securitybsides london - windows phone 7

David Rook Windows Phone 7 Security SecurityBSides London Sunday, 22 April 2012

Upload: security-ninja

Post on 17-May-2015


DESCRIPTION

My Windows Phone 7 platform and application security overview presentation from SecurityBSides London 2012.

TRANSCRIPT

Page 1: SecurityBSides London - windows phone 7

David Rook

Windows Phone 7 Security

SecurityBSides London

Sunday, 22 April 2012

Page 2: SecurityBSides London - windows phone 7

if (slide == introduction) System.out.println("I’m David Rook");

• Application Security Lead, Realex Payments, Dublin
• CISSP, CISA, GCIH and many other acronyms
• Security Ninja (@securityninja)
• Speaker at developer and security conferences
• Microsoft Developer Security MVP
• Developed and released Agnitio and the WPAA

Page 3: SecurityBSides London - windows phone 7

Agenda

• Smartphones and apps - big numbers, little security?
• Windows Phone 7 introduction
• Windows Phone 7 platform security
• Windows Phone 7 application security
• Security reviewing Windows Phone 7 apps

Page 4: SecurityBSides London - windows phone 7

Mobile device sales 2011

[Chart: Mobile 69%, Smartphones 31%; labelled figures: 1.3 billion and 472 million]

Source: http://www.gartner.com/it/page.jsp?id=1924314

Page 5: SecurityBSides London - windows phone 7

Smartphone OS market share 2011

• Android: 51%
• iOS: 24%
• Symbian: 12%
• RIM: 9%
• Microsoft: 2%

Source: http://www.gartner.com/it/page.jsp?id=1924314


Page 13: SecurityBSides London - windows phone 7

Smartphone OS market share 2011

• Microsoft has 1.9% of the smartphone market share
• Smaller market share than something called Bada
• Similar approach to Android with many devices available
• IDC predict that it will have 20% market share by 2015
• Should I even continue with this talk about Windows Phone 7?
• 20% is unlikely but its market share will increase in my opinion


Page 15: SecurityBSides London - windows phone 7

Windows Phone 7 Introduction

• The smartphone from Microsoft
• First released in late 2010 with 7 updates since then
• Minimum “tough but fair” hardware requirements
• Apps only available via the Windows Phone Marketplace
• Specifically aimed at the consumer market not enterprise
• Based on Windows Embedded Compact v6 and v7


Page 17: SecurityBSides London - windows phone 7

Windows Phone 7 Introduction

• .NET Compact Framework
• Version of the .NET framework for resource constrained devices
• Compiler translates your code into Intermediate Language
• Apps are JIT compiled and executed by the .NET CLR
• Only managed .NET code allowed in your apps*
• Some of the same classes and some mobile specific ones


Page 21: SecurityBSides London - windows phone 7

Windows Phone 7 Introduction

    private void button1_Click(object sender, RoutedEventArgs e)
    {
        MessageBox.Show("Hello BSides London!");
    }

C# Compiler → Managed Module → .NET CLR


Page 23: SecurityBSides London - windows phone 7

Windows Phone 7 Introduction

• Windows Phone 7 Kernel Architecture
• 32bit OS that runs inside a 4GB virtual address space
• 2GB allocated to the kernel and 2GB to process executing
• That isn’t quite true, the process executing only gets 1GB
• 1GB is for components commonly mapped into all processes

Page 24: SecurityBSides London - windows phone 7

Windows Phone 7 Introduction

• Windows Phone 7 Kernel Architecture

[Diagram: Hardware, Kernel Space and User Space layers. Components shown: Drivers, Device.DLL, kCoreDLL.DLL, COREDLL/WINSOCK/COMMCRL/WININET, Network, GWES, FSDMGR.DLL, FILESYS.DLL, KERNEL.DLL, OAL.EXE, APPLICATIONS, TELSHELL.EXE, UDEVICES.EXE, SERVICESD.EXE, CPROG.EXE]

Page 25: SecurityBSides London - windows phone 7

Windows Phone 7 Introduction

• Kernel Space (2GB): Kernel, File System, Drivers, GWES
• Process Space (2GB): Memory Mapped Files, User DLLs, Process Code

Page 26: SecurityBSides London - windows phone 7

Windows Phone 7 Introduction

Process Memory (2GB)

• Common across all processes: Shared User DLLs (512MB), RAM Backed Mapfiles (256MB), Shared System Heap (256MB)
• Private to each process: Process Space (1GB per process)


Page 29: SecurityBSides London - windows phone 7

Windows Phone 7 Platform Security

• Windows Phone 7 Security Model
• Chambers concept to enforce app isolation and least privilege
• Four chambers and apps run in one of them
• Three chambers have fixed permission sets
• The fourth chamber is capabilities based
• The chambers provide a security boundary to restrict the apps

Page 30: SecurityBSides London - windows phone 7

Windows Phone 7 Platform Security

• Trusted Computing Base (TCB): fixed permissions
• Elevated Rights Chamber (ERC): fixed permissions
• Standard Rights Chamber (SRC): fixed permissions
• Least Privileged Chamber (LPC): capabilities based

Page 31: SecurityBSides London - windows phone 7

Windows Phone 7 Platform Security

Trusted Computing Base (TCB)

• Allows processes to have unrestricted access to most resources
• The TCB chamber can modify policy and enforce the security model
• Only Microsoft can add signed software to the TCB chamber
• The kernel and kernel-mode drivers run in the TCB chamber

Page 32: SecurityBSides London - windows phone 7

Windows Phone 7 Platform Security

Elevated Rights Chamber (ERC)

• Can access all resources except security policy
• Intended for services and user-mode drivers
• Only Microsoft can add signed software to the ERC chamber
• User-mode drivers and services run in this chamber

Page 33: SecurityBSides London - windows phone 7

Windows Phone 7 Platform Security

Standard Rights Chamber (SRC)

• Apps that do not provide device-wide services run in the SRC
• The default chamber for pre-installed MS and OEM applications

Page 34: SecurityBSides London - windows phone 7

Windows Phone 7 Platform Security

Least Privileged Chamber (LPC)

• Least Privileged Chambers are configured using capabilities
• The default chamber for all non-Microsoft applications
• Capabilities are listed in the application’s WMAppManifest.xml file

Page 35: SecurityBSides London - windows phone 7

Windows Phone 7 Platform Security

• Windows Phone 7 Application Capabilities
• Application capabilities are features that an app uses
• Default app manifest file includes a list of all the capabilities*
• WP7 grants security permissions based on the contents of your WMAppManifest.xml file*
• Not everything your app does needs a capability defined
• Apps request permission to access protected APIs during the deployment process

Page 36: SecurityBSides London - windows phone 7

Windows Phone 7 Platform Security

• Windows Phone 7 Application Capabilities
• Capability checks are enforced at runtime
• Requests for other resources == UnauthorizedAccessException
• This exception occurs when the access is attempted not when the app is executed
• Permission set for the app’s LPC is created based on the capabilities


Page 38: SecurityBSides London - windows phone 7

Windows Phone 7 Platform Security

• Windows Phone 7 Capabilities Detection Demo
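
A manifest review along the lines of the capability slides above, as an added example (not the presenter's demo or tool): a desktop C# helper that lists the capabilities declared in WMAppManifest.xml and compares them with the set a reviewer found the code needs. The sample manifest, the `needed` set and the choice of which capabilities count as sensitive are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Xml.Linq;

static class ManifestCapabilityReview
{
    // Reviewer's assumption: capabilities that reach personal data or sensors.
    static readonly HashSet<string> Sensitive = new HashSet<string> {
        "ID_CAP_LOCATION", "ID_CAP_CONTACTS", "ID_CAP_APPOINTMENTS",
        "ID_CAP_MICROPHONE", "ID_CAP_ISV_CAMERA", "ID_CAP_IDENTITY_DEVICE",
        "ID_CAP_IDENTITY_USER" };

    // Capability names declared in the manifest; elements are matched on
    // local name so the deployment XML namespace does not matter.
    public static HashSet<string> Declared(string manifestXml)
    {
        return new HashSet<string>(
            XDocument.Parse(manifestXml).Descendants()
                .Where(e => e.Name.LocalName == "Capability")
                .Select(e => (string)e.Attribute("Name"))
                .Where(n => !string.IsNullOrEmpty(n)));
    }

    // needed = capabilities the reviewer (or a detection tool) found the code uses.
    public static List<string> Review(string manifestXml, HashSet<string> needed)
    {
        HashSet<string> declared = Declared(manifestXml);
        var findings = new List<string>();
        // Declared but unused: the LPC permission set is wider than the app needs.
        foreach (string cap in declared.Except(needed).OrderBy(c => c))
            findings.Add("UNUSED    " + cap + " (declared but not needed: remove)");
        // Used but undeclared: fails at the point of access, not at launch.
        foreach (string cap in needed.Except(declared).OrderBy(c => c))
            findings.Add("MISSING   " + cap + " (UnauthorizedAccessException at first use)");
        // Needed and sensitive: check consent and the privacy policy.
        foreach (string cap in declared.Intersect(needed)
                                       .Where(c => Sensitive.Contains(c)).OrderBy(c => c))
            findings.Add("SENSITIVE " + cap + " (confirm user consent and privacy policy)");
        return findings;
    }

    static void Main()
    {
        // Constructed sample manifest, trimmed to the Capabilities element.
        const string manifest = @"<Deployment xmlns='http://schemas.microsoft.com/windowsphone/2009/deployment' AppPlatformVersion='7.1'>
  <App Title='SampleApp'>
    <Capabilities>
      <Capability Name='ID_CAP_NETWORKING' />
      <Capability Name='ID_CAP_LOCATION' />
      <Capability Name='ID_CAP_CONTACTS' />
      <Capability Name='ID_CAP_MICROPHONE' />
    </Capabilities>
  </App>
</Deployment>";
        var needed = new HashSet<string> {
            "ID_CAP_NETWORKING", "ID_CAP_LOCATION", "ID_CAP_SENSORS" };
        foreach (string line in Review(manifest, needed))
            Console.WriteLine(line);
    }
}
```

With the constructed input this reports ID_CAP_CONTACTS and ID_CAP_MICROPHONE as unused, ID_CAP_SENSORS as missing and ID_CAP_LOCATION as sensitive.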


Page 39: SecurityBSides London - windows phone 7

Windows Phone 7 Platform Security

• Windows Phone 7 Application Signing
• Apart from developer unlocked devices apps must be signed
• Microsoft automatically signs approved apps
• Apps must have a valid Microsoft signature to be installed


Page 41: SecurityBSides London - windows phone 7

Windows Phone 7 Platform Security

• Windows Phone 7 Application Sandboxing
• Apps execute within a restricted LPC as we saw earlier
• Cannot communicate with other apps on the phone
• Sandboxed apps aren’t allowed to run in the background
• No access to native code from within the sandbox
• All I/O operations are restricted to per app Isolated Storage

Page 42: SecurityBSides London - windows phone 7

Windows Phone 7 Platform Security

• Windows Phone 7 Application Isolated Storage
• Per app Isolated Storage allows apps to keep data “private”
• Very similar to Isolated Storage in Silverlight
• No direct access to the file system
• No access to other apps’ Isolated Storage
• Three different ways to use your app’s Isolated Storage


Page 44: SecurityBSides London - windows phone 7

Windows Phone 7 Application Security

• Windows Phone 7 Application Security
• Mobile application security introduces almost no new issues
• Forget about specific vulnerabilities for one minute
• Think about the root causes of vulnerabilities, I’ll give you a hand

Page 45: SecurityBSides London - windows phone 7

Windows Phone 7 Application Security

• Input Validation
• Output Validation
• Error Handling
• Authentication and Authorisation
• Secure Storage
• Secure Communications
• Session Management
• Secure Resource Access
• Auditing and Logging
• Privacy


Page 47: SecurityBSides London - windows phone 7

Windows Phone 7 Application Security

• Windows Phone 7 Application Security
• Mobile application security introduces almost no new issues
• Forget about specific vulnerabilities for one minute
• Think about the root causes of vulnerabilities, I’ll give you a hand
• From that list what do you think the top 3 are?
• My top 3 are:
  • Secure Storage
  • Authentication and Authorisation
  • Secure Resource Access/Privacy

Page 48: SecurityBSides London - windows phone 7

Windows Phone 7 Application Security

• OWASP Top 10 Mobile Risks
• I compared the OWASP top 10 mobile risks to my list
• 50% Secure Storage/Secure Communications
• 20% Authentication and Authorisation
• 0% Privacy*

Page 49: SecurityBSides London - windows phone 7

Windows Phone 7 Application Security

• OWASP Mobile Controls
• Lists the mobile app security controls you should implement
• I compared each control to the list I showed you, guess what?
• 26% Secure Storage
• 16% Authentication and Authorisation
• 16% Secure Resource Access*/Secure Communications


Page 51: SecurityBSides London - windows phone 7

Windows Phone 7 Application Security

• My top 3 in the real world
• Secure Storage: Facebook, Citibank, LinkedIn, Google Wallet
• A&A: Foodspotting, Google Wallet, Google (multiple apps)
• SRA/Privacy: Path, Hipster, Carrier IQ, Ad Libraries
• This doesn’t mean we can ignore all of the other issues


Page 54: SecurityBSides London - windows phone 7

Windows Phone 7 Application Security

• Preventing the top 3 in your WP7 apps
• I can’t cover every principle in this talk
• With that in mind I'm grouping them to make a "new" top 3
  • Data Security - Secure Storage and Communications
  • Authentication and Authorisation
  • Data Access/Privacy


Page 57: SecurityBSides London - windows phone 7

Windows Phone 7 Application Security

• Windows Phone 7 Data Security
• Never store data on the device if it really isn’t needed
• WP7 allows us to encrypt data and databases
• Only new databases can be encrypted but very easy to do
• DPAPI is used for file/password/pin etc encryption
• No hashing available and no algorithm selection


Page 60: SecurityBSides London - windows phone 7

Windows Phone 7 Application Security

• Windows Phone 7 Data Security
• The local database encryption is based on a password
• You create a DB in code and you must include the password
• The database is encrypted using AES-128
• The password is hashed using SHA-256
• An encrypted database can be created with two lines of code

Page 61: SecurityBSides London - windows phone 7

Windows Phone 7 Application Security

    // Create the data context, specify the database file location and password
    DavesDataContext db = new DavesDataContext("Data Source=isostore:/NinjaSecrets.sdf;Password=NinjaPassword");

    // Create an encrypted database after confirming that it does not exist
    if (!db.DatabaseExists()) db.CreateDatabase();


Page 64: SecurityBSides London - windows phone 7

Windows Phone 7 Application Security

• Windows Phone 7 Data Security
• Saving data to an app’s isolated storage is not secure
• If you want to encrypt data and not a DB you use the DPAPI
• Use the System.Security.Cryptography.ProtectedData class
• Specifically the Protect() and Unprotect() methods
• Symmetric encryption (AES) used. Hashing isn’t possible

Page 65: SecurityBSides London - windows phone 7

Windows Phone 7 Application Security

• Windows Phone 7 Data Security
• Every app on a WP7 phone gets its own Encryption Key
• DPAPI generates and securely stores this for you
• Calling Protect() or Unprotect() implicitly selects the app’s key
• optionalEntropy parameter can be used to provide extra entropy

Page 66: SecurityBSides London - windows phone 7

Windows Phone 7 Application Security

• Encrypted Data Code Sample
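
An added example (not the presenter's sample from this slide) of the ProtectedData usage described above: a secret is encrypted with Protect() before it is written to Isolated Storage and decrypted with Unprotect() on read. The class name, the file handling and the entropy value are illustrative assumptions for a Windows Phone 7.1 project.

```csharp
using System;
using System.IO;
using System.IO.IsolatedStorage;
using System.Security.Cryptography;
using System.Text;

public static class ProtectedSecretStore
{
    // Assumed value for optionalEntropy: ties the blob to this purpose, so a
    // blob protected with other entropy in the same app will not decrypt here.
    private static readonly byte[] Entropy =
        Encoding.UTF8.GetBytes("pin-store-v1");

    public static void Save(string fileName, string secret)
    {
        byte[] plain = Encoding.UTF8.GetBytes(secret);
        try
        {
            // DPAPI selects this app's key implicitly; no key is handled here.
            byte[] blob = ProtectedData.Protect(plain, Entropy);
            using (var store = IsolatedStorageFile.GetUserStoreForApplication())
            using (var fs = new IsolatedStorageFileStream(
                fileName, FileMode.Create, FileAccess.Write, store))
            {
                fs.Write(blob, 0, blob.Length);
            }
        }
        finally
        {
            // Wipe our byte copy; the caller's string cannot be wiped.
            Array.Clear(plain, 0, plain.Length);
        }
    }

    // Returns null when nothing is stored or the blob cannot be decrypted.
    public static string Load(string fileName)
    {
        byte[] blob;
        using (var store = IsolatedStorageFile.GetUserStoreForApplication())
        {
            if (!store.FileExists(fileName)) return null;
            using (var fs = new IsolatedStorageFileStream(
                fileName, FileMode.Open, FileAccess.Read, store))
            {
                blob = new byte[fs.Length];
                int read = 0, n = 0;
                while (read < blob.Length &&
                       (n = fs.Read(blob, read, blob.Length - read)) > 0)
                    read += n;
            }
        }
        try
        {
            byte[] plain = ProtectedData.Unprotect(blob, Entropy);
            string secret = Encoding.UTF8.GetString(plain, 0, plain.Length);
            Array.Clear(plain, 0, plain.Length);
            return secret;
        }
        catch (CryptographicException)
        {
            // Corrupted, truncated, or protected with different entropy.
            return null;
        }
    }
}
```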


Page 67: SecurityBSides London - windows phone 7

Windows Phone 7 Application Security

• Windows Phone 7 Data Security
• Secure Communications is a lot easier!
• Very little to do with the app code itself in my opinion
• More to do with good design and a good security code review!
• Data sent to web services, SQL Azure etc needs protection
• No client side SSL certs allowed and no VPN functionality


Page 69: SecurityBSides London - windows phone 7

Windows Phone 7 Application Security

• Windows Phone 7 Authentication & Authorisation
• Not just talking about app logon or service authentication
• Specifically talking about access to data on the device
• Gaining the user’s authorisation before accessing sensitive data
• This includes access to the user’s contacts, SMS etc
• I know we already "asked" in the WMAppManifest.xml file....

Page 70: SecurityBSides London - windows phone 7

Windows Phone 7 Application Security

• Windows Phone 7 Data Access/Privacy
• Another one which isn’t platform/framework specific
• Understand the data accessed by third party libraries
• Create a privacy policy covering personal data and stick to it!
• Don’t store historical data on the device beyond required time
• Audit app communications to check for data leaks

Page 71: SecurityBSides London - windows phone 7

Windows Phone 7 Application Security

• Windows Phone App Analyser and Agnitio Demos


Page 72: SecurityBSides London - windows phone 7

I love questions!



Page 74: SecurityBSides London - windows phone 7

www.securityninja.co.uk

@securityninja

QUESTIONS?

/realexninja

/securityninja

/realexninja

http://sourceforge.net/projects/agnitiotool/
