Summary of my Windows Store App security BlackHat talk


Last week, I spoke on the security implications of Windows Store apps for Windows 8 at BlackHat Europe. Running the risk of ruining the suspense for later listeners, I decided to take the advice of several of my attendees and summarize my main points here.

Remember, this is just a summary. I am boiling down a 60 minute talk into 12 or so talking points. If you have questions about specifics, ping me in the comments or via the contact form.

Some of this is original research, some of it is just from the documentation, but all of it applies to the security or privacy of Windows Store apps on Windows 8. It doesn’t matter what you think of Windows 8; you will have to deal with it eventually. It is growing faster than XP or 7 did. The store is selling stuff. It is out there. You will have to either scan an app for your company, or deal with BYOD.

This is all about helping you out.

Features with a risk component

  • You log into a Windows 8 machine with your Microsoft Account. Apps get access to the account information merely by requesting it at install time. Are your users logging in with personal accounts? Company accounts?
  • Capabilities need to be used sparingly. Least Privilege is the rule, not the exception.
  • Remote Settings stores the data saved to it somewhere in the cloud.
  • Local Settings are saved in an unencrypted XML file.
  • The applications themselves are saved locally with source code available or easily obtainable. Code defensively!


Testing Windows Store Apps

  • Test backend services with Burp or ZAP.
  • Test for the same vulnerabilities you test your web apps for, manually for now.
  • Do a code review.


Countermeasures provided by WinRT

  • Hashing and encryption are in Windows.Security, but are sloowwww.
  • Instead of Microsoft Account, use OAuth for auth-n.
  • Apps that come across an unexpected error don’t leak information. They just die!
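The two points above about Local Settings being stored unencrypted and about Windows.Security carrying the crypto primitives fit together. As an added example (not code from the talk or this post), here is how a C# Windows Store app can wrap a small secret such as a token with Windows.Security's DataProtectionProvider before it reaches Local Settings; the ProtectedSettings class and the key and secret names are hypothetical.

```csharp
using System;
using System.Threading.Tasks;
using Windows.Security.Cryptography;
using Windows.Security.Cryptography.DataProtection;
using Windows.Storage;
using Windows.Storage.Streams;

// Hypothetical helper: seals a secret with the user's local protection key
// before it is written to the settings store, and unseals it on read.
public static class ProtectedSettings
{
    // "LOCAL=user": only the same Windows user on this machine can unprotect.
    private static readonly DataProtectionProvider Protector =
        new DataProtectionProvider("LOCAL=user");

    public static async Task SaveAsync(string key, string secret)
    {
        IBuffer plain = CryptographicBuffer.ConvertStringToBinary(
            secret, BinaryStringEncoding.Utf8);
        IBuffer wrapped = await Protector.ProtectAsync(plain);

        // Only the base64 of the protected blob lands in Local Settings.
        ApplicationData.Current.LocalSettings.Values[key] =
            CryptographicBuffer.EncodeToBase64String(wrapped);
    }

    public static async Task<string> LoadAsync(string key)
    {
        object stored = ApplicationData.Current.LocalSettings.Values[key];
        if (stored == null) return null;

        IBuffer wrapped = CryptographicBuffer.DecodeFromBase64String((string)stored);
        // Unprotect uses a descriptor-less provider; the blob carries its own.
        IBuffer plain = await new DataProtectionProvider().UnprotectAsync(wrapped);
        return CryptographicBuffer.ConvertBinaryToString(
            BinaryStringEncoding.Utf8, plain);
    }
}

// Usage from app code (hypothetical key and value):
//   await ProtectedSettings.SaveAsync("apiToken", tokenFromOAuth);
//   string token = await ProtectedSettings.LoadAsync("apiToken");
```

Anything else the app writes to Local Settings, or anything that goes to Remote Settings, still goes out in the clear unless it is wrapped the same way.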


There you go. If you didn’t make it to my talk, you don’t need to go to a later rendition (although the demos are pretty awesome). I just want to make sure that people understand what they are getting into with Windows 8 apps.

Are you doing Windows Store app research? If so, drop me a line. You can find me @sempf on Twitter, or use the contact form on the blog here – it works well.


Bill Sempf

Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.
