In this post and series we will dive into the process and methods used to test the security of Windows Phone 8 (WP8) app. Let’s say you are tasked with performing a security assessment, ethical hack, vulnerability assessment, or a penetration test of a WP8 app, where do you begin? This is where!

WP8 Platform

Before testing any app, one must first understand how the underlying platform works. Microsoft rebranded Windows Mobile to Windows Phone for version 7. The latest version is Windows Phone 8 (WP8). WP8 runs ARM hardware architecture, similar to iOS, Android, and Blackberry. WP8 migrated to the Windows NT kernel instead of Windows CE which WP7 used. WP8 also uses the Windows Phone Runtime application architecture, not identical to WinRT, to allow developers convergence between Windows 8 and WP8. Applications for WP8 may be coded in .NET (C# or VB.NET) and C++ but not JavaScript.

Security in WP8 Platform

WP8 being Windows NT kernel based allows for multiple benefits from a end user security perspective. These security controls do not help a tester but do help make the device more secure and attractive to enterprise users and decision makers.

  • 128-bit BitLocker for full disk encryption
  • NTFS file system
  • Sandboxed apps – no access to other apps
  • SafeBoot: Secure boot with Unified Extensible Firmware Interface (EUFI)
    • This makes it difficult for software without correct  digital signature to be loaded on your Windows Phone. Something jailbreakers will need to bypass. More on the jailbreaking later.
    • TPM 2.0 standard, requires unique keys to be burned into the chip during production
  • All Windows Phone 8 binaries must have legit digital signatures from Microsoft to run

No Jailbreak for WP8 Yet

WP8 is a closed operating system and therefore does not allow access to memory, inspecting the local file system and storage, or transferring certain files to and from the device. Traditionally, a jailbreak is required to obtain this type of access to the platform. Unfortunately there is no jailbreak for WP8 which limits us substantially at the moment. However, there are ways we can test the app without a jailbreak as you will see in this series. To see and manipulate the app’s local storage we must obtain the XAP file from the developers. This should be a requirement in your contract to successfully and thoroughly test a WP8 app. Even if you do not have the XAP file, you will be able to perform some testing so don’t let that stop you.

What would a jailbreak for WP8 look like? Well it would need to do the following:

  • Exploit a vulnerability
  • Escalate privilege to run code as SYSTEM
  • Bypass SecureBoot
  • Disable application code signing
  • Create a trusted app store certificate

Resources

Conclusion

In the first part of WP8 application security we learned about the WP8 platform and the security controls that Microsoft has implemented. We learned there is no jailbreak currently available and will have to be creative in ways to test the applications.

3 Comments

Comments are closed.