Nytro

Windows Phone 8 Application Security Whitepaper


Syscan 2014 Singapore – Alex Plaskett and Nick Walker

2014/03/30

Contents

1. Introduction (p. 4)
2. Background (p. 4)
    2.1 Application Overview (p. 4)
    2.2 Code Signing (p. 5)
    2.3 Sandboxing (p. 5)
    2.4 Exploit Mitigation (p. 7)
    2.5 Encryption (p. 7)
    2.6 Secure Boot (p. 8)
    2.7 Developer Unlock (p. 8)
    2.8 Previous Work (p. 9)
3. Black box Assessment (p. 10)
    3.1 Obtaining Marketplace Applications (p. 10)
    3.2 Application Structure (p. 11)
    3.3 Decompiling Marketplace Applications (p. 12)
    3.4 Patching Marketplace Applications (p. 12)
    3.5 Obtaining a remote shell (p. 13)
    3.6 Building Standalone Executables (p. 14)
4. Local Data Protection (p. 16)
    4.1 Insecure Data Storage (p. 17)
    4.2 Data Protection API (DPAPI) (p. 20)
    4.3 Local Database Security (p. 24)
5. Transmission Security (p. 26)
    5.1 Traffic Interception (p. 26)
    5.2 Cipher Support and Certificate Validation (p. 27)
6. Interprocess Communication (p. 29)
    6.1 File and Protocol Handlers (p. 29)
    6.2 Cross Application Navigation Forgery (p. 33)
7. Input Validation (p. 37)
    7.1 Web Browser Control (p. 37)
    7.2 Cross Site Scripting (XSS) (p. 38)
    7.3 SQL Injection (p. 40)
    7.4 XAML Injection (p. 40)
    7.5 JavaScript Bridge Security (p. 41)
8. Backgrounding and Application State (p. 42)
9. Push Notifications (p. 45)
10. Application Logging (p. 48)
11. C++/WinRT Native Code (p. 48)
12. Samsung ATIV S (p. 49)
    12.1 Registry Access (p. 49)
    12.2 File System Access (p. 49)
    12.3 Enable All Side Loading / Bootstrap Samsung (p. 50)
13. Conclusions (p. 51)
14. Acknowledgements (p. 52)
15. References (p. 52)

mwrinfosecurity.com | © MWR InfoSecurity

Download: https://labs.mwrinfosecurity.com/system/assets/651/original/mwri_wp8_appsec-whitepaper-syscan_2014-03-30.pdf
