WINDOWS PHONE 8 APPLICATION SECURITY
HackInParis 2013
Dmitriy Evdokimov
Andrey Chasovskikh
Slide 2: About us
Dmitriy ‘D1g1’ Evdokimov
- Security researcher at ERPScan
- Mobile security, RE, fuzzing, exploit development etc.
- Editor of a Russian hacking magazine
- DEFCON Russia (DCG #7812) co-organizer
Andrey Chasovskikh
- Software developer
- Windows Phone addict
Slide 3: Agenda
• Intro
• Security model
• First steps in Windows Phone 8
• Applications
• Application security
• Conclusion
INTRO
Slide 5: Intro
• 29 Oct 2012: Windows Phone 8 released
• Based on the Windows 8 core
  – ARM architecture
• Market share: 3.2% (Q1 2013, IDC)
• 145,000+ applications in the Windows Phone Store
SECURITY MODEL
Slide 7: Chambers
- Trusted Computing Base (TCB): kernel, kernel-mode drivers
- Least Privileged Chamber (LPC): all other software (services, pre-installed apps, applications from the WP Store)
Slide 8: Capabilities (declared in WMAppManifest.xml)
System capabilities (350+ in total)
- Debug
- SMS API
- Live ID
- SIM API
- etc.
Developer capabilities (27 in total)
- Network
- Camera
- NFC
- SD card access
- Wallet
- Speech recognition
- Front camera
- etc.
OEM developer capabilities (39 in total)
- Cell API
- Device management
- etc.
Slide 9: Sandboxing
(Diagram: App1 and App2 each run in their own chamber, each with its own local folder.)
• File system structure is hidden
• Local folder
  – Former isolated storage
• Limited app-to-app communication (URI, files)
Slide 10: App-to-app communication
• File type associations
  - LaunchFileAsync()
  - Reserved: xap, msi, bat, cmd, py, jar etc.
• URI associations
  - LaunchUriAsync()
  - Reserved: http, tel, wallet, LDAP, rlogin, telnet etc.
  - Proximity communication using NFC
Slide 11: Local folder
(Diagram with the labels: Local Folder, Settings Storage, Files, Database, File Storage, Directory, Physical File Storage.)
Slide 12: Application protection
• All binaries are signed
• Application file is signed
  – A kind of checksum file is put into applications
• Certificate pinning for the Store
• XAP file has a DRM key
Slide 13: The Microsoft PlayReady Ecosystem (diagram)
Slide 14: XAP file protection
• Before August 2012
  – ZIP archive
  – Signed
• After August 2012
  – New file format
  – PlayReady header
  – AES-CTR algorithm
FIRST STEPS IN WINDOWS PHONE 8
Slide 16: Windows 8 vs Windows Phone 8
• WP8 is migrating from the WinCE core to the WinNT core
• Win8/emulator (x86)
• WinRT/device (ARM)
http://intrepidusgroup.com/insight/2012/12/windows-phone-8-and-windows-8-similarity/
Slide 17: WP8 emulator
• Hyper-V images
  – %ProgramFiles(x86)%\Microsoft SDKs\Windows Phone\v8.0\Emulation\Images
• Emulator vs. device
  – x86
  – Fake binaries
    • FakeLed.sys, Fakevibra.sys, FakeModem.dll etc.
  – Different user-agent
  – Installing apps from the Store is prohibited
Slide 18: WP8 device
• Windows Phone 8 has a standardized bootloader
  – Full flash images are available
• ImgMount tool
  – Mounts an FFU image file as a virtual hard drive
Slide 19: Reversing WP8 internals
• No debug symbols
• Tip: restore information from Event Tracing for Windows (ETW)
• Use IDAPython
*InstallerWorker.exe
Slide 20: Windows API calls
• The full Windows API is not available by default
• Originally posted on XDA for Windows RT apps
  – Find the kernelbase.dll address (“MZ”) -> get the “LoadLibraryA” and “GetProcAddress” functions -> call any function you want
  – http://bit.ly/Uw2Gk6
• Works for Windows Phone 8
APPLICATIONS
Slide 22: .NET and CLR
(Layer diagram, top to bottom: Developer Platform (XAML, XNA, device services); .NET Framework (CoreCLR); WP8 OS, Win8 based.)
Slide 23: Frameworks (diagram)
Slide 24: Application kinds
• Microsoft
• OEM
  – XAP files are not encrypted (~ZIP)
  – C:\PROGRAMS\CommonFiles\Xaps
• Windows Phone Store apps
  – C:\Data\Programs\{ProductID}\Install
• Company applications
  – XAP files are not encrypted (~ZIP)
  – Company hubs
• Developer applications
  – Need developer unlock
Slide 25: Application file structure
• Application assemblies (in various formats)
• Resources
• AppManifest.xaml
• WMAppManifest.xml
APPLICATION SECURITY
Slide 27: Security?!
“One of the goals of the Windows Phone app platform is to foster the creation of apps that are secure by design and secure by default.”
(Source: Security for Windows Phone)
Slide 28: Application entry points
• User input
• SD card
• Sockets
• URI
• Web
• Bluetooth
• NFC
• Speech2Text
(Slide colour key: green = Windows Phone 7, white = Windows Phone 8)
Slide 29: Vulnerabilities
(Diagram comparing platform-independent and platform-specific vulnerabilities across Windows Phone 8 (C#/VB/C/C++), iOS (Objective-C) and Android (Java). Note: main programming languages in brackets.)
Slide 30: Work with SD card
• WP8 allows only read operations
• Only registered file types
• Files on SD cards are not encrypted
Other platforms (OS / Details):
- iOS: work with SD card is absent
- Android: READ/WRITE
Slide 31: Privacy
• Device Unique ID
  – Requires ID_CAP_IDENTITY_DEVICE
  – DeviceExtendedProperties.GetValue("DeviceUniqueId")
• Windows Live Anonymous ID
  – Requires ID_CAP_IDENTITY_USER
  – UserExtendedProperties.GetValue("ANID2")
• Both identifiers are per-publisher
Other platforms (OS / Details):
- iOS: UDID (apps that use UDIDs are no longer accepted from May 1, 2013)
- Android: telephonyManager.getDeviceId()
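Added example (not from the talk): reading the device identifier named above and turning it into an app-scoped, non-reversible value before it leaves the phone. DeviceExtendedProperties.TryGetValue is the real WP8 API (Microsoft.Phone.Info); it returns false rather than throwing when ID_CAP_IDENTITY_DEVICE is missing from the manifest, so the "no ID" path has to be handled. The scope string and class names are hypothetical.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using Microsoft.Phone.Info;

// Added example: derive a per-app identifier from DeviceUniqueId instead of
// sending the raw value to a server. The server still gets a stable ID for
// this app on this device, but cannot recover the raw ID or correlate it
// with what other publishers collect.
public static class DeviceIdentity
{
    // Hypothetical scope constant; change it and every derived ID changes.
    private const string AppScope = "com.example.myapp/v1";

    // Returns null when the app lacks ID_CAP_IDENTITY_DEVICE (TryGetValue
    // fails without an exception); callers must handle that case.
    public static string GetScopedDeviceId()
    {
        object raw;
        if (!DeviceExtendedProperties.TryGetValue("DeviceUniqueId", out raw))
            return null;
        byte[] rawId = raw as byte[];          // DeviceUniqueId is a 20-byte array
        if (rawId == null || rawId.Length == 0)
            return null;
        return ScopeId(rawId, AppScope);
    }

    // SHA-256 over (scope || rawId). The 20-byte ID space is far too large
    // to brute-force back from the digest, so the result identifies the
    // device only to parties that already hold the raw ID.
    public static string ScopeId(byte[] rawId, string scope)
    {
        byte[] scopeBytes = Encoding.UTF8.GetBytes(scope);
        byte[] input = new byte[scopeBytes.Length + rawId.Length];
        Buffer.BlockCopy(scopeBytes, 0, input, 0, scopeBytes.Length);
        Buffer.BlockCopy(rawId, 0, input, scopeBytes.Length, rawId.Length);
        using (var sha = new SHA256Managed())
            return Convert.ToBase64String(sha.ComputeHash(input));
    }
}
```

If the purpose is to recognise a user rather than a device, the slide's other identifier (ANID2 via UserExtendedProperties, requiring ID_CAP_IDENTITY_USER) is already anonymised per publisher and is the less sensitive choice.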
Slide 32: Privacy, part 2
• Device name, manufacturer, firmware versions
  – Requires ID_CAP_IDENTITY_DEVICE
  – DeviceStatus class
• Location tracking
  – ID_CAP_LOCATION
  – GeoCoordinateWatcher class
Other platforms (OS / Details):
- iOS: UDID (apps that use UDIDs are no longer accepted from May 1, 2013)
- Android: telephonyManager.getDeviceId()
Slide 33: Secure storage
• Device can be encrypted (not in all countries)
  – BitLocker 2.0/TPM
  – Available only in business settings
• Data Protection API (DPAPI)
• System.Security.Cryptography
• Algorithms: AES, HMACSHA1, HMACSHA256, Rfc2898DeriveBytes, RSA, SHA1, SHA256
Other platforms (OS / Details):
- iOS: Keychain, /System/Library/Frameworks/Security.framework
- Android: android.security.KeyChain (from 4.0)
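Added example (not from the talk) using two of the primitives the slide lists: DPAPI (ProtectedData) for a secret that should only be readable by this app on this device, and Rfc2898DeriveBytes with AES and HMACSHA256 for data that must only open with a user passphrase. The file name, salt and IV sizes, iteration count and blob layout are choices made for this example, not a platform convention.

```csharp
using System;
using System.IO;
using System.IO.IsolatedStorage;
using System.Security.Cryptography;
using System.Text;

// Added example: device-bound storage via DPAPI, and passphrase-bound
// storage via PBKDF2 + AES-CBC + HMAC-SHA256 (encrypt-then-MAC).
public static class SecretStore
{
    private const string TokenFile = "auth.token";   // hypothetical file name

    // DPAPI: the OS holds the key, so the stored blob is useless if copied
    // out of the app's local folder (e.g. from a backup or flash image).
    public static void SaveToken(string token)
    {
        byte[] blob = ProtectedData.Protect(Encoding.UTF8.GetBytes(token), null);
        using (var iso = IsolatedStorageFile.GetUserStoreForApplication())
        using (var f = iso.OpenFile(TokenFile, FileMode.Create, FileAccess.Write))
            f.Write(blob, 0, blob.Length);
    }

    public static string LoadToken()
    {
        using (var iso = IsolatedStorageFile.GetUserStoreForApplication())
        {
            if (!iso.FileExists(TokenFile)) return null;
            using (var f = iso.OpenFile(TokenFile, FileMode.Open, FileAccess.Read))
            {
                byte[] blob = new byte[f.Length];
                f.Read(blob, 0, blob.Length);
                byte[] plain = ProtectedData.Unprotect(blob, null);
                return Encoding.UTF8.GetString(plain, 0, plain.Length);
            }
        }
    }

    // Layout of the passphrase-bound blob: salt(16) | iv(16) | ciphertext | tag(32)
    public static byte[] EncryptWithPassphrase(string passphrase, byte[] plaintext)
    {
        byte[] salt = new byte[16], iv = new byte[16];
        var rng = new RNGCryptoServiceProvider();
        rng.GetBytes(salt);
        rng.GetBytes(iv);
        byte[] encKey, macKey;
        DeriveKeys(passphrase, salt, out encKey, out macKey);

        byte[] cipher;
        using (var aes = new AesManaged { Key = encKey, IV = iv })
        using (var enc = aes.CreateEncryptor())
            cipher = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);

        byte[] outBuf = new byte[32 + cipher.Length + 32];
        Buffer.BlockCopy(salt, 0, outBuf, 0, 16);
        Buffer.BlockCopy(iv, 0, outBuf, 16, 16);
        Buffer.BlockCopy(cipher, 0, outBuf, 32, cipher.Length);
        using (var hmac = new HMACSHA256(macKey))
        {
            byte[] tag = hmac.ComputeHash(outBuf, 0, 32 + cipher.Length);
            Buffer.BlockCopy(tag, 0, outBuf, 32 + cipher.Length, 32);
        }
        return outBuf;
    }

    // Returns null on a wrong passphrase or a modified blob; the MAC is
    // checked before any decryption, so there is no padding oracle.
    public static byte[] DecryptWithPassphrase(string passphrase, byte[] blob)
    {
        if (blob == null || blob.Length < 80) return null;  // at least one AES block
        byte[] salt = new byte[16], iv = new byte[16];
        Buffer.BlockCopy(blob, 0, salt, 0, 16);
        Buffer.BlockCopy(blob, 16, iv, 0, 16);
        byte[] encKey, macKey;
        DeriveKeys(passphrase, salt, out encKey, out macKey);

        int cipherLen = blob.Length - 64;
        byte[] expected;
        using (var hmac = new HMACSHA256(macKey))
            expected = hmac.ComputeHash(blob, 0, 32 + cipherLen);
        if (!TagsEqual(blob, 32 + cipherLen, expected)) return null;

        using (var aes = new AesManaged { Key = encKey, IV = iv })
        using (var dec = aes.CreateDecryptor())
            return dec.TransformFinalBlock(blob, 32, cipherLen);
    }

    // Separate keys for encryption and MAC from one PBKDF2 stream.
    private static void DeriveKeys(string passphrase, byte[] salt, out byte[] encKey, out byte[] macKey)
    {
        var kdf = new Rfc2898DeriveBytes(passphrase, salt, 10000);
        encKey = kdf.GetBytes(32);
        macKey = kdf.GetBytes(32);
    }

    // Constant-time comparison so the tag check leaks no timing information.
    private static bool TagsEqual(byte[] a, int offset, byte[] tag)
    {
        int diff = 0;
        for (int i = 0; i < tag.Length; i++) diff |= a[offset + i] ^ tag[i];
        return diff == 0;
    }
}
```

The two mechanisms protect against different things: DPAPI stops another app or an offline copy of the local folder from reading the secret, while the passphrase path also protects against whoever holds the unlocked device, at the cost of asking the user for the passphrase each time.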
Slide 34: Data leak
• Keyboard cache is isolated per application
• Cache for applications that access the internet
  – Controlled by the OS
Other platforms (OS / Details):
- iOS: plist, custom created documents, Preferences, logs, cache data, keyboard cache, pasteboard cache, cookies
- Android: shared_preference, logs, external storage, MODE_WORLD_READABLE or MODE_WORLD_WRITEABLE
Slide 35: Work with URI
• Handling function: MapUri()
• Filter user input
• Exclude critical arguments from the URI
  – Example: prgrm://command?request=data&role=admin
Other platforms (OS / Details):
- iOS: openURL(), handleOpenURL()
- Android: android.net.Uri class
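Added example (not from the talk) of a MapUri() implementation that applies the slide's two rules to the prgrm: URI above: the command and its argument are validated against an allow-list, and the privilege-carrying role argument is never read from the URI at all. It assumes the real WP8 mechanism, where a URI-association launch arrives at the app as /Protocol?encodedLaunchUri=<URL-encoded launch URI> and is decoded with System.Net.HttpUtility; the class, page and command names are hypothetical.

```csharp
using System;
using System.Net;
using System.Text.RegularExpressions;
using System.Windows.Navigation;

// Added example: UriMapper for a hypothetical "prgrm:" URI association.
public class PrgrmUriMapper : UriMapperBase
{
    // Only these commands are reachable from another app (allow-list).
    private static readonly string[] AllowedCommands = { "open", "search" };
    // The "request" argument is restricted to a conservative character set.
    private static readonly Regex SafeArgument = new Regex(@"^[A-Za-z0-9_\-]{1,64}$");

    public override Uri MapUri(Uri uri)
    {
        string launch = HttpUtility.UrlDecode(uri.ToString());
        const string prefix = "/Protocol?encodedLaunchUri=";
        if (!launch.StartsWith(prefix, StringComparison.OrdinalIgnoreCase))
            return uri;  // ordinary in-app navigation, pass through unchanged

        Uri target;
        if (TryMapLaunchUri(launch.Substring(prefix.Length), out target))
            return target;

        // Anything that fails validation lands on a harmless page; the
        // offending URI is not forwarded or echoed anywhere.
        return new Uri("/MainPage.xaml", UriKind.Relative);
    }

    // Pure function so the mapping rules can be unit-tested without a page.
    // Returns false for anything that is not a well-formed, allowed prgrm: URI.
    public static bool TryMapLaunchUri(string launchUri, out Uri target)
    {
        target = null;
        const string scheme = "prgrm://";
        if (launchUri == null || !launchUri.StartsWith(scheme, StringComparison.OrdinalIgnoreCase))
            return false;

        // prgrm://command?request=data&role=admin -> "command" and the query
        string rest = launchUri.Substring(scheme.Length);
        int q = rest.IndexOf('?');
        string command = (q < 0 ? rest : rest.Substring(0, q)).ToLowerInvariant();
        string query = q < 0 ? "" : rest.Substring(q + 1);
        if (Array.IndexOf(AllowedCommands, command) < 0)
            return false;

        string request = null;
        foreach (string pair in query.Split('&'))
        {
            int eq = pair.IndexOf('=');
            if (eq <= 0) continue;
            string key = HttpUtility.UrlDecode(pair.Substring(0, eq)).ToLowerInvariant();
            string value = HttpUtility.UrlDecode(pair.Substring(eq + 1));
            // "role" and any other unknown key are deliberately ignored: the
            // caller is another app and cannot be trusted to state its own
            // authorisation. The app's own state decides what the user may do.
            if (key == "request") request = value;
        }

        if (request == null || !SafeArgument.IsMatch(request))
            return false;

        // Rebuild the internal URI from validated parts only.
        target = new Uri("/CommandPage.xaml?cmd=" + command +
                         "&request=" + Uri.EscapeDataString(request), UriKind.Relative);
        return true;
    }
}
```

The mapper is installed once, in App.xaml.cs, with RootFrame.UriMapper = new PrgrmUriMapper(); keeping the parsing in a static method means the allow-list and the "ignore role" rule can be covered by unit tests that never touch the UI.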
Slide 36: Cross-site scripting (XSS)
• WebBrowser control (based on IE10)
• JavaScript is disabled by default
• To see if it is enabled, look for:
  – WebBrowser.IsScriptEnabled = true
  – <WebBrowser IsScriptEnabled="True" />
Other platforms (OS / Details):
- iOS: UIWebView class + stringByEvaluatingJavaScriptFromString(), shouldStartLoadWithRequest()
- Android: WebView.getSettings().setJavaScriptEnabled(); WebView.getSettings().setPluginsEnabled();
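Added example (not from the talk) showing the WebBrowser control rendering untrusted text: the weak pattern (script enabled, raw string concatenated into HTML) beside the hardened one (script left at the WP8 default of off, input HTML-encoded, and, for a control that must run script, navigation limited to an allow-list of HTTPS hosts). IsScriptEnabled, NavigateToString and the Navigating event are the control's real members; the host name and helper names are hypothetical.

```csharp
using System;
using System.Net;
using Microsoft.Phone.Controls;

// Added example: rendering a user-supplied comment in the WebBrowser control.
public static class CommentRenderer
{
    // Weak: with script enabled, a comment such as <img src=x onerror=...>
    // executes inside the control, i.e. inside the app's chamber.
    public static void RenderUnsafe(WebBrowser browser, string userComment)
    {
        browser.IsScriptEnabled = true;
        browser.NavigateToString("<html><body><p>" + userComment + "</p></body></html>");
    }

    // Hardened: script stays disabled and the untrusted string is
    // entity-encoded, so it can only ever be displayed as text.
    public static void RenderSafe(WebBrowser browser, string userComment)
    {
        browser.IsScriptEnabled = false;
        browser.NavigateToString(BuildCommentHtml(userComment));
    }

    // Pure helper so the encoding can be checked in isolation.
    public static string BuildCommentHtml(string userComment)
    {
        return "<html><body><p>" + HttpUtility.HtmlEncode(userComment) + "</p></body></html>";
    }

    // For a control that hosts a real web app and therefore needs script:
    // cancel any navigation to an origin that is not on the allow-list, so
    // injected links or redirects cannot steer it to attacker content.
    private static readonly string[] AllowedHosts = { "app.example.com" };  // hypothetical

    public static void RestrictNavigation(WebBrowser browser)
    {
        browser.Navigating += (sender, e) =>
        {
            if (!IsAllowedNavigation(e.Uri))
                e.Cancel = true;
        };
    }

    public static bool IsAllowedNavigation(Uri uri)
    {
        if (uri == null || !uri.IsAbsoluteUri) return true;  // in-app relative content
        if (!string.Equals(uri.Scheme, "https", StringComparison.OrdinalIgnoreCase))
            return false;
        return Array.IndexOf(AllowedHosts, uri.Host.ToLowerInvariant()) >= 0;
    }
}
```

Because the control shares the app's chamber and local folder, script running in it has whatever the app can reach; that is why the default-off setting and the encoding matter more here than on a desktop browser.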
Slide 37: Directory traversal
• Local folder API accepts paths with traversal
  – IsolatedStorageFile class (WP7)
  – StorageFolder class
• Win32 storage API
Other platforms (OS / Details):
- iOS: contentsAtPath, fileHandleForReadingAtPath, _fopen etc.
- Android: ContentProvider + incorrect or missing rights, file functions
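Added example (not from the talk) of opening a file in the local folder by a name that came from outside the app (a URI argument, a server response, an SD card listing) without letting that name escape the intended directory. It uses the real WP8 StorageFolder/StorageFile API from Windows.Storage; the "cache" subfolder and helper names are hypothetical.

```csharp
using System;
using System.IO;
using System.Threading.Tasks;
using Windows.Storage;

// Added example: two layers of defence against traversal in the local
// folder API, which takes whatever name it is given.
public static class SafeLocalFiles
{
    // Syntactic check: a bare file name only. No separators or drive
    // letters, no "." / "..", no characters the file system rejects.
    public static bool IsSafeFileName(string name)
    {
        if (string.IsNullOrEmpty(name) || name.Length > 100) return false;
        if (name == "." || name == "..") return false;
        if (name.IndexOfAny(new[] { '\\', '/', ':' }) >= 0) return false;
        if (name.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0) return false;
        return true;
    }

    // Opens <LocalFolder>\cache\<name> for reading. After the name check,
    // the resolved path of the StorageFile is compared against the folder
    // it was supposed to come from, which catches anything the syntactic
    // check did not anticipate.
    public static async Task<Stream> OpenCachedFileAsync(string untrustedName)
    {
        if (!IsSafeFileName(untrustedName))
            throw new ArgumentException("Invalid file name");

        StorageFolder cache = await ApplicationData.Current.LocalFolder
            .CreateFolderAsync("cache", CreationCollisionOption.OpenIfExists);
        StorageFile file = await cache.GetFileAsync(untrustedName);

        string root = cache.Path.TrimEnd('\\') + "\\";
        if (!file.Path.StartsWith(root, StringComparison.OrdinalIgnoreCase))
            throw new UnauthorizedAccessException("Path escaped the cache folder");

        return await file.OpenStreamForReadAsync();
    }
}
```

The same two checks apply to the WP7-era IsolatedStorageFile API, where the string passed to OpenFile is a path relative to the store root and ".." segments are honoured in the same way.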
Slide 38: XML External Entity (XXE)
• System.Xml namespace
  – Entity resolving is prohibited by default
• Entities can be resolved by using a custom XmlResolver for XmlDocument
Other platforms (OS / Details):
- iOS: libXML2 + _xmlParseMemory, NSXMLParser + setShouldResolveExternalEntities:YES
- Android: setFeature(external-general-entities, True)
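Added example (not from the talk) contrasting a permissive and a secure XmlReaderSettings for XML from an untrusted source. It is written against the System.Xml members that exist in desktop .NET and in the WP8 subset (XmlReaderSettings.DtdProcessing and XmlResolver, XmlReader.Create, XDocument.Load); the sample document is constructed for the example and uses an internal entity, since that expands with DTD processing alone, while an external entity would additionally need the XmlResolver the slide mentions.

```csharp
using System;
using System.IO;
using System.Xml;
using System.Xml.Linq;

// Added example: whether entities are honoured is decided entirely by the
// XmlReaderSettings the reader is created with.
public static class UntrustedXml
{
    // Constructed sample: a DTD declaring an internal entity that the parser
    // expands when DTD processing is allowed. The external form would be
    // <!ENTITY greet SYSTEM "some-uri"> and also needs a non-null XmlResolver.
    public const string SampleWithDtd =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE msg [ <!ENTITY greet \"hello from the DTD\"> ]>\n" +
        "<msg><text>&greet;</text></msg>";

    // Secure: any <!DOCTYPE ...> is rejected outright, and no resolver is
    // present even if DTD handling were later relaxed.
    public static XmlReaderSettings SecureSettings()
    {
        return new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,
            XmlResolver = null
        };
    }

    // Weak: the DTD is parsed and entities are expanded; adding a resolver
    // here is what turns internal expansion into external entity fetches.
    public static XmlReaderSettings PermissiveSettings()
    {
        return new XmlReaderSettings { DtdProcessing = DtdProcessing.Parse };
    }

    // Returns the <text> content, or null when the reader refuses the input.
    public static string ReadText(string xml, XmlReaderSettings settings)
    {
        try
        {
            using (XmlReader reader = XmlReader.Create(new StringReader(xml), settings))
            {
                XDocument doc = XDocument.Load(reader);
                return (string)doc.Root.Element("text");
            }
        }
        catch (XmlException)
        {
            return null;  // DOCTYPE prohibited, malformed input, etc.
        }
    }
}
```

With PermissiveSettings the sample's entity is expanded into the element text; with SecureSettings the DOCTYPE raises an XmlException and ReadText returns null, which is the behaviour a parser for network or SD-card input should have.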
Slide 39: SQL injection
• Bad:
• Good:
Other platforms (OS / Details):
- iOS: sqlite3_exec()
- Android: query(), rawQuery()
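Added example (not from the talk, and not the slide's own "Bad"/"Good" screenshots, which are not in this transcript) of the two patterns on WP8. It assumes sqlite-net, a common SQLite wrapper for WP8 apps; SQLiteConnection.Query<T> with "?" placeholders and Table<T>() are that library's real API. The Note table and column names are hypothetical.

```csharp
using System.Collections.Generic;
using System.Linq;
using SQLite;  // sqlite-net (assumption: the app uses this wrapper)

// Added example: hypothetical table.
public class Note
{
    [PrimaryKey, AutoIncrement] public int Id { get; set; }
    public string Owner { get; set; }
    public string Body { get; set; }
}

public static class NoteStore
{
    // Bad: the caller-controlled string is spliced into the statement, so an
    // owner value such as  x' OR '1'='1  returns every row in the table.
    public static List<Note> FindByOwnerUnsafe(SQLiteConnection db, string owner)
    {
        return db.Query<Note>("SELECT * FROM Note WHERE Owner = '" + owner + "'");
    }

    // Good: the value is bound as a parameter; SQLite never parses it as SQL,
    // so quotes in it are just data.
    public static List<Note> FindByOwner(SQLiteConnection db, string owner)
    {
        return db.Query<Note>("SELECT * FROM Note WHERE Owner = ?", owner);
    }

    // Also good for simple filters: LINQ over the table, no SQL text at all.
    public static List<Note> FindByOwnerLinq(SQLiteConnection db, string owner)
    {
        return db.Table<Note>().Where(n => n.Owner == owner).ToList();
    }
}
```

The database is created with db.CreateTable<Note>() on first run; the only difference between the unsafe and safe query is where the owner value enters, as SQL text or as a bound parameter, which is exactly what to look for when reviewing rawQuery()-style calls on any of the three platforms.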
Slide 40: Memory corruption bugs
• Developers can use native code
• Format string, BoF, use-after-free etc.
  – C/C++ functions
• Compilation flags: /sdl, /GS, /DYNAMICBASE, /NXCOMPAT
Other platforms (OS / Details):
- iOS: -fPIE, -fstack-protector-all, -fobjc-arc
- Android: only in native libs; -fstack-protector, -Wformat-security, NX, ASLR, PIE
CONCLUSION
Slide 42: Conclusion
• Windows Phone 8 is pretty secure
• Greater attack surface
• Security-related API
• More flexible than in iOS
• Simpler than in Android
Slide 43: Q&A
Dmitry ‘D1g1’ Evdokimov
d.evdokimov@erpscan.com
@evdokimovds
Andrey Chasovskikh
http://andreycha.info
@andreycha


Editor's Notes

• #21: We can also study the system dynamically. By default a developer can use only a limited subset of the Win32 API functions, but an old technique for calling arbitrary functions still applies: make any allowed call from kernelbase.dll and find the DLL's base address by its ‘MZ’ signature, then parse the import table and find the LoadLibraryA and GetProcAddress functions; now you can load libraries and call any functions you want. This technique was used on Windows RT, where developers also cannot use the Win32 API in full. We checked it for Windows Phone 8, and it works there too: for example, you can read the contents of the Windows folder.