Dynamic Analysis of Windows Phone 7 apps
Behrang Fouladi, SensePost
Security Model
• Processes run in 4 isolated “Chambers”:
  • Trusted Computing Base (TCB): kernel land drivers
  • Elevated Rights Chamber (ERC): user land services
  • Standard Rights Chamber (SRC): IE, MS Office
  • Least Privileged Chamber (LPC): Marketplace apps
• LPC permissions are “Capability” driven: GPS, camera, microphone, SMS or sensor
• Applications must be code-signed by MS after functional and content review
Security Model
• “Managed code only” policy in the Marketplace and development tools:
  • Not 100% true: vendors like Samsung and Adobe used the undocumented COMBridgeClass to execute native code
  • The native code will still run in the managed code security context
• Different versions of the SDK are released for OEM vendors and normal programmers: native module and driver development support is included in the OEM version (Platform Builder)
Windows Phone 7 SDK
• Installed as a VS 2010 component
• The Express version allows app (Silverlight) and game development (XNA framework)
• No native module development features
• Uses the MS Smart Device API to connect, deploy apps and exchange data with the device/emulator
• The VS debugger UI has no “Attach to Process” option: no third-party app debugging
Dynamic Analysis
• Network traffic can be monitored effectively using the Fiddler proxy tool
  • Good news: WP7 apps can only communicate over HTTP(S)
• Inspecting IsolatedStorage:
  • The RemoteIsolatedStore class in the Smart Device API is not implemented yet
  • But a storage explorer based on System.IO.IsolatedStorage can be injected into the target app
Dynamic Analysis
• Monitoring SMS, MMS, camera and sensor access:
  • Check the Capabilities element inside the WMAppManifest.xml file:
    <Capabilities>
      <Capability Name="ID_CAP_LOCATION"/>
      <Capability Name="ID_CAP_PHONEDIALER"/>
    </Capabilities>
Dynamic Analysis
• Monitoring code execution flow:
  • The VS debugger can’t attach to emulator/device processes
  • No CLR Profiler in the .NET Compact Framework
• Idea: inject a prologue into the target app’s methods and dump variable contents at runtime:
  • Assembly files need to be re-signed after patching
  • How to communicate with the app on the emulator?
  • Problem with anti-tampered apps
XAP Spy
• Automates the process of prologue injection, signing, deployment and logging
• Uses the Mono.Cecil library for code injection
• MS Smart Device API for app deployment
• Communication with the remote app:
  • HTTP server and clients: the approach used by code profiling tools like EQATEC and RuntimeIntelligence; resource expensive, access violations for multi-threaded apps
  • Enabling the emulator console (by a registry trick) and pointing output there: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\XDE\EnableConsole
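The prologue injection described on the two slides above, as an added example written for this page (it is not XAP Spy’s own code). It assumes Mono.Cecil 0.10 or later (ImportReference), a desktop .NET target assembly processed by an injector running on the same framework, and System.Console as the log sink; the re-signing step the slides mention is not performed here.

```csharp
using System;
using System.Linq;
using Mono.Cecil;
using Mono.Cecil.Cil;

static class PrologueInjector
{
    // Rewrites inputPath into outputPath and returns the number of methods patched.
    public static int Inject(string inputPath, string outputPath)
    {
        int patched = 0;
        using (var asm = AssemblyDefinition.ReadAssembly(inputPath))
        {
            var module = asm.MainModule;
            // Log sinks (assumption): Console.WriteLine(string) and (string, object).
            var logName = module.ImportReference(
                typeof(Console).GetMethod("WriteLine", new[] { typeof(string) }));
            var logArg = module.ImportReference(
                typeof(Console).GetMethod("WriteLine", new[] { typeof(string), typeof(object) }));
            // Generic types/methods are skipped: boxing a generic parameter needs extra care.
            foreach (var type in module.GetTypes().Where(t => !t.HasGenericParameters))
            foreach (var method in type.Methods.Where(m => m.HasBody && !m.HasGenericParameters))
            {
                var il = method.Body.GetILProcessor();
                var first = method.Body.Instructions[0];   // original entry instruction
                string name = type.FullName + "::" + method.Name;
                // Prologue part 1: record that the method was entered.
                il.InsertBefore(first, il.Create(OpCodes.Ldstr, "enter " + name));
                il.InsertBefore(first, il.Create(OpCodes.Call, logName));
                // Prologue part 2: dump each by-value parameter. Value types are
                // boxed so they can be passed as System.Object; byref and pointer
                // parameters are skipped because their address cannot be boxed.
                foreach (var p in method.Parameters)
                {
                    if (p.ParameterType.IsByRef || p.ParameterType.IsPointer) continue;
                    il.InsertBefore(first, il.Create(OpCodes.Ldstr, name + " " + p.Name + "={0}"));
                    il.InsertBefore(first, il.Create(OpCodes.Ldarg, p));   // Cecil handles the 'this' offset
                    if (p.ParameterType.IsValueType)
                        il.InsertBefore(first, il.Create(OpCodes.Box, p.ParameterType));
                    il.InsertBefore(first, il.Create(OpCodes.Call, logArg));
                }
                patched++;
            }
            // The output is unsigned: as the slides note, it must be re-signed before deployment.
            asm.Write(outputPath);
        }
        return patched;
    }
}
```

Because the new instructions are inserted before the original first instruction, existing branch targets and exception handler ranges still point at the original entry, so the prologue runs exactly once per call.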
Limitations
• No GAC assemblies trace
• No code breakpoints and manual trace
• No runtime code/variable modification
• Anti-tampered apps need to be “cracked” before analysis
How to Improve it?
• Communicating directly with the “debugger agent” on the emulator:
  • VS deploys the edm3.exe file to the emulator: native x86 code, signed by MS
  • “Attach to process” code was found inside this file
  • This file seems to be a “RemoteAgent” module (Windows Mobile 5, 6)
  • From MSDN: “The device agent has full programmatic access to gather information and manipulate the device because it runs on the device.”
• Using a phone (Transport Layer=tcp) and analysing packets: easier than reversing the emulator’s DMA transport