Windows Phone should be gone by now. But somehow it survived, hanging around few percent of mobile OS market share. Maybe good camera which is in those phones does it. Sometimes even an application dedicated to WP platform shows up on pentest. How to do it? What tools to use? What to check? This talk will give you an overview of WP application security assessment, including some tips & tricks as well. We will cover topics like: - application internal structure - data storage - traffic interception - testing on emulator vs testing on rooted phone - code analysis of WP application - overview of security mechanisms available on WP There even will be a real phone with Windows Phone on it to see.

1. Approaching the unknown –
Windows Phone application
security assessment guide
Mateusz Olejarka
Hacktivity, 21.10.2016

2. • Senior IT Security Specialist, SecuRing
• Web & mobile application security
• Ex developer
• Bug hunter
Who am i

3. http://www.gartner.com/newsroom/id/3323017
Worldwide
Smartphone Sales to
End Users by
Operating System in
1Q of 2016
Reason
2.4 million of Windows
Phone powered devices
sold in Q1 – less than 1%
of total devices sold

4. • Application
• Test environment
• Security assessment
• Summary
• Q&A
Agenda

5. APPLICATION

6. File Structure

7. dotPeek
https://www.jetbrains.com/decompiler/

8. dotPeek

9. AppManifest.xaml

10. WMAppManifest.xml

11. „Main” class

12. app.xaml

13. Sample .xaml file

14. TEST ENVIRONMENT

15. • Do whatever it takes to get version for emulator 
• Just unpack and analyze
Emulator
https://wptools.codeplex.com/

16. • Nice tool called Windows Phone Internals
• Prerequsites to root the phone:
• Windows Phone Recovery Tool
• Nokia or Qualcomm Drivers
• FFU image (Full Flash Update)
• Flash loader file dedicated for given phone model
• SBL3 partition (for Mass Storage Mode capability)
Root and mass storage mode

17. Root and mass storage mode
http://www.wpinternals.net/

18. Root and mass storage mode

19. • Assemblies
• Data/PROGRAMS/{guid}/Install
• Isolated storage
• Data/Users/DefApps/APPDATA/Local/Packages/{guid}/
Where are the interesing parts?

20. • Start Burp proxy listener
• Set in IE proxy to that listener
• Start emulator, it should copy those settings
Traffic interception, emulator

21. • Setup WiFi hotspot on Windows
• Connect device to it
• Start Burp
Traffic interception, device

22. Traffic interception, device
• Setup WiFi hotspot on Windows
• Connect device to it
• Start Burp
• Setup proxy on the phone

23. Traffic interception, install CA

24. Traffic intercepted

25. Traffic intercepted

26. • Sometimes app has a custom HTTPS client, which happily avoid proxy
• Then i usually used pytinydns.py to the rescue
• But what about changing the host file on the device when in mass
storage mode?
But sometimes

27. SECURITY ASSESSMENT

28. • Communication
• Data storage & encryption
• Use of WebBrowser
• Code obfuscation
• URI handling
What to check

29. • Check on the wire
• In the source code look for
• System.Net.WebClient usage
• System.Net.WebRequest usage
• TIP: look for http/https string
Communication

30. Example: Certificate pinning flaw

31. • App settings stored in a file:
• IsolatedStorageSettings.ApplicationSettings usage
• File storage:
• IsolatedStorageFile usage
• DPAPI:
• ProtectedData.Protect calls
• ProtectedData.Unprotect calls
• One flaw – all apps use the same key
Data storage & encryption

32. Sample __AppSettings file

33. Example: Hardcoded hard to guess key

34. Example: Hardcoded hard to guess key

35. Example: Hardcoded hard to guess key

36. • Search for Microsoft.Phone.Controls.WebBrowser
• It have some interesting functions:
Use of WebBrowser

37. Code obfuscation

38. Code obfuscation

39. URI handling

40. SUMMARY

41. • Similarities with other platforms
• Fewer ready to go tools
• Some things are easier
Summary

42. • Complete 1.0 version of my notes and public release
• Fill the gaps
• Redaction ;)
• NFC Payments
• Windows Phone Malware !?
Future work

44. Thanks :)
Drop me msg if you wish to get my notes
mateusz.olejarka@securing.pl
@molejarka