The first three posts in this series were an introduction to WP8 platform, prerequisites for testing, and side loading the XAP file. At this point you should have the app installed on your device or emulator. If a XAP file was not provided, obtain the app from the Microsoft App Store as an end user would. We will follow the OWASP mobile security testing methodology moving forward. It is broken up in the following sections of which we will break up even more to get deeper into the platform specific steps for testing WP8 App Security:
- Information Gathering – describes the steps and things to consider when you are in the early stage reconnaissance and mapping phases of testing as well as determining the application’s magnitude of effort and scoping.
- Dynamic Analysis – executing an application either on the device itself or within a simulator/emulator and interacting with the remote services with which the application communicates. This includes assessing the application’s local inter process communication surface, forensic analysis of the local file system, and assessing remote service dependencies.
- Static Analysis – Analyzing raw mobile source code, decompile or disassembled code.
The first phase of any vulnerability assessment or penetration test is understanding what you are testing. This step will prepare you for the future tests we will cover in this series. Learning how the application works will reveal what it “should” do so you can identify when it does something it “should not”. This step also helps identify attack vectors you will try to exploit.
- Navigate through the application. This will expose you to the application as an end user would use it. Tap through all the different features, look at the settings, etc. This may be performed on the device or in the emulator as we covered in previous sections.
- Identify the network interfaces used. Does the application require internet connectivity? If so, does it work through Wi-Fi only, SIM only? Does the application use bluetooth, NFC, a VPN?
- Does the application take your input? Any sensitive information? Does it access any sensitive information?
- Does the application perform transactions? In-app purchases? Credit card or payment information?
- What other components does the application interact with? Contact list, calendar, camera, location?
- Do some reconnaissance. Has this app been talked about already? Search Google, app store reviews, etc.
It is a good idea to document all of this as you go, particularly any attack vectors you identify. For instance, you notice that sensitive information must be submitted and sent to a web server. It would be a good idea to write that down and test it during the dynamic analysis of network traffic to ensure the data is being transferred securely. Also, you will want to make sure the sensitive information is not being stored locally.
During the information gathering phase you may already have some vulnerabilities in mind. Here are a few to consider:
- No application pass code – does the app reveal sensitive information that requires authentication? Should it have it’s own pass code. This may be a consideration for apps storing company data while the devices are BYOD and don’t require a device pass code.
- Weak pass code – does the app enforce good password policies?
- Minimum of how many characters?
- Password rotation?
- Password lock out?
- Sensitive information stored on disk – does the app request sensitive information from the end user and then store it? We will look at local storage later in this series.
In this step we covered using the application for the first time to gather as much information as possible. Good notes were taken so they may be used in the different phases of testing.