Dynamic Analysis of Windows Phone 7 apps Behrang Fouladi, SensePost.

1 Dynamic Analysis of Windows Phone 7 apps Behrang Fouladi, SensePost

2 Security Model
Processes run in 4 Isolated Chambers:
– Trusted Computing Base (TCB): Kernel land drivers
– Elevated Rights Chamber (ERC): User land services
– Standard Rights Chamber (SRC): IE, MS Office
– Least Privileged Chamber (LPC): Marketplace apps
LPC permissions are Capability driven: GPS, camera, microphone, SMS or sensor
Applications must be code-signed by MS after functional and content review

3 Security Model
Managed-code-only policy in Marketplace and development tools:
– Not 100% true: vendors like Samsung and Adobe used the undocumented COMBridge class to execute native code
– The native code will still run in the managed code security context
Different versions of SDK released for OEM vendors and normal programmers: native module and driver development support are included in the OEM version (Platform Builder)

4 Windows Phone 7 SDK
Installed as a VS 2010 component
The Express version allows app (Silverlight) and Game development (XNA framework)
No native module development features
Uses MS Smart Device API to connect, deploy apps and exchange data with device/emulator
VS Debugger UI has no Attach to Process option: no third-party app debugging

5 Dynamic Analysis
Network traffic can be monitored effectively using the Fiddler proxy tool
– Good news: WP7 apps can only communicate over HTTP(s)
Inspecting IsolatedStorage:
– RemoteIsolatedStore class in Smart Device API is not implemented yet
– But a storage explorer based on System.IO.IsolatedStorage can be injected into the target app

6 Dynamic Analysis
Monitoring SMS, MMS, camera and sensor access:
– Checking Capabilities element inside WMAppManifest.xml file:
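Added example (not part of the original slides or of XAP Spy): a Python version of the capability check named on this slide. It reads WMAppManifest.xml out of a XAP package (a ZIP archive) and lists the declared Capability names; the SENSITIVE selection, the function names and the sample manifest are assumptions constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Capability IDs this example flags for review (the selection is an assumption).
SENSITIVE = {"ID_CAP_LOCATION", "ID_CAP_ISV_CAMERA", "ID_CAP_MICROPHONE",
             "ID_CAP_SENSORS", "ID_CAP_CONTACTS", "ID_CAP_IDENTITY_DEVICE"}

def declared_capabilities(xap_bytes):
    """Capability names from WMAppManifest.xml; None if no Capabilities element."""
    with zipfile.ZipFile(io.BytesIO(xap_bytes)) as xap:
        name = next((n for n in xap.namelist()
                     if n.lower().endswith("wmappmanifest.xml")), None)
        if name is None:
            raise ValueError("no WMAppManifest.xml in package")
        data = xap.read(name)
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:  # package is untrusted input
        raise ValueError("DTD/entity declarations not allowed in manifest")
    caps = None
    for el in ET.fromstring(data).iter():   # elements in document order
        tag = el.tag.rsplit("}", 1)[-1]     # strip the XML namespace
        if tag == "Capabilities" and caps is None:
            caps = []
        elif tag == "Capability" and caps is not None and el.get("Name"):
            caps.append(el.get("Name"))
    return caps

def audit(xap_bytes):
    caps = declared_capabilities(xap_bytes)
    declared = sorted(set(caps or []))
    return {"has_capabilities_element": caps is not None,
            "declared": declared,
            "sensitive": [c for c in declared if c in SENSITIVE]}

def build_sample_xap():
    """Constructed sample package; not taken from a real app."""
    manifest = b"""<?xml version="1.0" encoding="utf-8"?>
<Deployment xmlns="http://schemas.microsoft.com/windowsphone/2009/deployment" AppPlatformVersion="7.0">
  <App ProductID="{00000000-0000-0000-0000-000000000000}" Title="SampleApp">
    <Capabilities>
      <Capability Name="ID_CAP_NETWORKING" />
      <Capability Name="ID_CAP_LOCATION" />
    </Capabilities>
  </App>
</Deployment>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("WMAppManifest.xml", manifest)
    return buf.getvalue()
```

The byte check for DTDs is a simple guard for UTF-8 manifests; a hardened parser such as defusedxml is the sturdier choice when triaging many untrusted packages.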

7 Dynamic Analysis
Monitoring code execution flow:
– VS debugger can't attach to emulator/device processes
– No CLR Profiler in .NET Compact Framework
– Idea: inject a prologue into target app methods and dump variable contents at runtime:
Assembly files need to be re-signed after patching
How to communicate with the app on the emulator?
Problem with anti-tampered apps

8 XAP Spy
Automates the process of prologue injection, signing, deployment and logging
Uses Mono.Cecil library for code injection
MS Smart Device API for app deployment
Communication with remote app:
– HTTP server and clients: the approach used by code profiling tools like EQATEC and RuntimeIntelligence; resource expensive, access violation for multi-thread apps
– Enabling emulator console (by registry trick) and pointing output there: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\XDE\EnableConsole

9 XAP Spy

10 Demo

11 Limitations
No GAC assemblies trace
No code breakpoints and manual trace
No runtime code/variable modification
Anti-tampered apps need to be cracked before analysis

12 How to Improve it?
Communicating directly with the debugger agent on the emulator:
– VS deploys edm3.exe file to the emulator: native x86 code, signed by MS
– "Attach to process" code was found inside this file
– This file seems to be a RemoteAgent module (Windows Mobile 5, 6)
– From MSDN: "The device agent has full programmatic access to gather information and manipulate the device because it runs on the device."
– Using a phone (Transport Layer=tcp) and analysing packets: easier than reversing the emulator's DMA transport

13 Thank you!
