2. if (slide == introduction)
System.out.println("I’m David Rook");
• Application Security Lead, Realex Payments, Dublin
CISSP, CISA, GCIH and many other acronyms
• Security Ninja (@securityninja)
• Speaker at developer and security conferences
• Microsoft Developer Security MVP
• SC Magazine Information Security Rising Star 2012
• Developed and released Agnitio and the WPAA
Friday, 7 September 2012
3. Agenda
• Smartphones and apps - big numbers, little security?
• Windows Phone 7 introduction
• Windows Phone 7 platform security
• Windows Phone 7 application security
4. Mobile device sales 2011
Pie chart: Smartphones 472 million (31%); Mobile phones 1.3 billion (69%)
Source: http://www.gartner.com/it/page.jsp?id=1924314
5. Smartphone OS market share 2011
Pie chart: Android 51%; iOS 24%; Symbian 12%; RIM 9%; Microsoft 2%
Source: http://www.gartner.com/it/page.jsp?id=2120015
12. Smartphone OS market share 2011
• Microsoft has 1.9% of the smartphone market share
• Smaller market share than something called Bada
• Should I even continue with this talk about Windows Phone 7?
• Similar approach to Android with many devices available
• IDC predict that it will have 20% market share by 2015
• 20% is unlikely but its market share will increase in my opinion
14. Windows Phone 7 Introduction
• The smartphone from Microsoft
• First released in late 2010 with 7 updates since then
• Based on Windows Embedded Compact v6 and v7
• Minimum “tough but fair” hardware requirements
• Apps only available via the Windows Phone Marketplace
• Specifically aimed at the consumer market not enterprise
16. Windows Phone 7 Introduction
• .NET Compact Framework
• Version of the .NET framework for resource constrained devices
• Some of the same classes and some mobile specific ones
• Compiler translates your code into Intermediate Language
• Apps are JIT compiled and executed by the .NET CLR
• Only managed .NET code allowed in your apps*
18. Windows Phone 7 Introduction
• Windows Phone 7 Kernel Architecture
• 32bit OS that runs inside a 4GB virtual address space
• 2GB allocated to the kernel and 2GB to the executing process
• That isn’t quite true: the executing process only gets 1GB
• The other 1GB is for components commonly mapped into all processes
19. Windows Phone 7 Introduction
• Windows Phone 7 Kernel Architecture
Diagram (layered, top to bottom):
User space: applications (TELSHELL.EXE, UDEVICES.EXE, SERVICESD.EXE, CPROG.EXE) on top of COREDLL/WINSOCK/COMMCRL/WININET and kCoreDLL.DLL
Kernel space: KERNEL.DLL, FILESYS.DLL, FSDMGR.DLL, Device.DLL, GWES, Network, Drivers, OAL.EXE
Hardware
20. Windows Phone 7 Introduction
Diagram: the 4GB virtual address space
Process Space (2GB): Process Code, User DLLs, Memory Mapped Files
Kernel Space (2GB): GWES, Drivers, File System, Kernel
21. Windows Phone 7 Introduction
Diagram: the 2GB Process Space
Process Memory: 1GB per process, private to each process
Common across all processes: Shared User DLLs 512MB, RAM Backed Mapfiles 256MB, Shared System Heap 256MB
22. Windows Phone 7 Platform Security
• Windows Phone 7 Security Model
• Chambers concept to enforce app isolation and least privilege
• The chambers provide a security boundary to restrict the apps
• Four chambers and apps run in one of them
• Three chambers have fixed permission sets
• The fourth chamber is capabilities based
23. Windows Phone 7 Platform Security
Diagram: the four chambers
Trusted Computing Base (TCB): fixed permissions
Elevated Rights Chamber (ERC): fixed permissions
Standard Rights Chamber (SRC): fixed permissions
Least Privileged Chamber (LPC): capabilities based
24. Windows Phone 7 Platform Security
Trusted Computing Base (TCB)
• The kernel and kernel-mode drivers run in the TCB chamber
• Allows processes to have unrestricted access to most resources
• The TCB chamber can modify policy and enforce the security model
• Only Microsoft can add signed software to the TCB chamber
25. Windows Phone 7 Platform Security
Elevated Rights Chamber (ERC)
• User-mode drivers and services run in this chamber
• Can access all resources except security policy
• Intended for services and user-mode drivers
• Only Microsoft can add signed software to the ERC chamber
26. Windows Phone 7 Platform Security
Standard Rights Chamber (SRC)
• The default chamber for pre-installed MS and OEM applications
• Apps that do not provide device-wide services run in the SRC
27. Windows Phone 7 Platform Security
Least Privileged Chamber (LPC)
• The default chamber for all non-Microsoft applications
• Least Privileged Chambers are configured using capabilities
• Capabilities are listed in the application’s WMAppManifest.xml file
28. Windows Phone 7 Platform Security
• Windows Phone 7 Application Capabilities
• Application capabilities are features that an app uses
• Apps request permission to access protected APIs during the deployment process
• Default app manifest file includes a list of all the capabilities*
• WP7 grants security permissions based on the contents of your WMAppManifest.xml file*
• Not everything your app does needs a capability defined
29. Windows Phone 7 Platform Security
• Windows Phone 7 Application Capabilities
• Capability checks are enforced at runtime
• Permission set for the app’s LPC is created based on the capabilities
• Requests for other resources == UnauthorizedAccessException
• This exception occurs when the access is attempted, not when the app is executed
31. Windows Phone 7 Platform Security
• Windows Phone 7 Capabilities Detection Demo
32. Windows Phone 7 Platform Security
• Windows Phone 7 Application Signing
• Apart from developer unlocked devices apps must be signed
• Microsoft automatically signs approved apps
• Apps must have a valid Microsoft signature to be installed
34. Windows Phone 7 Platform Security
• Windows Phone 7 Application Sandboxing
• Apps execute within a restricted LPC as we saw earlier
• Cannot communicate with other apps on the phone
• Sandboxed apps aren’t allowed to run in the background
• No access to native code from within the sandbox
• All I/O operations are restricted to per app Isolated Storage
35. Windows Phone 7 Platform Security
• Windows Phone 7 Application Isolated Storage
• Per app Isolated Storage allows apps to keep data “private”
• Very similar to Isolated Storage in Silverlight
• No direct access to the file system
• No access to other apps’ Isolated Storage
• Three different ways to use your app’s Isolated Storage
39. Windows Phone 7 Application Security
• Windows Phone 7 Application Security
• Mobile application security introduces almost no new issues
• Forget about specific vulnerabilities for one minute
• Think about the root causes of vulnerabilities, I’ll give you a hand
• From that list what do you think the top 3 are?
• My top 3 are:
• Secure Storage
• Authentication and Authorisation
• Secure Resource Access/Privacy
40. Windows Phone 7 Application Security
• OWASP Top 10 Mobile Risks
• I compared the OWASP top 10 mobile risks to my list
• 50% Secure Storage/Secure Communications
• 20% Authentication and Authorisation
• 0% Privacy*
41. Windows Phone 7 Application Security
• OWASP Mobile Controls
• Lists the mobile app security controls you should implement
• I compared each control to the list I showed you, guess what?
• 26% Secure Storage
• 16% Secure Communications
• 16% Authentication and Authorisation
• 16% Secure Resource Access*
42. Windows Phone 7 Application Security
• My top 3 in the real world
• Secure Storage: Facebook, Citibank, LinkedIn, Google Wallet
• A&A: Foodspotting, Google Wallet, Google (multiple apps)
• SRA/Privacy: Path, Hipster, Ad Libraries
• This doesn’t mean we can ignore all of the other issues
43. Windows Phone 7 Application Security
• Preventing the top 3 in your WP7 apps
• I can’t cover every principle in this talk
• With that in mind I'm grouping them to make a "new" top 3
• Data Security - Secure Storage and Communications
• Authentication and Authorisation
• Data Access/Privacy
44. Windows Phone 7 Application Security
• Windows Phone 7 Data Security
• Never store data on the device if it really isn’t needed
• WP7 allows us to encrypt data and databases
• Only new databases can be encrypted but very easy to do
• DPAPI is used for file/password/pin etc encryption
• No hashing available and no algorithm selection
45. Windows Phone 7 Application Security
• Windows Phone 7 Data Security
• The local database encryption is based on a password
• You create a DB in code and you must include the password
• The database is encrypted using AES-128
• The password is hashed using SHA-256
• An encrypted database can be created with two lines of code
46. Windows Phone 7 Application Security
// Create the data context, specify the database file location and password
DavesDataContext db = new DavesDataContext("Data Source=isostore:/NinjaSecrets.sdf;Password=NinjaPassword");
// Create an encrypted database after confirming that it does not exist
if (!db.DatabaseExists()) db.CreateDatabase();
47. Windows Phone 7 Application Security
• Windows Phone 7 Data Security
• Saving data to an app’s isolated storage is not secure
• If you want to encrypt data and not a DB you use the DPAPI
• Use the System.Security.Cryptography.ProtectedData class
• Specifically the Protect() and Unprotect() methods
• Symmetric encryption (AES) used. Hashing isn’t possible
48. Windows Phone 7 Application Security
• Windows Phone 7 Data Security
• Every app on a WP7 phone gets its own Encryption Key
• DPAPI generates and securely stores this for you
• Calling Protect() or Unprotect() implicitly selects the app’s key
• optionalEntropy parameter can be used to provide extra entropy
49. Windows Phone 7 Application Security
• Encrypted Data Code Sample
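Slides 45 to 49 describe the two storage primitives: a password-protected local database (AES-128, password hashed with SHA-256) and DPAPI's Protect()/Unprotect() with its optionalEntropy parameter. The slide 46 sample hardcodes the database password in the source, which any reverse-engineered XAP gives away. The C# below is an added example, not David Rook's code or the sample from slide 49: it generates a random database password on first run, keeps it in isolated storage only as a DPAPI-protected blob bound to this app's key, and uses it to create the encrypted database. The Secret table, SecretsDataContext, SecureStore, the file name dbpassword.bin and the database name Secrets.sdf are all assumed names.

```csharp
using System;
using System.Data.Linq;
using System.Data.Linq.Mapping;
using System.IO;
using System.IO.IsolatedStorage;
using System.Security.Cryptography;
using System.Text;

// Hypothetical table: the row type stored in the encrypted database.
[Table]
public class Secret
{
    [Column(IsPrimaryKey = true, IsDbGenerated = true)]
    public int Id { get; set; }

    [Column]
    public string Name { get; set; }

    [Column]
    public string Value { get; set; }
}

// Hypothetical data context; the Password= part of the connection string is
// what switches on the database encryption described on slide 45.
public class SecretsDataContext : DataContext
{
    public SecretsDataContext(string connectionString) : base(connectionString) { }
    public Table<Secret> Secrets;   // populated by LINQ to SQL
}

public static class SecureStore
{
    private const string DbPasswordFile = "dbpassword.bin";   // assumed file name
    // Extra entropy so the blob is bound to this purpose as well as to the app key.
    private static readonly byte[] Entropy = Encoding.UTF8.GetBytes("dbpassword-v1");

    private static string ToHex(byte[] bytes)
    {
        return BitConverter.ToString(bytes).Replace("-", "");
    }

    // Returns the database password, creating a random one on first run.
    // The password only ever touches isolated storage as a DPAPI-protected blob.
    public static string GetOrCreateDbPassword()
    {
        using (var store = IsolatedStorageFile.GetUserStoreForApplication())
        {
            if (store.FileExists(DbPasswordFile))
            {
                byte[] blob;
                using (var fs = store.OpenFile(DbPasswordFile, FileMode.Open, FileAccess.Read))
                {
                    blob = new byte[fs.Length];
                    int offset = 0;
                    while (offset < blob.Length)
                    {
                        int n = fs.Read(blob, offset, blob.Length - offset);
                        if (n <= 0) throw new IOException("Unexpected end of password file");
                        offset += n;
                    }
                }
                // Unprotect() implicitly uses this app's DPAPI key, so a copy of the
                // file read by another app cannot be decrypted.
                return ToHex(ProtectedData.Unprotect(blob, Entropy));
            }

            // First run: 16 random bytes (128 bits) from the platform CSPRNG.
            byte[] random = new byte[16];
            using (var rng = new RNGCryptoServiceProvider())
            {
                rng.GetBytes(random);
            }
            byte[] protectedBytes = ProtectedData.Protect(random, Entropy);
            using (var fs = store.CreateFile(DbPasswordFile))
            {
                fs.Write(protectedBytes, 0, protectedBytes.Length);
            }
            return ToHex(random);
        }
    }

    // Opens the encrypted database, creating it on first run.
    public static SecretsDataContext OpenDatabase()
    {
        string password = GetOrCreateDbPassword();
        var db = new SecretsDataContext("Data Source=isostore:/Secrets.sdf;Password=" + password);
        if (!db.DatabaseExists())
        {
            db.CreateDatabase();   // only a newly created database can be encrypted
        }
        return db;
    }
}
```

The password is hex-encoded so it contains no characters that could upset the connection string. Losing the protected blob (for example by reinstalling the app) makes the existing database unreadable, which is the intended fail-closed behaviour rather than a bug.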
50. Windows Phone 7 Application Security
• Windows Phone 7 Data Security
• Secure Communications is a lot easier!
• Very little to do with the app code itself in my opinion
• More to do with good design and a good security code review!
• Data sent to web services, SQL Azure etc needs protection
• No client side SSL certs allowed and no VPN functionality
51. Windows Phone 7 Application Security
• Windows Phone 7 Authentication & Authorisation
• Not just talking about app logon or service authentication
• Specifically talking about access to data on the device
• Gaining the user’s authorisation before accessing sensitive data
• This includes access to the user’s contacts, SMS etc
• I know we already "asked" in the WMAppManifest.xml file....
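Slides 28 and 29 describe capability checks being enforced at the moment an API is used (an UnauthorizedAccessException at access time, not at launch), and this slide argues for asking the user before reading data such as contacts rather than relying on the manifest alone. The C# below is an added example, not code from the talk, that puts the two together for the Windows Phone 7.1 Contacts API: it prompts the user, and only then calls the API inside a handler for the exception the platform raises when ID_CAP_CONTACTS is absent from WMAppManifest.xml. ContactsAccess, SearchContactsWithConsent, the callback and the message text are assumptions.

```csharp
using System;
using System.Windows;
using Microsoft.Phone.UserData;

public static class ContactsAccess
{
    // Hypothetical helper: obtain the user's consent, then touch the contacts store.
    // Returns true only if the search was actually started.
    public static bool SearchContactsWithConsent(string filter, Action<ContactsSearchEventArgs> onResults)
    {
        // Consent in the UI, in addition to the manifest capability.
        MessageBoxResult answer = MessageBox.Show(
            "This app would like to read your contacts to look up \"" + filter + "\". Allow?",
            "Contacts access",
            MessageBoxButton.OKCancel);
        if (answer != MessageBoxResult.OK)
        {
            return false;   // user declined: do not touch the store at all
        }

        var contacts = new Contacts();
        contacts.SearchCompleted += (sender, e) => onResults(e);
        try
        {
            // Requires ID_CAP_CONTACTS in WMAppManifest.xml. Without it the platform
            // throws here, at the point of access, exactly as slide 29 describes.
            contacts.SearchAsync(filter, FilterKind.DisplayName, null);
            return true;
        }
        catch (UnauthorizedAccessException)
        {
            // Missing capability: fail closed and tell the user, do not retry blindly.
            MessageBox.Show("Contacts access is not available to this app.");
            return false;
        }
    }

    // Example consumer: count the matches rather than copying contact data anywhere.
    public static int CountMatches(ContactsSearchEventArgs e)
    {
        int count = 0;
        foreach (Contact c in e.Results)
        {
            count++;
        }
        return count;
    }
}
```

A caller passes a delegate such as e => MessageBox.Show(ContactsAccess.CountMatches(e) + " matches") and checks the boolean to know whether anything was read. Keeping the consent prompt in front of every sensitive read, not just the first one, is what turns the one-time manifest "ask" into an authorisation decision the user actually controls.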
52. Windows Phone 7 Application Security
• Windows Phone 7 Data Access/Privacy
• Another one which isn’t platform/framework specific
• Understand the data accessed by third party libraries
• Create a privacy policy covering personal data and stick to it!
• Don’t store historical data on the device beyond the required time
• Audit app communications to check for data leaks
53. Windows Phone 8 Security
• The good things
• Shared Windows Core (NT Kernel on a phone)
• Secure boot and Bitlocker on by default
• Enterprise app deployment/management functionality
• OTA updates for all phones for at least 18 months
54. Windows Phone 8 Security
• The potentially bad things
• Shared Windows Core (NT Kernel on a phone)
• NFC and Wallet Hub
• Native C and C++ code now available to everyone
• Micro SD Card support but with no Bitlocker support
55. Application Security Workshop
• Free Application Security Workshop at Realex
• 27th September in our Dublin office
• Secure coding: why and how
• Think like a pen tester
• Security focused code reviews