Presentation is loading. Please wait.

Presentation is loading. Please wait.

Dynamic Analysis of Windows Phone 7 apps Behrang Fouladi, SensePost.

Published byDeclan Soulsby Modified over 10 years ago

Similar presentations

Presentation on theme: "Dynamic Analysis of Windows Phone 7 apps Behrang Fouladi, SensePost."— Presentation transcript:

1 Dynamic Analysis of Windows Phone 7 apps Behrang Fouladi, SensePost

2 Security Model Processes run in 4 Isolated Chambers: – Trusted Computing Base (TCB) : Kernel land drivers – Elevated Rights Chamber (ERC): User land services – Standard Rights Chamber (SRC): IE, MS Office – Least Privileged Chamber (LPC): Marketplace apps LPC permissions are Capability driven: GPS, camera, microphone, SMS or sensor Applications must be code-signed by MS after functional and content review

3 Security Model Managed code Only policy in Market Place and Development tools: – Not 100% true: Vendors like Samsung and Adobe used Undocumented COMBridge Class to execute native code – The native code will still run in managed code security context Different versions of SDK released for OEM vendors and normal programmers: Native module and driver development support are included in OEM version (Platform Builder)

4 Windows Phone 7 SDK Installed as a VS 2010 component The Express version allows app (Silverlight) and Game development (XNA framework) No native module development features Uses MS Smart Device API to connect, deploy apps and exchange data with device/emulator VS Debugger UI has no Attach to Process option: no third-party app debugging

5 Dynamic Analysis Network traffic can be monitored effectively using Fiddler proxy tool – Good news: WP7 Apps can only communicate HTTP(s) Inspecting IsolatedStorage: – RemoteIsolatedStore class in Smart Device API is not implemented yet: – But, Storage explorer based on System.IO.IsolatedStorage can be injected into target app

6 Dynamic Analysis Monitoring SMS,MMS, camera and Sensor access: – Checking Capabilities element inside WMAppManifest.xml file:

7 Dynamic Analysis Monitoring code execution flow: – VS debugger cant attach to Emulator/device processes – No CLR Profiler in.NET compact framework – Idea: Inject prologue to target app methods and dump variables content at runtime: Assembly files need to be re-signed after patching How to communicate with the app on emulator? Problem with anti-tampered apps

8 XAP Spy Automates the process of prologue injection, signing, deployment and logging Uses Mono.Cecil library for code injection MS Smart Device API for app deployment Communication with remote app: – HTTP server and clients : approach that used by code profiling tools like EQATEC and RuntimeIntelligence: resource expensive, access violation for multi-thread apps – Enabling emulator console (by registry trick) and pointing output there: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\XDE\EnableConsole

9 XAP Spy

10 Demo

11 Iimitations No GAC assemblies trace No code breakpoints and manual trace No runtime code/variable modification Anti-tampered apps need to be cracked before analysis

12 How to Improve it? Communicating directly with debugger agent on the emulator: – VS deploys edm3.exe file to the emulator: native x86 code, signed by MS – attach to process code was found inside this file – This file seems to be a RemoteAgent module (Windows Mobile 5, 6) – From MSDN: The device agent has full programmatic access to gather information and manipulate the device because it runs on the device. – Using a phone (Transport Layer=tcp) and analysis packets: Easier than reversing emulators DMA transport

13 Thank you!

Download ppt "Dynamic Analysis of Windows Phone 7 apps Behrang Fouladi, SensePost."

Similar presentations

This course is designed for system managers/administrators to better understand the SAAZ Desktop and Server Management components Students will learn.

This course is designed for system managers/administrators to better understand the SAAZ Desktop and Server Management components Students will learn.
Using.NET Platform Note: Most of the material of these slides have been taken & extended from Nakov’s excellent overview for.NET framework, MSDN and wikipedia.

Using.NET Platform Note: Most of the material of these slides have been taken & extended from Nakov’s excellent overview for.NET framework, MSDN and wikipedia.
APP-V 5.0 SP2 (MDOP 2013 R2) Presenter - Fred

APP-V 5.0 SP2 (MDOP 2013 R2) Presenter - Fred
Building and Deploying Safe and Secure Android Apps for Enterprise Presented by Technology Consulting Group at Endeavour Software Technologies.

Building and Deploying Safe and Secure Android Apps for Enterprise Presented by Technology Consulting Group at Endeavour Software Technologies.
Exploring Microsoft's Attempt to Revolutionize the Web Ben Stroud CS525 Spring 10.

Exploring Microsoft's Attempt to Revolutionize the Web Ben Stroud CS525 Spring 10.
Exploring Microsoft's Attempt to Revolutionize the Web Ben Stroud CS525 Spring 10.

Exploring Microsoft's Attempt to Revolutionize the Web Ben Stroud CS525 Spring 10.
Script Kiddies; CybercrimeCyber-espionage; Cyber-warfare CybercriminalsState sponsored actions; Unlimited resources Attacks on fortune 500All sectors.

Script Kiddies; CybercrimeCyber-espionage; Cyber-warfare CybercriminalsState sponsored actions; Unlimited resources Attacks on fortune 500All sectors.
Google Android as a mobile development platform T-110.7111 Internet Technologies for Mobile Computing Olli Mäkinen.

Google Android as a mobile development platform T Internet Technologies for Mobile Computing Olli Mäkinen.
Creating and Running Your First C# Program Svetlin Nakov Telerik Corporation www.telerik.com.

Creating and Running Your First C# Program Svetlin Nakov Telerik Corporation
.NET, and Service Gateways Group members: Andre Tran, Priyanka Gangishetty, Irena Mao, Wileen Chiu.

.NET, and Service Gateways Group members: Andre Tran, Priyanka Gangishetty, Irena Mao, Wileen Chiu.
Securing Legacy Software SoBeNet User group meeting 25/06/2004.

Securing Legacy Software SoBeNet User group meeting 25/06/2004.
September 2008 IT-3100 11 Software Development Guide.

September 2008 IT Software Development Guide.
Programming mobile devices Part II Programming Symbian devices with Symbian C++

Programming mobile devices Part II Programming Symbian devices with Symbian C++
Creating and Running Your First C# Program Telerik Software Academy Telerik School Academy.

Creating and Running Your First C# Program Telerik Software Academy Telerik School Academy.
Windows.Net Programming Series Preview. Course Schedule - 2014 CourseDate Microsoft.Net Fundamentals 01/13/2014 Microsoft Windows/Web Fundamentals 01/20/2014.

Windows.Net Programming Series Preview. Course Schedule CourseDate Microsoft.Net Fundamentals 01/13/2014 Microsoft Windows/Web Fundamentals 01/20/2014.
Smart Client Applications for Developers Davin Mickelson, MCT, MCSD New Horizons of MN.

Smart Client Applications for Developers Davin Mickelson, MCT, MCSD New Horizons of MN.
Creating and Running Your First C# Program Svetlin Nakov Telerik Corporation www.telerik.com.

Creating and Running Your First C# Program Svetlin Nakov Telerik Corporation
Lesley Bross, August 29, 2010 ArcGIS 10 add-in glossary.

Lesley Bross, August 29, 2010 ArcGIS 10 add-in glossary.
Presented by: Kushal Mehta University of Central Florida Michael Spreitzenbarth, Felix Freiling Friedrich-Alexander- University Erlangen, Germany michael.spreitzenbart,

Presented by: Kushal Mehta University of Central Florida Michael Spreitzenbarth, Felix Freiling Friedrich-Alexander- University Erlangen, Germany michael.spreitzenbart,
Choon Oh Lee OSGi Service Platform. About OSGi Service Platform What it is, Where it is used, What features it provides are Today’s Content.

Choon Oh Lee OSGi Service Platform. About OSGi Service Platform What it is, Where it is used, What features it provides are Today’s Content.

Similar presentations

Ads by Google