Windows Mobile Application Security Testing - Part 6

In this article we will learn how to analyse an application's local storage on the device, and how to do static analysis by reverse engineering the application binaries. If you have not yet rooted your device, please read my previous article, where I describe the process to root it.

Exploring application binaries, .NET assemblies, and other assets


On the device, an installed application has two main directories: the installation directory, which holds the application binaries, .NET assemblies and assets, and the app's local storage directory, where the app stores its local data.

Every installed app has its own installation directory. Browsing the phone over MTP from Explorer it appears at D:\Computer\Windows Phone\Phone\Data\PROGRAMS\{GUID}\Install\; on the device itself the same directory is C:\Data\Programs\{GUID}\Install\. The drive letter you see depends on how the phone is mounted; what identifies the app in either case is the {GUID}, which is the app's ProductID from its manifest.






Each app also has its own local storage directory, which is its filesystem sandbox: code running inside the app sees only this tree. The local storage directory for an app is located at D:\Computer\Windows Phone\Phone\Data\Users\DefApps\APPDATA\{GUID} (C:\Data\Users\DefApps\APPDATA\{GUID} on the device).


Application manifest file


Let's start with the application's manifest file, which describes the application and its structure and so helps us understand the application before we read any code.

In Windows Phone 8 the manifest is named WMAppManifest.xml and lives in the XAP file; in Windows 8.x (APPX packages) it is named Package.appxmanifest.


The manifest supports many XML elements; the following are the interesting ones from a security point of view.
  • Capabilities (<Capabilities>) - the capabilities (permissions) the application requires. Each one is a resource the app can reach: location, microphone, contacts, network and so on.
  • File Type Association (<FileTypeAssociation>) - the file extensions associated with the application; opening such a file hands data from another app to this one.
  • Protocol (<Protocol>) - the URI schemes the app registers, so that any other app can launch it with parameters of its choosing.
  • Activatable Class (<ActivatableClass>) - classes used by the app that are external to it (APPX manifests).
  • Interface (<Interface>) - interfaces the app implements that are external to it (APPX manifests).

Check the capabilities declared by our target app:

<Capabilities>
<Capability Name="ID_CAP_IDENTITY_DEVICE" />
<Capability Name="ID_CAP_IDENTITY_USER" />
<Capability Name="ID_CAP_LOCATION" />
<Capability Name="ID_CAP_MICROPHONE" />
<Capability Name="ID_CAP_NETWORKING" />
<Capability Name="ID_CAP_PHONEDIALER" />
<Capability Name="ID_CAP_PUSH_NOTIFICATION" />
<Capability Name="ID_CAP_SENSORS" />
<Capability Name="ID_CAP_WEBBROWSERCOMPONENT" />
<Capability Name="ID_CAP_ISV_CAMERA" />
<Capability Name="ID_CAP_CONTACTS" />
<Capability Name="ID_CAP_APPOINTMENTS" />
<Capability Name="ID_CAP_MEDIALIB_AUDIO" />
<Capability Name="ID_CAP_MEDIALIB_PHOTO" />
<Capability Name="ID_CAP_MEDIALIB_PLAYBACK" /> 
</Capabilities>



So the application declares the Location, Microphone, Networking, Phone dialer, Contacts, Appointments, Camera and Media library (photo) capabilities. Every one of these gives the app access to user data or a device resource, so whatever it collects through them is what we should expect to find, and check the handling of, in its local storage.
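Here is an added example (my own, not part of the original post or of the target application's code): a small C# console helper that does the manifest review above mechanically. It pulls the ProductID (the {GUID} that names the Install and APPDATA directories and that ISETool needs later in this series), separates the privacy-sensitive capabilities from the rest, and lists the Protocol URI schemes and FileTypeAssociation file types through which other apps can launch this one with data. The manifest it parses is constructed for the example (the ProductID is made up), and which capabilities count as sensitive is this example's own choice, taken from the capability names shown above.

```csharp
// Added example (not from the original post or the analysed app): triage of a
// WP8 WMAppManifest.xml. The sample manifest below is constructed; the names
// ManifestTriage, Report and Analyze are this example's own.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Xml.Linq;

public static class ManifestTriage
{
    // Capabilities that touch user data or device resources (this example's choice).
    static readonly HashSet<string> Sensitive = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
    {
        "ID_CAP_IDENTITY_DEVICE", "ID_CAP_IDENTITY_USER", "ID_CAP_LOCATION",
        "ID_CAP_MICROPHONE", "ID_CAP_PHONEDIALER", "ID_CAP_CONTACTS",
        "ID_CAP_APPOINTMENTS", "ID_CAP_ISV_CAMERA", "ID_CAP_MEDIALIB_PHOTO",
        "ID_CAP_WEBBROWSERCOMPONENT"
    };

    public class Report
    {
        public string ProductId;                 // the {GUID} used for Install\ and APPDATA\ paths
        public string Title;
        public List<string> SensitiveCapabilities = new List<string>();
        public List<string> OtherCapabilities = new List<string>();
        public List<string> UriSchemes = new List<string>();   // <Protocol Name="...">
        public List<string> FileTypes = new List<string>();    // <FileType>.ext</FileType>
    }

    // Match on LocalName: the <Deployment> root carries the WP namespace while
    // <App xmlns=""> and its children do not; this handles both without fuss.
    static IEnumerable<XElement> Named(XContainer doc, string local)
    {
        return doc.Descendants().Where(e => e.Name.LocalName == local);
    }

    public static Report Analyze(string manifestXml)
    {
        XDocument doc = XDocument.Parse(manifestXml);
        XElement app = Named(doc, "App").FirstOrDefault();
        var r = new Report
        {
            ProductId = app == null ? null : (string)app.Attribute("ProductID"),
            Title = app == null ? null : (string)app.Attribute("Title")
        };
        foreach (XElement cap in Named(doc, "Capability"))
        {
            string name = (string)cap.Attribute("Name") ?? "";
            (Sensitive.Contains(name) ? r.SensitiveCapabilities : r.OtherCapabilities).Add(name);
        }
        foreach (XElement p in Named(doc, "Protocol"))
            r.UriSchemes.Add((string)p.Attribute("Name"));
        foreach (XElement ft in Named(doc, "FileType"))
            r.FileTypes.Add(ft.Value.Trim());
        return r;
    }

    public static void Main()
    {
        // Constructed manifest for the example; not taken from any real app.
        const string sample = @"<Deployment xmlns=""http://schemas.microsoft.com/windowsphone/2012/deployment"" AppPlatformVersion=""8.0"">
  <App xmlns="""" ProductID=""{11111111-2222-3333-4444-555555555555}"" Title=""SampleBankApp"" Version=""1.0.0.0"">
    <Capabilities>
      <Capability Name=""ID_CAP_NETWORKING"" />
      <Capability Name=""ID_CAP_LOCATION"" />
      <Capability Name=""ID_CAP_CONTACTS"" />
      <Capability Name=""ID_CAP_WEBBROWSERCOMPONENT"" />
    </Capabilities>
    <Extensions>
      <Protocol Name=""samplebank"" NavUriFragment=""encodedLaunchUri=%s"" TaskID=""_default"" />
      <FileTypeAssociation Name=""Statements"" TaskID=""_default"" NavUriFragment=""fileToken=%s"">
        <SupportedFileTypes>
          <FileType ContentType=""application/octet-stream"">.stm</FileType>
        </SupportedFileTypes>
      </FileTypeAssociation>
    </Extensions>
  </App>
</Deployment>";
        Report r = Analyze(sample);
        Console.WriteLine("ProductID: " + r.ProductId + "  Title: " + r.Title);
        Console.WriteLine("Sensitive capabilities: " + string.Join(", ", r.SensitiveCapabilities));
        Console.WriteLine("Other capabilities:     " + string.Join(", ", r.OtherCapabilities));
        Console.WriteLine("URI schemes (launchable by other apps): " + string.Join(", ", r.UriSchemes));
        Console.WriteLine("File types handled: " + string.Join(", ", r.FileTypes));
    }
}
```

Point it at the WMAppManifest.xml extracted from a developer-signed XAP (rename .xap to .zip, as described in Part 4) and use the reported ProductID to locate the app's Install and APPDATA directories on the device. Every URI scheme and file type it lists is an entry point worth fuzzing during dynamic testing, because any other app on the phone can trigger it.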

Analysing local storage

An application needs local storage to save or cache files and folders for later use. Let's analyse the application's local storage on the device.

Application data: C:\Data\Users\DefApps\APPDATA\{GUID}\...

Install directory: C:\Data\Programs\{GUID}\Install\...

Here are the interesting folders to look at inside the application data directory.

Framework Temp - temporary data written by the framework.

INetCache - cached files from the app's WebBrowser (web view) control.

INetCookies - cookies set by pages loaded in the web view; a session cookie stored here is as good as a credential.

INetHistory - history of the pages loaded in the web view.

Local - the folder where most applications store their sensitive data. This is the application's isolated storage: IsolatedStorageSettings (the __ApplicationSettings file) and IsolatedStorageFile data end up here.

LocalLow - the folder for low-integrity code. Code running at low integrity can only write to a small number of locations on disk, and this folder (FOLDERID_LocalAppDataLow) is one of them.

PlatformData - a directory the system creates at the top level of the app's isolated storage.


Let's move into the Local folder:


D:\Data\Users\DefApps\APPDATA\{513D7B13-D7A9-4B59-ACB0-B4629E4A7EEE}\Local




Above we have the list of everything in local storage. __ApplicationSettings and userdata look like they hold sensitive data. Let's open the __ApplicationSettings file first.


Wooo!! The application's login username and password are stored in plain text in __ApplicationSettings.





Now let's check the userdata database file, where all the application data is stored.

userdata.sdf is a SQL Server Compact database, so to open it we need an .sdf viewer such as CompactView.

You can download CompactView_1.4.12.0 and install it on your system.


Okay, so here we have the database where all the data is stored. But the data has been encoded into some numeric form. To find out how these values were produced we have to reverse engineer the application and read the encoding routine in its code.

Reverse Engineering on the Application


To analyse the application binaries we first have to extract them, together with the .NET assemblies, from the install directory on the device, C:\Data\Programs\{GUID}\Install\ (over mass storage it shows up as the following path):

D:\Data\PROGRAMS\{513D7B13-D7A9-4B59-ACB0-B4629E4A7EEE}\Install



Okay, after extracting all the binaries from the device we are going to disassemble/decompile them and review the result manually; reverse engineering here turns into a source code review.

Most of the .dll files appear to belong to GoogleAds and GoogleAnalytics, but we are after the application's own assembly, and PhoneApp5.dll looks like the application .dll. Let's decompile it with ILSpy, which decompiles .NET assemblies back to C#.

Load PhoneApp5.dll into ILSpy and decompile the assembly.




As the picture above shows, every class has been decompiled and we can read it as C# code. Now let's review the code and figure out the security issues.

We can start with the .NET libraries, namespaces and classes the app uses. Let's begin with the first class, AboutUs, which by its name holds information about the application.



Looking at the code, the developer has embedded his name and his e-mail address, which is useful reconnaissance for later attacks against the developer or his accounts. Very often you can extract such developer information from an application. Let's move on to the other classes.

At the top of each class, review the .NET namespaces it imports; they tell you which APIs the class touches and therefore where to look for security issues.

At the top of the action class you can see the following list of namespaces.


using GoogleAds;
using GoogleAnalytics;
using Microsoft.Phone.Controls;
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.IO.IsolatedStorage; // <-- this class reads and writes the app's isolated storage
using System.Windows;
using System.Windows.Controls;
using System.Windows.Input;

The action class imports System.IO.IsolatedStorage, which means it uses isolated storage to store data.




Looking at the code snippet, the username and password are written to IsolatedStorageSettings.ApplicationSettings without any encryption, which is exactly what we found in the __ApplicationSettings file during the local storage analysis.

Let's move to the other classes to look for the local storage database.



using GoogleAnalytics;
using Microsoft.Phone.Controls;
using PhoneApp5.MyClasses;
using System;
using System.Diagnostics;
using System.Linq; // <-- LINQ queries: look for a DataContext and a local database
using System.Windows;
using System.Windows.Controls;
using System.Windows.Navigation;

This class imports System.Linq, the namespace that provides the classes and interfaces for Language-Integrated Query (LINQ); together with PhoneApp5.MyClasses this hints at a data context being queried.



In this picture, if you look closely, UserDataContext is the public class where the DB connection is established and the userdata.sdf database file, in which all the data is stored, is created.

Next, all the bank data is stored and updated through the UserDataContext class. Look closely at the code: before storing a value in the database it passes it through a function called Scramble.

In our local storage analysis we found the userdata.sdf database file and viewed its contents with CompactView, but the data was encoded into numeric values rather than plain text. So the application uses its Scramble function to obfuscate the values with some programming trick before storing them.

Let's look closely and figure out how the data can be decoded.



Okay, we found the UnScramble function, which decodes the stored values whenever the application displays them to the user. Since it needs nothing but the stored value, we can lift it into our own small program and decode all the user data from the database.

For this particular application we already had the username and password in plain text from the __ApplicationSettings file, which is enough to unlock the application and view all the user's data. But I wanted to show you the approach of source code review through reverse engineering the application.

Secure ways of storing data in Windows Phone


If you are a developer who saves data in the device's local storage, be aware that saving confidential data in a phone's isolated storage is not secure: the isolation is enforced by the app sandbox, and we have just read an app's data from a rooted device. Encrypting all the data but saving the decryption key on the device does not add much security either; it only becomes a question of how well the key is hidden, and a decompiler answers that quickly.

Microsoft provides DPAPI (Data Protection API) to encrypt and decrypt data in isolated storage. DPAPI generates and stores a cryptographic key from the user and device credentials and uses it to encrypt and decrypt data. You access DPAPI through the ProtectedData class and its Protect and Unprotect methods: Protect encrypts the data and Unprotect decrypts it. On a Windows Phone device every app gets its own key, created the first time the app runs; calls to Protect and Unprotect use that key implicitly and keep the data private to the app.

Protect and Unprotect take an optional parameter called optionalEntropy, and if you use DPAPI you should always pass one. Whatever key DPAPI uses, it is held by the device and applied implicitly: if an attacker on the device, or another app, obtains a DPAPI-protected blob and the target app did not use optionalEntropy, the data can be recovered simply by calling ProtectedData.Unprotect() on it. Hard-coding the optionalEntropy value or storing it on the device does not help, because an attacker with full access to the device (as in this series) recovers it and decrypts everything. Base the entropy instead on a secret passphrase known only to the app's user, derived with PBKDF2 (Rfc2898DeriveBytes in .NET), so that nothing needed for decryption is stored on the device.

Windows Phone local database encryption


If you want to encrypt your database you can simply use the Password property in your database’s connection string:

// Create the data context.
MyDataContext db = new MyDataContext("Data Source='isostore:/mydb.sdf';Password='securepassword';");

// Create an encrypted database after confirming that it does not exist.
if (!db.DatabaseExists()) db.CreateDatabase();

But hard-coding the key or credential in the connection string is not a good idea either. As we have just seen, the application can be decompiled through reverse engineering and the secret read straight out of the code; derive the password from something the user supplies instead.

Alternatively, use a SQLite-based database with the SQLite Encryption Extension (SEE) or SQLCipher; the same rule about where the key comes from applies to them.
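The following is an added example, not code from the original post or from the PhoneApp5 application analysed above. It puts the advice of this section and the DPAPI section together in one class for the Windows Phone 8 (Silverlight) runtime, where ProtectedData.Protect/Unprotect take exactly the two parameters discussed above, and it shows, for contrast, the plaintext IsolatedStorageSettings pattern we found in __ApplicationSettings earlier in this article. The class name CredentialVault, its method names, the file names and the 10,000 PBKDF2 iterations are this example's own choices; the SQL Server Compact password is derived at runtime from the same user passphrase instead of being hard-coded.

```csharp
// Added example (not from the original post or the decompiled app). Targets the
// Windows Phone 8 Silverlight runtime: ProtectedData has the two-argument
// Protect/Unprotect there and Rfc2898DeriveBytes provides PBKDF2.
// CredentialVault, its members, file names and iteration count are assumptions.
using System;
using System.IO;
using System.IO.IsolatedStorage;
using System.Security.Cryptography;
using System.Text;

public static class CredentialVault
{
    const int SaltBytes = 16;
    const int Iterations = 10000;     // assumption: tune to the device's CPU
    const int EntropyBytes = 32;      // first slice of the PBKDF2 output: DPAPI optionalEntropy
    const int DbKeyBytes = 24;        // second slice: SQL CE password (32 Base64 chars, under its 40-char limit)
    const string SaltFile = "vault.salt";
    const string SecretFile = "credentials.bin";

    // The pattern found in __ApplicationSettings above: the plaintext secret is
    // serialised into the Local folder, readable by anyone who can browse it.
    public static void StoreInsecurely(string user, string password)
    {
        IsolatedStorageSettings s = IsolatedStorageSettings.ApplicationSettings;
        s["username"] = user;
        s["password"] = password;
        s.Save();
    }

    // The salt is not secret; it only has to be random and stable per install.
    static byte[] GetOrCreateSalt(IsolatedStorageFile store)
    {
        byte[] salt = new byte[SaltBytes];
        if (store.FileExists(SaltFile))
        {
            using (IsolatedStorageFileStream f = store.OpenFile(SaltFile, FileMode.Open))
                if (f.Read(salt, 0, salt.Length) == SaltBytes) return salt;
        }
        new RNGCryptoServiceProvider().GetBytes(salt);
        using (IsolatedStorageFileStream f = store.OpenFile(SaltFile, FileMode.Create))
            f.Write(salt, 0, salt.Length);
        return salt;
    }

    // PBKDF2 over the user's passphrase. The output never touches the disk, so an
    // attacker holding the Local folder (or root on the device) has no entropy to
    // hand to ProtectedData.Unprotect and no password for the .sdf file.
    static byte[] DeriveKeyMaterial(IsolatedStorageFile store, string passphrase)
    {
        byte[] salt = GetOrCreateSalt(store);
        return new Rfc2898DeriveBytes(passphrase, salt, Iterations).GetBytes(EntropyBytes + DbKeyBytes);
    }

    static byte[] Slice(byte[] src, int offset, int count)
    {
        byte[] dst = new byte[count];
        Array.Copy(src, offset, dst, 0, count);
        return dst;
    }

    public static void Protect(string passphrase, string user, string password)
    {
        IsolatedStorageFile store = IsolatedStorageFile.GetUserStoreForApplication();
        byte[] entropy = Slice(DeriveKeyMaterial(store, passphrase), 0, EntropyBytes);
        byte[] plain = Encoding.UTF8.GetBytes(user + "\n" + password);
        byte[] cipher = ProtectedData.Protect(plain, entropy);   // device DPAPI key + user entropy
        Array.Clear(plain, 0, plain.Length);
        using (IsolatedStorageFileStream f = store.OpenFile(SecretFile, FileMode.Create))
            f.Write(cipher, 0, cipher.Length);
    }

    // Returns null when nothing is stored or the passphrase is wrong: DPAPI's
    // integrity check fails and Unprotect throws rather than returning garbage.
    public static string[] Unprotect(string passphrase)
    {
        IsolatedStorageFile store = IsolatedStorageFile.GetUserStoreForApplication();
        if (!store.FileExists(SecretFile)) return null;
        byte[] cipher;
        using (IsolatedStorageFileStream f = store.OpenFile(SecretFile, FileMode.Open))
        {
            cipher = new byte[f.Length];
            f.Read(cipher, 0, cipher.Length);
        }
        byte[] entropy = Slice(DeriveKeyMaterial(store, passphrase), 0, EntropyBytes);
        try
        {
            byte[] plain = ProtectedData.Unprotect(cipher, entropy);
            return Encoding.UTF8.GetString(plain, 0, plain.Length).Split('\n');
        }
        catch (CryptographicException) { return null; }
    }

    // Same passphrase, different slice of the PBKDF2 output: the SQL Server Compact
    // password is computed at runtime, so there is no secret in the assembly to decompile.
    public static string BuildConnectionString(string passphrase, string dbFile)
    {
        IsolatedStorageFile store = IsolatedStorageFile.GetUserStoreForApplication();
        byte[] dbKey = Slice(DeriveKeyMaterial(store, passphrase), EntropyBytes, DbKeyBytes);
        string pwd = Convert.ToBase64String(dbKey);               // Base64 has no quotes or ';'
        return "Data Source='isostore:/" + dbFile + "';Password='" + pwd + "';";
    }
}
```

Call Protect when the user first enters the credentials, ask for the passphrase again at login and hand it to Unprotect, and open the data context with BuildConnectionString(passphrase, "userdata.sdf") instead of a literal password. The trade-off is deliberate: the user has to type the passphrase (the application's existing unlock password is a natural candidate, as long as it is never written to storage), and a forgotten passphrase means the data is gone, which is exactly what keeps the tester with root access from reading it.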

Conclusion:


In this article we analysed the device's internal local storage and the application's database, and learned a more secure way to store data on the device. We also learned how to perform a source code review by reverse engineering the application.

If you want to learn more about Windows Mobile application security I recommend reading
"The Mobile Application Hacker's Handbook".


Windows Mobile Application Security Testing - Part 5
In this article we are going to learn how to root a WP8 Nokia Lumia device and inspect its internal storage. I am using a Nokia Lumia 720 for the demo; however the Lumia 520, 521, 525, 620, 625, 820, 920, 925, 928, 1020 and 1320 are also supported.

XDA developer Heathcliff74 has given us the powerful tool Windows Phone Internals, which unlocks the bootloader of the supported Lumia Windows Phone models; once the bootloader is unlocked you can enable root access on the phone or create and flash custom ROMs.

Supported OS versions


Root access can be enabled on the following OS versions. To enable root access, the bootloader must be unlocked first.
  • 8.10.12393.890
  • 8.10.12397.895
  • 8.10.14219.341
  • 8.10.14226.359
  • 8.10.14234.375
  • 8.10.15116.125
  • 8.10.15148.160
  • 10.0.10512.1000
  • 10.0.10536.1004
  • 10.0.10549.4
  • 10.0.10581.0
  • 10.0.10586.11
  • 10.0.10586.36


To root your device you have to follow the instructions carefully. Download Windows Phone Internals; the instructions are in the tool itself.



Fig. 1 Windows Phone Internals



I followed the instructions for my Lumia 720; they may differ for your device, so follow the instructions for your model.
Before rooting the device we need to unlock its bootloader.


Fig. 2. Windows Phone Internals Connecting


Now connect your device over USB and unlock its screen, then wait for it to be detected.
To unlock the bootloader the tool asks to switch the phone into flash mode. Click “Ok”.



Fig. 3 WP Internals Unlock Bootloader


Now we need an FFU image file, a fresh ROM image for your device. It is important to get exactly the right FFU file for your model. To get it, use the Windows Device Recovery Tool, which downloads the FFU file for your device. (You need to switch the device back to normal mode first: press and hold the Volume Down and Power buttons together until you feel a vibration, about 10-15 seconds; the phone restarts automatically.)




Fig. 4 Windows Device Recovery Tool


Now connect your device and open the Windows Device Recovery Tool; the device is detected after a few seconds.

If you get an error while downloading the ROM image for your device from the Windows Device Recovery Tool, I recommend restarting both your system and your device.

After the ROM image for your device has downloaded, the .ffu file is located under

C:\ProgramData\Microsoft\Packages\Products\RM-885 on your system (RM-885 is the model code of the Lumia 720; the folder is named after your device's model code).

Now switch back to Unlock Bootloader in Windows Phone Internals.

Select your .ffu file (the fresh ROM image), located at

C:\ProgramData\Microsoft\Packages\Products\RM-885



You should also select the folder containing the Lumia Emergency Flash Loaders; the tool will try to pick the loader suitable for your phone.

For the Lumia 720 select C:\ProgramData\Microsoft\Packages\Products\RM-885



It is very important to use an Engineering SBL3, and to be careful which sbl3 file you use: make sure the sbl3 file is meant for your device, otherwise your device will not work after flashing the wrong one.
You can download sbl3 files from the xda-developers site for the 520, 620, 625, 810, 820, 822, 920, 925 and 1020.
For my Lumia 720 I did not find an sbl3 file, but while researching on the internet I found that someone had posted that the Lumia 520 sbl3 file works for the Lumia 720. So please do this at your own risk.




Now click Continue.



Fig 5. Flashing Unlock bootloader



Your device reboots with its bootloader unlocked. Now go to “Enable Root Access” and click Unlock Phone. The device switches into flash mode and then into mass storage mode; on your system a drive named “MainOS”, your device's internal storage, appears.


Fig 6. Enable Root access



Fig 7. Device internal file access.


Root Tool


Root Tool edits your device registry to give you full access to the device file system, so that you can reach all internal files just by connecting the phone to your system.

Previously Windows Phone Internals gave you mass storage mode by flashing the phone; Root Tool makes file access easier.
Download Root Tool

Now extract the archive and deploy the .XAP file to the device.




Fig 8. Root Tool



Be careful while using this tool: selecting a wrong file path or setting may break your device.

Now select “Lumia Registry Edit”

Go to Options >

Now click Templates

Select both Interop/Capability Unlock and Full FS Access with MTP, then apply the settings.

Now you can view or edit your device's internal storage over MTP without switching into flash mode.

WP8 Native Access Webserver


There is one more convenient way to access your device's file system: WP8 Native Access Webserver. You install the WP8 Native Access client .XAP on the device, and it exposes the device's file system as a web server on the port you choose. You can download this app from here.








Conclusion:


In this article we learned how to root our device and inspect its internal storage. In the next article we will look at the attack vectors of WP8 applications and their vulnerabilities.


Windows Mobile Application Security Testing - Part 4

Before I start this part of the article I want to thank all of you who have appreciated this series. I'm very excited to continue writing about WP8 application security testing.

In the previous article we learned how to set up a proxy with the device and perform dynamic analysis of WP8 applications. In this article we are going to learn how to analyse isolated storage, the app's local file system, using Windows Phone Power Tool.

If you have not rooted your device but want to analyse an application's local storage dynamically, this article will help you. On a developer-unlocked device you can inspect the local or isolated storage of developer-signed apps only. If you have not unlocked your device yet, I recommend unlocking it by following my Part 1 article.


Next we need a developer-signed application for our demo. In my previous article I mentioned a developer-signed YouTube app found on the XDA forum. You can also download this application for learning purposes from here.

Isolated storage


Isolated storage is used to store local data on a Windows Phone. It is "isolated" because other applications can't access this data.

All of an app's I/O operations are restricted to its isolated storage; it has no direct access to the underlying OS file system, which provides security and prevents unauthorized access and data corruption by other apps. If you want to share data between two applications you need some kind of cloud-based service to share it for you. Keep in mind that this isolation is enforced by the platform sandbox: it protects against other apps, not against someone with access to the device's file system, which is exactly what we use in the later parts of this series.

Microsoft gives developers two ways to store data locally. The first is a collection of name/value pairs called IsolatedStorageSettings,
and the other is the creation of actual files and folders through IsolatedStorageFile. We will look at both later while doing static analysis and reverse engineering.

Windows Phone Power Tool


As written in my previous article, Windows Phone Power Tool is a powerful tool to deploy WP8 applications (developer-signed apps only) and analyse isolated storage on the device. We will use it to analyse dynamically which data the app stores on the device. If you want to install Windows Phone Power Tool, please read my previous blog post.


Fig. 1 WP Power Tool

Let's deploy the YouTube application to the device using WP Power Tool.


Fig 2. Deploy Application

You can see the information about the application under Dev Apps.


Fig 3. Application Information

Now we are going to inspect isolated storage. As you can see, there is no data at this point.


Fig 4. Isolated Storage

Let's use the application, explore its functionality and save some data. You can also log in to the application with a Google account.



Fig 5. Youtube login form.

After using the application, refresh the app in WP Power Tool by right-clicking it. Now there is a bunch of data available for inspection.


Fig 6. Isolated Storage Data


Isolated Storage Explorer


This is one more tool that lets you explore or modify the data an app stores dynamically in isolated storage on the device. You can download and install it from here.


Fig 7. IsoStore Spy App.

Isolated Storage Explorer (ISETool.exe)


Isolated Storage Explorer (ISETool.exe) is a command-line tool installed with the Windows Phone SDK. ISETool lets you list the contents of an app's isolated storage and copy files to and from the app's directories, so you can also modify what the app reads back.

You can find the tool at the following path.

C:\Program Files (x86)\Microsoft SDKs\Windows Phone\v8.0\Tools\IsolatedStorageExplor




Fig 8. ISETool 



ISETool.exe <cmd[:param]> <target-device[:param]> <product-id> [<desktop-path>]

<cmd[:param]> - Specifies the command to be executed (one of the following)
    ts - (takesnapshot) download the contents of the isolated store from <target-device> to the desktop
    rs - (restoresnapshot) upload the contents of the isolated store from the desktop to <target-device>
    dir - lists the contents of the device folder
    EnumerateDevices - lists the valid device targets along with their device indices

<target-device[:param]> - Specifies the target device (one of the following)
    xd - default emulator
    de - Windows Phone device connected to the desktop
    deviceindex:n - device listed at index n. To get the list of devices use the following command
                    "ISETool EnumerateDevices"

<product-id> - Specifies the GUID of the product. This is located in the
               WMAppManifest.xml file of the project

<desktop-path> - desktop path for download and upload


To get the list of devices, use the following command:

ISETool EnumerateDevices



Fig 9. To get the list of Devices

To find the application's Product ID (the GUID of the product) you need its WMAppManifest.xml. To get at the manifest, change the application's extension from .xap to .zip and extract the archive (this works only for developer-signed applications).


Fig 10. Application ProductID

Now list the application's contents in the device folder.


C:\Program Files (x86)\Microsoft SDKs\Windows Phone\v8.0\Tools\IsolatedStorageExplorerTool\ISETool.exe dir de dcbb1ac6-a89a-df11-a490-00237de2db9e


Fig 11. List of file and Directory

Now download the contents of the isolated store from the device to the desktop, running from the tool's directory:

C:\Program Files (x86)\Microsoft SDKs\Windows Phone\v8.0\Tools\IsolatedStorageExplorerTool

ISETool.exe ts de dcbb1ac6-a89a-df11-a490-00237de2db9e G:\test\

Fig 12. Exact contents of isolated Storage


Fig 13. Download File and Folder

Now you can inspect all the files and folders manually. Later we will learn more about the individual files and their function.

Conclusion :


In this article we learned about isolated storage and the tools and techniques to inspect its files and folders. You can now analyse which data an application stores in isolated storage and how. Later we will learn more about the files and what they mean for security.
