pwning windows mobile applications by ankit giri
TRANSCRIPT
![Page 1: Pwning Windows Mobile Applications by Ankit Giri](https://reader031.vdocument.in/reader031/viewer/2022021922/587198c31a28ab044e8b53c5/html5/thumbnails/1.jpg)
Pwning Windows Mobile Applications
By Ankit Giri
![Page 2: Pwning Windows Mobile Applications by Ankit Giri](https://reader031.vdocument.in/reader031/viewer/2022021922/587198c31a28ab044e8b53c5/html5/thumbnails/2.jpg)
Agenda● Mobile Platform Operating Systems
● Windows Phone Overview
● What we can test?
● Challenges
● Approach & Prerequisites
● Methodology
● Application File Structure
● Tools for Penetration Testing
● Security Features
![Page 3: Pwning Windows Mobile Applications by Ankit Giri](https://reader031.vdocument.in/reader031/viewer/2022021922/587198c31a28ab044e8b53c5/html5/thumbnails/3.jpg)
Microsoft Phone! ● Windows Phone 8 (WP8) – used to be called Windows Mobile until 7.x● ARM Hardware Architecture (like iOS, Android, and Blackberry)● Windows Phone Runtime Application Architecture● Developer apps work on both Windows 8 and WP8● Windows NT kernel● Windows 10 Mobile: The release was officially dubbed "Version 1511" or "November Update"
(owing to the fact that in all other editions of Windows 10, this version was an update).● Windows 10 Mobile launched with the Microsoft Lumia 550, 950 and 950 XL. The rollout for
Windows Phone 8.1 devices started March 17, 2016
![Page 4: Pwning Windows Mobile Applications by Ankit Giri](https://reader031.vdocument.in/reader031/viewer/2022021922/587198c31a28ab044e8b53c5/html5/thumbnails/4.jpg)
Understanding the platform● WM10 uses NT Kernel● 128-bit BitLocker for device encryption● NTFS file system● Sandboxed apps● SafeBoot: Secure UEFI Boot➔ Can’t boot software without correct digital signature to be loaded on the phone➔ TPM 2.0 – requires unique keys to be burned into chip during production● Windows Mobile binaries must have Microsoft signed digital signatures
![Page 5: Pwning Windows Mobile Applications by Ankit Giri](https://reader031.vdocument.in/reader031/viewer/2022021922/587198c31a28ab044e8b53c5/html5/thumbnails/5.jpg)
Application Sandboxing● Each app has a local isolated storage● Limited app-to-app communication● App A cannot see App B storage● App folder has:❖ Settings❖ Files❖ Directories❖ Database
![Page 6: Pwning Windows Mobile Applications by Ankit Giri](https://reader031.vdocument.in/reader031/viewer/2022021922/587198c31a28ab044e8b53c5/html5/thumbnails/6.jpg)
Jailbreakable or not!● WM10 is a closed OS, just like most things Microsoft stuff● No jailbreak yet – some activities you would like to do for mobile device testing will not be possible❖ Access to memory❖ Local file system and storage❖ Transfer files to and from device
![Page 7: Pwning Windows Mobile Applications by Ankit Giri](https://reader031.vdocument.in/reader031/viewer/2022021922/587198c31a28ab044e8b53c5/html5/thumbnails/7.jpg)
Static Analysis● View Manifest information● View the application tree including assemblies, types and methods● Methods which use APIs
![Page 8: Pwning Windows Mobile Applications by Ankit Giri](https://reader031.vdocument.in/reader031/viewer/2022021922/587198c31a28ab044e8b53c5/html5/thumbnails/8.jpg)
XAP files
![Page 9: Pwning Windows Mobile Applications by Ankit Giri](https://reader031.vdocument.in/reader031/viewer/2022021922/587198c31a28ab044e8b53c5/html5/thumbnails/9.jpg)
Purpose of Source code review● “UNDERSTAND THE WORKING OF THE APPLICATION AND TO FIGURE OUT THE LOOPHOLES!”● To find Treasure Key Words like: password , keys , sql, algo, AES, DES, Base64, etc● Detect the data storage definitions● Detect backdoors or suspicious code● Detect injection flaws● Figure out weak algorithm usage and hardcoded keys● E.g. Password in Banking ApplicaZon (SensiZve InformaZon)● E.g. Angry Birds Malware (Stealing Data) ● E.g. Zitmo Malware (Sending SMS)
![Page 10: Pwning Windows Mobile Applications by Ankit Giri](https://reader031.vdocument.in/reader031/viewer/2022021922/587198c31a28ab044e8b53c5/html5/thumbnails/10.jpg)
Reverse engineering a windows mobile application
Tools used :
● De-compresser (Winrar / Winzip / 7zip)● .Net Decompiler (ILSpy)● Visual Studio / Notepad
Steps :
● xap -> .dll● dll -> .csproject / .vbproject
![Page 11: Pwning Windows Mobile Applications by Ankit Giri](https://reader031.vdocument.in/reader031/viewer/2022021922/587198c31a28ab044e8b53c5/html5/thumbnails/11.jpg)
Mitigation1. Free Obfuscator: http://confuser.codeplex.com/
2. Dotfuscator: https://www.preemptive.com/products/dotfuscator/overview
![Page 12: Pwning Windows Mobile Applications by Ankit Giri](https://reader031.vdocument.in/reader031/viewer/2022021922/587198c31a28ab044e8b53c5/html5/thumbnails/12.jpg)
Other tools used● WP Power tools● .NET Reflector
![Page 13: Pwning Windows Mobile Applications by Ankit Giri](https://reader031.vdocument.in/reader031/viewer/2022021922/587198c31a28ab044e8b53c5/html5/thumbnails/13.jpg)
Testing Approach● Emulator / Windows Phone SDK
● Unlocked Device
● Side Loading
● Developer Unlock – Free Unlock with 2 Apps Limit
● Student Unlock – Up to 3 Apps
● Limitations
● Apps from the store cannot be extracted
● Apps from the store will not work on emulators
![Page 14: Pwning Windows Mobile Applications by Ankit Giri](https://reader031.vdocument.in/reader031/viewer/2022021922/587198c31a28ab044e8b53c5/html5/thumbnails/14.jpg)
Sideloading apps● It is a process of installing apps on a device without using app store
● Windows phone Power tools is used to deploy apps
● Plug in your device, unlock your device & run Windows phone Power tools
● Only apps signed with certificates will run on unlocked phones
![Page 15: Pwning Windows Mobile Applications by Ankit Giri](https://reader031.vdocument.in/reader031/viewer/2022021922/587198c31a28ab044e8b53c5/html5/thumbnails/15.jpg)
Application File Structure
► AppManifest.xaml
► WMAppManifest.xml
![Page 16: Pwning Windows Mobile Applications by Ankit Giri](https://reader031.vdocument.in/reader031/viewer/2022021922/587198c31a28ab044e8b53c5/html5/thumbnails/16.jpg)
WMAppManifest.xml
![Page 17: Pwning Windows Mobile Applications by Ankit Giri](https://reader031.vdocument.in/reader031/viewer/2022021922/587198c31a28ab044e8b53c5/html5/thumbnails/17.jpg)
XAP - Headers
![Page 18: Pwning Windows Mobile Applications by Ankit Giri](https://reader031.vdocument.in/reader031/viewer/2022021922/587198c31a28ab044e8b53c5/html5/thumbnails/18.jpg)
File Analysis
![Page 19: Pwning Windows Mobile Applications by Ankit Giri](https://reader031.vdocument.in/reader031/viewer/2022021922/587198c31a28ab044e8b53c5/html5/thumbnails/19.jpg)
![Page 20: Pwning Windows Mobile Applications by Ankit Giri](https://reader031.vdocument.in/reader031/viewer/2022021922/587198c31a28ab044e8b53c5/html5/thumbnails/20.jpg)
Dynamic analysis
● Log method names
● Log parameters values
● Log return values
● Add custom code to method
● Replace method
● Add custom code to the end of method
● Change parameter values with custom code
![Page 21: Pwning Windows Mobile Applications by Ankit Giri](https://reader031.vdocument.in/reader031/viewer/2022021922/587198c31a28ab044e8b53c5/html5/thumbnails/21.jpg)
Isolated Storage explorer