Approaching the unknown - Windows Phone application security assessment guide

Approaching the unknown – Windows Phone application security assessment guide Mateusz Olejarka Hacktivity, 21.10.2016


Approaching the unknown – Windows Phone application security assessment guide

Mateusz Olejarka

Hacktivity, 21.10.2016

• Senior IT Security Specialist, SecuRing

• Web & mobile application security

• Ex developer

• Bug hunter

Who am I

http://www.gartner.com/newsroom/id/3323017

Worldwide smartphone sales to end users by operating system in 1Q 2016 (Gartner)

Reason

2.4 million Windows Phone powered devices sold in Q1 – less than 1% of total devices sold

• Application

• Test environment

• Security assessment

• Summary

• Q&A

Agenda

APPLICATION

File Structure

dotPeek

https://www.jetbrains.com/decompiler/

dotPeek

AppManifest.xaml

WMAppManifest.xml

„Main” class

app.xaml

Sample .xaml file

TEST ENVIRONMENT

• Do whatever it takes to get the emulator version of the app

• Just unpack and analyze it

Emulator

https://wptools.codeplex.com/

• Nice tool called Windows Phone Internals

• Prerequisites to root the phone:

• Windows Phone Recovery Tool

• Nokia or Qualcomm Drivers

• FFU image (Full Flash Update)

• Flash loader file dedicated for given phone model

• SBL3 partition (for Mass Storage Mode capability)

Root and mass storage mode


http://www.wpinternals.net/


• Assemblies

• Data/PROGRAMS/{guid}/Install

• Isolated storage

• Data/Users/DefApps/APPDATA/Local/Packages/{guid}/

Where are the interesting parts?

• Start a Burp proxy listener

• Set the IE proxy to that listener

• Start the emulator; it should pick up those proxy settings

Traffic interception, emulator

• Set up a WiFi hotspot on Windows

• Connect device to it

• Start Burp

Traffic interception, device


• Set up a WiFi hotspot on Windows

• Connect device to it

• Start Burp

• Set up the proxy on the phone

Traffic interception, install CA

Traffic intercepted


• Sometimes the app has a custom HTTPS client, which happily avoids the proxy

• Then I usually used pytinydns.py to the rescue

• But what about changing the hosts file on the device while in mass storage mode?

But sometimes

SECURITY ASSESSMENT

• Communication

• Data storage & encryption

• Use of WebBrowser

• Code obfuscation

• URI handling

What to check

• Check on the wire

• In the source code look for:

• System.Net.WebClient usage

• System.Net.WebRequest usage

• TIP: look for http/https strings

Communication

Example: Certificate pinning flaw

• App settings stored in a file:

• IsolatedStorageSettings.ApplicationSettings usage

• File storage:

• IsolatedStorageFile usage

• DPAPI:

• ProtectedData.Protect calls

• ProtectedData.Unprotect calls

• One flaw – all apps use the same key

Data storage & encryption

Sample __AppSettings file

Example: Hardcoded hard to guess key


• Search for Microsoft.Phone.Controls.WebBrowser

• It has some interesting functions:

Use of WebBrowser
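A first static-analysis pass over dotPeek output that greps for the indicators named on the Communication, Data storage & encryption and Use of WebBrowser slides, added here as an example and not part of the talk or of any SecuRing tooling. The indicator table, the summarize helper and the decompiled C# sample are this example's own constructions; the DPAPI hits are flagged for manual review because, as the talk notes, all apps share the same key.

```python
import re
from collections import Counter
from pathlib import Path

# Indicators taken from the talk's "what to check" slides; labels and regexes are this example's own.
INDICATORS = {
    "communication": [
        ("WebClient", re.compile(r"\bSystem\.Net\.WebClient\b|\bnew WebClient\(")),
        ("WebRequest", re.compile(r"\bWebRequest\.Create\(|\bHttpWebRequest\b")),
        ("URL literal", re.compile(r'"https?://[^"]*"')),
        ("cleartext http", re.compile(r'"http://')),  # no TLS: confirm on the wire
    ],
    "storage": [
        ("ApplicationSettings", re.compile(r"IsolatedStorageSettings\.ApplicationSettings")),
        ("IsolatedStorageFile", re.compile(r"\bIsolatedStorageFile\b")),
        ("DPAPI", re.compile(r"ProtectedData\.(Protect|Unprotect)\(")),  # shared key, review manually
    ],
    "webbrowser": [
        ("WebBrowser control", re.compile(r"Microsoft\.Phone\.Controls\.WebBrowser|\bWebBrowser\b")),
    ],
}

def scan_source(text, filename="<memory>"):
    """Return (area, label, filename, line_no, line) for every indicator hit in one source file."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for area, patterns in INDICATORS.items():
            for label, rx in patterns:
                if rx.search(line):
                    hits.append((area, label, filename, line_no, line.strip()))
    return hits

def scan_tree(root):
    """Scan every .cs file under a dotPeek export directory."""
    return [h for p in sorted(Path(root).rglob("*.cs"))
            for h in scan_source(p.read_text(errors="replace"), str(p))]

def summarize(hits):
    """Count hits per review area, e.g. {'communication': 5, 'storage': 2, 'webbrowser': 1}."""
    return dict(Counter(area for area, *_ in hits))

# Constructed sample of decompiled C#; not taken from any real application.
SAMPLE_CS = """var client = new WebClient();
client.DownloadStringAsync(new Uri("http://api.example.test/login"));
var settings = IsolatedStorageSettings.ApplicationSettings;
settings["token"] = token;
byte[] blob = ProtectedData.Protect(secret, null);
var req = WebRequest.Create("https://api.example.test/v1");
var browser = new Microsoft.Phone.Controls.WebBrowser();
"""
```

Run scan_tree against the directory dotPeek exported to and review each hit in context; the grep only tells you where to look, not whether the code is wrong.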

Code obfuscation


URI handling

SUMMARY

• Similarities with other platforms

• Fewer ready-to-go tools

• Some things are easier

Summary

• Complete the 1.0 version of my notes and public release

• Fill the gaps

• Redaction ;)

• NFC Payments

• Windows Phone Malware !?

Future work

Thanks :)

Drop me a message if you wish to get my notes

[email protected]

@molejarka