Pwning Windows Mobile Applications

By Ankit Giri

Agenda

Mobile Platform Operating Systems

Windows Phone Overview

What we can test?

Challenges

Approach & Prerequisites

Methodology

Application File Structure

Tools for Penetration Testing

Security Features

Microsoft Phone!

Windows Phone 8 (WP8) – used to be called Windows Mobile until 7.x

ARM Hardware Architecture (like iOS, Android, and Blackberry)

Windows Phone Runtime Application Architecture

Developer apps work on both Windows 8 and WP8

Windows NT kernel

Windows 10 Mobile: The release was officially dubbed "Version 1511" or "November Update" (owing to the fact that in all other editions of Windows 10, this version was an update).

Windows 10 Mobile launched with the Microsoft Lumia 550, 950 and 950 XL. The rollout for Windows Phone 8.1 devices started March 17, 2016

Understanding the platformWM10 uses NT Kernel

128-bit BitLocker for device encryption

NTFS file system

Sandboxed apps

SafeBoot: Secure UEFI Boot

➔ Can’t boot software without correct digital signature to be loaded on the phone

➔ TPM 2.0 – requires unique keys to be burned into chip during production

Windows Mobile binaries must have Microsoft signed digital signatures

Application Sandboxing

Each app has a local isolated storage

Limited app-to-app communication

App A cannot see App B storage

App folder has:

❖ Settings

❖ Files

❖ Directories

❖ Database

Jailbreakable or not!WM10 is a closed OS, just like most things Microsoft stuff

No jailbreak yet – some activities you would like to do for mobile device testing will not be possible

❖ Access to memory

❖ Local file system and storage

❖ Transfer files to and from device

Static AnalysisView Manifest information

View the application tree including assemblies, types and methods

Methods which use APIs

XAP files

Purpose of Source code review“UNDERSTAND THE WORKING OF THE APPLICATION AND TO FIGURE OUT THE LOOPHOLES!”

To find Treasure Key Words like: password , keys , sql, algo, AES, DES, Base64, etc

Detect the data storage definitions

Detect backdoors or suspicious code

Detect injection flaws

Figure out weak algorithm usage and hardcoded keys

E.g. Password in Banking ApplicaZon (SensiZve InformaZon)

E.g. Angry Birds Malware (Stealing Data)

E.g. Zitmo Malware (Sending SMS)

Reverse engineering a windows mobile application

Tools used :

● De-compresser (Winrar / Winzip / 7zip)

● .Net Decompiler (ILSpy)

● Visual Studio / Notepad

Steps :

● xap -> .dll

● dll -> .csproject / .vbproject

Mitigation1. Free Obfuscator: http://confuser.codeplex.com/

2. Dotfuscator: https://www.preemptive.com/products/dotfuscator/overview

Other tools usedWP Power tools

.NET Reflector

Testing Approach

◼ Emulator / Windows Phone SDK

◼ Unlocked Device

◼ Side Loading

◼ Developer Unlock – Free Unlock with 2 Apps Limit

◼ Student Unlock – Up to 3 Apps

◼ Limitations

◼ Apps from the store cannot be extracted

◼ Apps from the store will not work on emulators

Sideloading apps

◼ It is a process of installing apps on a device without using app store

◼ Windows phone Power tools is used to deploy apps

◼ Plug in your device, unlock your device & run Windows phone Power tools

◼ Only apps signed with certificates will run on unlocked phones

Application File Structure

► AppManifest.xaml► WMAppManifest.xml

WMAppManifest.xml

XAP - Headers

File Analysis

Dynamic analysis

◼ Log method names

◼ Log parameters values

◼ Log return values

◼ Add custom code to method

◼ Replace method

◼ Add custom code to the end of method

◼ Change parameter values with custom code

Isolated Storage explorer

Questions?

Thanks for your time and feedback!

Feel free to contact me:@aankitgiri

aankitgiri@gmail.com