Pwning Windows Mobile Applications
By Ankit Giri
Agenda
Mobile Platform Operating Systems
Windows Phone Overview
What we can test?
Challenges
Approach & Prerequisites
Methodology
Application File Structure
Tools for Penetration Testing
Security Features
Microsoft Phone!
Windows Phone 8 (WP8) – used to be called Windows Mobile until 7.x
ARM Hardware Architecture (like iOS, Android, and Blackberry)
Windows Phone Runtime Application Architecture
Developer apps work on both Windows 8 and WP8
Windows NT kernel
Windows 10 Mobile: The release was officially dubbed "Version 1511" or "November Update" (owing to the fact that in all other editions of Windows 10, this version was an update).
Windows 10 Mobile launched with the Microsoft Lumia 550, 950 and 950 XL. The rollout for Windows Phone 8.1 devices started March 17, 2016
Understanding the platform
WM10 uses the NT kernel
128-bit BitLocker for device encryption
NTFS file system
Sandboxed apps
SafeBoot: Secure UEFI Boot
➔ Software without a valid digital signature cannot be booted or loaded on the phone
➔ TPM 2.0 – requires unique keys to be burned into chip during production
Windows Mobile binaries must have Microsoft signed digital signatures
Application Sandboxing
Each app has a local isolated storage
Limited app-to-app communication
App A cannot see App B storage
App folder has:
❖ Settings
❖ Files
❖ Directories
❖ Database
Jailbreakable or not!
WM10 is a closed OS, like most Microsoft products
No jailbreak yet, so some activities you would normally perform during mobile device testing are not possible:
❖ Access to memory
❖ Local file system and storage
❖ Transfer files to and from device
Static Analysis
View manifest information
View the application tree including assemblies, types and methods
Methods which use APIs
XAP files
Purpose of source code review
“UNDERSTAND THE WORKING OF THE APPLICATION AND TO FIGURE OUT THE LOOPHOLES!”
To find treasure key words like: password, keys, sql, algo, AES, DES, Base64, etc.
Detect the data storage definitions
Detect backdoors or suspicious code
Detect injection flaws
Figure out weak algorithm usage and hardcoded keys
E.g. Password in Banking Application (Sensitive Information)
E.g. Angry Birds Malware (Stealing Data)
E.g. Zitmo Malware (Sending SMS)
Reverse engineering a Windows Mobile application
Tools used:
● Decompressor (WinRAR / WinZip / 7-Zip)
● .NET decompiler (ILSpy)
● Visual Studio / Notepad
Steps:
● xap -> .dll
● dll -> .csproject / .vbproject
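The static-analysis steps above (read the manifest, list the assemblies, grep for treasure key words) as an added Python example; this is not code from the deck, and it builds its own constructed sample XAP so it runs offline. A XAP is a plain zip, so the standard library is enough for this first triage pass:

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# The deck's "treasure key words", matched case-insensitively as substrings
# ("des" also hits "description"): this produces a triage list, not a verdict.
TREASURE_WORDS = ("password", "key", "sql", "aes", "des", "base64")
PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")  # printable runs, as the `strings` tool finds

def local_name(element) -> str:
    """Manifest tags carry the deployment namespace; compare on the local name only."""
    return element.tag.split("}")[-1]

def build_sample_xap() -> bytes:
    """Constructed sample XAP: a zip holding a WP8-style manifest and a fake assembly."""
    manifest = (
        '<?xml version="1.0" encoding="utf-8"?>'
        '<Deployment xmlns="http://schemas.microsoft.com/windowsphone/2012/deployment"'
        ' AppPlatformVersion="8.0">'
        '<App Title="DemoBank" ProductID="{00000000-0000-0000-0000-000000000000}">'
        '<Capabilities><Capability Name="ID_CAP_NETWORKING"/>'
        '<Capability Name="ID_CAP_LOCATION"/></Capabilities></App></Deployment>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("WMAppManifest.xml", manifest)
        # Fake assembly: binary noise around a hard-coded connection string (constructed).
        z.writestr("DemoBank.dll", b"MZ\x90\x00\x03\x00Server=db;Password=Hunter2;\x00\x01")
    return buf.getvalue()

def triage_xap(xap_bytes: bytes) -> dict:
    """Open the XAP, read the manifest (title, capabilities), list the assemblies it
    ships, and flag strings in each assembly that contain a treasure key word."""
    with zipfile.ZipFile(io.BytesIO(xap_bytes)) as z:
        names = z.namelist()
        manifest_name = next(n for n in names if n.lower().endswith("wmappmanifest.xml"))
        root = ET.fromstring(z.read(manifest_name))
        app = next(el for el in root.iter() if local_name(el) == "App")
        caps = [el.get("Name") for el in root.iter() if local_name(el) == "Capability"]
        assemblies = [n for n in names if n.lower().endswith(".dll")]
        hits = {}
        for dll in assemblies:
            strings = [s.decode("ascii") for s in PRINTABLE.findall(z.read(dll))]
            found = [s for s in strings if any(w in s.lower() for w in TREASURE_WORDS)]
            if found:
                hits[dll] = found
    return {"title": app.get("Title"), "capabilities": caps, "assemblies": assemblies, "hits": hits}
```

Every flagged string still has to be confirmed in the decompiled source (ILSpy) before it counts as a finding; the capability list tells you which sensitive APIs (network, location) the review should focus on.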
Mitigation
1. Free obfuscator: http://confuser.codeplex.com/
2. Dotfuscator: https://www.preemptive.com/products/dotfuscator/overview
Other tools used
WP Power Tools
.NET Reflector
Testing Approach
◼ Emulator / Windows Phone SDK
◼ Unlocked Device
◼ Side Loading
◼ Developer Unlock – Free Unlock with 2 Apps Limit
◼ Student Unlock – Up to 3 Apps
◼ Limitations
◼ Apps from the store cannot be extracted
◼ Apps from the store will not work on emulators
Sideloading apps
◼ Sideloading is the process of installing apps on a device without going through the app store
◼ Windows Phone Power Tools is used to deploy apps
◼ Plug in your device, unlock it, and run Windows Phone Power Tools
◼ Only apps signed with certificates will run on unlocked phones
Application File Structure
► AppManifest.xaml
► WMAppManifest.xml
WMAppManifest.xml
XAP - Headers
File Analysis
Dynamic analysis
◼ Log method names
◼ Log parameters values
◼ Log return values
◼ Add custom code to method
◼ Replace method
◼ Add custom code to the end of method
◼ Change parameter values with custom code
Isolated Storage explorer