Windows Phone 8 Security and Testing WP8 Apps

Post on 12-Jul-2015


Windows Phone 8 Security & Testing WP8 Apps

Jorge Orchilles


whoami

• Advanced PenTest & QC – Large Financial

• Master of Science and BBA in Management Information Systems – Florida International University

• Author – Microsoft Windows 7 Administrator’s Reference (Syngress)

• Certifications – GXPN, CISM, CISSP, GPEN, GCIH, CEH, CICP, CCDA, CSSDS, MCTS, MCP, Security+, CISM

• SANS Instructor – SEC504, SEC560, SEC577

• Organizations

– Director - South Florida ISSA

– Member - OWASP, InfraGard, Miami Electronic Crimes Task Force, Hack Miami


Microsoft has a phone?

• Windows Phone 8 (WP8) – used to be called Windows Mobile until 7.x

– Released Oct 2012

– ARM Hardware Architecture (like iOS, Android, and Blackberry)

– Windows Phone Runtime Application Architecture

• Developer apps work on both Windows 8 and WP8

– Windows NT kernel

• Windows Phone 8.1 recently released

– Fixed 1.5 of 3 issues found in my original research

Understand the platform

• WP7 uses Windows CE kernel

• WP8 uses NT Kernel

– 128-bit BitLocker for device encryption

– NTFS file system

– Sandboxed apps

– SafeBoot: Secure UEFI Boot

• Can’t boot software that lacks a correct digital signature; unsigned code cannot be loaded on the phone

• TPM 2.0 – requires unique keys to be burned into chip during production

– WP8 binaries must have Microsoft signed digital signatures

Chambers

• Trusted Computing Base (TCB)

– Kernel & kernel-mode drivers

• Least Privileged Chamber (LPC)

– Services

– Apps

Capabilities

App Sandboxing

• Each app has a local isolated storage

• Limited app-to-app communication

• App A cannot see App B storage

• App folder has:

– Settings

– Files

– Directories

– Database

Jailbreak?

• WP8 is a closed OS, just like most things M$

• No jailbreak yet – some activities you would like to do for mobile device testing will not be possible

– Access to memory

– Local file system and storage

– Transfer files to and from device

What would a JB look like?

• Exploit a vulnerability

– Client side vulnerability for IE 10 or 11

• Escalate privilege to SYSTEM

• Bypass SecureBoot

• Disable application code signing

• Create a trusted app store certificate

What we can test

• Application Logic

• Server side

• Client side

• Local app storage – requires XAP file

• Local app configuration – requires XAP file

Prerequisites

• Physical Device or Emulator

• Windows Phone SDK

• Unlocking the device

• XAP file or app

• HTTP Proxy

Physical or Emulator

• Prefer physical – devices are cheap

– Nokia Lumia 920

• Emulator

– Hyper-V images

– x86 instead of ARM

– Fake binaries

• FakeLed.sys, FakeModem.dll

– Different browser user-agent

– Cannot install apps from Store

Windows Phone SDK

• Requires Windows 8 64-bit w/Hyper-V enabled

– For VM, set hypervisor.cpuid.v0 = “FALSE”

– Control Panel – Programs – Turn Windows Features on or off – Check Hyper-V

• Free at http://dev.windowsphone.com

• Emulator is installed as part of SDK

– C:\Program Files (x86)\Microsoft XDE\8.0\XDE.exe

• Visual Studio Express 2012

Unlock the Device

• For physical devices only

• Must unlock the device to be able to side load apps

• Join the dev program (lifetime membership now)

– $19 allows 3 side loaded apps

– $99 dev account allows 10 side loaded apps

– $399 company trusted cert for enterprise app store

• Register it on dev.windowsphone.com

XAP File

• Windows Phone App file: .xap

– Used for Silverlight apps as well

• Contains an AppManifest.xaml

– Defines assemblies and DLLs that get deployed

• XAP files downloaded from Store come with PlayReady DRM

– DRM is added by the marketplace in realtime, based on the LiveID cookie value

– Encrypted XAP files will not run in emulator

• Request XAP from developers

DRM vs. No DRM
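The two slides above say a XAP is a package whose AppManifest.xaml lists the assemblies that get deployed, and that a Store download is DRM-protected and so cannot be unpacked or run in the emulator. The following is an added example (not code from the talk) that triages a XAP before testing: it reports whether the file is a readable package at all, pulls the entry assembly and AssemblyPart list from AppManifest.xaml, and flags listed DLLs missing from the package. The manifest namespace is the public Silverlight deployment namespace; the sample XAP and the "protected" blob are constructed, and treating a PlayReady-protected file as "not a plain zip" is an assumption.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespace of the Silverlight deployment manifest (AppManifest.xaml).
DEPLOY_NS = "{http://schemas.microsoft.com/client/2007/deployment}"


def inspect_xap(xap_bytes):
    """Summarise a XAP: readable (no DRM)?, entry assembly, deployed parts, missing parts."""
    buf = io.BytesIO(xap_bytes)
    if not zipfile.is_zipfile(buf):
        # Assumption: a PlayReady-protected Store download is not a plain zip,
        # so it cannot be unpacked for static analysis or run in the emulator.
        return {"readable": False, "entry_point": None, "assemblies": [], "missing": []}
    with zipfile.ZipFile(buf) as z:
        names = set(z.namelist())
        if "AppManifest.xaml" not in names:
            return {"readable": True, "entry_point": None, "assemblies": [], "missing": []}
        root = ET.fromstring(z.read("AppManifest.xaml"))
        # Each AssemblyPart's Source attribute names a DLL that ships in the package.
        assemblies = [p.get("Source") for p in root.iter(DEPLOY_NS + "AssemblyPart")]
        return {
            "readable": True,
            "entry_point": root.get("EntryPointAssembly"),
            "assemblies": assemblies,
            "missing": [a for a in assemblies if a not in names],
        }


def build_sample_xap():
    """Constructed sample: a minimal unprotected XAP listing two assemblies, one not shipped."""
    manifest = (
        '<Deployment xmlns="http://schemas.microsoft.com/client/2007/deployment" '
        'xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml" '
        'EntryPointAssembly="BankApp" EntryPointType="BankApp.App" RuntimeVersion="4.7.50308.0">'
        "<Deployment.Parts>"
        '<AssemblyPart x:Name="BankApp" Source="BankApp.dll" />'
        '<AssemblyPart x:Name="Newtonsoft.Json" Source="Newtonsoft.Json.dll" />'
        "</Deployment.Parts></Deployment>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AppManifest.xaml", manifest)
        z.writestr("BankApp.dll", b"MZ placeholder, not a real assembly")
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_xap(build_sample_xap()))
    print(inspect_xap(b"\x00PlayReady-protected blob (constructed, not a zip)"))
```

The listed assemblies are the inputs for the Static Analysis step later in the deck; a "readable: False" result means you need to request the XAP from the developers.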

Side loading apps

• Defined: installing applications on your device without going through the official Store

• Use SDK or Windows Phone Power Tools

• Live Demo

• If fail then video

Methodology

• Information Gathering – Describes the steps and things to consider when you are in the early stage reconnaissance and mapping phases of testing, as well as determining the application’s magnitude of effort and scoping.

• Dynamic Analysis – Executing an application either on the device itself or within a simulator/emulator and interacting with the remote services with which the application communicates. This includes assessing the application’s local inter-process communication surface, forensic analysis of the local file system, and assessing remote service dependencies.

• Static Analysis – Analyzing raw mobile source code, or decompiled or disassembled code.

Information Gathering

• First step of any assessment!

– Understand what you are testing

• App is installed right?

– Side loaded or from Store

• Learn how the app works

Information Gathering

• Navigate through the application

– This will expose you to the application as an end user would use it. Tap through all the different features, look at the settings, etc. This may be performed on the device or in the emulator as we covered in previous sections.

• Identify the network interfaces used

– Does the application require internet connectivity? If so, does it work through Wi-Fi only, SIM only? Does the application use Bluetooth, NFC, a VPN?

• Does the application take your input? Any sensitive information? Does it access any sensitive information?

• Does the application perform transactions? In-app purchases? Credit card or payment information?

• What other components does the application interact with? Contact list, calendar, camera, location?

• Do some reconnaissance. Has this app been talked about already? Search Google, app store reviews, etc.

Vulnerabilities?

• No application pass code

– Does the app reveal sensitive information that requires authentication? Should it have its own pass code? This may be a consideration for apps storing company data while the devices are BYOD and don’t require a device pass code.

• Weak pass code – Does the app enforce good password policies?

– Minimum of how many characters?

– Complexity?

– Password rotation?

– Password lock out?

• Sensitive information stored on disk – Does the app request sensitive information from the end user and then store it?

Dynamic Testing

• Use an HTTP proxy to see traffic

– Install cert to see HTTPS

• If traffic is not HTTP(s)

– Perform MiTM

• Mallory

• Access Point

• ARP Poisoning

• Cannot do VPN!

HTTP Proxy

• Notice no authentication for HTTP proxy!

– Corporate proxies should require authentication

– Fixed in 8.1 for corporate deployments

Now you see traffic!

Generate SSL Cert

• Email it to yourself

• Save it on SkyDrive and access it from IE (remember App Sandboxing won’t allow you to install the cert onto the device if it is opened with SkyDrive App)

• Transfer it via USB

• Host it on a web server and browse to it with IE

Install SSL Cert

• Note there is no digital certificate management

• Your device will accept this cert as valid until expiration

If Emulator

• Windows Phone 8 emulator is a Hyper-V virtual machine with its own IP address.

• This means the network traffic will route from the virtual machine (emulator) to your Windows 8 system running the SDK and then out to the Internet.

• The easiest way to configure the emulator to use a proxy is to configure the Windows 8 system’s IE proxy settings.


More Information Gathering

• Can you determine anything about the server side application environment?

– Hosting provider (AWS, App Engine, Heroku, Rackspace, Azure, etc.)

– Development environment (Rails, Java, Django, ASP.NET, etc.)

– Does the application leverage Single Sign On or Authentication APIs (Google Apps, Facebook, iTunes, OAuth, etc.)

– Any other APIs in use

• Payment gateways

• SMS messaging

• Social networks

• Cloud file storage

• Ad networks

• Perform a thorough crawl of exposed web resources and sift through the requests and responses to identify potentially interesting data or behavior

– Leaking sensitive information (i.e. credentials) in the response

– Resources not exposed through the UI

– Error messages

– Cacheable information

More Vulnerabilities

• Encryption not enforced

– I prefer always enforcing HTTPS even for non-sensitive data. Most end users connect to any free/untrusted WiFi and modifying HTTP data is trivial.

– More of an integrity issue than confidentiality

• Sensitive information sent in clear text

– Credentials sent over HTTP instead of HTTPS

• Digital Certificate not validated

– Does the app accept the invalid cert and send sensitive information?

– No warning on invalid digital certificate

• Basic Authentication used

• No Mutual Authentication
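Several of the findings on this slide and the crawl items on the previous one (encryption not enforced, sensitive information in clear text, Basic Authentication, cacheable information) can be checked mechanically over what the HTTP proxy captured. This added example (not code from the talk) runs those checks over a constructed proxy capture; the transaction tuple layout, the finding labels and the regex of sensitive field names are assumptions made for the example. Certificate validation and mutual authentication cannot be judged from a capture alone and are not covered here.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of transactions as an intercepting proxy would record them:
# (method, url, request headers, request body, response headers)
SAMPLE_TRANSACTIONS = [
    ("POST", "http://api.example.test/login",
     {"Content-Type": "application/x-www-form-urlencoded"},
     "username=alice&password=Winter2014",
     {"Cache-Control": "private"}),
    ("GET", "https://api.example.test/account",
     {"Authorization": "Basic YWxpY2U6V2ludGVyMjAxNA=="},
     "",
     {"Set-Cookie": "session=constructed", "Cache-Control": "public, max-age=3600"}),
    ("GET", "https://api.example.test/quotes", {}, "", {"Cache-Control": "no-store"}),
]

# Assumed names of form fields that carry sensitive data.
SENSITIVE_FIELD = re.compile(r"\b(password|passcode|pin|token|card|cvv)=", re.I)


def review_transaction(method, url, req_headers, body, resp_headers):
    """Return the finding labels for one proxied request/response pair."""
    findings = []
    scheme = urlsplit(url).scheme.lower()
    headers = {k.lower(): v for k, v in req_headers.items()}
    resp = {k.lower(): v for k, v in resp_headers.items()}
    sensitive = bool(SENSITIVE_FIELD.search(body)) or "authorization" in headers
    if scheme == "http":
        # Plain HTTP is an integrity problem even when the payload is not secret.
        findings.append("encryption-not-enforced")
        if sensitive:
            findings.append("sensitive-data-in-cleartext")
    if headers.get("authorization", "").lower().startswith("basic "):
        findings.append("basic-authentication")
    cache = resp.get("cache-control", "").lower()
    # A response that follows credentials or sets a session cookie should not be cacheable.
    if (sensitive or "set-cookie" in resp) and "no-store" not in cache:
        findings.append("cacheable-sensitive-response")
    return findings


def review_capture(transactions):
    """Map 'METHOD url' to its findings for every captured transaction."""
    return {f"{m} {u}": review_transaction(m, u, h, b, r) for m, u, h, b, r in transactions}


if __name__ == "__main__":
    for key, found in review_capture(SAMPLE_TRANSACTIONS).items():
        print(key, found or "clean")
```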

HTTPS for EVERYTHING

• Traditionally, encryption was used to maintain confidentiality

• With mobile apps, you also need to maintain Integrity

• Push for everything being HTTPS

• OR ELSE

No HTTPS… Stock market crash

Local Storage

• Only works if XAP was provided

• Live Demo

• Or video

Static Analysis

• Requires XAP with no DRM

• Decompile apps

– XAML Spy - commercial

– ILSpy - free

– JustDecompile

– .NET Reflector - commercial

– Tangerine - free

New in Windows Phone 8.1

• VPN Connectivity

• Enterprise Wi-Fi

– PEAP-MSCHAPv2

– EAP-TLS

– EAP-TTLS

• Certificate Management

– Only through MDM

• Virtual Smart Cards for MFA

• MDM

– Remote Wipe

– App allow and deny


Conclusion

• WP8 is pretty secure

• Complex attack surface

• App testing is dependent on XAP file access

• Server and Client side testing remains similar to other mobile platforms

Questions?

• http://orchilles.com/category/wp8/

• Thanks for your time and feedback!

• Feel free to contact me

jorge@orchilles.com

@jorgeorchilles

www.orchilles.com