Windows Phone 8
Security deep dive

@DavidHernie
Technical Evangelist
Microsoft Belux
Agenda
  Security goals
      What is this all about?
  System integrity
       Prevent malware from taking control
  App platform security
      Architecture and recommendations
  Data protection
      Prevent unauthorized access to data
  Access control & App Mgmt
      Provide secure access to device
  Remediation
      What if something goes wrong?
All large screen, dual-core, LTE and NFC
  Nokia Lumia 920
      4.5”, PureMotion display, PureView OIS camera
      Nokia City lens, Nokia music streaming, Wireless charging
  Nokia Lumia 820
      4.3”, ClearBlack display, Carl Zeiss lens
      Snap on back cover, Wireless charging, Nokia City lens, Nokia music streaming
  Samsung ATIV S
      4.8”, HD super AMOLED display
      NFC Tap-to-send, Samsung Family Story
  HTC 8X
      4.3”, Gorilla Glass 2 display, ultra-wide angle camera lens
      Built-in Beats Audio, built-in amp
Security Goals
  User first
      Great user experiences .. What’s the impact
  End user safety
      Not always aware .. Tools to protect
  Developer trust
      Create apps .. Trustable platform
  Business compliance
      Enterprise .. Policy .. Management
New WP8 security controls

  Secure Boot helps ensure the integrity of the
  entire Operating System
  Secure Boot implementation is provided by SoC
  Two phases:
        pre-UEFI secure boot loaders to initialize the hardware
        UEFI secure boot helps ensure integrity of OS

  Secure Boot helps prevent malware from being
  installed on the phone
Secure boot process
  Power On -> Firmware boot loaders -> OEM UEFI applications -> Windows Phone boot manager
  Windows Phone boot manager ->
        Windows Phone 8 OS boot
        Windows Phone 8 update OS boot
        Boot to flashing mode
  Legend: SoC Vendor, OEM, MSFT
  http://www.uefi.org/specs/
Signed pre-boot loader

  During manufacturing
      Pre boot is securely signed
      Add the public key used to sign the initial boot loaders,
      plus a number of unique & common keys per device
      Blow appropriate fuses – read only

  Every phone gets unique key
      Encryption, …

  No secure boot bypass for users
      Secure flashing is required
Secure UEFI Boot Loader
  All about keys
  Platform Key – Master key
      Once PK is provisioned the UEFI environment is “enabled”
      be used to sign updates
  Allowed and Forbidden Signature Database –
  DB/DBX
      Controls what images can be loaded
      Contains forbidden keys – can be updated
  Supports only signed components
      Secure boot policy
      Boot Sequence
Code Signing
   All Windows Phone 8 binaries must have digital
   signatures signed by Microsoft
       OS components and Apps have digital signatures
       Different from WP7, OEM binaries are signed by Microsoft

  With control of every layer, it becomes
  very difficult to integrate a custom build.
Windows Phone 7 Application security model
  Chamber security Model (Sandbo
  Fixed Permissions Chamber Types
      For the Kernel & Drivers <- risk
      For OS component and cross OS apps like music – expose to multiple apps
  Dynamic Build
      Created ad-hoc for apps based on Capabilities
          Expressed in application manifest
          Disclosed on Marketplace
          Defines app’s security boundary on phone
Capabilities
   WP7 capabilities
    Capabilities are detected during ingestion and overwrite what you specified
     during development.



   WP8 capabilities
   • You are responsible for specifying the correct capabilities that are used by your
     application in the AppManifest before submitting your app to the Store
Windows Phone 8 Application security model
  WP8 chambers are built on the Windows security infrastructure
  TCB for the kernel
  LPC for all
      • Apps
      • OS components
      • Drivers
  Dynamic Build (LPC)
  The attack surface becomes smaller
Internet Explorer 10 for Windows Phone

              Fast and safe browsing
                  Runs in the least-privilege sandbox
                  Cannot access data in the phone’s file system or access
                  information from other applications in memory.
                  No plug-ins
                  Real time anti-phishing protection
                  SmartScreen Filter
Device Encryption
               Full internal storage encryption to protect information
                    Built on Windows BitLocker architecture (TPM 2.0)
                    Encryption is always on
                    Not manageable, and no pre-boot PIN entry
                    All internal storage is encrypted
                    SD card not encrypted but can be managed
Data Leak Prevention (DLP)


                 Information Rights Management (IRM) helps prevent
                 intellectual property from being leaked
                   Protects emails and documents on the phone from
                   unauthorized distribution
                   Supports Exchange Server and SharePoint
                   Active Directory Rights Management supports all your
                   Mobile Information Management (MIM) needs
Security takeaways

   Secure boot turned on
   Security model for applications
   All binaries are signed
   Device encryption on
   Device access must be controlled!
Device management choice

  Exchange ActiveSync with Exchange Server
  and Office 365 for email and config
  management
  Widely used for mobile email and access policy management
  Enterprise App and device management with
  System Center Mobile Device Management
  For app distribution and access policy management
Mobile device policy and reporting
 EAS  MDM  Enterprise policies                    MDM Reporting
           Simple password                        Server configured policy values
           Alphanumeric password                  Query installed enterprise app
           Minimum password length                Device name
           Minimum password complex characters    Device ID
           Password expiration                    OS platform type
           Password history                       Firmware version
           Device wipe threshold                  OS version
           Inactivity timeout                     Device local time
     (NA)  IRM enabled                            Processor type
           Remote device wipe                     Device model
           Device encryption (new)                Device manufacturer
           Disable removable storage card (new)   Device processor architecture
           Remote update of business apps (new)   Device language
           Remote or local un-enroll (new)
Enterprise Application Management
  Diagram labels: Dev Center, IT depart
      1. Registration   2. Signing Tools   3. Cert and Enterprise ID
      1. Device Enrollment   2. Get apps
  Registration
      1. Enterprise registers @ Dev center
      2. Enterprise downloads app tools
      3. Geotrust checks that vetting is complete, and generates a
         certificate for enterprise
  Development & deployment
      1. Develop Corp App
      2. Sign package with enterprise Certificate
      3. Integrate in Corp app catalog
      4. Generate tokens to side load
      5. Deploy by mail, Corp hub ..
  No need to publish it
  Supports multiple organizations tokens
Enterprise app ingestion
  Enterprise apps are not submitted to Marketplace for ingestion
  App ingestion in enterprise catalog is owned and managed exclusively by IT
    IT is responsible for the quality of enterprise apps
    IT is responsible for any impact on the overall experience on the phone

  Use the Windows Phone Marketplace Test Kit to evaluate apps
  Enterprise app capabilities are the same as for public apps
    Capabilities are enforced on the phone at app install time
    Sandbox still there
    If the app uses the location capability, consider adding an option to disable it
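
Because IT owns enterprise app ingestion and the WP8 developer declares capabilities by hand, a pre-catalog check of the declared capabilities is useful. The following is an added example, not code from the presentation or from Microsoft; it assumes the manifest is `WMAppManifest.xml` at the root of the XAP with `Capability` elements carrying a `Name` attribute, and the review policy, approved set and sample package are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

MANIFEST_NAME = "wmappmanifest.xml"   # assumed location: root of the XAP
MAX_MANIFEST_BYTES = 1 << 20          # stop reading oversized entries

# Capabilities a reviewer should look at by hand. The location entry follows
# the slide's advice; the other entries are an assumed IT policy.
NEEDS_REVIEW = {
    "ID_CAP_LOCATION": "add an in-app option to disable location",
    "ID_CAP_CONTACTS": "app can read the address book",
    "ID_CAP_MICROPHONE": "app can record audio",
}


def declared_capabilities(manifest_xml):
    """Return the sorted, de-duplicated Capability names in a manifest."""
    # Cheap guard for byte-oriented (UTF-8) manifests: a manifest has no
    # reason to carry a DTD, so refuse one instead of parsing its entities.
    if b"<!DOCTYPE" in manifest_xml:
        raise ValueError("DOCTYPE not allowed in manifest")
    root = ET.fromstring(manifest_xml)
    names = set()
    for element in root.iter():
        # Compare local tag names so any deployment namespace matches.
        if element.tag.rsplit("}", 1)[-1] == "Capability":
            name = element.get("Name")
            if name:
                names.add(name)
    return sorted(names)


def audit_xap(xap_bytes, approved):
    """Compare a package's declared capabilities with the IT-approved set."""
    with zipfile.ZipFile(io.BytesIO(xap_bytes)) as xap:
        matches = [n for n in xap.namelist() if n.lower() == MANIFEST_NAME]
        if len(matches) != 1:
            raise ValueError("expected exactly one manifest at the XAP root")
        with xap.open(matches[0]) as handle:
            manifest = handle.read(MAX_MANIFEST_BYTES + 1)
    if len(manifest) > MAX_MANIFEST_BYTES:
        raise ValueError("manifest too large")
    declared = declared_capabilities(manifest)
    not_approved = [c for c in declared if c not in approved]
    return {
        "declared": declared,
        "not_approved": not_approved,
        "review": {c: NEEDS_REVIEW[c] for c in declared if c in NEEDS_REVIEW},
        "approved_but_unused": sorted(set(approved) - set(declared)),
        "ok": not not_approved,
    }


def build_sample_xap():
    """Constructed sample package: a zip holding only a small manifest."""
    manifest = (
        b'<?xml version="1.0" encoding="utf-8"?>\n'
        b'<Deployment xmlns="http://schemas.microsoft.com/windowsphone/2012/deployment">\n'
        b'  <App Title="Constructed Corp App">\n'
        b'    <Capabilities>\n'
        b'      <Capability Name="ID_CAP_NETWORKING" />\n'
        b'      <Capability Name="ID_CAP_LOCATION" />\n'
        b'      <Capability Name="ID_CAP_CONTACTS" />\n'
        b'    </Capabilities>\n'
        b'  </App>\n'
        b'</Deployment>\n'
    )
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as xap:
        xap.writestr("WMAppManifest.xml", manifest)
    return buffer.getvalue()


if __name__ == "__main__":
    # Constructed approval record for the sample app.
    approved = {"ID_CAP_NETWORKING", "ID_CAP_LOCATION", "ID_CAP_PUSH_NOTIFICATION"}
    report = audit_xap(build_sample_xap(), approved)
    for key, value in report.items():
        print(f"{key}: {value}")
```

A package whose report has `ok` set to false declares a capability nobody approved and should not reach the signing step; `approved_but_unused` points at approvals that can be withdrawn.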
WP7 Phones enterprise app deployment
    1. Submit your app to the Marketplace
    2. Mark as hidden
    3. Email a Deep Link (IRM)
    4. User downloads and installs the app
    5. Advice – add user authentication
       Enterprise app installation works only for enrolled phones
Unmanaged Phones enterprise app deployment (BYOD)
    1. Enterprise IT signs the XAP
    2. Email a link with the app enrollment token (IRM)
    3. User downloads and installs the app enrollment token
    4. User navigates via web to the enterprise app store or via
       a client app
       Enterprise app installation works only for enrolled phones
    5. App is downloaded and installed on the phone
    6. Advice – add user authentication
Managed Phones Enterprise App management
    Managed by MDM
    1. The phone initiates enrollment with MDM
    2. MDM provisions certificates and sends the app
       enrollment token to the phone
    3. IT can decide to push only one App
    4. Advice – push a discovery app that provides access to
       apps in the enterprise store
    5. User always decides to install Apps
    6. Automatic update or removal of Apps once enrolled with the
       enterprise
Company Hub as private marketplace
Remediate

  Remote and local wipe
  Admin initiated or end user initiated
  Windowsphone.live.com (Demo)

  Windows update
  OTA only - not manageable by IT

  Application revocation
  Marketplace and enterprise apps
Robust security helps to protect information
   Secure boot
       Complete boot sequence is secured
       Assures operating system integrity and known state, helps protect against malware

   Code signing
       All code is signed
       Making sure only known and trusted software components can execute

   App sandboxing
       Least privilege, secure chambers model is applied to operating system services, inbox apps,
        and store apps
       Marketplace developer validation, app certification, and malware scanning
       Assures apps can be trusted and helps protect against malware

   Device encryption
       Always-on, hardware assisted, and accelerated, full internal storage encryption
5 – 6 – 7 MARCH 2013
Kinepolis Antwerp
3 days full of fascinating technical sessions for
developers and IT professionals.

        www.techdays.be
The information herein is for informational purposes only and represents the current view of
Microsoft Corporation as of the date of this presentation. Because Microsoft must respond
to changing market conditions, it should not be interpreted to be a commitment on the part of
Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the
date of this presentation.

MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION
IN THIS PRESENTATION.




© 2012 Microsoft Corporation.
All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

Mais conteúdo relacionado

Mais procurados

Смирнов Александр, Security in Android Application
Смирнов Александр, Security in Android ApplicationСмирнов Александр, Security in Android Application
Смирнов Александр, Security in Android ApplicationSECON
 
Analysis and research of system security based on android
Analysis and research of system security based on androidAnalysis and research of system security based on android
Analysis and research of system security based on androidRavishankar Kumar
 
Permission in Android Security: Threats and solution
Permission in Android Security: Threats and solutionPermission in Android Security: Threats and solution
Permission in Android Security: Threats and solutionTandhy Simanjuntak
 
Android security in depth
Android security in depthAndroid security in depth
Android security in depthSander Alberink
 
Understanding android security model
Understanding android security modelUnderstanding android security model
Understanding android security modelPragati Rai
 
Deep Dive Into Android Security
Deep Dive Into Android SecurityDeep Dive Into Android Security
Deep Dive Into Android SecurityMarakana Inc.
 
Android Security
Android SecurityAndroid Security
Android SecurityArqum Ahmad
 
Introduction to Android Development and Security
Introduction to Android Development and SecurityIntroduction to Android Development and Security
Introduction to Android Development and SecurityKelwin Yang
 
Android security
Android securityAndroid security
Android securityMobile Rtpl
 
Bypassing the Android Permission Model
Bypassing the Android Permission ModelBypassing the Android Permission Model
Bypassing the Android Permission ModelGeorgia Weidman
 
Android Security
Android SecurityAndroid Security
Android SecurityLars Jacobs
 
RSA SF Conference talk-2009-ht2-401 sallam
RSA SF Conference talk-2009-ht2-401 sallamRSA SF Conference talk-2009-ht2-401 sallam
RSA SF Conference talk-2009-ht2-401 sallamAhmed Sallam
 
Sperasoft talks: Android Security Threats
Sperasoft talks: Android Security ThreatsSperasoft talks: Android Security Threats
Sperasoft talks: Android Security ThreatsSperasoft
 
Consulthink @ GDG Meets U - L'Aquila2014 - Codelab: Android Security -Il ke...
Consulthink @ GDG Meets U -  L'Aquila2014  - Codelab: Android Security -Il ke...Consulthink @ GDG Meets U -  L'Aquila2014  - Codelab: Android Security -Il ke...
Consulthink @ GDG Meets U - L'Aquila2014 - Codelab: Android Security -Il ke...Consulthinkspa
 

Mais procurados (20)

Смирнов Александр, Security in Android Application
Смирнов Александр, Security in Android ApplicationСмирнов Александр, Security in Android Application
Смирнов Александр, Security in Android Application
 
Analysis and research of system security based on android
Analysis and research of system security based on androidAnalysis and research of system security based on android
Analysis and research of system security based on android
 
Permission in Android Security: Threats and solution
Permission in Android Security: Threats and solutionPermission in Android Security: Threats and solution
Permission in Android Security: Threats and solution
 
Android Security
Android SecurityAndroid Security
Android Security
 
Android security in depth
Android security in depthAndroid security in depth
Android security in depth
 
Android security
Android securityAndroid security
Android security
 
Android security
Android securityAndroid security
Android security
 
Android sandbox
Android sandboxAndroid sandbox
Android sandbox
 
Understanding android security model
Understanding android security modelUnderstanding android security model
Understanding android security model
 
Deep Dive Into Android Security
Deep Dive Into Android SecurityDeep Dive Into Android Security
Deep Dive Into Android Security
 
Android Security
Android SecurityAndroid Security
Android Security
 
Introduction to Android Development and Security
Introduction to Android Development and SecurityIntroduction to Android Development and Security
Introduction to Android Development and Security
 
Android security
Android securityAndroid security
Android security
 
Android
AndroidAndroid
Android
 
Bypassing the Android Permission Model
Bypassing the Android Permission ModelBypassing the Android Permission Model
Bypassing the Android Permission Model
 
Android Security
Android SecurityAndroid Security
Android Security
 
RSA SF Conference talk-2009-ht2-401 sallam
RSA SF Conference talk-2009-ht2-401 sallamRSA SF Conference talk-2009-ht2-401 sallam
RSA SF Conference talk-2009-ht2-401 sallam
 
Sperasoft talks: Android Security Threats
Sperasoft talks: Android Security ThreatsSperasoft talks: Android Security Threats
Sperasoft talks: Android Security Threats
 
Consulthink @ GDG Meets U - L'Aquila2014 - Codelab: Android Security -Il ke...
Consulthink @ GDG Meets U -  L'Aquila2014  - Codelab: Android Security -Il ke...Consulthink @ GDG Meets U -  L'Aquila2014  - Codelab: Android Security -Il ke...
Consulthink @ GDG Meets U - L'Aquila2014 - Codelab: Android Security -Il ke...
 
Android ppt
Android pptAndroid ppt
Android ppt
 

Semelhante a Windows Phone 8 Security Deep Dive

ASFWS 2011 - Secure software development for mobile devices
ASFWS 2011 - Secure software development for mobile devicesASFWS 2011 - Secure software development for mobile devices
ASFWS 2011 - Secure software development for mobile devicesCyber Security Alliance
 
Pwning Windows Mobile applications by Ankit Giri
Pwning Windows Mobile applications by Ankit GiriPwning Windows Mobile applications by Ankit Giri
Pwning Windows Mobile applications by Ankit GiriOWASP Delhi
 
18 windows phone 8.1 for the enterprise developer
18   windows phone 8.1 for the enterprise developer18   windows phone 8.1 for the enterprise developer
18 windows phone 8.1 for the enterprise developerWindowsPhoneRocks
 
Mdm with config mgr nico
Mdm with config mgr nicoMdm with config mgr nico
Mdm with config mgr nicoKenny Buntinx
 
Mobile Enterprise Application Platform
Mobile Enterprise Application PlatformMobile Enterprise Application Platform
Mobile Enterprise Application PlatformNugroho Gito
 
Track f evolving trusted platforms - arm
Track f   evolving trusted platforms - armTrack f   evolving trusted platforms - arm
Track f evolving trusted platforms - armchiportal
 
iOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3miOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3mPrem Kumar (OSCP)
 
Mobile Forensics on a Shoestring Budget
Mobile Forensics on a Shoestring BudgetMobile Forensics on a Shoestring Budget
Mobile Forensics on a Shoestring BudgetBrent Muir
 
Sophos Mobile Control - Product Overview
Sophos Mobile Control - Product OverviewSophos Mobile Control - Product Overview
Sophos Mobile Control - Product OverviewSophos
 
Mobile security
Mobile securityMobile security
Mobile securityStefaan
 
What's your BYOD Strategy? Objectives and tips from Microsoft & Aptera
What's your BYOD Strategy? Objectives and tips from Microsoft & ApteraWhat's your BYOD Strategy? Objectives and tips from Microsoft & Aptera
What's your BYOD Strategy? Objectives and tips from Microsoft & ApteraAptera Inc
 
When developer's api simplify user mode rootkits developing.
When developer's api simplify user mode rootkits developing.When developer's api simplify user mode rootkits developing.
When developer's api simplify user mode rootkits developing.Yury Chemerkin
 
Enterprise Mobility (Admin)
Enterprise Mobility (Admin)Enterprise Mobility (Admin)
Enterprise Mobility (Admin)Microsoft
 
BlackDuck Suite
BlackDuck SuiteBlackDuck Suite
BlackDuck Suitejeff cheng
 
Security testing of mobile applications
Security testing of mobile applicationsSecurity testing of mobile applications
Security testing of mobile applicationsGTestClub
 
Nsa best practices for keeping your home network secure
Nsa   best practices for keeping your home network secureNsa   best practices for keeping your home network secure
Nsa best practices for keeping your home network secureFort Rucker FRSA
 

Semelhante a Windows Phone 8 Security Deep Dive (20)

ASFWS 2011 - Secure software development for mobile devices
ASFWS 2011 - Secure software development for mobile devicesASFWS 2011 - Secure software development for mobile devices
ASFWS 2011 - Secure software development for mobile devices
 
Pwning Windows Mobile applications by Ankit Giri
Pwning Windows Mobile applications by Ankit GiriPwning Windows Mobile applications by Ankit Giri
Pwning Windows Mobile applications by Ankit Giri
 
18 windows phone 8.1 for the enterprise developer
18   windows phone 8.1 for the enterprise developer18   windows phone 8.1 for the enterprise developer
18 windows phone 8.1 for the enterprise developer
 
Mdm with config mgr nico
Mdm with config mgr nicoMdm with config mgr nico
Mdm with config mgr nico
 
Mdm with config mgr nico
Mdm with config mgr nicoMdm with config mgr nico
Mdm with config mgr nico
 
Mobile Enterprise Application Platform
Mobile Enterprise Application PlatformMobile Enterprise Application Platform
Mobile Enterprise Application Platform
 
Track f evolving trusted platforms - arm
Track f   evolving trusted platforms - armTrack f   evolving trusted platforms - arm
Track f evolving trusted platforms - arm
 
iOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3miOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3m
 
Windows 10: Security Focus (part II)
Windows 10: Security Focus (part II)Windows 10: Security Focus (part II)
Windows 10: Security Focus (part II)
 
Mobile Forensics on a Shoestring Budget
Mobile Forensics on a Shoestring BudgetMobile Forensics on a Shoestring Budget
Mobile Forensics on a Shoestring Budget
 
Sophos Mobile Control - Product Overview
Sophos Mobile Control - Product OverviewSophos Mobile Control - Product Overview
Sophos Mobile Control - Product Overview
 
Mobile security
Mobile securityMobile security
Mobile security
 
Untitled 1
Untitled 1Untitled 1
Untitled 1
 
What's your BYOD Strategy? Objectives and tips from Microsoft & Aptera
What's your BYOD Strategy? Objectives and tips from Microsoft & ApteraWhat's your BYOD Strategy? Objectives and tips from Microsoft & Aptera
What's your BYOD Strategy? Objectives and tips from Microsoft & Aptera
 
When developer's api simplify user mode rootkits developing.
When developer's api simplify user mode rootkits developing.When developer's api simplify user mode rootkits developing.
When developer's api simplify user mode rootkits developing.
 
Webinar on Enterprise Security & android
Webinar on Enterprise Security & androidWebinar on Enterprise Security & android
Webinar on Enterprise Security & android
 
Enterprise Mobility (Admin)
Enterprise Mobility (Admin)Enterprise Mobility (Admin)
Enterprise Mobility (Admin)
 
BlackDuck Suite
BlackDuck SuiteBlackDuck Suite
BlackDuck Suite
 
Security testing of mobile applications
Security testing of mobile applicationsSecurity testing of mobile applications
Security testing of mobile applications
 
Nsa best practices for keeping your home network secure
Nsa   best practices for keeping your home network secureNsa   best practices for keeping your home network secure
Nsa best practices for keeping your home network secure
 

Mais de Microsoft Developer Network (MSDN) - Belgium and Luxembourg

Mais de Microsoft Developer Network (MSDN) - Belgium and Luxembourg (20)

Code in the Cloud - Ghent - 20 February 2015
Code in the Cloud - Ghent - 20 February 2015Code in the Cloud - Ghent - 20 February 2015
Code in the Cloud - Ghent - 20 February 2015
 
Executive Summit for ISV & Application builders - January 2015
Executive Summit for ISV & Application builders - January 2015Executive Summit for ISV & Application builders - January 2015
Executive Summit for ISV & Application builders - January 2015
 
Executive Summit for ISV & Application builders - Internet of Things
Executive Summit for ISV & Application builders - Internet of ThingsExecutive Summit for ISV & Application builders - Internet of Things
Executive Summit for ISV & Application builders - Internet of Things
 
Executive Summit for ISV & Application builders - January 2015
Executive Summit for ISV & Application builders - January 2015Executive Summit for ISV & Application builders - January 2015
Executive Summit for ISV & Application builders - January 2015
 
Code in the Cloud - December 8th 2014
Code in the Cloud - December 8th 2014Code in the Cloud - December 8th 2014
Code in the Cloud - December 8th 2014
 
Adam azure presentation
Adam   azure presentationAdam   azure presentation
Adam azure presentation
 
release management
release managementrelease management
release management
 
cloud value for application development
cloud value for application developmentcloud value for application development
cloud value for application development
 
Modern lifecycle management practices
Modern lifecycle management practicesModern lifecycle management practices
Modern lifecycle management practices
 
Belgian visual studio launch 2013
Belgian visual studio launch 2013Belgian visual studio launch 2013
Belgian visual studio launch 2013
 
Windows Azure Virtually Speaking
Windows Azure Virtually SpeakingWindows Azure Virtually Speaking
Windows Azure Virtually Speaking
 
Inside the Microsoft TechDays Belgium Apps
Inside the Microsoft TechDays Belgium AppsInside the Microsoft TechDays Belgium Apps
Inside the Microsoft TechDays Belgium Apps
 
TechDays 2013 Developer Keynote
TechDays 2013 Developer KeynoteTechDays 2013 Developer Keynote
TechDays 2013 Developer Keynote
 
Deep Dive into Entity Framework 6.0
Deep Dive into Entity Framework 6.0Deep Dive into Entity Framework 6.0
Deep Dive into Entity Framework 6.0
 
Applied MVVM in Windows 8 apps: not your typical MVVM session!
Applied MVVM in Windows 8 apps: not your typical MVVM session!Applied MVVM in Windows 8 apps: not your typical MVVM session!
Applied MVVM in Windows 8 apps: not your typical MVVM session!
 
Building SPA’s (Single Page App) with Backbone.js
Building SPA’s (Single Page App) with Backbone.jsBuilding SPA’s (Single Page App) with Backbone.js
Building SPA’s (Single Page App) with Backbone.js
 
Deep Dive and Best Practices for Windows Azure Storage Services
Deep Dive and Best Practices for Windows Azure Storage ServicesDeep Dive and Best Practices for Windows Azure Storage Services
Deep Dive and Best Practices for Windows Azure Storage Services
 
Building data centric applications for web, desktop and mobile with Entity Fr...
Building data centric applications for web, desktop and mobile with Entity Fr...Building data centric applications for web, desktop and mobile with Entity Fr...
Building data centric applications for web, desktop and mobile with Entity Fr...
 
Bart De Smet Unplugged
Bart De Smet UnpluggedBart De Smet Unplugged
Bart De Smet Unplugged
 
Putting the Microsoft Design Language to work
Putting the Microsoft Design Language to workPutting the Microsoft Design Language to work
Putting the Microsoft Design Language to work
 

Windows Phone 8 Security Deep Dive

  • 1. Windows Phone 8 Security deep dive @DavidHernie Technical Evangelist Microsoft Belux
  • 2. Agenda Security goals What is this all about? System integrity Prevent malware from taking control App platform security Architecture and recommendations Data protection Prevent unauthorized access to data Access control & App Mgmt Provide secure access to device Remediation What if something goes wrong?
  • 3. All large screen, dual-core, LTE and NFC Nokia Lumia 920 Nokia Lumia 820 Samsung ATIV S HTC 8X 4.5”, PureMotion display, 4.3”, ClearBlack display, Carl 4.8”, HD super AMOLED 4.3”, Gorilla Glass 2 display, PureView OIS camera Zeiss lens display ultra-wide angle camera lens Nokia City lens, Nokia music Snap on back cover, Wireless NFC Tap-to-send, Built-in Beats Audio, built-in streaming, Wireless charging charging, Nokia City lens, Samsung Family Story amp Nokia music streaming
  • 4. Security Goals User first Great users experiences .. What’s the impact End user safety Not always aware .. Tools to protect Developer trust Create apps .. Trustable platform Business compliance Enterprise .. Policy .. Management
  • 5. New WP8 security controls Secure Boot helps ensure the integrity of the entire Operating System Secure Boot implementation is provided by SoC Two phases: pre-UEFI secure boot loaders to initialize the hardware UEFI secure boot helps ensure integrity of OS Secure Boot helps prevent malware from being installed on the phone
  • 6. Secure boot process Power On Windows Firmware Windows Phone 8 OS OEM UEFI boot boot Phone boot applications loaders manager Windows Phone 8 update OS Boot to boot flashing SoC Vendor mode OEM MSFT http://www.uefi.org/specs/
  • 7. Signed pre-boot loader During manufacturing Pre boot is securely signed Add public key used to sign the initial boot loaders + numbers of unique & common keys per device Blow appropriate fuses – read only Every phone gets unique key Encryption, … No secure boot bypass for users Secure flashing is required
  • 8. Secure UEFI Boot Loader All about keys Platform Key – Master key Once PK is provisioned the UEFI environment is “enabled” be used to sign updates Allowed and Forbidden Signature Database – DB/DBX Controls what images can be loaded Contains forbidden keys – can be updated Supports only signed components Secure boot policy Boot Sequence
  • 9. Code Signing All Windows Phone 8 binaries must have digital signatures signed by Microsoft OS components and Apps have a digital signatures Different from WP7, OEM binaries are signed by Microsoft With the control of every layers, it becomes very difficult to integrate a custom build.
  • 10. Windows Phone 7 Application security model Chamber security Model (Sandbo Fixed For the Kernel & Drivers <- risk Permissions Chamber For OS component and cross OS apps like Types music – expose to multiple apps Capabilities Created ad-hoc for apps based on Dynamic Build Expressed in application manifest Disclosed on Marketplace Defines app’s security boundary on phone
  • 11. Capabilities WP7 capabilities  Capabilities are detected during ingestion and overwrite what you specified during development. WP8 capabilities • You are responsible for specifying the correct capabilities that are used by your application in the AppManifest before submitting your app to the Store
  • 12. Windows Phone 8 Application security model WP8 chambers are built on the Windows security infrastructure TBC for the kernel LPC for all • Apps • OS components Dynamic • Drivers Build (LPC) The attack surface becomes smaller
  • 13. Internet Explorer 10 for Windows Phone Fast and safe browsing Run in the Least privilege sandbox Cannot access data in the phone’s file system or access information from other applications in memory. No plug-ins Real time anti-phishing protection SmartScreen Filter
  • 14. Device Encryption Full internal storage encryption to protect information Build on Windows BitLocker architecture (TPM 2.0) Encryption is always on Not manageable or pre-boot PIN entry All internal storage is encrypted SD card not encrypted but can be managed
  • 15. Data Leak Prevention (DLP) Information Rights Management (IRM) Helps prevent intellectual property from being leaked Protects emails and documents on the phone from unauthorized distribution SupportExchange Server and SharePoint Active Directory Rights Management supports all your Mobile Information Management (MIM) needs
  • 16. Security takeaways Secure boot turned on Security model for applications All binaries are signed Device encryption on Device access must be controlled!
  • 17. Device management choice Exchange ActiveSync with Exchange Server and Office 365 for email and config management Widely used for mobile email and access policy management Enterprise App and device management with System Center Mobile Device Management For app distribution and access policy management
  • 18. Mobile device policy and reporting. Enterprise policies (EAS, MDM): Simple password; Alphanumeric password; Minimum password length; Minimum password complex characters; Password expiration; Password history; Device wipe threshold; Inactivity timeout; IRM enabled (NA); Remote device wipe; Device encryption (new); Disable removable storage card (new); Remote update of business apps (new); Remote or local un-enroll (new). MDM reporting: Server configured policy values; Query installed enterprise app; Device name; Device ID; OS platform type; Firmware version; OS version; Device local time; Processor type; Device model; Device manufacturer; Device processor architecture; Device language.
  • 19. Enterprise Application Management. Diagram, IT department and Dev Center: 1. Registration 2. Signing Tools 3. Cert and Enterprise ID. Diagram, IT department and phone: 1. Device Enrollment 2. Get apps. Registration: 1. Enterprise registers @ Dev Center 2. Enterprise downloads app tools 3. Geotrust checks that vetting is complete, and generates a certificate for enterprise. Development & deployment: 1. Develop Corp App 2. Sign package with enterprise Certificate 3. Integrate in Corp app catalog 4. Generate tokens to side load 5. Deploy by mail, Corp hub .. No need to publish it. Supports multiple organizations tokens.
  • 20. Enterprise app ingestion. Enterprise apps are not submitted to Marketplace for ingestion. App ingestion in the enterprise catalog is owned and managed exclusively by IT. IT is responsible for the quality of enterprise apps. IT is responsible for any impact on the overall experience on the phone. Use the Windows Phone Marketplace Test Kit to evaluate apps. Enterprise app capabilities are the same as for public apps. Capabilities are enforced on the phone at app install time. Sandbox still there. If an app uses the location capability, the suggestion is to add an option to disable it.
  • 21. WP7 Phones enterprise app deployment. 1. Submit your app to the Marketplace 2. Mark as hidden 3. Email a Deep Link (IRM) 4. User downloads and installs the app 5. Advice: add a User Authentication. Enterprise app installation works only for enrolled phones.
  • 22. Unmanaged Phones enterprise app deployment (BYOD). 1. Enterprise IT signs the XAP 2. Email a link with the app enrollment token (IRM) 3. User downloads and installs the app enrollment token 4. User navigates via web to the enterprise app store or via a client app 5. App is downloaded and installed on the phone 6. Advice: add a User Authentication. Enterprise app installation works only for enrolled phones.
  • 23. Managed Phones Enterprise App management. Managed by MDM. 1. The phone initiates enrollment with MDM 2. MDM provisions certificates and sends the app enrollment token to the phone 3. IT can decide to push only one App 4. Advice: push a discovery app that provides access to apps in the enterprise store 5. User always decides to install Apps 6. Automatic update or removal of Apps once enrolled with the enterprise.
  • 24. Company Hub as private marketplace
  • 25. Remediate. Remote and local wipe: admin initiated or end user initiated; Windowsphone.live.com (Demo). Windows update: OTA only, not manageable by IT. Application revocation: Marketplace and enterprise apps.
  • 26. Robust security helps to protect information. Secure boot: complete boot sequence is secured; assures operating system integrity and known state, helps protect against malware. Code signing: all code is signed, making sure only known and trusted software components can execute. App sandboxing: least privilege, secure chambers model is applied to operating system services, inbox apps, and store apps. Marketplace: developer validation, app certification, and malware scanning; assures apps can be trusted and helps protect against malware. Device encryption: always-on, hardware assisted, and accelerated, full internal storage encryption.
  • 27. 5 – 6 – 7 MARCH 2013 Kinepolis Antwerp 3 days full of fascinating technical sessions for developers and IT professionals. www.techdays.be
  • 28. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
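An added example (not from the original slides or from Microsoft) of the IT-side check implied by slides 11 and 20: enterprise apps skip Marketplace ingestion, so IT can list the capabilities an in-house package declares before signing it. It assumes the manifest is `WMAppManifest.xml` at the root of the XAP (a ZIP archive); the approved list, the sample app and its manifest are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Assumed enterprise policy (hypothetical): capabilities IT approves without review.
APPROVED = {"ID_CAP_NETWORKING", "ID_CAP_WEBBROWSERCOMPONENT"}
# Capabilities for which the reviewer asks for a user-facing off switch (slide 20).
NEEDS_OPT_OUT = {"ID_CAP_LOCATION"}

def declared_capabilities(xap_bytes):
    """Return the capability names declared in the package's WMAppManifest.xml."""
    with zipfile.ZipFile(io.BytesIO(xap_bytes)) as xap:
        root = ET.fromstring(xap.read("WMAppManifest.xml"))
    caps = set()
    for elem in root.iter():
        # Ignore the XML namespace so WP7 and WP8 manifests are handled alike.
        if elem.tag.rsplit("}", 1)[-1] == "Capability" and elem.get("Name"):
            caps.add(elem.get("Name"))
    return caps

def review(xap_bytes):
    """Sort declared capabilities into the buckets an IT reviewer acts on."""
    caps = declared_capabilities(xap_bytes)
    return {
        "declared": sorted(caps),
        "needs_review": sorted(caps - APPROVED - NEEDS_OPT_OUT),
        "needs_opt_out": sorted(caps & NEEDS_OPT_OUT),
    }

def build_sample_xap():
    """Constructed sample package (not a real app), held in memory."""
    manifest = """<?xml version="1.0" encoding="utf-8"?>
<Deployment xmlns="http://schemas.microsoft.com/windowsphone/2012/deployment" AppPlatformVersion="8.0">
  <App Title="ExpenseTracker" ProductID="{00000000-0000-0000-0000-000000000000}">
    <Capabilities>
      <Capability Name="ID_CAP_NETWORKING" />
      <Capability Name="ID_CAP_LOCATION" />
      <Capability Name="ID_CAP_CONTACTS" />
    </Capabilities>
  </App>
</Deployment>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as xap:
        xap.writestr("WMAppManifest.xml", manifest)
    return buf.getvalue()

if __name__ == "__main__":
    print(review(build_sample_xap()))
```

Running the check before the package is signed keeps the manifest review in the same step where IT takes ownership of the app.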