Approaching the unknown - Windows Phone application security assessment guide
Approaching the unknown – Windows Phone application security assessment guide
Mateusz Olejarka
Hacktivity, 21.10.2016
• Senior IT Security Specialist, SecuRing
• Web & mobile application security
• Ex developer
• Bug hunter
Who am I
Worldwide Smartphone Sales to End Users by Operating System in 1Q of 2016 (http://www.gartner.com/newsroom/id/3323017)
2.4 million Windows Phone powered devices sold in Q1 – less than 1% of total devices sold
Reason
• Do whatever it takes to get a version of the app for the emulator
• Just unpack and analyze
Emulator
https://wptools.codeplex.com/
• Nice tool called Windows Phone Internals
• Prerequisites to root the phone:
• Windows Phone Recovery Tool
• Nokia or Qualcomm Drivers
• FFU image (Full Flash Update)
• Flash loader file dedicated for given phone model
• SBL3 partition (for Mass Storage Mode capability)
Root and mass storage mode
• Assemblies
• Data/PROGRAMS/{guid}/Install
• Isolated storage
• Data/Users/DefApps/APPDATA/Local/Packages/{guid}/
Where are the interesting parts?
• Start Burp proxy listener
• Set the IE proxy to that listener
• Start emulator, it should copy those settings
Traffic interception, emulator
Traffic interception, device
• Setup WiFi hotspot on Windows
• Connect device to it
• Start Burp
• Setup proxy on the phone
• Sometimes the app has a custom HTTPS client which happily avoids the proxy
• Then I usually used pytinydns.py to the rescue
• But what about changing the host file on the device when in mass storage mode?
But sometimes
• Communication
• Data storage & encryption
• Use of WebBrowser
• Code obfuscation
• URI handling
What to check
• Check on the wire
• In the source code look for
• System.Net.WebClient usage
• System.Net.WebRequest usage
• TIP: look for http/https strings
Communication
• App settings stored in a file:
• IsolatedStorageSettings.ApplicationSettings usage
• File storage:
• IsolatedStorageFile usage
• DPAPI:
• ProtectedData.Protect calls
• ProtectedData.Unprotect calls
• One flaw – all apps use the same key
Data storage & encryption
• Search for Microsoft.Phone.Controls.WebBrowser
• It has some interesting functions:
Use of WebBrowser
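One way to triage decompiled sources for the indicators listed in the checklist above (communication, storage and DPAPI, WebBrowser). This is an added example, not tooling from the talk; the decompiled snippets it scans are constructed for illustration.

```python
import re
from collections import defaultdict

# Indicators taken from the checklist slides, grouped by assessment area.
INDICATORS = {
    "communication": [r"System\.Net\.WebClient", r"System\.Net\.WebRequest",
                      r"""https?://[^\s"']+"""],
    "storage": [r"IsolatedStorageSettings\.ApplicationSettings", r"IsolatedStorageFile"],
    "dpapi": [r"ProtectedData\.Protect\b", r"ProtectedData\.Unprotect\b"],
    "webbrowser": [r"Microsoft\.Phone\.Controls\.WebBrowser"],
}

def scan_source(sources):
    """sources: {filename: decompiled C# text}. Returns {area: [(file, line, match)]}."""
    hits = defaultdict(list)
    for fname, text in sources.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for area, patterns in INDICATORS.items():
                for pat in patterns:
                    for m in re.finditer(pat, line):
                        hits[area].append((fname, lineno, m.group(0)))
    return dict(hits)

def cleartext_urls(hits):
    """Plain http:// endpoints are the first thing to confirm on the wire."""
    return sorted({m for _, _, m in hits.get("communication", []) if m.startswith("http://")})

# Constructed sample of decompiled output (hypothetical files, not a real app).
SAMPLE = {
    "Api.cs": 'var c = new System.Net.WebClient();\n'
              'c.DownloadString("http://api.example.test/login");\n',
    "Store.cs": 'IsolatedStorageSettings.ApplicationSettings["token"] = t;\n'
                'var blob = ProtectedData.Protect(bytes, null);\n',
    "Help.cs": 'var wb = new Microsoft.Phone.Controls.WebBrowser();\n',
}

if __name__ == "__main__":
    for area, found in scan_source(SAMPLE).items():
        for f, n, m in found:
            print(f"[{area}] {f}:{n} {m}")
    print("cleartext endpoints:", cleartext_urls(scan_source(SAMPLE)))
```

Point it at a directory of decompiled assemblies by building the `sources` dict from the .cs files there; each hit is a starting point for manual review, not a finding by itself.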
• Complete 1.0 version of my notes and public release
• Fill the gaps
• Redaction ;)
• NFC Payments
• Windows Phone Malware !?
Future work