In this post and series we will dive into the process and methods used to test the security of Windows Phone 8 (WP8) app. Let’s say you are tasked with performing a security assessment, ethical hack, vulnerability assessment, or a penetration test of a WP8 app, where do you begin? This is where!

WP8 Platform

Before testing any app, one must first understand how the underlying platform works. Microsoft rebranded Windows Mobile to Windows Phone for version 7. The latest version is Windows Phone 8 (WP8). WP8 runs ARM hardware architecture, similar to iOS, Android, and Blackberry. WP8 migrated to the Windows NT kernel instead of Windows CE which WP7 used. WP8 also uses the Windows Phone Runtime application architecture, not identical to WinRT, to allow developers convergence between Windows 8 and WP8. Applications for WP8 may be coded in .NET (C# or VB.NET) and C++ but not JavaScript.

Security in WP8 Platform

WP8 being Windows NT kernel based allows for multiple benefits from a end user security perspective. These security controls do not help a tester but do help make the device more secure and attractive to enterprise users and decision makers.

• 128-bit BitLocker for full disk encryption
• NTFS file system
• Sandboxed apps – no access to other apps
• SafeBoot: Secure boot with Unified Extensible Firmware Interface (EUFI)
  • This makes it difficult for software without correct  digital signature to be loaded on your Windows Phone. Something jailbreakers will need to bypass. More on the jailbreaking later.
  • TPM 2.0 standard, requires unique keys to be burned into the chip during production
• All Windows Phone 8 binaries must have legit digital signatures from Microsoft to run

No Jailbreak for WP8 Yet

WP8 is a closed operating system and therefore does not allow access to memory, inspecting the local file system and storage, or transferring certain files to and from the device. Traditionally, a jailbreak is required to obtain this type of access to the platform. Unfortunately there is no jailbreak for WP8 which limits us substantially at the moment. However, there are ways we can test the app without a jailbreak as you will see in this series. To see and manipulate the app’s local storage we must obtain the XAP file from the developers. This should be a requirement in your contract to successfully and thoroughly test a WP8 app. Even if you do not have the XAP file, you will be able to perform some testing so don’t let that stop you.

What would a jailbreak for WP8 look like? Well it would need to do the following:

• Exploit a vulnerability
• Escalate privilege to run code as SYSTEM
• Bypass SecureBoot
• Disable application code signing
• Create a trusted app store certificate

Resources

• Microsoft Windows Phone 8 Security Overview
• XDA Developers
• OWASP Mobile

Conclusion

In the first part of WP8 application security we learned about the WP8 platform and the security controls that Microsoft has implemented. We learned there is no jailbreak currently available and will have to be creative in ways to test the applications.

I hope no one is still running Internet Explorer 6; if you are Microsoft has a countdown and awareness campaign to get you and your grandmother to upgrade. For those that are fairly up to date, be informed you are not because Microsoft released Internet Explorer 9 today. If you are feeling risky and are running Windows Vista or Windows 7 you can download Internet Explorer 9 from Microsoft’s official download site (not the millions of Google results for it’s download location). There are issues with certain sites so ensure you test this before deploying in production:

Microsoft also set up a domain dedicated to the new browser: www.beautyoftheweb.com. Unfortunately, that site isn’t hosted under the microsoft.com domain, nor does it have an SSL certificate to confirm that it belongs to Microsoft. Using this site to distribute the browser goes against the advice of downloading software only from known vendor websites. Copycat malicious sites claiming to distribute IE 9 will probably appear shortly, if they aren’t around yet.

Internet Explorer 9 includes a number of security improvements that make the upgrade worth your consideration. These include application reputation capabilities that are part of the SmartScreen feature thathelps protect the user against socially-engineered malware. The browser also supports the notion of Pinned Sites, which implements “secure launch” capabilities to safeguard users’ sessions with important websites. Internet Explorer 9 also improves its resistance to exploits by embracing support for DEP/NX, ASLR and SafeSEH memory protection capabilities. The new browser also improves the messages its users see when they download files and programs; the messages are designed to make it easier for the users to assess the risk of opening such files.

Till next time,

Jorge Orchilles