Windows Phone should be gone by now.
But somehow it survived, hanging around at a few percent of mobile OS market share. Maybe the good cameras in those phones do it.
Sometimes an application dedicated to the WP platform even shows up on a pentest.
How to do it?
What tools to use?
What to check?
This talk will give you an overview of WP application security assessment, including some tips & tricks as well.
We will cover topics like:
- application internal structure
- data storage
- traffic interception
- testing on emulator vs testing on rooted phone
- code analysis of WP application
- overview of security mechanisms available on WP
There will even be a real phone with Windows Phone on it to see.
15. Emulator
• Do whatever it takes to get the version for the emulator
• Just unpack and analyze
https://wptools.codeplex.com/
16. Root and mass storage mode
• Nice tool called Windows Phone Internals
• Prerequisites to root the phone:
  • Windows Phone Recovery Tool
  • Nokia or Qualcomm drivers
  • FFU image (Full Flash Update)
  • Flash loader file dedicated to the given phone model
  • SBL3 partition (for Mass Storage Mode capability)
17. Root and mass storage mode
http://www.wpinternals.net/
26. But sometimes
• Sometimes the app has a custom HTTPS client, which happily bypasses the proxy
• Then I usually used pytinydns.py to the rescue
• But what about changing the hosts file on the device when in mass storage mode?
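The hosts-file trick from this slide, as an added example that is not part of the talk: a small Python helper that rewrites a hosts file so the app's API hostnames resolve to the tester's intercepting proxy on a lab device. It only transforms the file text (the device's hosts file is reachable from the PC in mass storage mode, as the slide says); every path, hostname and IP below is a constructed placeholder, and the edit is marked and reversible so the test device can be put back exactly as it was.

```python
"""Redirect chosen hostnames in a hosts file to an interception proxy (lab use).

Added example, not from the original talk. The functions work on the file text,
so the caller decides which file to read and write (the device's hosts file,
mounted in mass storage mode, is the case the slide describes).
"""
import ipaddress

MARKER = "# wp-pentest"            # tags lines this tool added
DISABLED = MARKER + "-disabled"    # tags original lines this tool commented out


def redirect_hosts(hosts_text, mapping, marker=MARKER):
    """Return hosts_text with each hostname in `mapping` pointing at its IP.

    Existing entries for those hostnames are commented out rather than deleted,
    added lines carry `marker`, and the function is idempotent (running it twice
    gives the same text as running it once).
    """
    disabled = marker + "-disabled"
    for ip in mapping.values():
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    out = []
    for line in hosts_text.splitlines():
        if line.endswith(marker):
            continue  # our own earlier line; re-added below
        fields = line.split("#", 1)[0].split()  # [ip, host, host, ...] or []
        if len(fields) >= 2 and any(h in mapping for h in fields[1:]):
            out.append("# " + line + "  " + disabled)  # keep original, disabled
        else:
            out.append(line)
    for host, ip in mapping.items():
        out.append(ip + "\t" + host + "\t" + marker)
    return "\n".join(out) + "\n"


def restore_hosts(hosts_text, marker=MARKER):
    """Undo redirect_hosts: drop added lines, re-enable disabled originals."""
    disabled = "  " + marker + "-disabled"
    out = []
    for line in hosts_text.splitlines():
        if line.endswith(marker):
            continue
        if line.startswith("# ") and line.endswith(disabled):
            out.append(line[2:-len(disabled)])
        else:
            out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample hosts file; the addresses are documentation/test ranges.
SAMPLE_HOSTS = """\
# constructed sample, not a real device file
127.0.0.1       localhost
198.51.100.7    api.example.test
10.0.0.5        other.example.test
"""

# Constructed mapping: the app's API host -> the tester's proxy on the lab LAN.
PROXY_MAP = {"api.example.test": "192.168.1.50"}

if __name__ == "__main__":
    redirected = redirect_hosts(SAMPLE_HOSTS, PROXY_MAP)
    print(redirected)
    print(restore_hosts(redirected), end="")
```

Because the DNS answer is now fixed by the hosts file, the custom HTTPS client still has to accept the proxy's certificate; if it does not, that is itself a finding worth reporting (certificate validation is in place), not something to work around in the hosts file.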
28. What to check
• Communication
• Data storage & encryption
• Use of WebBrowser
• Code obfuscation
• URI handling
29. Communication
• Check on the wire
• In the source code look for:
  • System.Net.WebClient usage
  • System.Net.WebRequest usage
  • TIP: look for http/https strings
31. Data storage & encryption
• App settings stored in a file:
  • IsolatedStorageSettings.ApplicationSettings usage
• File storage:
  • IsolatedStorageFile usage
• DPAPI:
  • ProtectedData.Protect calls
  • ProtectedData.Unprotect calls
  • One flaw: all apps use the same key
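The source-code checks from the Communication and Data storage & encryption slides, as an added example that is not part of the talk: a Python triage script that walks a directory of decompiled C# files (for instance the output of a .NET decompiler run on the unpacked .xap) and flags the API usages named in the checklist. The rule names, the directory layout and the embedded C# sample are all constructed for the example.

```python
"""Static triage of decompiled Windows Phone (C#) sources.

Added example, not from the original talk. Flags the usages the checklist names:
WebClient/WebRequest, hard-coded http/https URLs, IsolatedStorageSettings,
IsolatedStorageFile and ProtectedData.Protect/Unprotect.
"""
import os
import re
import sys
from collections import defaultdict

# Hypothetical rule set: (finding name, regex matched against each source line).
RULES = [
    ("net.webclient", re.compile(r"\bSystem\.Net\.WebClient\b|\bnew\s+WebClient\s*\(")),
    ("net.webrequest", re.compile(r"\bSystem\.Net\.WebRequest\b|\bWebRequest\.Create\s*\(")),
    ("net.http_url", re.compile(r"\"http://[^\"]*\"")),     # plaintext endpoint
    ("net.https_url", re.compile(r"\"https://[^\"]*\"")),   # worth a look too
    ("storage.app_settings", re.compile(r"\bIsolatedStorageSettings\.ApplicationSettings\b")),
    ("storage.isolated_file", re.compile(r"\bIsolatedStorageFile\b")),
    ("dpapi.protect", re.compile(r"\bProtectedData\.Protect\s*\(")),
    ("dpapi.unprotect", re.compile(r"\bProtectedData\.Unprotect\s*\(")),
]


def scan_source(text, filename="<memory>"):
    """Return a list of (finding, filename, line_no, line) for one C# source."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("//"):  # ignore line comments
            continue
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append((name, filename, line_no, stripped))
    return findings


def scan_tree(root):
    """Scan every .cs file below `root` (a decompiler output directory)."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            if fn.endswith(".cs"):
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_source(fh.read(), path))
    return findings


def summarize(findings):
    """Count findings per rule name."""
    counts = defaultdict(int)
    for name, *_ in findings:
        counts[name] += 1
    return dict(counts)


# Constructed C# sample showing the patterns the checklist is after.
SAMPLE_CS = """\
using System.Net;
using System.IO.IsolatedStorage;
using System.Security.Cryptography;

namespace Demo
{
    public class Api
    {
        // endpoint hard-coded over plain http
        private const string Endpoint = "http://api.example.test/login";

        public void Login(string user, string pass)
        {
            var client = new WebClient();
            client.UploadString(Endpoint, "u=" + user + "&p=" + pass);
            IsolatedStorageSettings.ApplicationSettings["token"] = pass;
            byte[] blob = ProtectedData.Protect(Encoding.UTF8.GetBytes(pass), null);
        }
    }
}
"""

if __name__ == "__main__":
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_source(SAMPLE_CS, "Sample.cs")
    for name, path, line_no, line in results:
        print(f"{name:22} {path}:{line_no}: {line}")
    print(summarize(results))
```

Each hit is a place to read, not a verdict: a `net.http_url` hit means a plaintext endpoint to confirm on the wire, a `storage.app_settings` hit means checking what is written there and whether it is a secret, and a `dpapi.protect` hit is only as strong as the platform key, which the slide notes is shared by all apps on the phone.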