Approaching the unknown - Windows Phone application security assessment guide
Windows Phone should be gone by now.
But somehow it survived, hanging around at a few percent of mobile OS market share. Maybe the good camera in those phones does it.
Sometimes even an application dedicated to the WP platform shows up in a pentest.

How to do it?
What tools to use?
What to check?

This talk will give you an overview of WP application security assessment, including some tips & tricks as well.
We will cover topics like:

- application internal structure
- data storage
- traffic interception
- testing on emulator vs testing on rooted phone
- code analysis of WP application
- overview of security mechanisms available on WP

There will even be a real phone with Windows Phone on it to see.


  1. Approaching the unknown – Windows Phone application security assessment guide
     Mateusz Olejarka
     Hacktivity, 21.10.2016
  2. Who am I
     • Senior IT Security Specialist, SecuRing
     • Web & mobile application security
     • Ex developer
     • Bug hunter
  3. Reason
     http://www.gartner.com/newsroom/id/3323017
     Worldwide Smartphone Sales to End Users by Operating System in 1Q of 2016
     2.4 million Windows Phone powered devices sold in Q1 – less than 1% of total devices sold
  4. Agenda
     • Application
     • Test environment
     • Security assessment
     • Summary
     • Q&A
  5. APPLICATION
  6. File Structure
  7. dotPeek
     https://www.jetbrains.com/decompiler/
  8. dotPeek
  9. AppManifest.xaml
  10. WMAppManifest.xml
  11. „Main” class
  12. app.xaml
  13. Sample .xaml file
  14. TEST ENVIRONMENT
  15. Emulator
      • Do whatever it takes to get the version for the emulator
      • Just unpack and analyze
      https://wptools.codeplex.com/
  16. Root and mass storage mode
      • Nice tool called Windows Phone Internals
      • Prerequisites to root the phone:
        • Windows Phone Recovery Tool
        • Nokia or Qualcomm drivers
        • FFU image (Full Flash Update)
        • Flash loader file dedicated to the given phone model
        • SBL3 partition (for Mass Storage Mode capability)
  17. Root and mass storage mode
      http://www.wpinternals.net/
  18. Root and mass storage mode
  19. Where are the interesting parts?
      • Assemblies
        • Data/PROGRAMS/{guid}/Install
      • Isolated storage
        • Data/Users/DefApps/APPDATA/Local/Packages/{guid}/
  20. Traffic interception, emulator
      • Start Burp proxy listener
      • Set the IE proxy to that listener
      • Start the emulator, it should copy those settings
  21. Traffic interception, device
      • Setup WiFi hotspot on Windows
      • Connect device to it
      • Start Burp
  22. Traffic interception, device
      • Setup WiFi hotspot on Windows
      • Connect device to it
      • Start Burp
      • Setup proxy on the phone
  23. Traffic interception, install CA
  24. Traffic intercepted
  25. Traffic intercepted
  26. But sometimes
      • Sometimes the app has a custom HTTPS client, which happily avoids the proxy
      • Then I usually used pytinydns.py to the rescue
      • But what about changing the hosts file on the device when in mass storage mode?
  27. SECURITY ASSESSMENT
  28. What to check
      • Communication
      • Data storage & encryption
      • Use of WebBrowser
      • Code obfuscation
      • URI handling
  29. Communication
      • Check on the wire
      • In the source code look for:
        • System.Net.WebClient usage
        • System.Net.WebRequest usage
      • TIP: look for http/https strings
  30. Example: Certificate pinning flaw
  31. Data storage & encryption
      • App settings stored in a file:
        • IsolatedStorageSettings.ApplicationSettings usage
      • File storage:
        • IsolatedStorageFile usage
      • DPAPI:
        • ProtectedData.Protect calls
        • ProtectedData.Unprotect calls
        • One flaw – all apps use the same key
  32. Sample __AppSettings file
  33. Example: Hardcoded hard to guess key
  34. Example: Hardcoded hard to guess key
  35. Example: Hardcoded hard to guess key
  36. Use of WebBrowser
      • Search for Microsoft.Phone.Controls.WebBrowser
      • It has some interesting functions:
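The "look for ..." items on the Communication, Data storage & encryption and Use of WebBrowser slides (WebClient/WebRequest usage, http/https strings, IsolatedStorageSettings, IsolatedStorageFile, ProtectedData.Protect/Unprotect, the WebBrowser control, hardcoded keys) are in practice a grep over the dotPeek output. The Python script below is an added example, not code from the talk: it runs those indicators over a few constructed C# snippets that stand in for decompiled files. The WebBrowser members IsScriptEnabled, InvokeScript and NavigateToString (taken from the control's public API) and the hardcoded-secret heuristic are my additions; the remaining indicators come from the slides.

```python
"""
Indicator scan over decompiled Windows Phone (C#) source.

Added example, not code from the talk: the "look for ..." items from the
Communication, Data storage & encryption and Use of WebBrowser slides as a
regex scan that can run over a dotPeek-exported project. CSHARP_SAMPLES are
constructed snippets standing in for decompiled files, not real app code.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Indicators from the slides, plus (assumption, from the control's public
# API) three WebBrowser members worth a look, and a hardcoded-secret
# heuristic: an identifier containing key/secret/password assigned a
# string literal of 8+ characters.
INDICATORS: Dict[str, List[str]] = {
    "communication": [
        r"System\.Net\.WebClient",
        r"System\.Net\.WebRequest",
        r'"https?://[^"]+"',
    ],
    "storage": [
        r"IsolatedStorageSettings\.ApplicationSettings",
        r"\bIsolatedStorageFile\b",
        r"ProtectedData\.Protect\b",
        r"ProtectedData\.Unprotect\b",
    ],
    "webbrowser": [
        r"Microsoft\.Phone\.Controls\.WebBrowser",
        r"\bIsScriptEnabled\b",
        r"\bInvokeScript\b",
        r"\bNavigateToString\b",
    ],
    "hardcoded_secret": [
        r'\b\w*(?:key|secret|password)\w*\s*=\s*"[^"]{8,}"',
    ],
}

# Only the secret heuristic is case-insensitive (apiKey, AES_KEY, ...).
COMPILED = {
    cat: [re.compile(p, re.IGNORECASE if cat == "hardcoded_secret" else 0) for p in pats]
    for cat, pats in INDICATORS.items()
}

# Constructed decompiled-looking files (file name -> source text).
CSHARP_SAMPLES: Dict[str, str] = {
    "ApiClient.cs": '''\
using System.Net;
namespace Demo {
  class ApiClient {
    const string BaseUrl = "https://api.example.invalid/v1/";
    public void Fetch() {
      var client = new System.Net.WebClient();
      client.DownloadString(BaseUrl + "profile");
    }
  }
}''',
    "Storage.cs": '''\
using System.IO.IsolatedStorage;
using System.Security.Cryptography;
class Storage {
  static readonly string aesKey = "0123456789abcdef0123456789abcdef";
  void SaveToken(string token) {
    IsolatedStorageSettings.ApplicationSettings["token"] = token;
    byte[] blob = ProtectedData.Protect(System.Text.Encoding.UTF8.GetBytes(token), null);
  }
}''',
    "Help.xaml.cs": '''\
class HelpPage {
  Microsoft.Phone.Controls.WebBrowser browser;
  void Load(string html) {
    browser.IsScriptEnabled = true;
    browser.NavigateToString(html);
  }
}''',
}


@dataclass
class Finding:
    category: str
    file: str
    line: int
    text: str


def scan_source(name: str, source: str) -> List[Finding]:
    """One finding per (category, line); the matched text is kept for triage."""
    findings: List[Finding] = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for category, patterns in COMPILED.items():
            for pat in patterns:
                m = pat.search(line)
                if m:
                    findings.append(Finding(category, name, lineno, m.group(0)))
                    break
    return findings


def scan_project(files: Dict[str, str]) -> List[Finding]:
    """Scan every file of a (name -> source) mapping, e.g. a walked dotPeek export."""
    findings: List[Finding] = []
    for name, source in files.items():
        findings.extend(scan_source(name, source))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Number of hits per checklist category."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_project(CSHARP_SAMPLES)
    for f in results:
        print(f"[{f.category:16}] {f.file}:{f.line}: {f.text}")
    print(summarize(results))
```

To use it on a real export, walk the dotPeek output directory and read each .cs file into the dictionary. The hits are starting points for manual review, not findings in themselves: a WebClient call still has to be checked on the wire for pinning, and a literal assigned to a name containing "key" may be a settings key rather than a secret.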
  37. Code obfuscation
  38. Code obfuscation
  39. URI handling
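The WMAppManifest.xml slide, the "Where are the interesting parts?" slide and the URI handling slide fit together: the manifest carries the ProductID that names the Data/PROGRAMS/{guid}/Install and isolated storage folders, lists the capabilities the app was granted, and is where an app registers the URI schemes that a URI handling review starts from. The parser below is an added example, not code from the talk. It assumes the folder names use the ProductID exactly as written in the manifest and that URI associations appear as a Protocol element under Extensions; the manifest it parses is a constructed sample with made-up names and GUID.

```python
"""
Pull the assessment-relevant facts out of WMAppManifest.xml.

Added example, not code from the talk. SAMPLE_MANIFEST is a constructed
manifest in the WP8 layout; the GUID, title and names in it are made up.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

SAMPLE_MANIFEST = """\
<Deployment xmlns="http://schemas.microsoft.com/windowsphone/2012/deployment" AppPlatformVersion="8.0">
  <DefaultLanguage xmlns="" code="en-US"/>
  <App xmlns="" ProductID="{11111111-2222-3333-4444-555555555555}" Title="DemoApp"
       RuntimeType="Silverlight" Version="1.0.0.0" Genre="apps.normal"
       Author="constructed" Description="constructed sample" Publisher="constructed">
    <Capabilities>
      <Capability Name="ID_CAP_NETWORKING"/>
      <Capability Name="ID_CAP_LOCATION"/>
      <Capability Name="ID_CAP_WEBBROWSERCOMPONENT"/>
    </Capabilities>
    <Extensions>
      <Protocol Name="demoapp" NavUriFragment="encodedLaunchUri=%s" TaskID="_default"/>
    </Extensions>
  </App>
</Deployment>
"""


def _local(tag: str) -> str:
    """Strip the XML namespace: '{ns}Deployment' -> 'Deployment'."""
    return tag.rsplit("}", 1)[-1]


def parse_manifest(xml_text: str) -> Dict[str, object]:
    """Return ProductID, capabilities, registered URI schemes and the on-device paths."""
    root = ET.fromstring(xml_text)
    app = next(e for e in root.iter() if _local(e.tag) == "App")
    product_id = app.get("ProductID", "")
    capabilities = sorted(e.get("Name", "") for e in root.iter() if _local(e.tag) == "Capability")
    schemes = [e.get("Name", "") for e in root.iter() if _local(e.tag) == "Protocol"]
    return {
        "product_id": product_id,
        "title": app.get("Title"),
        "capabilities": capabilities,
        "uri_schemes": schemes,
        # Paths from the "Where are the interesting parts?" slide; assumption:
        # the folder is named after the ProductID exactly as in the manifest.
        "install_dir": f"Data/PROGRAMS/{product_id}/Install",
        "isolated_storage": f"Data/Users/DefApps/APPDATA/Local/Packages/{product_id}/",
    }


def review_points(info: Dict[str, object]) -> List[str]:
    """Turn the parsed facts into items for the assessment checklist."""
    points: List[str] = []
    if "ID_CAP_NETWORKING" in info["capabilities"]:
        points.append("networking: check traffic on the wire and WebClient/WebRequest usage")
    if "ID_CAP_WEBBROWSERCOMPONENT" in info["capabilities"]:
        points.append("WebBrowser control in use: review script settings and what gets loaded")
    for scheme in info["uri_schemes"]:
        points.append(f"URI handler for '{scheme}:' registered: review how the launch URI is parsed")
    return points


if __name__ == "__main__":
    info = parse_manifest(SAMPLE_MANIFEST)
    for key, value in info.items():
        print(f"{key}: {value}")
    for point in review_points(info):
        print("-", point)
```

With a rooted phone in mass storage mode the two paths printed are where to copy the assemblies and the isolated storage from; the registered scheme tells you which page or handler to read first in the decompiled code when reviewing URI handling.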
  40. SUMMARY
  41. Summary
      • Similarities with other platforms
      • Fewer ready-to-go tools
      • Some things are easier
  42. Future work
      • Complete 1.0 version of my notes and public release
      • Fill the gaps
      • Redaction ;)
      • NFC Payments
      • Windows Phone Malware !?
  43. Thanks :)
      Drop me a msg if you wish to get my notes
      mateusz.olejarka@securing.pl
      @molejarka