Dynamic Analysis of Windows Phone 7 Apps Security
This content discusses the security model, managed code policy, Windows Phone 7 SDK features, network traffic monitoring, monitoring of SMS/MMS, camera and sensor access, and code execution flow analysis. It covers the isolation of processes, code signing requirements, SDK components, and tools used for development and monitoring within the Windows Phone 7 ecosystem.
Presentation Transcript
Dynamic Analysis of Windows Phone 7 apps
Behrang Fouladi, SensePost
Security Model
Processes run in 4 isolated chambers:
- Trusted Computing Base (TCB): Kernel land drivers
- Elevated Rights Chamber (ERC): User land services
- Standard Rights Chamber (SRC): IE, MS Office
- Least Privileged Chamber (LPC): Marketplace apps
LPC permissions are capability driven: GPS, camera, microphone, SMS or sensor
Applications must be code-signed by MS after functional and content review
Security Model
"Managed code only" policy in Marketplace and development tools:
- Not 100% true: vendors like Samsung and Adobe used the undocumented COMBridge class to execute native code
- The native code will still run in the managed code security context
Different versions of the SDK released for OEM vendors and normal programmers:
- Native module and driver development support are included in the OEM version (Platform Builder)
Windows Phone 7 SDK
- Installed as a VS 2010 component
- The Express version allows app (Silverlight) and game development (XNA framework)
- No native module development features
- Uses MS Smart Device API to connect, deploy apps and exchange data with device/emulator
- VS Debugger UI has no "Attach to Process" option: no third-party app debugging
Dynamic Analysis
- Network traffic can be monitored effectively using the Fiddler proxy tool
- Good news: WP7 apps can only communicate HTTP(s)
- Inspecting IsolatedStorage:
  - RemoteIsolatedStore class in Smart Device API is not implemented yet
  - But a storage explorer based on System.IO.IsolatedStorage can be injected into the target app
Dynamic Analysis
Monitoring SMS, MMS, camera and sensor access:
- Checking the Capabilities element inside the WMAppManifest.xml file:
    <Capabilities>
      <Capability Name="ID_CAP_LOCATION"/>
      <Capability Name="ID_CAP_PHONEDIALER"/>
    </Capabilities>
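An added example (not from the presentation or from XAP Spy): the capability check above, automated in Python over a XAP package, which is a ZIP archive. The SENSITIVE mapping, the function names and the sample package are assumptions constructed for this illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Assumed review policy for this example: capability ID -> resource it unlocks.
SENSITIVE = {
    "ID_CAP_LOCATION": "GPS / location",
    "ID_CAP_ISV_CAMERA": "camera",
    "ID_CAP_MICROPHONE": "microphone",
    "ID_CAP_SENSORS": "sensors",
    "ID_CAP_PHONEDIALER": "phone dialer",
}

def read_manifest(xap_bytes):
    """Return the raw WMAppManifest.xml bytes from a XAP (a ZIP archive)."""
    with zipfile.ZipFile(io.BytesIO(xap_bytes)) as xap:
        for name in xap.namelist():
            if name.replace("\\", "/").rsplit("/", 1)[-1].lower() == "wmappmanifest.xml":
                return xap.read(name)
    raise ValueError("no WMAppManifest.xml in package")

def declared_capabilities(manifest_bytes):
    """List Capability Name values, ignoring any XML namespace."""
    # The manifest is untrusted input: refuse DTDs and entities before parsing.
    if b"<!DOCTYPE" in manifest_bytes or b"<!ENTITY" in manifest_bytes:
        raise ValueError("manifest contains a DTD; refusing to parse")
    return [e.get("Name") for e in ET.fromstring(manifest_bytes).iter()
            if e.tag.rsplit("}", 1)[-1] == "Capability" and e.get("Name")]

def audit(xap_bytes):
    """Return (sensitive capabilities with their resource, all other IDs)."""
    caps = declared_capabilities(read_manifest(xap_bytes))
    sensitive = {c: SENSITIVE[c] for c in caps if c in SENSITIVE}
    return sensitive, [c for c in caps if c not in SENSITIVE]

def build_sample_xap():
    """Constructed sample: a minimal XAP with the slide's capabilities plus one."""
    manifest = ('<Deployment xmlns="http://schemas.microsoft.com/windowsphone/2009/deployment">'
                '<App><Capabilities>'
                '<Capability Name="ID_CAP_LOCATION"/>'
                '<Capability Name="ID_CAP_PHONEDIALER"/>'
                '<Capability Name="ID_CAP_NETWORKING"/>'
                '</Capabilities></App></Deployment>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("WMAppManifest.xml", manifest)
    return buf.getvalue()

if __name__ == "__main__":
    print(audit(build_sample_xap()))
```

The manifest only states what an app is allowed to request; whether and when it actually uses a capability is what the runtime monitoring in the following slides addresses.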
Dynamic Analysis
Monitoring code execution flow:
- VS debugger can't attach to emulator/device processes
- No CLR Profiler in .NET Compact Framework
- Idea: inject a prologue into target app methods and dump variable contents at runtime:
  - Assembly files need to be re-signed after patching
  - How to communicate with the app on the emulator?
  - Problem with anti-tampered apps
XAP Spy
- Automates the process of prologue injection, signing, deployment and logging
- Uses Mono.Cecil library for code injection
- MS Smart Device API for app deployment
- Communication with remote app:
  - HTTP server and clients: the approach used by code profiling tools like EQATEC and RuntimeIntelligence: resource expensive, access violation for multi-thread apps
  - Enabling emulator console (by registry trick) and pointing output there: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\XDE\EnableConsole
Limitations
- No GAC assemblies trace
- No code breakpoints and manual trace
- No runtime code/variable modification
- Anti-tampered apps need to be cracked before analysis
How to Improve it?
Communicating directly with the debugger agent on the emulator:
- VS deploys edm3.exe file to the emulator: native x86 code, signed by MS
- "Attach to process" code was found inside this file
- This file seems to be a RemoteAgent module (Windows Mobile 5, 6)
- From MSDN: "The device agent has full programmatic access to gather information and manipulate the device because it runs on the device."
- Using a phone (Transport Layer=tcp) and analysing packets: easier than reversing the emulator's DMA transport