SlideShare ist ein Scribd-Unternehmen logo

Pwning Windows Mobile applications by Ankit Giri

Als PPTX, PDF herunterladen
OWASP Delhi
OWASP Delhi

Mobile Platform Operating Systems Windows Phone Overview What we can test? Challenges Approach & Prerequisites Methodology Application File Structure Tools for Penetration Testing Security Features

Internet
1 von 22
Pwning Windows Mobile Applications By Ankit Giri
Agenda Mobile Platform Operating Systems Windows Phone Overview What we can test? Challenges Approach & Prerequisites Methodology Application File Structure Tools for Penetration Testing
Microsoft Phone! Windows Phone 8 (WP8) – used to be called Windows Mobile until 7.x ARM Hardware Architecture (like iOS, Android, and Blackberry) Windows Phone Runtime Application Architecture Developer apps work on both Windows 8 and WP8 Windows NT kernel Windows 10 Mobile: The release was officially dubbed "Version 1511" or "November Update" (owing to the fact that in all other editions of Windows 10, this version was an update). Windows 10 Mobile launched with the Microsoft Lumia 550, 950 and 950 XL. The rollout for Windows Phone 8.1 devices started March 17, 2016
Understanding the platform WM10 uses NT Kernel 128-bit BitLocker for device encryption NTFS file system Sandboxed apps SafeBoot: Secure UEFI Boot ➔ Can’t boot software without correct digital signature to be loaded on the phone ➔ TPM 2.0 – requires unique keys to be burned into chip during production Windows Mobile binaries must have Microsoft signed digital signatures
Application Sandboxing Each app has a local isolated storage Limited app-to-app communication App A cannot see App B storage App folder has: ❖ Settings ❖ Files ❖ Directories ❖ Database
Jailbreakable or not! WM10 is a closed OS, just like most things Microsoft stuff No jailbreak yet – some activities you would like to do for mobile device testing will not be possible ❖ Access to memory ❖ Local file system and storage ❖ Transfer files to and from device
Static Analysis View Manifest information View the application tree including assemblies, types and methods Methods which use APIs
XAP files
Purpose of Source code review “UNDERSTAND THE WORKING OF THE APPLICATION AND TO FIGURE OUT THE LOOPHOLES!” To find Treasure Key Words like: password , keys , sql, algo, AES, DES, Base64, etc Detect the data storage definitions Detect backdoors or suspicious code Detect injection flaws Figure out weak algorithm usage and hardcoded keys E.g. Password in Banking ApplicaZon (SensiZve InformaZon) E.g. Angry Birds Malware (Stealing Data) E.g. Zitmo Malware (Sending SMS)
Reverse engineering a windows mobile application Tools used : ● De-compresser (Winrar / Winzip / 7zip) ● .Net Decompiler (ILSpy) ● Visual Studio / Notepad Steps : ● xap -> .dll ● dll -> .csproject / .vbproject
Mitigation 1. Free Obfuscator: http://confuser.codeplex.com/ 2. Dotfuscator: https://www.preemptive.com/products/dotfuscator/overview
Other tools used WP Power tools .NET Reflector
Testing Approach ◼ Emulator / Windows Phone SDK ◼ Unlocked Device ◼ Side Loading ◼ Developer Unlock – Free Unlock with 2 Apps Limit ◼ Student Unlock – Up to 3 Apps ◼ Limitations ◼ Apps from the store cannot be extracted ◼ Apps from the store will not work on emulators
Sideloading apps ◼ It is a process of installing apps on a device without using app store ◼ Windows phone Power tools is used to deploy apps ◼ Plug in your device, unlock your device & run Windows phone Power tools ◼ Only apps signed with certificates will run on unlocked phones
Application File Structure ► AppManifest.xaml ► WMAppManifest.xml
WMAppManifest.xml
XAP - Headers
File Analysis
Dynamic analysis ◼ Log method names ◼ Log parameters values ◼ Log return values ◼ Add custom code to method ◼ Replace method ◼ Add custom code to the end of method ◼ Change parameter values with custom code
Isolated Storage explorer
Questions?

Empfohlen

Windows Phone Application Penetration Testing
Windows Phone Application Penetration Testing Windows Phone Application Penetration Testing
Windows Phone Application Penetration Testing Jewel Joy
 
Windows Phone 8 application security
Windows Phone 8 application securityWindows Phone 8 application security
Windows Phone 8 application securityAndrey Chasovskikh
 
Windows Phone 8 Security Deep Dive
Windows Phone 8 Security Deep DiveWindows Phone 8 Security Deep Dive
Windows Phone 8 Security Deep DiveMicrosoft Developer Network (MSDN) - Belgium and Luxembourg
 
Stealing sensitive data from android phones the hacker way
Stealing sensitive data from android phones the hacker wayStealing sensitive data from android phones the hacker way
Stealing sensitive data from android phones the hacker wayn|u - The Open Security Community
 
Windows Phone 8 Security and Testing WP8 Apps
Windows Phone 8 Security and Testing WP8 AppsWindows Phone 8 Security and Testing WP8 Apps
Windows Phone 8 Security and Testing WP8 AppsJorge Orchilles
 
Reversing Mobile - Swiss Cyber Storm 2011, Switzerland
Reversing Mobile - Swiss Cyber Storm 2011, SwitzerlandReversing Mobile - Swiss Cyber Storm 2011, Switzerland
Reversing Mobile - Swiss Cyber Storm 2011, SwitzerlandSignalSEC Ltd.
 
Program Threats
Program ThreatsProgram Threats
Program Threatsguestab0ee0
 
WhatsApp Forensic
WhatsApp ForensicWhatsApp Forensic
WhatsApp ForensicAnimesh Shaw
 

Empfohlen

Windows Phone Application Penetration Testing
Windows Phone Application Penetration Testing Windows Phone Application Penetration Testing
Windows Phone Application Penetration Testing Jewel Joy
 
Windows Phone 8 application security
Windows Phone 8 application securityWindows Phone 8 application security
Windows Phone 8 application securityAndrey Chasovskikh
 
Windows Phone 8 Security Deep Dive
Windows Phone 8 Security Deep DiveWindows Phone 8 Security Deep Dive
Windows Phone 8 Security Deep DiveMicrosoft Developer Network (MSDN) - Belgium and Luxembourg
 
Stealing sensitive data from android phones the hacker way
Stealing sensitive data from android phones the hacker wayStealing sensitive data from android phones the hacker way
Stealing sensitive data from android phones the hacker wayn|u - The Open Security Community
 
Windows Phone 8 Security and Testing WP8 Apps
Windows Phone 8 Security and Testing WP8 AppsWindows Phone 8 Security and Testing WP8 Apps
Windows Phone 8 Security and Testing WP8 AppsJorge Orchilles
 
Reversing Mobile - Swiss Cyber Storm 2011, Switzerland
Reversing Mobile - Swiss Cyber Storm 2011, SwitzerlandReversing Mobile - Swiss Cyber Storm 2011, Switzerland
Reversing Mobile - Swiss Cyber Storm 2011, SwitzerlandSignalSEC Ltd.
 
Program Threats
Program ThreatsProgram Threats
Program Threatsguestab0ee0
 
WhatsApp Forensic
WhatsApp ForensicWhatsApp Forensic
WhatsApp ForensicAnimesh Shaw
 
Android forensics an Custom Recovery Image
Android forensics an Custom Recovery ImageAndroid forensics an Custom Recovery Image
Android forensics an Custom Recovery ImageMohamed Khaled
 
Mobile application security
Mobile application securityMobile application security
Mobile application securityEY Belgium
 
Android vs iOS encryption systems
Android vs iOS encryption systemsAndroid vs iOS encryption systems
Android vs iOS encryption systemsBirju Tank
 
Android Security Overview and Safe Practices for Web-Based Android Applications
Android Security Overview and Safe Practices for Web-Based Android ApplicationsAndroid Security Overview and Safe Practices for Web-Based Android Applications
Android Security Overview and Safe Practices for Web-Based Android Applicationsh4oxer
 
Hacking your Android (slides)
Hacking your Android (slides)Hacking your Android (slides)
Hacking your Android (slides)Justin Hoang
 
Firefox Mobile Talk @ CeBIT 2011
Firefox Mobile Talk @ CeBIT 2011Firefox Mobile Talk @ CeBIT 2011
Firefox Mobile Talk @ CeBIT 2011Carsten Book
 
Windows Hello e Intel(r) RealSense(tm): attenti a questi due!!
Windows Hello e Intel(r) RealSense(tm): attenti a questi due!!Windows Hello e Intel(r) RealSense(tm): attenti a questi due!!
Windows Hello e Intel(r) RealSense(tm): attenti a questi due!!Massimo Bonanni
 
Security threats in Android OS + App Permissions
Security threats in Android OS + App PermissionsSecurity threats in Android OS + App Permissions
Security threats in Android OS + App PermissionsHariharan Ganesan
 
Les 10 risques liés aux applications mobiles
Les 10 risques liés aux applications mobilesLes 10 risques liés aux applications mobiles
Les 10 risques liés aux applications mobilesBee_Ware
 
Windows 10: Security Focus (part II)
Windows 10: Security Focus (part II)Windows 10: Security Focus (part II)
Windows 10: Security Focus (part II)Juan Ignacio Oller Aznar
 
Mobile security
Mobile securityMobile security
Mobile securityStefaan
 
Firefox security (prasanna)
Firefox security (prasanna) Firefox security (prasanna)
Firefox security (prasanna) ClubHack
 
Windows Phone PPT
Windows Phone PPTWindows Phone PPT
Windows Phone PPTdeepak171991
 
Window Phone
Window PhoneWindow Phone
Window PhoneEdutechLearners
 
Hacking android apps by srini0x00
Hacking android apps by srini0x00Hacking android apps by srini0x00
Hacking android apps by srini0x00srini0x00
 
Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)ClubHack
 
Mobile Device Encryption Systems
Mobile Device Encryption SystemsMobile Device Encryption Systems
Mobile Device Encryption SystemsPeter Teufl
 
Virus
Virus Virus
Virus Partha Bhunia
 
iOS Security and Encryption
iOS Security and EncryptioniOS Security and Encryption
iOS Security and EncryptionUrvashi Kataria
 
Android Security - Common Security Pitfalls in Android Applications
Android Security - Common Security Pitfalls in Android ApplicationsAndroid Security - Common Security Pitfalls in Android Applications
Android Security - Common Security Pitfalls in Android ApplicationsBlrDroid
 
Cloud security best practices in AWS by: Ankit Giri
Cloud security best practices in AWS by: Ankit GiriCloud security best practices in AWS by: Ankit Giri
Cloud security best practices in AWS by: Ankit GiriOWASP Delhi
 
Pwning Windows Mobile Applications by Ankit Giri
Pwning Windows Mobile Applications by Ankit GiriPwning Windows Mobile Applications by Ankit Giri
Pwning Windows Mobile Applications by Ankit GiriOWASP Delhi
 

Weitere ähnliche Inhalte

Was ist angesagt?

Android forensics an Custom Recovery Image
Android forensics an Custom Recovery ImageAndroid forensics an Custom Recovery Image
Android forensics an Custom Recovery ImageMohamed Khaled
 
Mobile application security
Mobile application securityMobile application security
Mobile application securityEY Belgium
 
Android vs iOS encryption systems
Android vs iOS encryption systemsAndroid vs iOS encryption systems
Android vs iOS encryption systemsBirju Tank
 
Android Security Overview and Safe Practices for Web-Based Android Applications
Android Security Overview and Safe Practices for Web-Based Android ApplicationsAndroid Security Overview and Safe Practices for Web-Based Android Applications
Android Security Overview and Safe Practices for Web-Based Android Applicationsh4oxer
 
Hacking your Android (slides)
Hacking your Android (slides)Hacking your Android (slides)
Hacking your Android (slides)Justin Hoang
 
Firefox Mobile Talk @ CeBIT 2011
Firefox Mobile Talk @ CeBIT 2011Firefox Mobile Talk @ CeBIT 2011
Firefox Mobile Talk @ CeBIT 2011Carsten Book
 
Windows Hello e Intel(r) RealSense(tm): attenti a questi due!!
Windows Hello e Intel(r) RealSense(tm): attenti a questi due!!Windows Hello e Intel(r) RealSense(tm): attenti a questi due!!
Windows Hello e Intel(r) RealSense(tm): attenti a questi due!!Massimo Bonanni
 
Security threats in Android OS + App Permissions
Security threats in Android OS + App PermissionsSecurity threats in Android OS + App Permissions
Security threats in Android OS + App PermissionsHariharan Ganesan
 
Les 10 risques liés aux applications mobiles
Les 10 risques liés aux applications mobilesLes 10 risques liés aux applications mobiles
Les 10 risques liés aux applications mobilesBee_Ware
 
Mobile security
Mobile securityMobile security
Mobile securityStefaan
 
Firefox security (prasanna)
Firefox security (prasanna) Firefox security (prasanna)
Firefox security (prasanna) ClubHack
 
Hacking android apps by srini0x00
Hacking android apps by srini0x00Hacking android apps by srini0x00
Hacking android apps by srini0x00srini0x00
 
Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)ClubHack
 
Mobile Device Encryption Systems
Mobile Device Encryption SystemsMobile Device Encryption Systems
Mobile Device Encryption SystemsPeter Teufl
 
iOS Security and Encryption
iOS Security and EncryptioniOS Security and Encryption
iOS Security and EncryptionUrvashi Kataria
 
Android Security - Common Security Pitfalls in Android Applications
Android Security - Common Security Pitfalls in Android ApplicationsAndroid Security - Common Security Pitfalls in Android Applications
Android Security - Common Security Pitfalls in Android ApplicationsBlrDroid
 

Was ist angesagt? (20)

Android forensics an Custom Recovery Image
Android forensics an Custom Recovery ImageAndroid forensics an Custom Recovery Image
Android forensics an Custom Recovery Image
 
Mobile application security
Mobile application securityMobile application security
Mobile application security
 
Android vs iOS encryption systems
Android vs iOS encryption systemsAndroid vs iOS encryption systems
Android vs iOS encryption systems
 
Android Security Overview and Safe Practices for Web-Based Android Applications
Android Security Overview and Safe Practices for Web-Based Android ApplicationsAndroid Security Overview and Safe Practices for Web-Based Android Applications
Android Security Overview and Safe Practices for Web-Based Android Applications
 
Hacking your Android (slides)
Hacking your Android (slides)Hacking your Android (slides)
Hacking your Android (slides)
 
Firefox Mobile Talk @ CeBIT 2011
Firefox Mobile Talk @ CeBIT 2011Firefox Mobile Talk @ CeBIT 2011
Firefox Mobile Talk @ CeBIT 2011
 
Windows Hello e Intel(r) RealSense(tm): attenti a questi due!!
Windows Hello e Intel(r) RealSense(tm): attenti a questi due!!Windows Hello e Intel(r) RealSense(tm): attenti a questi due!!
Windows Hello e Intel(r) RealSense(tm): attenti a questi due!!
 
Security threats in Android OS + App Permissions
Security threats in Android OS + App PermissionsSecurity threats in Android OS + App Permissions
Security threats in Android OS + App Permissions
 
Les 10 risques liés aux applications mobiles
Les 10 risques liés aux applications mobilesLes 10 risques liés aux applications mobiles
Les 10 risques liés aux applications mobiles
 
Windows 10: Security Focus (part II)
Windows 10: Security Focus (part II)Windows 10: Security Focus (part II)
Windows 10: Security Focus (part II)
 
Mobile security
Mobile securityMobile security
Mobile security
 
Firefox security (prasanna)
Firefox security (prasanna) Firefox security (prasanna)
Firefox security (prasanna)
 
Windows Phone PPT
Windows Phone PPTWindows Phone PPT
Windows Phone PPT
 
Window Phone
Window PhoneWindow Phone
Window Phone
 
Hacking android apps by srini0x00
Hacking android apps by srini0x00Hacking android apps by srini0x00
Hacking android apps by srini0x00
 
Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)
 
Mobile Device Encryption Systems
Mobile Device Encryption SystemsMobile Device Encryption Systems
Mobile Device Encryption Systems
 
Virus
Virus Virus
Virus
 
iOS Security and Encryption
iOS Security and EncryptioniOS Security and Encryption
iOS Security and Encryption
 
Android Security - Common Security Pitfalls in Android Applications
Android Security - Common Security Pitfalls in Android ApplicationsAndroid Security - Common Security Pitfalls in Android Applications
Android Security - Common Security Pitfalls in Android Applications
 

Andere mochten auch

Cloud security best practices in AWS by: Ankit Giri
Cloud security best practices in AWS by: Ankit GiriCloud security best practices in AWS by: Ankit Giri
Cloud security best practices in AWS by: Ankit GiriOWASP Delhi
 
Pwning Windows Mobile Applications by Ankit Giri
Pwning Windows Mobile Applications by Ankit GiriPwning Windows Mobile Applications by Ankit Giri
Pwning Windows Mobile Applications by Ankit GiriOWASP Delhi
 
Social gaming: is it gambling?
Social gaming: is it gambling? Social gaming: is it gambling?
Social gaming: is it gambling? Raf Keustermans
 
Peerlyst Delhi NCR Chapter Meet
Peerlyst Delhi NCR Chapter MeetPeerlyst Delhi NCR Chapter Meet
Peerlyst Delhi NCR Chapter MeetAbhinav Mishra
 
Software Security: In the World of Cloud & CI-CD
Software Security: In the World of Cloud & CI-CDSoftware Security: In the World of Cloud & CI-CD
Software Security: In the World of Cloud & CI-CDOWASP Delhi
 
The change.asia - results not reports
The change.asia - results not reportsThe change.asia - results not reports
The change.asia - results not reportspck100
 
Healthync hospitals
Healthync hospitalsHealthync hospitals
Healthync hospitalsJack740
 
IzzudDin
IzzudDinIzzudDin
IzzudDinDinGea
 
P h technical handbook
P h technical handbookP h technical handbook
P h technical handbookAbegail Ayaso
 
More about health
More about healthMore about health
More about healthJack740
 
GoldAdMatriX - Presentazione
GoldAdMatriX - PresentazioneGoldAdMatriX - Presentazione
GoldAdMatriX - PresentazioneOnethorSlide
 
Thetexaslawyer
ThetexaslawyerThetexaslawyer
ThetexaslawyerJack740
 
Change in the cloud
Change in the cloudChange in the cloud
Change in the cloudpck100
 
Eyeonhome
EyeonhomeEyeonhome
EyeonhomeJack740
 
Home smart home
Home smart homeHome smart home
Home smart homeJack740
 
νεο λυκειο
νεο λυκειονεο λυκειο
νεο λυκειοelpitheo
 
Clean Energy Ministerial - Digital Media Year+ in Review
Clean Energy Ministerial - Digital Media Year+ in ReviewClean Energy Ministerial - Digital Media Year+ in Review
Clean Energy Ministerial - Digital Media Year+ in ReviewValerie Riedel
 

Andere mochten auch (18)

Cloud security best practices in AWS by: Ankit Giri
Cloud security best practices in AWS by: Ankit GiriCloud security best practices in AWS by: Ankit Giri
Cloud security best practices in AWS by: Ankit Giri
 
Pwning Windows Mobile Applications by Ankit Giri
Pwning Windows Mobile Applications by Ankit GiriPwning Windows Mobile Applications by Ankit Giri
Pwning Windows Mobile Applications by Ankit Giri
 
Social gaming: is it gambling?
Social gaming: is it gambling? Social gaming: is it gambling?
Social gaming: is it gambling?
 
Peerlyst Delhi NCR Chapter Meet
Peerlyst Delhi NCR Chapter MeetPeerlyst Delhi NCR Chapter Meet
Peerlyst Delhi NCR Chapter Meet
 
Software Security: In the World of Cloud & CI-CD
Software Security: In the World of Cloud & CI-CDSoftware Security: In the World of Cloud & CI-CD
Software Security: In the World of Cloud & CI-CD
 
The change.asia - results not reports
The change.asia - results not reportsThe change.asia - results not reports
The change.asia - results not reports
 
Healthync hospitals
Healthync hospitalsHealthync hospitals
Healthync hospitals
 
IzzudDin
IzzudDinIzzudDin
IzzudDin
 
P h technical handbook
P h technical handbookP h technical handbook
P h technical handbook
 
More about health
More about healthMore about health
More about health
 
GoldAdMatriX - Presentazione
GoldAdMatriX - PresentazioneGoldAdMatriX - Presentazione
GoldAdMatriX - Presentazione
 
Thetexaslawyer
ThetexaslawyerThetexaslawyer
Thetexaslawyer
 
Change in the cloud
Change in the cloudChange in the cloud
Change in the cloud
 
Eyeonhome
EyeonhomeEyeonhome
Eyeonhome
 
Lifestyle holidays vacation club
Lifestyle holidays vacation clubLifestyle holidays vacation club
Lifestyle holidays vacation club
 
Home smart home
Home smart homeHome smart home
Home smart home
 
νεο λυκειο
νεο λυκειονεο λυκειο
νεο λυκειο
 
Clean Energy Ministerial - Digital Media Year+ in Review
Clean Energy Ministerial - Digital Media Year+ in ReviewClean Energy Ministerial - Digital Media Year+ in Review
Clean Energy Ministerial - Digital Media Year+ in Review
 

Ähnlich wie Pwning Windows Mobile applications by Ankit Giri

Pentesting iOS Applications
Pentesting iOS ApplicationsPentesting iOS Applications
Pentesting iOS Applicationsjasonhaddix
 
Mobile application security
Mobile application securityMobile application security
Mobile application securityShubhneet Goel
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application SecurityIshan Girdhar
 
iOS (Vulner)ability
iOS (Vulner)abilityiOS (Vulner)ability
iOS (Vulner)abilitySubho Halder
 
Outsmarting smartphones
Outsmarting smartphonesOutsmarting smartphones
Outsmarting smartphonesSensePost
 
600.250 UI Cross Platform Development and the Android Security Model
600.250 UI Cross Platform Development and the Android Security Model600.250 UI Cross Platform Development and the Android Security Model
600.250 UI Cross Platform Development and the Android Security ModelMichael Rushanan
 
Mobile Forensics on a Shoestring Budget
Mobile Forensics on a Shoestring BudgetMobile Forensics on a Shoestring Budget
Mobile Forensics on a Shoestring BudgetBrent Muir
 
1 introduction of android
1 introduction of android1 introduction of android
1 introduction of androidakila_mano
 
Building your Own Mobile Enterprise Application: It’s Not as Hard as You Migh...
Building your Own Mobile Enterprise Application: It’s Not as Hard as You Migh...Building your Own Mobile Enterprise Application: It’s Not as Hard as You Migh...
Building your Own Mobile Enterprise Application: It’s Not as Hard as You Migh...Jason Conger
 
Windows Phone 8 Advanced Developers Conference
Windows Phone 8 Advanced Developers ConferenceWindows Phone 8 Advanced Developers Conference
Windows Phone 8 Advanced Developers ConferenceDamir Dobric
 
Adc2012 windows phone 8
Adc2012 windows phone 8Adc2012 windows phone 8
Adc2012 windows phone 8AlexanderGoetz
 
ANDROID MOBILE OPERATING SYSTEM
ANDROID MOBILE OPERATING SYSTEMANDROID MOBILE OPERATING SYSTEM
ANDROID MOBILE OPERATING SYSTEMpreeta sinha
 
Android (Types, Feature,Application etc..)
Android (Types, Feature,Application etc..)Android (Types, Feature,Application etc..)
Android (Types, Feature,Application etc..)Coder Tech
 
Windows Phone and Windows 8 application development
Windows Phone and Windows 8 application developmentWindows Phone and Windows 8 application development
Windows Phone and Windows 8 application developmentChristos Matskas
 
Manish Chasta - Securing Android Applications
Manish Chasta - Securing Android ApplicationsManish Chasta - Securing Android Applications
Manish Chasta - Securing Android ApplicationsPositive Hack Days
 
Android and ios cracking, hackintosh included !
Android and ios cracking, hackintosh included !Android and ios cracking, hackintosh included !
Android and ios cracking, hackintosh included !Veduruparthy Bharat
 
Runtime 8 and Windows Phone 8
Runtime 8 and Windows Phone 8Runtime 8 and Windows Phone 8
Runtime 8 and Windows Phone 8Damir Dobric
 
Android– forensics and security testing
Android– forensics and security testingAndroid– forensics and security testing
Android– forensics and security testingSanthosh Kumar
 

Ähnlich wie Pwning Windows Mobile applications by Ankit Giri (20)

Pentesting iOS Applications
Pentesting iOS ApplicationsPentesting iOS Applications
Pentesting iOS Applications
 
Mobile application security
Mobile application securityMobile application security
Mobile application security
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Security
 
iOS (Vulner)ability
iOS (Vulner)abilityiOS (Vulner)ability
iOS (Vulner)ability
 
Outsmarting smartphones
Outsmarting smartphonesOutsmarting smartphones
Outsmarting smartphones
 
600.250 UI Cross Platform Development and the Android Security Model
600.250 UI Cross Platform Development and the Android Security Model600.250 UI Cross Platform Development and the Android Security Model
600.250 UI Cross Platform Development and the Android Security Model
 
Mobile Forensics on a Shoestring Budget
Mobile Forensics on a Shoestring BudgetMobile Forensics on a Shoestring Budget
Mobile Forensics on a Shoestring Budget
 
1 introduction of android
1 introduction of android1 introduction of android
1 introduction of android
 
Building your Own Mobile Enterprise Application: It’s Not as Hard as You Migh...
Building your Own Mobile Enterprise Application: It’s Not as Hard as You Migh...Building your Own Mobile Enterprise Application: It’s Not as Hard as You Migh...
Building your Own Mobile Enterprise Application: It’s Not as Hard as You Migh...
 
Windows Phone 8 Advanced Developers Conference
Windows Phone 8 Advanced Developers ConferenceWindows Phone 8 Advanced Developers Conference
Windows Phone 8 Advanced Developers Conference
 
Adc2012 windows phone 8
Adc2012 windows phone 8Adc2012 windows phone 8
Adc2012 windows phone 8
 
ANDROID MOBILE OPERATING SYSTEM
ANDROID MOBILE OPERATING SYSTEMANDROID MOBILE OPERATING SYSTEM
ANDROID MOBILE OPERATING SYSTEM
 
Android (Types, Feature,Application etc..)
Android (Types, Feature,Application etc..)Android (Types, Feature,Application etc..)
Android (Types, Feature,Application etc..)
 
Windows Phone and Windows 8 application development
Windows Phone and Windows 8 application developmentWindows Phone and Windows 8 application development
Windows Phone and Windows 8 application development
 
Untitled 1
Untitled 1Untitled 1
Untitled 1
 
Manish Chasta - Securing Android Applications
Manish Chasta - Securing Android ApplicationsManish Chasta - Securing Android Applications
Manish Chasta - Securing Android Applications
 
Android and ios cracking, hackintosh included !
Android and ios cracking, hackintosh included !Android and ios cracking, hackintosh included !
Android and ios cracking, hackintosh included !
 
Runtime 8 and Windows Phone 8
Runtime 8 and Windows Phone 8Runtime 8 and Windows Phone 8
Runtime 8 and Windows Phone 8
 
PPT on Android
PPT on AndroidPPT on Android
PPT on Android
 
Android– forensics and security testing
Android– forensics and security testingAndroid– forensics and security testing
Android– forensics and security testing
 

Mehr von OWASP Delhi

Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resourcesGetting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resourcesOWASP Delhi
 
Securing dns records from subdomain takeover
Securing dns records from subdomain takeoverSecuring dns records from subdomain takeover
Securing dns records from subdomain takeoverOWASP Delhi
 
Effective Cyber Security Report Writing
Effective Cyber Security Report WritingEffective Cyber Security Report Writing
Effective Cyber Security Report WritingOWASP Delhi
 
Data sniffing over Air Gap
Data sniffing over Air GapData sniffing over Air Gap
Data sniffing over Air GapOWASP Delhi
 
Demystifying Container Escapes
Demystifying Container EscapesDemystifying Container Escapes
Demystifying Container EscapesOWASP Delhi
 
Automating WAF using Terraform
Automating WAF using TerraformAutomating WAF using Terraform
Automating WAF using TerraformOWASP Delhi
 
Actionable Threat Intelligence
Actionable Threat IntelligenceActionable Threat Intelligence
Actionable Threat IntelligenceOWASP Delhi
 
Threat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghThreat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghOWASP Delhi
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOWASP Delhi
 
Recon with Nmap
Recon with Nmap Recon with Nmap
Recon with Nmap OWASP Delhi
 
Securing AWS environments by Ankit Giri
Securing AWS environments by Ankit GiriSecuring AWS environments by Ankit Giri
Securing AWS environments by Ankit GiriOWASP Delhi
 
Cloud assessments by :- Aakash Goel
Cloud assessments by :- Aakash GoelCloud assessments by :- Aakash Goel
Cloud assessments by :- Aakash GoelOWASP Delhi
 
Pentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarPentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarOWASP Delhi
 
Wireless security beyond password cracking by Mohit Ranjan
Wireless security beyond password cracking by Mohit RanjanWireless security beyond password cracking by Mohit Ranjan
Wireless security beyond password cracking by Mohit RanjanOWASP Delhi
 
IETF's Role and Mandate in Internet Governance by Mohit Batra
IETF's Role and Mandate in Internet Governance by Mohit BatraIETF's Role and Mandate in Internet Governance by Mohit Batra
IETF's Role and Mandate in Internet Governance by Mohit BatraOWASP Delhi
 
Malicious Hypervisor - Virtualization in Shellcodes by Adhokshaj Mishra
Malicious Hypervisor - Virtualization in Shellcodes by Adhokshaj MishraMalicious Hypervisor - Virtualization in Shellcodes by Adhokshaj Mishra
Malicious Hypervisor - Virtualization in Shellcodes by Adhokshaj MishraOWASP Delhi
 
ICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghOWASP Delhi
 
Thwarting The Surveillance in Online Communication by Adhokshaj Mishra
Thwarting The Surveillance in Online Communication by Adhokshaj MishraThwarting The Surveillance in Online Communication by Adhokshaj Mishra
Thwarting The Surveillance in Online Communication by Adhokshaj MishraOWASP Delhi
 

Mehr von OWASP Delhi (20)

Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resourcesGetting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
 
Securing dns records from subdomain takeover
Securing dns records from subdomain takeoverSecuring dns records from subdomain takeover
Securing dns records from subdomain takeover
 
Effective Cyber Security Report Writing
Effective Cyber Security Report WritingEffective Cyber Security Report Writing
Effective Cyber Security Report Writing
 
Data sniffing over Air Gap
Data sniffing over Air GapData sniffing over Air Gap
Data sniffing over Air Gap
 
UDP Hunter
UDP HunterUDP Hunter
UDP Hunter
 
Demystifying Container Escapes
Demystifying Container EscapesDemystifying Container Escapes
Demystifying Container Escapes
 
Automating WAF using Terraform
Automating WAF using TerraformAutomating WAF using Terraform
Automating WAF using Terraform
 
Actionable Threat Intelligence
Actionable Threat IntelligenceActionable Threat Intelligence
Actionable Threat Intelligence
 
Threat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghThreat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep Singh
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilities
 
Recon with Nmap
Recon with Nmap Recon with Nmap
Recon with Nmap
 
Securing AWS environments by Ankit Giri
Securing AWS environments by Ankit GiriSecuring AWS environments by Ankit Giri
Securing AWS environments by Ankit Giri
 
DMARC Overview
DMARC OverviewDMARC Overview
DMARC Overview
 
Cloud assessments by :- Aakash Goel
Cloud assessments by :- Aakash GoelCloud assessments by :- Aakash Goel
Cloud assessments by :- Aakash Goel
 
Pentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarPentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang Bhatnagar
 
Wireless security beyond password cracking by Mohit Ranjan
Wireless security beyond password cracking by Mohit RanjanWireless security beyond password cracking by Mohit Ranjan
Wireless security beyond password cracking by Mohit Ranjan
 
IETF's Role and Mandate in Internet Governance by Mohit Batra
IETF's Role and Mandate in Internet Governance by Mohit BatraIETF's Role and Mandate in Internet Governance by Mohit Batra
IETF's Role and Mandate in Internet Governance by Mohit Batra
 
Malicious Hypervisor - Virtualization in Shellcodes by Adhokshaj Mishra
Malicious Hypervisor - Virtualization in Shellcodes by Adhokshaj MishraMalicious Hypervisor - Virtualization in Shellcodes by Adhokshaj Mishra
Malicious Hypervisor - Virtualization in Shellcodes by Adhokshaj Mishra
 
ICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep Singh
 
Thwarting The Surveillance in Online Communication by Adhokshaj Mishra
Thwarting The Surveillance in Online Communication by Adhokshaj MishraThwarting The Surveillance in Online Communication by Adhokshaj Mishra
Thwarting The Surveillance in Online Communication by Adhokshaj Mishra
 

Kürzlich hochgeladen

一比一原版犹他大学毕业证如何办理
一比一原版犹他大学毕业证如何办理一比一原版犹他大学毕业证如何办理
一比一原版犹他大学毕业证如何办理F
 
PIC Microcontroller Structure & Assembly Language.ppsx
PIC Microcontroller Structure & Assembly Language.ppsxPIC Microcontroller Structure & Assembly Language.ppsx
PIC Microcontroller Structure & Assembly Language.ppsxjeykeydeveloper
 
一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理F
 
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrStory Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrHenryBriggs2
 
South Bopal [ (Call Girls) in Ahmedabad ₹7.5k Pick Up & Drop With Cash Paymen...
South Bopal [ (Call Girls) in Ahmedabad ₹7.5k Pick Up & Drop With Cash Paymen...South Bopal [ (Call Girls) in Ahmedabad ₹7.5k Pick Up & Drop With Cash Paymen...
South Bopal [ (Call Girls) in Ahmedabad ₹7.5k Pick Up & Drop With Cash Paymen...gragchanchal546
 
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call GirlsMira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call GirlsPriya Reddy
 
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsIndian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsMonica Sydney
 
一比一原版帝国理工学院毕业证如何办理
一比一原版帝国理工学院毕业证如何办理一比一原版帝国理工学院毕业证如何办理
一比一原版帝国理工学院毕业证如何办理F
 
Best SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency DallasBest SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency DallasDigicorns Technologies
 
Research Assignment - NIST SP800 [172 A] - Presentation.pptx
Research Assignment - NIST SP800 [172 A] - Presentation.pptxResearch Assignment - NIST SP800 [172 A] - Presentation.pptx
Research Assignment - NIST SP800 [172 A] - Presentation.pptxi191686
 
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...meghakumariji156
 
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime NagercoilNagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoilmeghakumariji156
 
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查ydyuyu
 
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdfMatthew Sinclair
 
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsRussian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsMonica Sydney
 
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdfMatthew Sinclair
 
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu DhabiAbu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu DhabiMonica Sydney
 
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查ydyuyu
 
Leading-edge AI Image Generators of 2024
Leading-edge AI Image Generators of 2024Leading-edge AI Image Generators of 2024
Leading-edge AI Image Generators of 2024SOFTTECHHUB
 

Kürzlich hochgeladen (20)

call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
 
一比一原版犹他大学毕业证如何办理
一比一原版犹他大学毕业证如何办理一比一原版犹他大学毕业证如何办理
一比一原版犹他大学毕业证如何办理
 
PIC Microcontroller Structure & Assembly Language.ppsx
PIC Microcontroller Structure & Assembly Language.ppsxPIC Microcontroller Structure & Assembly Language.ppsx
PIC Microcontroller Structure & Assembly Language.ppsx
 
一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理
 
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrStory Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
 
South Bopal [ (Call Girls) in Ahmedabad ₹7.5k Pick Up & Drop With Cash Paymen...
South Bopal [ (Call Girls) in Ahmedabad ₹7.5k Pick Up & Drop With Cash Paymen...South Bopal [ (Call Girls) in Ahmedabad ₹7.5k Pick Up & Drop With Cash Paymen...
South Bopal [ (Call Girls) in Ahmedabad ₹7.5k Pick Up & Drop With Cash Paymen...
 
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call GirlsMira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
 
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsIndian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
 
一比一原版帝国理工学院毕业证如何办理
一比一原版帝国理工学院毕业证如何办理一比一原版帝国理工学院毕业证如何办理
一比一原版帝国理工学院毕业证如何办理
 
Best SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency DallasBest SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency Dallas
 
Research Assignment - NIST SP800 [172 A] - Presentation.pptx
Research Assignment - NIST SP800 [172 A] - Presentation.pptxResearch Assignment - NIST SP800 [172 A] - Presentation.pptx
Research Assignment - NIST SP800 [172 A] - Presentation.pptx
 
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
 
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime NagercoilNagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
 
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
 
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
 
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsRussian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
 
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
 
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu DhabiAbu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
 
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
 
Leading-edge AI Image Generators of 2024
Leading-edge AI Image Generators of 2024Leading-edge AI Image Generators of 2024
Leading-edge AI Image Generators of 2024
 

Pwning Windows Mobile applications by Ankit Giri

  • 2. Agenda Mobile Platform Operating Systems Windows Phone Overview What we can test? Challenges Approach & Prerequisites Methodology Application File Structure Tools for Penetration Testing
  • 3. Microsoft Phone! Windows Phone 8 (WP8) – used to be called Windows Mobile until 7.x ARM Hardware Architecture (like iOS, Android, and Blackberry) Windows Phone Runtime Application Architecture Developer apps work on both Windows 8 and WP8 Windows NT kernel Windows 10 Mobile: The release was officially dubbed "Version 1511" or "November Update" (owing to the fact that in all other editions of Windows 10, this version was an update). Windows 10 Mobile launched with the Microsoft Lumia 550, 950 and 950 XL. The rollout for Windows Phone 8.1 devices started March 17, 2016
  • 4. Understanding the platform WM10 uses NT Kernel 128-bit BitLocker for device encryption NTFS file system Sandboxed apps SafeBoot: Secure UEFI Boot ➔ Can’t boot software without correct digital signature to be loaded on the phone ➔ TPM 2.0 – requires unique keys to be burned into chip during production Windows Mobile binaries must have Microsoft signed digital signatures
  • 5. Application Sandboxing Each app has a local isolated storage Limited app-to-app communication App A cannot see App B storage App folder has: ❖ Settings ❖ Files ❖ Directories ❖ Database
  • 6. Jailbreakable or not! WM10 is a closed OS, just like most things Microsoft stuff No jailbreak yet – some activities you would like to do for mobile device testing will not be possible ❖ Access to memory ❖ Local file system and storage ❖ Transfer files to and from device
  • 7. Static Analysis View Manifest information View the application tree including assemblies, types and methods Methods which use APIs
  • 9. Purpose of Source code review “UNDERSTAND THE WORKING OF THE APPLICATION AND TO FIGURE OUT THE LOOPHOLES!” To find Treasure Key Words like: password , keys , sql, algo, AES, DES, Base64, etc Detect the data storage definitions Detect backdoors or suspicious code Detect injection flaws Figure out weak algorithm usage and hardcoded keys E.g. Password in Banking ApplicaZon (SensiZve InformaZon) E.g. Angry Birds Malware (Stealing Data) E.g. Zitmo Malware (Sending SMS)
  • 10. Reverse engineering a windows mobile application Tools used : ● De-compresser (Winrar / Winzip / 7zip) ● .Net Decompiler (ILSpy) ● Visual Studio / Notepad Steps : ● xap -> .dll ● dll -> .csproject / .vbproject
  • 11. Mitigation 1. Free Obfuscator: http://confuser.codeplex.com/ 2. Dotfuscator: https://www.preemptive.com/products/dotfuscator/overview
  • 12. Other tools used WP Power tools .NET Reflector
  • 13. Testing Approach ◼ Emulator / Windows Phone SDK ◼ Unlocked Device ◼ Side Loading ◼ Developer Unlock – Free Unlock with 2 Apps Limit ◼ Student Unlock – Up to 3 Apps ◼ Limitations ◼ Apps from the store cannot be extracted ◼ Apps from the store will not work on emulators
  • 14. Sideloading apps ◼ It is a process of installing apps on a device without using app store ◼ Windows phone Power tools is used to deploy apps ◼ Plug in your device, unlock your device & run Windows phone Power tools ◼ Only apps signed with certificates will run on unlocked phones
  • 15. Application File Structure ► AppManifest.xaml ► WMAppManifest.xml
  • 19.
  • 20. Dynamic analysis ◼ Log method names ◼ Log parameters values ◼ Log return values ◼ Add custom code to method ◼ Replace method ◼ Add custom code to the end of method ◼ Change parameter values with custom code