Pwning Windows Mobile Applications
By Ankit Giri
Agenda
Mobile Platform Operating Systems
Windows Phone Overview
What can we test?
Challenges
Approach & Prerequisites
Methodology
Application File Structure
Tools for Penetration Testing
Security Features
Microsoft Phone!
Windows Phone 8 (WP8) – used to be called Windows Mobile until 7.x
ARM Hardware Architecture (like iOS, Android, and Blackberry)
Windows Phone Runtime Application Architecture
Developer apps work on both Windows 8 and WP8
Windows NT kernel
Windows 10 Mobile: The release was officially dubbed "Version 1511" or "November Update" (owing to the fact that in all other editions of Windows 10, this version was an update).
Windows 10 Mobile launched with the Microsoft Lumia 550, 950 and 950 XL. The rollout for Windows Phone 8.1 devices started March 17, 2016
Understanding the platform
WM10 uses NT Kernel
128-bit BitLocker for device encryption
NTFS file system
Sandboxed apps
SafeBoot: Secure UEFI Boot
➔ Software without a correct digital signature can’t be loaded and booted on the phone
➔ TPM 2.0 – requires unique keys to be burned into chip during production
Windows Mobile binaries must have Microsoft signed digital signatures
Application Sandboxing
Each app has a local isolated storage
Limited app-to-app communication
App A cannot see App B storage
App folder has:
❖ Settings
❖ Files
❖ Directories
❖ Database
Jailbreakable or not!
WM10 is a closed OS, just like most things Microsoft
No jailbreak yet – some activities you would like to do for mobile device testing will not be possible
❖ Access to memory
❖ Local file system and storage
❖ Transfer files to and from device
Static Analysis
View Manifest information
View the application tree including assemblies, types and methods
Methods which use APIs
XAP files
Purpose of Source code review
“UNDERSTAND THE WORKING OF THE APPLICATION AND TO FIGURE OUT THE LOOPHOLES!”
To find treasure keywords like: password, keys, sql, algo, AES, DES, Base64, etc.
Detect the data storage definitions
Detect backdoors or suspicious code
Detect injection flaws
Figure out weak algorithm usage and hardcoded keys
E.g. Password in Banking Application (Sensitive Information)
E.g. Angry Birds Malware (Stealing Data)
E.g. Zitmo Malware (Sending SMS)
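The keyword hunt above, sketched as a small triage script over decompiled C# (an added example, not part of the original slides). The rule names, the patterns and the sample source are assumptions constructed for illustration; the class names in the sample are real .NET types.

```python
import re

# Review rules following the slide's checklist. The patterns are this example's
# own choice and only triage lines for a human reviewer; they prove nothing alone.
RULES = {
    "data-storage": re.compile(r'IsolatedStorage(Settings|File)'),
    "weak-algorithm": re.compile(r'\b(DES|MD5|RC4)'),
    "encoding-as-crypto": re.compile(r'Convert\.(To|From)Base64String'),  # Base64 is not encryption
    "hardcoded-secret": re.compile(r'(?i)(password|secret|key)\w*\s*=\s*("|new\s+byte\[\])'),
    "sql-concatenation": re.compile(r'(?i)"\s*(select|insert|update|delete)\b[^"]*"\s*\+'),
}

# Constructed sample of decompiled application code; all values are made up.
SAMPLE = r"""private static string ApiKey = "c29tZS1rZXk=";
IsolatedStorageSettings.ApplicationSettings["password"] = pwd;
var enc = Convert.ToBase64String(Encoding.UTF8.GetBytes(pwd));
var q = "SELECT * FROM users WHERE name='" + user + "'";
var des = new DESCryptoServiceProvider();
var aes = new AesManaged();"""

def scan(source):
    """Return (line number, category, stripped line) for each rule hit, in file order."""
    hits = []
    for number, line in enumerate(source.splitlines(), start=1):
        for category, pattern in RULES.items():
            if pattern.search(line):
                hits.append((number, category, line.strip()))
    return hits

if __name__ == "__main__":
    for number, category, text in scan(SAMPLE):
        print(f"line {number}: {category}: {text}")
```

The AES line is deliberately left unflagged: a keyword such as AES only tells the reviewer where to look, and the finding is in how the key is derived and stored.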
Reverse engineering a Windows Mobile application
Tools used:
● Decompressor (WinRAR / WinZip / 7-Zip)
● .NET Decompiler (ILSpy)
● Visual Studio / Notepad
Steps:
● .xap -> .dll
● .dll -> .csproj / .vbproj
Mitigation
1. Free Obfuscator: http://confuser.codeplex.com/
2. Dotfuscator: https://www.preemptive.com/products/dotfuscator/overview
Other tools used
WP Power Tools
.NET Reflector
Testing Approach
◼ Emulator / Windows Phone SDK
◼ Unlocked Device
◼ Side Loading
◼ Developer Unlock – Free Unlock with 2 Apps Limit
◼ Student Unlock – Up to 3 Apps
◼ Limitations
◼ Apps from the store cannot be extracted
◼ Apps from the store will not work on emulators
Sideloading apps
◼ It is the process of installing apps on a device without using the app store
◼ Windows Phone Power Tools is used to deploy apps
◼ Plug in your device, unlock your device & run Windows Phone Power Tools
◼ Only apps signed with certificates will run on unlocked phones
Application File Structure
► AppManifest.xaml
► WMAppManifest.xml
WMAppManifest.xml
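Viewing the manifest information of a package, as an added example that is not part of the original slides: a XAP is a ZIP archive, so the two manifests can be read directly and compared with what the archive ships. The sample package, the `SENSITIVE` review list and all function names are assumptions constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET  # for untrusted packages, prefer the defusedxml package

# Constructed sample manifests; every name and value below is made up.
APP_MANIFEST = """<Deployment xmlns="http://schemas.microsoft.com/client/2007/deployment"
    xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml" EntryPointAssembly="SampleApp">
  <Deployment.Parts><AssemblyPart x:Name="SampleApp" Source="SampleApp.dll" /></Deployment.Parts>
</Deployment>"""
WM_MANIFEST = """<Deployment xmlns="http://schemas.microsoft.com/windowsphone/2012/deployment">
  <App Title="SampleApp" Publisher="Example">
    <Capabilities>
      <Capability Name="ID_CAP_NETWORKING" />
      <Capability Name="ID_CAP_CONTACTS" />
      <Capability Name="ID_CAP_LOCATION" />
    </Capabilities>
  </App>
</Deployment>"""
# Capabilities the reviewer wants justified (the reviewer's choice, not a list from the slides).
SENSITIVE = {"ID_CAP_CONTACTS", "ID_CAP_LOCATION", "ID_CAP_MICROPHONE", "ID_CAP_ISV_CAMERA"}

def build_sample_xap():
    """Build a tiny constructed XAP (a ZIP archive) in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AppManifest.xaml", APP_MANIFEST)
        z.writestr("WMAppManifest.xml", WM_MANIFEST)
        z.writestr("SampleApp.dll", b"MZ")
        z.writestr("Helper.dll", b"MZ")  # shipped but not declared in AppManifest.xaml
    return buf.getvalue()

def _attrs(xml_bytes, element, attribute):
    """Collect one attribute from every <element>, ignoring XML namespaces."""
    root = ET.fromstring(xml_bytes)
    found = [e.get(attribute) for e in root.iter() if e.tag.rsplit("}", 1)[-1] == element]
    return sorted(v for v in found if v)

def inspect_xap(xap_bytes):
    """Summarise what the two manifests declare and what the archive really ships."""
    with zipfile.ZipFile(io.BytesIO(xap_bytes)) as xap:
        shipped = sorted(n for n in xap.namelist() if n.lower().endswith(".dll"))
        declared = _attrs(xap.read("AppManifest.xaml"), "AssemblyPart", "Source")
        caps = _attrs(xap.read("WMAppManifest.xml"), "Capability", "Name")
    undeclared = [n for n in shipped if n not in declared]
    return {"declared": declared, "undeclared_dlls": undeclared,
            "capabilities": caps, "sensitive": [c for c in caps if c in SENSITIVE]}

if __name__ == "__main__":
    print(inspect_xap(build_sample_xap()))
```

An assembly that ships in the archive but is absent from AppManifest.xaml, or a capability the app's features do not explain, is a starting point for the source code review rather than a finding in itself.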
XAP - Headers
File Analysis
Dynamic analysis
◼ Log method names
◼ Log parameters values
◼ Log return values
◼ Add custom code to method
◼ Replace method
◼ Add custom code to the end of method
◼ Change parameter values with custom code
Isolated Storage explorer