pwning windows mobile applications by ankit giri
TRANSCRIPT
Pwning Windows Mobile Applications
By Ankit Giri
Agenda● Mobile Platform Operating Systems
● Windows Phone Overview
● What we can test?
● Challenges
● Approach & Prerequisites
● Methodology
● Application File Structure
● Tools for Penetration Testing
● Security Features
Microsoft Phone! ● Windows Phone 8 (WP8) – used to be called Windows Mobile until 7.x● ARM Hardware Architecture (like iOS, Android, and Blackberry)● Windows Phone Runtime Application Architecture● Developer apps work on both Windows 8 and WP8● Windows NT kernel● Windows 10 Mobile: The release was officially dubbed "Version 1511" or "November Update"
(owing to the fact that in all other editions of Windows 10, this version was an update).● Windows 10 Mobile launched with the Microsoft Lumia 550, 950 and 950 XL. The rollout for
Windows Phone 8.1 devices started March 17, 2016
Understanding the platform● WM10 uses NT Kernel● 128-bit BitLocker for device encryption● NTFS file system● Sandboxed apps● SafeBoot: Secure UEFI Boot➔ Can’t boot software without correct digital signature to be loaded on the phone➔ TPM 2.0 – requires unique keys to be burned into chip during production● Windows Mobile binaries must have Microsoft signed digital signatures
Application Sandboxing● Each app has a local isolated storage● Limited app-to-app communication● App A cannot see App B storage● App folder has:❖ Settings❖ Files❖ Directories❖ Database
Jailbreakable or not!● WM10 is a closed OS, just like most things Microsoft stuff● No jailbreak yet – some activities you would like to do for mobile device testing will not be possible❖ Access to memory❖ Local file system and storage❖ Transfer files to and from device
Static Analysis● View Manifest information● View the application tree including assemblies, types and methods● Methods which use APIs
XAP files
Purpose of Source code review● “UNDERSTAND THE WORKING OF THE APPLICATION AND TO FIGURE OUT THE LOOPHOLES!”● To find Treasure Key Words like: password , keys , sql, algo, AES, DES, Base64, etc● Detect the data storage definitions● Detect backdoors or suspicious code● Detect injection flaws● Figure out weak algorithm usage and hardcoded keys● E.g. Password in Banking ApplicaZon (SensiZve InformaZon)● E.g. Angry Birds Malware (Stealing Data) ● E.g. Zitmo Malware (Sending SMS)
Reverse engineering a windows mobile application
Tools used :
● De-compresser (Winrar / Winzip / 7zip)● .Net Decompiler (ILSpy)● Visual Studio / Notepad
Steps :
● xap -> .dll● dll -> .csproject / .vbproject
Mitigation1. Free Obfuscator: http://confuser.codeplex.com/
2. Dotfuscator: https://www.preemptive.com/products/dotfuscator/overview
Other tools used● WP Power tools● .NET Reflector
Testing Approach● Emulator / Windows Phone SDK
● Unlocked Device
● Side Loading
● Developer Unlock – Free Unlock with 2 Apps Limit
● Student Unlock – Up to 3 Apps
● Limitations
● Apps from the store cannot be extracted
● Apps from the store will not work on emulators
Sideloading apps● It is a process of installing apps on a device without using app store
● Windows phone Power tools is used to deploy apps
● Plug in your device, unlock your device & run Windows phone Power tools
● Only apps signed with certificates will run on unlocked phones
Application File Structure
► AppManifest.xaml
► WMAppManifest.xml
WMAppManifest.xml
XAP - Headers
File Analysis
Dynamic analysis
● Log method names
● Log parameters values
● Log return values
● Add custom code to method
● Replace method
● Add custom code to the end of method
● Change parameter values with custom code
Isolated Storage explorer
