Metro (down the Tube) – 2014.appsec.eu/wp-content/...Metro-down-the...Apps.pdf
TRANSCRIPT
[Slide 1]
Metro (down the Tube)
[Slide 2]
Marion McCune
20 Years in IT
Worked with Microsoft products since DOS 3
Director of own security testing company for 3 years
Web Applications, MS products and mobile
[Slide 3]
Introducing Windows Store Apps
Background
Windows Store
Some Apps
Security Architecture
Microsoft Testing Process
Development Environments – HTML, JavaScript, .NET
Store Requirements and Certification
WinRT (Windows Runtime)
[Slide 4]
Background
[Slide 5]
The Windows Store
[Slide 6]
The Internet as Sewer….
[Slide 7]
Some Apps….
[Slide 8]
Security Architecture
Apps run in a Sandbox
The App Container
Integrity Levels
[Slide 9]
Security Architecture (cont)
Capabilities
Contracts
Broker Process
[Slide 10]
WinRT
[Slide 11]
Development Environments
.NET – C# and VB.NET with XAML
C++ with XAML
JavaScript and HTML
(Chart of usage share by environment: 59%, 5%, 36%)
[Slide 12]
Store Requirements and Certification
Package up the App and Deploy to the Store
Various requirements – mostly to do with development practices and content
Give it a WACK!! (Windows App Certification Kit)
If it passes WACK it still may fail acceptance for the Store (but they will indicate why)
[Slide 13]
Security Tests
BinScope Binary Analyzer Tests
AllowPartiallyTrustedCallersAttribute
/SafeSEH Exception Handling Protection
Data Execution Prevention
Address Space Layout Randomization
Read/Write Shared PE Section
AppContainerCheck
ExecutableImportsCheck
WXCheck
Attack Surface Analyzer
Secure executable files that have weak ACLs
Secure directories that contain objects and have weak ACLs
Secure registry keys with weak ACLs
Services that allow access to non-administrator accounts and are vulnerable to tampering
Services that have fast restarts or might restart more than twice every 24 hours
[Slide 14]
Great, But…..
https://www.blackhat.com/html/bh-us-12/bh-us-12-archives.html
Protect the OS
Defeat Malware
App v. User or User v. App?
User A v. User B?
[Slide 15]
Security Testing Windows Store Apps
Where are they?
Some lessons from another country
Testing Approaches
Software Setup
Web Services
Decompilation/Code Review
The Way we Were
JavaScript/HTML
[Slide 16]
Where are they?
C:\Program Files\WindowsApps\
Show hidden files and folders
Go to Security Tab and take ownership
Then take control when prompted
Must be logged in as an Administrator
[Slide 17]
App Packages
[Slide 18]
Danger Will Robinson…….
[Slide 19]
The Way we Were
[Slide 20]
My Proprietary Secret Sauce App!!
Buy Burger £10.99
Buy Chicken £12.50
Buy Milkshake £5.25
My Credit £2.99
[Slide 21]
My Evil Hacker App!!
Buy Burger £1.99
Buy Chicken £2.50
Buy Milkshake £0.25
My Credit £2000.99
[Slide 22]
My Ethical Open Source App!!
Salad – FREE
Fruit – FREE
Milk – FREE
My TCO £????
[Slide 23]
The Way we are
Windows resource protection makes it difficult to modify WindowsApps
Checksum prevents apps from running after modification
Verification back to Store – hacked now fixed…
Down to the individual App as of now
[Slide 24]
Testing Approaches
Attacking the Sandbox?
Web Application
Local Data
Decompilation/Code Review
Web Services
[Slide 25]
Software Setup
JavaScript/HTML Apps
Really are Web Applications and can be tested as such
Local context versus Web context
Run as a headless version of IE – can be seen in task explorer as ‘wwahost.exe’
Suffer from the typical problems of apps with a good framework
Unlikely (but possible) to get XSS
No less likely (maybe more!) to have other flaws
[Slide 30]
[Slide 31]
WWA Host running in Low Integrity Process
[Slide 32]
Decompilation/Code Review
.NET Apps can be trivially decompiled but may be obfuscated
A lot depends on your ability to read the language
Credentials/Keys
Developer Mode
SSL - <meta name="ms-https-connections-only" content="true"/>
[Slide 33]
Bad Coding Practices
eval, execScript, MSApp.execUnsafeLocalFunction
[Slide 34]
Bad Coding Practices
XMLHttpRequest
Untrusted dynamic content

```javascript
// Both patterns hand the raw response body to the HTML parser (the slide's bad practice)
var myDiv = document.createElement("div");
myDiv.innerHTML = xhr.responseText;
document.body.appendChild(myDiv);

document.writeln(xhr.responseText);
```
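The safe counterpart of the slide's two patterns, as an added example that is not from the deck: the XHR body is parsed as JSON rather than treated as markup, any field that does end up in markup is escaped, and the preferred path inserts text nodes only. `renderMenu`, `appendAsText` and the sample response are constructed for this example; `doc` is passed in so the text-node helper can be exercised without a browser.

```javascript
// Added example: rendering an XMLHttpRequest response without innerHTML/writeln.

// Escape the five characters that let text break out of an HTML text node
// or attribute value. Pure function, so it is testable without a DOM.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, function (c) {
    return { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c];
  });
}

// Parse the XHR body as JSON instead of treating it as HTML. A body that is
// not valid JSON, or not the shape we expect, is rejected rather than rendered.
function parseMenuResponse(responseText) {
  var data = JSON.parse(responseText);
  if (!Array.isArray(data.items)) throw new Error('unexpected response shape');
  return data.items;
}

// If markup must be built, every untrusted field goes through escapeHtml,
// so a name such as <img src=x onerror=...> is rendered as literal text.
function renderMenu(items) {
  return items.map(function (item) {
    return '<li>' + escapeHtml(item.name) + ' \u00a3' +
      Number(item.price).toFixed(2) + '</li>';
  }).join('');
}

// Preferred pattern: never build markup at all. A text node cannot carry
// script, so textContent is the replacement for the slide's innerHTML line.
function appendAsText(doc, parent, text) {
  var div = doc.createElement('div');
  div.textContent = String(text);   // textContent, never innerHTML
  parent.appendChild(div);
  return div;
}

// Constructed sample response: the second item's name carries an injected tag.
var SAMPLE_RESPONSE = JSON.stringify({
  items: [
    { name: 'Burger', price: 10.99 },
    { name: 'Milkshake<img src=x onerror=alert(1)>', price: 5.25 }
  ]
});
```

Where markup from a remote service genuinely has to be inserted in a Store app's local context, `window.toStaticHTML` strips script and event handlers before the string reaches `innerHTML`; escaping or text nodes remain the simpler choice.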
[Slide 35]
Local Data
Apps can write to C:\users\username\AppData\Packages\appname
LocalState or RemoteState
[Slide 36]
Web Services
[Slide 37]
Web Services

Request:

```xml
<?xml version="1.0" encoding="utf-8"?>
<soap:body>
  <Process_ID xmlns="http://tempuri.org">
    <id>a' and 1=0/@@version;--</id>
  </Process_ID>
</soap:body>
```

Response:

```xml
<soap:body>
  <soap:fault>
    <faultcode>soap:server</faultcode>
    <faultstring>Server was unable to process request. ---> Conversion failed when converting the nvarchar value 'Microsoft SQL Server 2008 R2 (SP2) - 10.50.4000.0 (X64)
    June 28 2012 08:36:30
    Copyright (c) Microsoft Corporation
    Enterprise Edition (64-bit) on Windows NT 6.1 (Build 7601: Service Pack 1)' to data type int.</faultstring>
  </soap:fault>
</soap:body>
```
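A check a tester can run over SOAP responses to spot the symptom shown above (database error text and a server version banner leaking through `<faultstring>`), as an added example that is not from the deck. The signature list, function names and both sample faults are constructed for this example; the sample fault is modelled on the response on the slide.

```javascript
// Added example: flag SOAP faults that leak database error detail.

// Constructed signature list: patterns that indicate a SQL Server error
// message, rather than a generic fault, reached the client.
var DB_ERROR_SIGNATURES = [
  { name: 'mssql-conversion-error', re: /Conversion failed when converting the \w+ value/i },
  { name: 'mssql-version-banner',   re: /Microsoft SQL Server \d{4}[^']*/i },
  { name: 'mssql-syntax-error',     re: /Incorrect syntax near/i },
  { name: 'mssql-unclosed-quote',   re: /Unclosed quotation mark after the character string/i }
];

// Pull the text of <faultstring> out of a SOAP 1.1 fault body.
// Returns null when the body carries no fault at all.
function extractFaultString(xml) {
  var m = /<faultstring>([\s\S]*?)<\/faultstring>/i.exec(xml);
  return m ? m[1].trim() : null;
}

// Return every signature that matches the fault, with the leaked fragment
// as evidence. An empty list means the fault is generic (the desired state).
function analyseSoapFault(xml) {
  var fault = extractFaultString(xml);
  if (fault === null) return [];
  var findings = [];
  DB_ERROR_SIGNATURES.forEach(function (sig) {
    var m = sig.re.exec(fault);
    if (m) findings.push({ signature: sig.name, evidence: m[0] });
  });
  return findings;
}

// Constructed sample: a verbose fault of the kind shown on the slide.
var SAMPLE_FAULT = '<soap:Body><soap:Fault><faultcode>soap:Server</faultcode>' +
  '<faultstring>Server was unable to process request. ---> Conversion failed when ' +
  "converting the nvarchar value 'Microsoft SQL Server 2008 R2 (SP2) - 10.50.4000.0 (X64)' " +
  'to data type int.</faultstring></soap:Fault></soap:Body>';

// Constructed sample: what the same service should return once fixed.
var GENERIC_FAULT = '<soap:Body><soap:Fault><faultcode>soap:Server</faultcode>' +
  '<faultstring>Server was unable to process request.</faultstring></soap:Fault></soap:Body>';
```

The server-side fix is parameterised queries plus generic fault messages; run against the service after the fix, the same check doubles as a regression test that the fault text no longer carries error detail.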
[Slide 38]
Some lessons from another Country
[Slide 39]
OWASP Mobile Top Ten
Insecure Data Storage
Weak Server Side Controls
Insufficient Transport Layer Protection
Client Side Injection
Poor Authorization and Authentication
Improper Session Handling
Security Decisions via Untrusted Inputs
Side Channel Data Leakage
Broken Cryptography
Sensitive Information Disclosure
[Slide 40]
Turning it on its head….
Compile with VS
Minimize App Capabilities
Use File Picker instead of library capabilities
Don’t trust remote data
Don’t let the web access WinRT
Authenticate correctly
Validate content
Use HTTPS
[Slide 41]
OWASP Project Training Application to assist Developers and testers
Web Goat, Rails Goat, Droid Goat
Store Sheep (“A Friend for Ewe”)
[Slide 42]
Conclusion
[Slide 45]
Questions? Answers?