2. if (slide == introduction)
System.out.println("I’m David Rook");
• Application Security Lead, Realex Payments, Dublin
CISSP, CISA, GCIH and many other acronyms
• Security Ninja (@securityninja)
• Speaker at developer and security conferences
• Microsoft Developer Security MVP
• Developed and released Agnitio and the WPAA
Sunday, 22 April 2012
3. Agenda
• Smartphones and apps - big numbers, little security?
• Windows Phone 7 introduction
• Windows Phone 7 platform security
• Windows Phone 7 application security
• Security reviewing Windows Phone 7 apps
4. Mobile device sales 2011
• Smartphones: 472 million (31%)
• Mobile: 1.3 billion (69%)
Source: http://www.gartner.com/it/page.jsp?id=1924314
5. Smartphone OS market share 2011
• Microsoft: 2%
• RIM: 9%
• Symbian: 12%
• Android: 51%
• iOS: 24%
Source: http://www.gartner.com/it/page.jsp?id=1924314
13. Smartphone OS market share 2011
• Microsoft has 1.9% of the smartphone market share
• Smaller market share than something called Bada
• Should I even continue with this talk about Windows Phone 7?
• Similar approach to Android with many devices available
• IDC predict that it will have 20% market share by 2015
• 20% is unlikely but its market share will increase in my opinion
15. Windows Phone 7 Introduction
• The smartphone from Microsoft
• First released in late 2010 with 7 updates since then
• Based on Windows Embedded Compact v6 and v7
• Minimum “tough but fair” hardware requirements
• Apps only available via the Windows Phone Marketplace
• Specifically aimed at the consumer market not enterprise
17. Windows Phone 7 Introduction
• .NET Compact Framework
• Version of the .NET framework for resource constrained devices
• Some of the same classes and some mobile specific ones
• Compiler translates your code into Intermediate Language
• Apps are JIT compiled and executed by the .NET CLR
• Only managed .NET code allowed in your apps*
18. Windows Phone 7 Introduction
private void button1_Click(object sender, RoutedEventArgs e)
{
MessageBox.Show("Hello BSides London!");
}
23. Windows Phone 7 Introduction
• Windows Phone 7 Kernel Architecture
• 32bit OS that runs inside a 4GB virtual address space
• 2GB allocated to the kernel and 2GB to the executing process
• That isn’t quite true, the executing process only gets 1GB
• 1GB is for components commonly mapped into all processes
24. Windows Phone 7 Introduction
• Windows Phone 7 Kernel Architecture (diagram)
• User Space: APPLICATIONS; TELSHELL.EXE, UDEVICES.EXE, SERVICESD.EXE, CPROG.EXE; COREDLL/WINSOCK/COMMCRL/WININET
• Kernel Space: kCoreDLL.DLL, KERNEL.DLL, FILESYS.DLL, Device.DLL, GWES, Network, OAL.EXE, FSDMGR.DLL, Drivers
• Hardware
25. Windows Phone 7 Introduction
• Process Space (2GB): Process Code, User DLLs, Memory Mapped Files
• Kernel Space (2GB): GWES, Drivers, File System, Kernel
26. Windows Phone 7 Introduction
• Process Memory (2GB)
• Common across all processes: Shared System Heap (256MB), RAM Backed Mapfiles (256MB), Shared User DLLs (512MB)
• Private to each process: Process Space (1GB per process)
29. Windows Phone 7 Platform Security
• Windows Phone 7 Security Model
• Chambers concept to enforce app isolation and least privilege
• The chambers provide a security boundary to restrict the apps
• Four chambers and apps run in one of them
• Three chambers have fixed permission sets
• The fourth chamber is capabilities based
30. Windows Phone 7 Platform Security
• Fixed permissions: Trusted Computing Base (TCB), Elevated Rights Chamber (ERC), Standard Rights Chamber (SRC)
• Capabilities based: Least Privileged Chamber (LPC)
31. Windows Phone 7 Platform Security
• Trusted Computing Base (TCB)
• The kernel and kernel-mode drivers run in the TCB chamber
• Allows processes to have unrestricted access to most resources
• The TCB chamber can modify policy and enforce the security model
• Only Microsoft can add signed software to the TCB chamber
32. Windows Phone 7 Platform Security
• Elevated Rights Chamber (ERC)
• User-mode drivers and services run in this chamber
• Can access all resources except security policy
• Intended for services and user-mode drivers
• Only Microsoft can add signed software to the ERC chamber
33. Windows Phone 7 Platform Security
• Standard Rights Chamber (SRC)
• The default chamber for pre-installed MS and OEM applications
• Apps that do not provide device-wide services run in the SRC
34. Windows Phone 7 Platform Security
• Least Privileged Chamber (LPC)
• The default chamber for all non-Microsoft applications
• Least Privileged Chambers are configured using capabilities
• Capabilities are listed in the application’s WMAppManifest.xml file
35. Windows Phone 7 Platform Security
• Windows Phone 7 Application Capabilities
• Application capabilities are features that an app uses
• Apps request permission to access protected APIs during the deployment process
• Default app manifest file includes a list of all the capabilities*
• WP7 grants security permissions based on the contents of your WMAppManifest.xml file*
• Not everything your app does needs a capability defined
36. Windows Phone 7 Platform Security
• Windows Phone 7 Application Capabilities
• Capability checks are enforced at runtime
• Permission set for the app’s LPC is created based on the capabilities
• Requests for other resources == UnauthorizedAccessException
• This exception occurs when the access is attempted, not when the app is executed
38. Windows Phone 7 Platform Security
• Windows Phone 7 Capabilities Detection Demo
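Added example, not code from the talk or from Microsoft's tooling: a reviewer-side check that reads the capabilities an app declares in WMAppManifest.xml and reports any the reviewer did not expect, which catches apps shipped with the default all-capabilities manifest. The sample manifest, the class name and the expected set are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Xml.Linq;

static class ManifestAudit
{
    // Constructed sample: a networking-only app that kept extra default capabilities.
    const string SampleManifest = @"
<Deployment xmlns=""http://schemas.microsoft.com/windowsphone/2009/deployment"" AppPlatformVersion=""7.1"">
  <App Title=""SampleApp"">
    <Capabilities>
      <Capability Name=""ID_CAP_NETWORKING"" />
      <Capability Name=""ID_CAP_LOCATION"" />
      <Capability Name=""ID_CAP_CONTACTS"" />
      <Capability Name=""ID_CAP_IDENTITY_DEVICE"" />
    </Capabilities>
  </App>
</Deployment>";

    // Return every declared capability that is missing from the reviewer's expected set.
    public static List<string> UnexpectedCapabilities(string manifestXml, ISet<string> expected)
    {
        XDocument doc = XDocument.Parse(manifestXml);
        return doc.Descendants()
                  .Where(e => e.Name.LocalName == "Capability")
                  .Select(e => (string)e.Attribute("Name"))
                  .Where(name => !string.IsNullOrEmpty(name) && !expected.Contains(name))
                  .Distinct()
                  .OrderBy(name => name, StringComparer.Ordinal)
                  .ToList();
    }

    static void Main()
    {
        // Assumption: the design says this app only talks to a web service.
        var expected = new HashSet<string> { "ID_CAP_NETWORKING" };
        foreach (string cap in UnexpectedCapabilities(SampleManifest, expected))
            Console.WriteLine("Declared but not expected: " + cap);
    }
}
```

Each reported capability is either removed from the manifest or justified in the review notes, so the app's LPC carries only the permissions it needs.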
39. Windows Phone 7 Platform Security
• Windows Phone 7 Application Signing
• Apart from developer unlocked devices apps must be signed
• Microsoft automatically signs approved apps
• Apps must have a valid Microsoft signature to be installed
41. Windows Phone 7 Platform Security
• Windows Phone 7 Application Sandboxing
• Apps execute within a restricted LPC as we saw earlier
• Cannot communicate with other apps on the phone
• Sandboxed apps aren’t allowed to run in the background
• No access to native code from within the sandbox
• All I/O operations are restricted to per app Isolated Storage
42. Windows Phone 7 Platform Security
• Windows Phone 7 Application Isolated Storage
• Per app Isolated Storage allows apps to keep data “private”
• Very similar to Isolated Storage in Silverlight
• No direct access to the file system
• No access to other apps’ Isolated Storage
• Three different ways to use your app’s Isolated Storage
47. Windows Phone 7 Application Security
• Windows Phone 7 Application Security
• Mobile application security introduces almost no new issues
• Forget about specific vulnerabilities for one minute
• Think about the root causes of vulnerabilities, I’ll give you a hand
• From that list what do you think the top 3 are?
• My top 3 are:
• Secure Storage
• Authentication and Authorisation
• Secure Resource Access/Privacy
48. Windows Phone 7 Application Security
• OWASP Top 10 Mobile Risks
• I compared the OWASP top 10 mobile risks to my list
• 50% Secure Storage/Secure Communications
• 20% Authentication and Authorisation
• 0% Privacy*
49. Windows Phone 7 Application Security
• OWASP Mobile Controls
• Lists the mobile app security controls you should implement
• I compared each control to the list I showed you, guess what?
• 26% Secure Storage
• 16% Authentication and Authorisation
• 16% Secure Resource Access*/Secure Communications
51. Windows Phone 7 Application Security
• My top 3 in the real world
• Secure Storage: Facebook, Citibank, LinkedIn, Google Wallet
• A&A: Foodspotting, Google Wallet, Google (multiple apps)
• SRA/Privacy: Path, Hipster, Carrier IQ, Ad Libraries
• This doesn’t mean we can ignore all of the other issues
54. Windows Phone 7 Application Security
• Preventing the top 3 in your WP7 apps
• I can’t cover every principle in this talk
• With that in mind I'm grouping them to make a "new" top 3
• Data Security - Secure Storage and Communications
• Authentication and Authorisation
• Data Access/Privacy
57. Windows Phone 7 Application Security
• Windows Phone 7 Data Security
• Never store data on the device if it really isn’t needed
• WP7 allows us to encrypt data and databases
• Only new databases can be encrypted but very easy to do
• DPAPI is used for file/password/pin etc encryption
• No hashing available and no algorithm selection
60. Windows Phone 7 Application Security
• Windows Phone 7 Data Security
• The local database encryption is based on a password
• You create a DB in code and you must include the password
• The database is encrypted using AES-128
• The password is hashed using SHA-256
• An encrypted database can be created with two lines of code
61. Windows Phone 7 Application Security
// Create the data context, specify the database file location and password
DavesDataContext db = new DavesDataContext ("Data Source=isostore:/NinjaSecrets.sdf;Password=NinjaPassword");
// Create an encrypted database after confirming that it does not exist
if (!db.DatabaseExists()) db.CreateDatabase();
64. Windows Phone 7 Application Security
• Windows Phone 7 Data Security
• Saving data to an app’s isolated storage is not secure
• If you want to encrypt data and not a DB you use the DPAPI
• Use the System.Security.Cryptography.ProtectedData class
• Specifically the Protect() and Unprotect() methods
• Symmetric encryption (AES) used. Hashing isn’t possible
65. Windows Phone 7 Application Security
• Windows Phone 7 Data Security
• Every app on a WP7 phone gets its own Encryption Key
• DPAPI generates and securely stores this for you
• Calling Protect() or Unprotect() implicitly selects the app’s key
• optionalEntropy parameter can be used to provide extra entropy
66. Windows Phone 7 Application Security
• Encrypted Data Code Sample
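Added example, not the code shown in the talk: one way to use ProtectedData.Protect() and Unprotect() with optionalEntropy so that the password for the encrypted local database is generated on first run and kept in Isolated Storage only in protected form, instead of being hard-coded in the connection string. The class name, blob file name and entropy value are assumptions for illustration.

```csharp
using System;
using System.IO;
using System.IO.IsolatedStorage;
using System.Security.Cryptography;
using System.Text;

public static class DatabaseSecret
{
    // Assumed names for this example: the blob file and the entropy label.
    private const string BlobFile = "dbkey.bin";
    private static readonly byte[] Entropy = Encoding.UTF8.GetBytes("NinjaSecrets.sdf");

    // Connection string for the encrypted local database, without a hard-coded password.
    public static string ConnectionString()
    {
        return "Data Source=isostore:/NinjaSecrets.sdf;Password=" + GetOrCreatePassword();
    }

    private static string GetOrCreatePassword()
    {
        using (IsolatedStorageFile store = IsolatedStorageFile.GetUserStoreForApplication())
        {
            if (store.FileExists(BlobFile))
            {
                using (IsolatedStorageFileStream fs = store.OpenFile(BlobFile, FileMode.Open, FileAccess.Read))
                {
                    byte[] blob = new byte[fs.Length];
                    int read = 0;
                    while (read < blob.Length)
                    {
                        int n = fs.Read(blob, read, blob.Length - read);
                        if (n == 0) throw new IOException("Protected blob is truncated");
                        read += n;
                    }
                    // Unprotect() uses the per-app key; the same entropy must be supplied.
                    byte[] plain = ProtectedData.Unprotect(blob, Entropy);
                    return Encoding.UTF8.GetString(plain, 0, plain.Length);
                }
            }
            // First run: 16 random bytes as 32 hex characters, safe inside a connection string.
            byte[] random = new byte[16];
            new RNGCryptoServiceProvider().GetBytes(random);
            string password = BitConverter.ToString(random).Replace("-", "");
            byte[] protectedBlob = ProtectedData.Protect(Encoding.UTF8.GetBytes(password), Entropy);
            using (IsolatedStorageFileStream fs = store.CreateFile(BlobFile))
                fs.Write(protectedBlob, 0, protectedBlob.Length);
            return password;
        }
    }
}
```

The data context from the earlier slide would then be created with new DavesDataContext(DatabaseSecret.ConnectionString()).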
67. Windows Phone 7 Application Security
• Windows Phone 7 Data Security
• Secure Communications is a lot easier!
• Very little to do with the app code itself in my opinion
• More to do with good design and a good security code review!
• Data sent to web services, SQL Azure etc needs protection
• No client side SSL certs allowed and no VPN functionality
69. Windows Phone 7 Application Security
• Windows Phone 7 Authentication & Authorisation
• Not just talking about app logon or service authentication
• Specifically talking about access to data on the device
• Gaining the user’s authorisation before accessing sensitive data
• This includes access to the user’s contacts, SMS etc
• I know we already "asked" in the WMAppManifest.xml file....
70. Windows Phone 7 Application Security
• Windows Phone 7 Data Access/Privacy
• Another one which isn’t platform/framework specific
• Understand the data accessed by third party libraries
• Create a privacy policy covering personal data and stick to it!
• Don’t store historical data on the device beyond required time
• Audit app communications to check for data leaks
71. Windows Phone 7 Application Security
• Windows Phone App Analyser and Agnitio Demos