{"id":9848,"date":"2013-03-14T15:29:03","date_gmt":"2013-03-14T14:29:03","guid":{"rendered":"https:\/\/www.corelan.be\/?p=9848"},"modified":"2013-03-14T15:29:03","modified_gmt":"2013-03-14T14:29:03","slug":"blackhateu2013-day1-hardening-windows-8-apps-for-the-windows-store","status":"publish","type":"post","link":"https:\/\/www.corelan.be\/index.php\/2013\/03\/14\/blackhateu2013-day1-hardening-windows-8-apps-for-the-windows-store\/","title":{"rendered":"BlackHatEU2013 - Day1 - Hardening Windows 8 Apps for the Windows Store"},"content":{"rendered":"

The first talk after having lunch at BlackHat Europe 2013, title \"Hardening Windows 8 Apps for the Windows Store\" is delivered by Bill Sempf<\/a>\u00a0(@sempf<\/a>). Usually, the first slot after lunch is not really a gift to speakers as attendees tend to be busy digesting lunch at that time. \u00a0Perhaps the absence of slides during the presentation might help keeping people awake \ud83d\ude42<\/p>\n

Bill starts his presentation by interacting with the audience and asks who has played with Windows 8 and\/or has done development on Windows 8. \u00a0 He explains that the start screen is really cool if you have a touch enable device. \u00a0If you are using a regular laptop\/desktop, you'll probably going to skip this start screen and go back to Windows 7 mode. \u00a0Bill started writing apps for Windows 8 since the OS got released and is author of the \"Windows 8 application development for dummies\" book.<\/p>\n

There are 3 ways to build a Windows Store app. \u00a0You can build .Net applications, Windows ASP.Net, WPF applications etc in Windows 8, using C++ or C#. \u00a0Silverlight apps, however, are gone. \u00a0The Windows 8 start screen tiles are Windows 8 Apps, based on WinRT. \u00a0Although this is fundamentally different than Silverlight, it's quite easy to make the move to WinRT. \u00a0Keep in mind that there are significant limitations to what you can do from WinRT. \u00a0In fact, you don't have access to sockets. You can connect to port 80 and 443, but that's about it. \u00a0You can't connect to a SQL server, read email. \u00a0You don't even have access to the filesystem in a way this is possible in normal \"traditional\" applications. \u00a0On the other hand, the development environment comes with a large number of templates that help lowering the barrier to get started with WinRT development. \u00a0 In addition to C++ and C# to write WinRT apps (both using XAML), you can also use Javascript, which is now closely integrated with WinRT using the WinJS engine. \u00a0In fact, at least half of the applications in the Windows store today are written in JavaScript, Bill says.<\/p>\n

As the number of applications in the Windows Store increases, the use of Windows 8 will become a reality in the enterprise, which means we'l have to deal with it eventually.<\/p>\n

From a WinRT login perspective, all you need is a Microsoft account (similar to the iTunes account for Apple, or your GMail account for Android). The Windows RT environment has APIs that allow applications to access this login information from within an application.<\/p>\n

Bill explains that in WinRT, calls to a service shouldn't take longer than 15 seconds. If they do, you'll need to handle communication and actions asynchronously. \u00a0Unfortunately, the demo didn't work because of internet connectivity issues.<\/p>\n

\u201cCapabilities\" are subject to the Windows Store policy. They will cause popups and request the user to \"accept\" a message before a certain action can occur. If you are looking at app store applications, make sure to review the list with capabilities and their settings. \u00a0When developing an application, start with \"no capabilities\" and turn them on one by one, until the application works.<\/p>\n

\"Declarations\" are the opposing side of \"Capabilities\". Declarations allow you to define what type of access the application needs from the OS. \u00a0Even if apps don't know anything about each other, can still work together by setting them as a \"share\" target. If you enable your app to be a \"share\" target, you'd better provide the code to handle this properly, Bill explains. \u00a0The \"Evernote\" app is a good example on NOT how to do this.<\/p>\n

Applications need to be able to store \"stuff\" somewhere. \u00a0Apps may use \"cookies\" or \"config files\" that need to get updated at runtime. SInce WinRT doesn't really have access to the traditional filesystem, the apps need to use Windows.Storage.ApplicationData. One of the ways to store data is by using \u00a0\"roaming settings\" (which essentially tells Windows to save the data in the cloud, hosted at Microsoft\u2026 somewhere\u2026 we think). \u00a0Traffic seems to be encrypted, Bill continues, but this might still be a privacy issues, especially because you don't really know where the data is stored. In fact, by looking at the traffic, Bill noticed that some of the data gets actually stored at Google. \u00a0If you're using the \u201clocalStorage\" technique to store data, keep in mind that everything is stored in plain text xml. \u00a0If you want to make it safer, you'll have to use online \"services\" instead, so you can store\/retrieve data over http\/https. \u00a0Combine this with the fact that people expect to be mobile, this means you'll have to expose these services to the internet to make this work.<\/p>\n

From a Windows App testing perspective, Bill continues, this means you'll probably should focus on testing these service first, just like any other web application. You could use OWASP Zed Attack Proxy (ZAP), which is free, or Burp if you have a license. \u00a0The WinRT dev environments comes with anti XSS libraries enabled. Bill mentions that it might be possible to bypass this XSS protection library. In other words, think of the App to be a web app that interacts with a service. \u00a0This means tests for SQL Injection \/ JSON injection\u2026 \u00a0Also, do a code review. Do not set \u00a0.innerHTML but use .innerText instead to avoid XSS issues inside your app.<\/p>\n

WinRT comes with support for hashing\/encryption, through crypto.CryptographicBuffer.<\/p>\n

In addition to using the Windows account to log on to WinRT, you can also take advantage of OAuth functionality. \u00a0OAuth will take over the entire authentication portion of the application. All you need to do is call OAuth (Windows.Security.Authentication.Web.WebAuthentication) and WinRT will take care of everything for you.<\/p>\n

Applications will just die on unhanded exceptions, without giving away stack trace information.<\/p>\n

Finally, code defensively. It's trivial to get the source code of \u00a0your apps because they are stored locally (c:\\Windows\\WindowsApps) and not obfuscated by default. \u00a0With WinJS code, you don't even need to use a decompiler, because the code is stored in a .js file. Don't store secrets or hardcode keys in your code.<\/p>\n

Summary:<\/h3>\n