This document discusses security testing of Windows Phone 8 applications. It provides an overview of the Windows Phone 8 platform and architecture, including the use of the NT kernel and sandboxing of applications. Methods for testing applications are covered, including dynamic analysis using a proxy to view network traffic and static analysis by decompiling application files. Vulnerabilities that may be tested for are also outlined, such as lack of encryption or validation of certificates. The document concludes that while application testing depends on access to application files, server and client side testing is similar to other mobile platforms.

1. Windows Phone 8 Security &
Testing WP8 Apps
Jorge Orchilles
1

2. whoami
• Advanced PenTest & QC – Large Financial
• Master of Science and BBA in Management Information
Systems – Florida International University
• Author – Microsoft Windows 7 Administrator’s Reference
(Syngress)
• Certifications – GXPN, CISM, CISSP, GPEN, GCIH, CEH,
CICP, CCDA, CSSDS, MCTS, MCP, Security+, CISM
• SANS Instructor – SEC504, SEC560, SEC577
• Organizations
– Director - South Florida ISSA
– Member - OWASP, InfraGard, Miami Electronic Crimes Task Force,
Hack Miami
2

3. Microsoft has a phone?
• Windows Phone 8 (WP8) – used to be called
Windows Mobile until 7.x
– Released Oct 2012
– ARM Hardware Architecture (like iOS, Android, and
Blackberry)
– Windows Phone Runtime Application Architecture
• Developer apps work on both Windows 8 and WP8
– Windows NT kernel
• Windows Phone 8.1 recently released
– Fixed 1.5 of 3 issues found in my original research

4. Understand the platform
• WP7 uses Windows CE kernel
• WP8 uses NT Kernel
– 128-bit BitLocker for device encryption
– NTFS file system
– Sandboxed apps
– SafeBoot: Secure UEFI Boot
• Can’t boot software without correct digital signature to be loaded
on the phone
• TPM 2.0 – requires unique keys to be burned into chip during
production
– WP8 binaries must have Microsoft signed digital signatures

5. Chambers
• Trusted Computing Base (TCB)
– Kernel & kernel-mode drivers
• Least Privileged Chamber (LPC)
– Services
– Apps

6. Capabilities

7. App Sandboxing
• Each app has a local isolated storage
• Limited app-to-app communication
• App A cannot see App B storage
• App folder has:
– Settings
– Files
– Directories
– Database

8. Jailbreak?
• WP8 is closed OS, just like most things M$
• No jailbreak yet – some activities you would like to do
for mobile device testing will not be possible
– Access to memory
– Local file system and storage
– Transfer files to and from device

9. What would a JB look like?
• Exploit a vulnerability
– Client side vulnerability for IE 10 or 11
• Escalate privilege to SYSTEM
• Bypass SecureBoot
• Disable application code signing
• Create a trusted app store certificate

10. What we can test
• Application Logic
• Server side
• Client side
• Local app storage – requires XAP file
• Local app configuration – requires XAP file

11. Prerequisites
• Physical Device or Emulator
• Windows Phone SDK
• Unlocking the device
• XAP file or app
• HTTP Proxy

12. Physical or Emulator
• Prefer physical – devices are cheap
– Nokia Lumia 920
• Emulator
– Hyper-V images
– x86 instead of ARM
– Fake binaries
• FakeLed.sys, FakeModem.dll
– Different browser user-agent
– Cannot install apps from Store

13. Windows Phone SDK
• Requires Windows 8 64-bit w/Hyper-V enabled
– For VM, set hypervisor.cpuid.v0 = “FALSE”
– Control Panel – Programs – Turn Windows Features on or off
– Check Hyper-V
• Free at http://dev.windowsphone.com
• Emulator is installed as part of SDK
– C:Program Files (x86)Microsoft XDE8.0XDE.exe
• Visual Studio Express 2012

14. Unlock the Device
• For physical devices only
• Must unlock the device to be able to side load apps
• Join the dev program (lifetime membership now)
– $19 allows 3 side loaded apps
– $99 dev account allows 10 side loaded app
– $399 company trusted cert for enterprise app store
• Register it on dev.windowsphone.com

15. XAP File
• Windows Phone App file: .xap
– Used for Silverlight apps as well
• Contains an App.Manifest.xaml
– Defines assemblies and DLLs that get deployed
• XAP files downloaded from Store come with
PlayReady DRM
– DRM is added by the marketplace in realtime, based on the
LiveID cookie value
– Encrypted XAP files will not run in emulator
• Request XAP from developers

16. DRM vs. No DRM

17. Side loading apps
• Defined: installing applications on your device without
going through the official Store
• Use SDK or Windows Phone Power Tools
• Live Demo
• If fail then video

18. Methodology
• Information Gathering
– Describes the steps and things to consider when you are in
the early stage reconnaissance and mapping phases of
testing as well as determining the application’s magnitude of
effort and scoping.
• Dynamic Analysis
– Executing an application either on the device itself or within a
simulator/emulator and interacting with the remote services
with which the application communicates. This includes
assessing the application’s local inter process
communication surface, forensic analysis of the local file
system, and assessing remote service dependencies.
• Static Analysis
– Analyzing raw mobile source code, decompile or
disassembled code.

19. Information Gathering
• First step of any assessment!
– Understand what you are testing
• App is installed right?
– Side loaded or from Store
• Learn how the app works

20. Information Gathering
• Navigate through the application
– This will expose you to the application as an end user would use it.
Tap through all the different features, look at the settings, etc. This
may be performed on the device or in the emulator as we covered in
previous sections.
• Identify the network interfaces used
– Does the application require internet connectivity? If so, does it work
through Wi-Fi only, SIM only? Does the application use bluetooth,
NFC, a VPN?
• Does the application take your input? Any sensitive information?
Does it access any sensitive information?
• Does the application perform transactions? In-app purchases?
Credit card or payment information?
• What other components does the application interact with?
Contact list, calendar, camera, location?
• Do some reconnaissance. Has this app been talked about
already? Search Google, app store reviews, etc.

21. Vulnerabilities?
• No application pass code
– Does the app reveal sensitive information that requires
authentication? Should it have it’s own pass code. This may
be a consideration for apps storing company data while the
devices are BYOD and don’t require a device pass code.
• Weak pass code
– Does the app enforce good password policies?
– Minimum of how many characters?
– Complexity?
– Password rotation?
– Password lock out?
• Sensitive information stored on disk
– Does the app request sensitive information from the end user
and then store it?

22. Dynamic Testing
• Use an HTTP proxy to see traffic
– Install cert to see HTTPS
• If traffic is not HTTP(s)
– Perform MiTM
• Mallory
• Access Point
• ARP Poisoning
• Cannot do VPN!

23. HTTP Proxy
• Notice no authentication for
HTTP proxy!
– Corporate proxies should
require authentication
– Fixed in 8.1 for corporate
deployments

24. Now you see traffic!

25. Generate SSL Cert
• Email it to yourself
• Save it on SkyDrive and access it from IE (remember
App Sandboxing won’t allow you to install the cert
onto the device if it is opened with SkyDrive App)
• Transfer it via USB
• Host it on a web server and browse to it with IE

26. Install SSL Cert
• Note there is no digital
certificate management
• Your device will accept this
cert as valid until expiration

27. If Emulator
• Windows Phone 8 emulator is a Hyper-V virtual
machine with it’s own IP address.
• This means the network traffic will route from the
virtual machine (emulator) to your Windows 8 system
running the SDK and then out to the Internet.
• The easiest way to configure the emulator to use a
proxy is to configure the Windows 8 system’s IE proxy
settings.

28. If Emulator

29. More Information Gathering
• Can you determine anything about the server side application
environment?
– Hosting provider (AWS, App Engine, Heroku, Rackspace, Azure, etc.)
– Development environment (Rails, Java, Django, ASP.NET, etc.)
– Does the application leverage Single Sign On or Authentication APIs
(Google Apps, Facebook, iTunes, OAuth, etc.)
– Any other APIs in use
• Payment gateways
• SMS messaging
• Social networks
• Cloud file storage
• Ad networks
• Perform a thorough crawl of exposed web resources and sift
through the requests and responses to identify potentially
interesting data or behavior
– Leaking sensitive information (i.e. credentials) in the response
– Resources not exposed through the UI
– Error messages
– Cacheable information

30. More Vulnerabilities
• Encryption not enforced
– I prefer always enforcing HTTPS even for non-sensitive data.
Most end users connect to any free/untrusted WiFi and
modifying HTTP data is trivial.
– More of an integrity issue than confidentiality
• Sensitive information sent in clear text
– Credentials sent over HTTP instead of HTTPS
• Digital Certificate not validated
– Does the app accept the invalid cert and send sensitive
information?
– No warning on invalid digital certificate
• Basic Authentication used
• No Mutual Authentication

31. HTTPS for EVERYTHING
• Traditionally, encryption was used to maintain
confidentiality
• With mobile apps, you also need to maintain Integrity
• Push for everything being HTTPS
• OR ELSE

32. No HTTPS… Stock market crash

33. Local Storage
• Only works if XAP was provided
• Live Demo
• Or video

34. Static Analysis
• Requires XAP with no DRM
• Decompile apps
– XAML Spy - commercial
• ILSPY - free
• JustDecompile
• .NET Reflector - commercial
– Tangerine - free

35. New in Windows Phone 8.1
• VPN Connectivity
• Enterprise Wi-FI
– PEAP-MSCHAPv2
– EAP-TLS
– EAP-TTLS
• Certificate Management
– Only through MDM
• Virtual Smart Cards for MFA
• MDM
– Remote Wipe
– App allow and deny
Presentation Title

36. Conclusion
• WP8 is pretty secure
• Complex attack surface
• App testing is dependent on XAP file access
• Server and Client side testing remains the similar to
other mobile platforms

37. Questions?
• http://orchilles.com/category/wp8/
• Thanks for your time and feedback!
• Feel free to contact me
jorge@orchilles.com
@jorgeorchilles
www.orchilles.com