Presentation by Behrang Fouladi at UnCon in 2011. This presentation is about runtime analysis of Windows Phone 7 applications. XAP Spy, a tool developed by the presenter for dynamic analysis of Windows Phone 7 is discussed.

1. Dynamic Analysis of Windows Phone 7 apps BehrangFouladi, SensePost

2. Security Model Processes run in 4 Isolated “Chambers”: Trusted Computing Base (TCB) : Kernel land drivers Elevated Rights Chamber (ERC): User land services Standard Rights Chamber (SRC): IE, MS Office Least Privileged Chamber (LPC): Marketplace apps LPC permissions are “Capability” driven: GPS, camera, microphone, SMS or sensor Applications must be code-signed by MS after functional and content review

3. Security Model “Managed code Only” policy in Market Place and Development tools: Not 100% true: Vendors like Samsung and Adobe used Undocumented COMBridgeClass to execute native code The native code will still run in managed code security context Different versions of SDK released for OEM vendors and normal programmers: Native module and driver development support are included in OEM version (Platform Builder)

4. Windows Phone 7 SDK Installed as a VS 2010 component The Express version allows app (Silverlight) and Game development (XNA framework) No native module development features Uses MS Smart Device API to connect, deploy apps and exchange data with device/emulator VS Debugger UI has no “Attach to Process” option: no third-party app debugging

5. Dynamic Analysis Network traffic can be monitored effectively using Fiddler proxy tool Good news: WP7 Apps can only communicate HTTP(s) Inspecting IsolatedStorage: RemoteIsolatedStore class in Smart Device API is not implemented yet: But, Storage explorer based on System.IO.IsolatedStorage can be injected into target app

6. Dynamic Analysis Monitoring SMS,MMS, camera and Sensor access: Checking Capabilities element inside WMAppManifest.xml file: <Capabilities> < Capability Name="ID_CAP_LOCATION"/> <Capability Name="ID_CAP_PHONEDIALER"/> </Capabilities>

7. Dynamic Analysis Monitoring code execution flow: VS debugger can’t attach to Emulator/device processes No CLR Profiler in .NET compact framework Idea: Inject prologue to target app methods and dump variables content at runtime: Assembly files need to be re-signed after patching How to communicate with the app on emulator? Problem with anti-tampered apps

8. XAP Spy Automates the process of prologue injection, signing, deployment and logging Uses Mono.Cecil library for code injection MS Smart Device API for app deployment Communication with remote app: HTTP server and clients : approach that used by code profiling tools like EQATEC and RuntimeIntelligence: resource expensive, access violation for multi-thread apps Enabling emulator console (by registry trick) and pointing output there: HKEY_LOCAL_MACHINEOFTWAREicrosoftDEnableConsole

9. XAP Spy

10. Demo

11. Iimitations No GAC assemblies trace No code breakpoints and manual trace No runtime code/variable modification Anti-tampered apps need to be “cracked” before analysis

12. How to Improve it? Communicating directly with “debugger agent” on the emulator: VS deploys edm3.exe file to the emulator: native x86 code, signed by MS “attach to process” code was found inside this file This file seems to be a “RemoteAgent” module (Windows Mobile 5 , 6) From MSDN: “The device agent has full programmatic access to gather information and manipulate the device because it runs on the device.” Using a phone (Transport Layer=tcp) and analysis packets: Easier than reversing emulator’s DMA transport

13. Thank you!