing Android Applications
Manish Chasta - Securing Android ApplicationsPositive Hack Days
 
Droidcon uk2012 androvm
Droidcon uk2012 androvmDroidcon uk2012 androvm
Droidcon uk2012 androvmdfages
 
Begining Android Development
Begining Android DevelopmentBegining Android Development
Begining Android DevelopmentHayi Nukman
 
Mobile application security
Mobile application securityMobile application security
Mobile application securityShubhneet Goel
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application SecurityIshan Girdhar
 
Androidoverview 100405150711-phpapp01
Androidoverview 100405150711-phpapp01Androidoverview 100405150711-phpapp01
Androidoverview 100405150711-phpapp01Santosh Sh
 
EclipseEmbeddedDay2009-OSGi: Best Tool In Your Embedded Systems Toolbox
EclipseEmbeddedDay2009-OSGi: Best Tool In Your Embedded Systems ToolboxEclipseEmbeddedDay2009-OSGi: Best Tool In Your Embedded Systems Toolbox
EclipseEmbeddedDay2009-OSGi: Best Tool In Your Embedded Systems ToolboxBrett Hackleman
 
OSGi: Best Tool In Your Embedded Systems Toolbox
OSGi: Best Tool In Your Embedded Systems ToolboxOSGi: Best Tool In Your Embedded Systems Toolbox
OSGi: Best Tool In Your Embedded Systems ToolboxBrett Hackleman
 
How Android is different from other systems – An exploration of the design de...
How Android is different from other systems – An exploration of the design de...How Android is different from other systems – An exploration of the design de...
How Android is different from other systems – An exploration of the design de...IndicThreads
 

Similar to Inspection of Windows Phone applications (20)

Android sandbox
Android sandboxAndroid sandbox
Android sandbox
 
How to Customize Android Framework&System
How to Customize Android Framework&SystemHow to Customize Android Framework&System
How to Customize Android Framework&System
 
Pentesting iOS Applications
Pentesting iOS ApplicationsPentesting iOS Applications
Pentesting iOS Applications
 
Runtime 8 and Windows Phone 8
Runtime 8 and Windows Phone 8Runtime 8 and Windows Phone 8
Runtime 8 and Windows Phone 8
 
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat DasNull Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
 
Windows Phone 8 Advanced Developers Conference
Windows Phone 8 Advanced Developers ConferenceWindows Phone 8 Advanced Developers Conference
Windows Phone 8 Advanced Developers Conference
 
Adc2012 windows phone 8
Adc2012 windows phone 8Adc2012 windows phone 8
Adc2012 windows phone 8
 
Android Development in a Nutshell
Android Development in a NutshellAndroid Development in a Nutshell
Android Development in a Nutshell
 
Manish Chasta - Securing Android Applications
Manish Chasta - Securing Android ApplicationsManish Chasta - Securing Android Applications
Manish Chasta - Securing Android Applications
 
Droidcon uk2012 androvm
Droidcon uk2012 androvmDroidcon uk2012 androvm
Droidcon uk2012 androvm
 
Android
AndroidAndroid
Android
 
Android Anatomy
Android AnatomyAndroid Anatomy
Android Anatomy
 
Begining Android Development
Begining Android DevelopmentBegining Android Development
Begining Android Development
 
Mobile application security
Mobile application securityMobile application security
Mobile application security
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Security
 
Androidoverview 100405150711-phpapp01
Androidoverview 100405150711-phpapp01Androidoverview 100405150711-phpapp01
Androidoverview 100405150711-phpapp01
 
EclipseEmbeddedDay2009-OSGi: Best Tool In Your Embedded Systems Toolbox
EclipseEmbeddedDay2009-OSGi: Best Tool In Your Embedded Systems ToolboxEclipseEmbeddedDay2009-OSGi: Best Tool In Your Embedded Systems Toolbox
EclipseEmbeddedDay2009-OSGi: Best Tool In Your Embedded Systems Toolbox
 
Eclipse RT Day
Eclipse RT DayEclipse RT Day
Eclipse RT Day
 
OSGi: Best Tool In Your Embedded Systems Toolbox
OSGi: Best Tool In Your Embedded Systems ToolboxOSGi: Best Tool In Your Embedded Systems Toolbox
OSGi: Best Tool In Your Embedded Systems Toolbox
 
How Android is different from other systems – An exploration of the design de...
How Android is different from other systems – An exploration of the design de...How Android is different from other systems – An exploration of the design de...
How Android is different from other systems – An exploration of the design de...
 

Recently uploaded

Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Hyundai Motor Group
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetEnjoy Anytime
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 

Recently uploaded (20)

Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 

Inspection of Windows Phone applications

  • 1. Inspection of Windows Phone applications Dmitriy Evdokimov Andrey Chasovskikh
  • 2. About us Dmitriy ‘D1g1’ Evdokimov - Security researcher at ERPScan - Editor of Russian hacking magazine - DEFCON Russia (DCG #7812) organizer Andrey Chasovskikh - Software developer - Windows Phone addict 2
  • 3. Agenda - Windows Phone intro - Security model - All about applications - Not all applications are secure - Tools overview - Deep dive: finding vulnerabilities - Conclusion 3
  • 5. History of Windows Phone - The successor to the Windows Mobile OS - 15 Mar 2010 – Windows Phone 7 series announced - 21 Oct 2010 – Windows Phone 7 released - 29 Oct 2012 – Windows Phone 8 released WP7 WP7.5 Mango WP8 WP7 NoDo WP7.5 Tango version time 21 Oct 2011 27 Sep 2011 29 Oct 2012 5
  • 6. Market share Source: Gartner, November 2012 6
  • 7. Windows Phone Store - 125 000+ applications - Casual apps, social networks, mobile banking, enterprise applications etc. 7
  • 9. Chamber concept, WP7 - Trusted Computing Base (TCB) Kernel, kernel-mode drivers - Elevated Rights Chamber (ERC) Services, user-mode drivers - Standard Rights Chamber (SRC) Pre-installed applications - Least Privileged Chamber (LPC) Applications from WP store 9
  • 10. Chamber concept, WP8 - Trusted Computing Base (TCB) Kernel, kernel-mode drivers - Least Privileged Chamber (LPC) All other software: services, pre-installed apps, application from WP store 10
  • 11. Capabilities WMAppManifest.xml Windows Phone 7 Windows Phone 8 Undocumented - Camera - All WP7 capabilities - Native code - Contacts - NFC - SMS API - Location services - SD card access - Access to user - Owner/phone identity - Wallet properties - Network services - Speech recognition - SIM API Etc. - Front camera Etc. Etc. 11
  • 12. Sandboxing concept - No app communication in WP7 - Limited app-to-app in WP8 - File system structure is Isolated chamber Isolated chamber hidden App1 App2 - Isolated storages Isolated storage Isolated storage for App1 for App2 12
  • 13. App-to-App, WP8 - File associations - LaunchFileAsync() - Reserved: xap, msi, bat, cmd, py, jar etc - URI associations - LaunchUriAsync() - Reserved: http, tel, wallet, LDAP, rlogin, telnet etc - Proximity communication using NFC 13
  • 14. Isolated Storage Physical File Storage Isolated Storage Isolated Settings Storage Isolated File Storage Files Directory Database 14
  • 15. Signing - Store applications are signed in WP7 - All binaries get signed since WP8 - Application file get signed - Kind of checksum file is put into applications - Applications XAP files have undocumented format (since Aug 2012) 15
  • 17. .NET and CLR, WP7 Applications Developer Platform (XAML, XNA, Device services) .NET Compact Framework (BCL + Silverlight flavor) WP7 OS, WinCE based 17
  • 19. .NET and CLR, WP8 Applications Developer Platform (XAML, XNA, Device services) .NET Framework (CoreCLR) WP8 OS, Win8 based 19
  • 20. Framework 20
  • 21. Application file structure - Application assemblies - Resources - AppManifest.xaml - WMAppManifest.xml - WMInteropManifest.xml* * — optional for WP7, absent in WP8 21
  • 22. Submission and certification .xap XAP File App Creation App Submission Validation Source code Adding Metadata Publication in Certification Signing Marketplace Testing 22
  • 23. Applications on a device WP7: Applications Install<ProductID>Install - Content from XAP - WMAppPRHeader.xml (package signature) Data<ProductID>DataIsolatedStorage Same idea in WP8, i.e. install path: C:DataPrograms<ProductID>Install 23
  • 24. NOT ALL APPLICATIONS ARE SECURE
  • 25. Security assessment App Server Data channel App Device/Emulator 25
  • 26. Mobile applications security assessment Prepare environment - Get app (unpack/decrypt) - Configuration device/emulator Static analysis - Properties of program compilation - Metadata analysis - Code analysis Dynamic analysis - How application works with file system/network - Runtime code analysis 26
  • 27. OWASP Top 10 Mobile Risks 1. Insecure Data Storage 2. Weak Server Side Controls 3. Insufficient Transport Layer Protection 4. Client Side Injection 5. Poor Authorization and Authentication 6. Improper Session Handling 7. Security Decisions Via Untrusted Inputs 8. Side Channel Data Leakage 9. Broken Cryptography 10. Sensitive Information Disclosure 27
  • 28. WP vs. Android vs. iOS vulnerabilities WP7 (C#/VB) iOS WP8 (C#/VB/C/C++) (Objective-C) Platform independent vulnerabilities Platform specific vulnerabilities Android (Java) Note: Main programming languages in brackets 28
  • 30. Arsenal - Device - Full unlock - Emulator - Windows Phone Device Manager - Network proxy: Burp Suite, Charles etc. - .NET tools: .Net Reflector, ILSpy etc. - IDA Pro - RAIN, Boyan Balkanski - Windows Phone App Analyzer, David Rook - XAPSpy, Behrang Fouladi - XapSpyAnalysis, David Rook 30
  • 31. Main issue Static analysis is insufficient. Lack of dynamic analysis tools: • IDE allows debugging with source code only • No programmable debugging interface • Managed code Solution: static byte code instrumentation. 31
  • 32. Tangerine 32
  • 33. Automates routine with XAP files - Unpacking - Removing application signature - Resigning assemblies - Packing - Deploying 33
  • 34. Static analysis - Application info - Application capabilities - Code analysis - Code structure analysis - API usage analysis - View IL code 34
  • 35. Dynamic analysis - Log application stack trace - Method names - Method parameters - Return values - Run custom code - On method enter - Replace method - On method exit - Change parameters values 35
  • 36. DEEP DIVE: FINDING VULNERABILITIES
  • 37. DEMO
  • 38. How it works (1) Changing CIL code (2) Emulator console (writing/reading) Target Add Instrumented Resign and Emulator application hooks (1) application deploy Instrumented application Repeat Log data (2) Hooked Tangerine log Emulator console output (2) 38
  • 40. Limitations - Emulator only - Does not help to overcome obfuscated code - Does not work with system assemblies - Applications from store need to be decrypted - Windows Phone 7 only 40
  • 41. Cloud Compilation, WP8 Cloud C# Source CIL MDIL MDIL Code C# Compiler Assembly Assembly Compiler Download Device Native Native Image MDIL Run DLL Assembly Generator 41
  • 42. MDIL in work R0 = this R1 = a R0 + 0x10 = j, where j is a field from base class 42
  • 44. Future work - Support Windows Phone 8 applications - MDIL instrumentation - Windows Phone RT - Add new features - Code graphical representation - Data flow analysis - Fix bugs ;) 44
  • 46. Conclusion - Greater attack surface in WP8 - App-to-App - Applications that use native code - New technologies - Logical bugs never die 46
  • 47. Thanks - Evgeny Bechkalo - DSecRG team 47
  • 48. Q&A Dmitry Evdokimov d.evdokimov@erpscan.com @evdokimovds Andrey Chasovskikh http://andreycha.info @andreycha Tangerine: http://github.com/andreycha/tangerine