[PPT] - Inspection of Windows Phone applications Dmitriy Evdokimov Andrey PowerPoint Presentation

SLIDE 1

Inspection of Windows Phone applications

Dmitriy Evdokimov Andrey Chasovskikh

SLIDE 2

About us

Dmitriy ‘D1g1’ Evdokimov

Security researcher at ERPScan
Editor of Russian hacking magazine
DEFCON Russia (DCG #7812) organizer

Andrey Chasovskikh

Software developer
Windows Phone addict

2

SLIDE 3

Agenda

Windows Phone intro
Security model
All about applications
Not all applications are secure
Tools overview
Deep dive: finding vulnerabilities
Conclusion

3

SLIDE 4

WINDOWS PHONE INTRO

SLIDE 5

The successor to the Windows Mobile OS
15 Mar 2010 – Windows Phone 7 series

announced

21 Oct 2010 – Windows Phone 7 released
29 Oct 2012 – Windows Phone 8 released

History of Windows Phone

time version

WP7 WP7 NoDo WP7.5 Mango WP7.5 Tango WP8 27 Sep 2011 29 Oct 2012 21 Oct 2011

5

SLIDE 6

Market share

Source: Gartner, November 2012

6

SLIDE 7

125 000+ applications
Casual apps, social networks, mobile banking,

enterprise applications etc.

Windows Phone Store

7

SLIDE 8

SECURITY MODEL

SLIDE 9

Trusted Computing Base (TCB)

Kernel, kernel-mode drivers

Elevated Rights Chamber (ERC)

Services, user-mode drivers

Standard Rights Chamber (SRC)

Pre-installed applications

Least Privileged Chamber (LPC)

Applications from WP store

Chamber concept, WP7

9

SLIDE 10

Trusted Computing Base (TCB)

Kernel, kernel-mode drivers

Least Privileged Chamber (LPC)

All other software: services, pre-installed apps, application from WP store

Chamber concept, WP8

10

SLIDE 11

Capabilities

Windows Phone 7

Camera
Contacts
Location services
Owner/phone identity
Network services

Etc.

Undocumented

Native code
SMS API
Access to user

properties

SIM API

Etc.

WMAppManifest.xml

Windows Phone 8

All WP7 capabilities
NFC
SD card access
Wallet
Speech recognition
Front camera

Etc. 11

SLIDE 12

Sandboxing concept

App1 Isolated chamber App2 Isolated chamber Isolated storage for App1 Isolated storage for App2

No app communication in WP7
Limited app-to-app in WP8
File system structure is

hidden

Isolated storages

12

SLIDE 13

File associations
LaunchFileAsync()
Reserved: xap, msi, bat, cmd, py, jar etc
URI associations
LaunchUriAsync()
Reserved: http, tel, wallet, LDAP, rlogin, telnet etc
Proximity communication using NFC

App-to-App, WP8

13

SLIDE 14

Isolated Storage

Isolated Storage Isolated Settings Storage

Files Database

Isolated File Storage Directory Physical File Storage 14

SLIDE 15

Store applications are signed in WP7
All binaries get signed since WP8
Application file get signed
Kind of checksum file is put into applications
Applications XAP files have undocumented

format (since Aug 2012)

Signing

15

SLIDE 16

ALL ABOUT APPLICATIONS

SLIDE 17

.NET and CLR, WP7

Applications Developer Platform (XAML, XNA, Device services) .NET Compact Framework (BCL + Silverlight flavor) WP7 OS, WinCE based

17

SLIDE 18

???

Framework

18

SLIDE 19

.NET and CLR, WP8

Applications Developer Platform (XAML, XNA, Device services) .NET Framework (CoreCLR) WP8 OS, Win8 based

19

SLIDE 20

Framework

20

SLIDE 21

Application assemblies
Resources
AppManifest.xaml
WMAppManifest.xml
WMInteropManifest.xml*

Application file structure

* — optional for WP7, absent in WP8

21

SLIDE 22

Submission and certification

App Creation App Submission XAP File Validation Adding Metadata Certification Testing Signing Publication in Marketplace Source code .xap 22

SLIDE 23

WP7: \Applications

\Install\<ProductID>\Install\

Content from XAP
WMAppPRHeader.xml (package signature)

\Data\<ProductID>\Data\IsolatedStorage Same idea in WP8, i.e. install path: C:\Data\Programs\<ProductID>\Install\

Applications on a device

23

SLIDE 24

NOT ALL APPLICATIONS ARE SECURE

SLIDE 25

Security assessment

Server Device/Emulator Data channel App 25 App

SLIDE 26

Prepare environment

Get app (unpack/decrypt)
Configuration device/emulator

Static analysis

Properties of program compilation
Metadata analysis
Code analysis

Dynamic analysis

How application works with file system/network
Runtime code analysis

Mobile applications security assessment

26

SLIDE 27

1. Insecure Data Storage
2. Weak Server Side Controls
3. Insufficient Transport Layer Protection
4. Client Side Injection
5. Poor Authorization and Authentication
6. Improper Session Handling
7. Security Decisions Via Untrusted Inputs
8. Side Channel Data Leakage
9. Broken Cryptography
10. Sensitive Information Disclosure

OWASP Top 10 Mobile Risks

27

SLIDE 28

WP vs. Android vs. iOS vulnerabilities

WP7 (C#/VB) WP8 (C#/VB/C/C++) iOS (Objective-C) Android (Java)

Note: Main programming languages in brackets

Platform independent vulnerabilities Platform specific vulnerabilities 28

SLIDE 29

TOOLS OVERVIEW

SLIDE 30

Device
Full unlock
Emulator
Windows Phone Device Manager
Network proxy: Burp Suite, Charles etc.
.NET tools: .Net Reflector, ILSpy etc.
IDA Pro
RAIN, Boyan Balkanski
Windows Phone App Analyzer, David Rook
XAPSpy, Behrang Fouladi
XapSpyAnalysis, David Rook

Arsenal

30

SLIDE 31

Static analysis is insufficient. Lack of dynamic analysis tools:

IDE allows debugging with source code only
No programmable debugging interface
Managed code

Main issue

31

Solution: static byte code instrumentation.

SLIDE 32

Tangerine

32

SLIDE 33

Unpacking
Removing application signature
Resigning assemblies
Packing
Deploying

Automates routine with XAP files

33

SLIDE 34

Application info
Application capabilities
Code analysis
Code structure analysis
API usage analysis
View IL code

Static analysis

34

SLIDE 35

Log application stack trace
Method names
Method parameters
Return values
Run custom code
On method enter
Replace method
On method exit
Change parameters values

Dynamic analysis

35

SLIDE 36

DEEP DIVE: FINDING VULNERABILITIES

SLIDE 37

DEMO

SLIDE 38

How it works

Target application Instrumented application Emulator Emulator console Tangerine log Instrumented application Add hooks (1) Resign and deploy Hooked

utput (2)

Log data (2) Repeat

(1) Changing CIL code (2) Emulator console (writing/reading)

38

SLIDE 39

CIL Instrumentation

39

SLIDE 40

Emulator only
Does not help to overcome obfuscated code
Does not work with system assemblies
Applications from store need to be decrypted
Windows Phone 7 only

Limitations

40

SLIDE 41

Cloud Compilation, WP8

CIL Assembly C# Source Code MDIL Assembly C# Compiler MDIL Compiler Cloud MDIL Assembly

Native Image Generator

Native DLL Device

Download Run

41

SLIDE 42

MDIL in work

42

R0 = this R1 = a R0 + 0x10 = j, where j is a field from base class

SLIDE 43

MDILDump

43

http://github.com/WalkingCat/mdildump/

SLIDE 44

Support Windows Phone 8 applications
MDIL instrumentation
Windows Phone RT
Add new features
Code graphical representation
Data flow analysis
Fix bugs ;)

Future work

44

SLIDE 45

CONCLUSION

SLIDE 46

Greater attack surface in WP8
App-to-App
Applications that use native code
New technologies
Logical bugs never die

Conclusion

46

SLIDE 47

Evgeny Bechkalo
DSecRG team

Thanks

47

SLIDE 48

Q&A

Dmitry Evdokimov d.evdokimov@erpscan.com @evdokimovds Andrey Chasovskikh http://andreycha.info @andreycha Tangerine: http://github.com/andreycha/tangerine