Black Hat Europe: ‘Hardening Windows 8 Apps for the Windows Store’

“Let’s face it, there are no really great apps for Windows 8 and the number of trashy apps is also very low compared to the Android and iOS ecosystems,” wrote Senior .NET developer Igor Kulman in the Coding Journal. He concluded that “the problem with Windows 8 development is the WinRT’s lack of capabilities.” When it comes to customers who want a complex iOS-like app, Kulman ended the interesting article with “I am really fed up with telling customers” the “magic words ‘it is not possible in Windows 8’.”

Yet at Black Hat Europe, Bill Sempf discussed developing Windows 8 apps when he presented “Hardening Windows 8 Apps for the Windows Store” [PDF]. The synopsis of his talk states, “Security and privacy in mobile development has been a topic in the iOS and Android world for a few years now. Microsoft is entering the fray with be their first significant push into the mobile space.” He asked if your apps will be featured on the front page of a tech news site for the wrong reasons, but offered “to help you make sure that won’t happen. Learn the security considerations of HTML5, backend services, cloud computing and WinRT.”

“There are a number of WinRT features that are potential attack vectors. You need to consider their application, and determine their risk individually based on the use factor.” Sempf has been writing apps for Windows 8 since the OS was released. He is also the author of “Windows 8 Application Development with HTML5 For Dummies.” He is a “blue team person” who subscribes to the 80/20 rule. “I want to fix the 20% of the code that will keep out 80% of the attackers.” He wrote [PDF], “Because of the relative strength of the sandbox, most Windows Store app security testing will focus on the backend services, and flaws in the business logic of the application.”

“There are 3 ways to build a Windows Store app, according to the Corelan Team which heard Sempf’s talk in person. “You can build .Net applications, Windows ASP.Net, WPF applications etc in Windows 8, using C++ or C#. Silverlight apps, however, are gone. The Windows 8 start screen tiles are Windows 8 Apps, based on WinRT. Although this is fundamentally different than Silverlight, it’s quite easy to make the move to WinRT. Keep in mind that there are significant limitations to what you can do from WinRT.”

Identity

Regarding WinRT Identity, developers can tap into the user’s account information via the Windows Live Connect Identity API, or via OAuth. Sempf said, “The Windows API includes OAUTH built in. This is better than having everyone bake their own, but still is something of an attack surface.” He also suggested that developers should embrace WinRT hashing and encryption APIs. “They are slow, but they are effective. If you are going to communicate with a backend service, hashing the authentication information is the best way to prevent a man in the middle attack from gaining access to the credentials.”

Capabilities

Developers must declare “capabilities” that are subject to the Windows Store Policy in order to use features of the Windows 8 OS. Users will be notified and must “accept” those when the app is installed. If you are like me, and overreaching permissions are a pet peeve, then you will forget about installing an app that wants permissions it does not need in order to work. Developers should always apply least privilege. “See to it that your app only has the capabilities it needs. The fewer things that your application touches, the less that an attacker has the potential to use it for bad things.” Sempf advised for developers to start with “no capabilities” and turn them on, one by one, until the application works.

“Declarations” are the opposing side of “Capabilities,” explained the Corelan Team. “Declarations allow you to define what type of access the application needs from the OS. Even if apps don’t know anything about each other, [they] can still work together by setting them as a ‘share’ target. If you enable your app to be a ‘share’ target, you’d better provide the code to handle this properly, Bill explains.” If you recall the Evernote hack that forced 50 million customers to change passwords, then you’ll understand why Sempf said the ‘Evernote’ app is a good example on how not to code ‘share’ target.

Unexpected crashes

When discussing unexpected behavior, such as an app crashing from an XSS attack, Sempf said it may be frustrating for a developer, but it’s good news for a consumer. “If a malicious app shows up, it is much more likely to just bomb when it does something unexpected than it is to do damage, especially if I reject a capability that the application is expecting (as I should). Of course, there isn’t much that Windows can do when the user accepts everything, but we are taking this one step at a time.”

Remote storage

Regarding Remote Storage, Sempf said, “This one freaks me out a bit, even though I haven’t found a way to exploit it. A developer can use Windows.Storage.ApplicationData.current.roamingSettings to save values ‘somewhere’ that a user can then pick up in the same app in the same user account on another machine.” Sempf warned, “Choose your storage very carefully.”

Your app will have to store something sometime, but there is no question that keeping as little as possible in storage is a good idea. If you need a lot of data to go in and out, make your own service layer using Heroku or Azure Mobile Services, and keep it encrypted. At the very least, review your storage needs with the knowledge that much is quite open to being compromised.

Code defensively

Sempf concluded, “There is little protection for bad code. Building insecure apps will make life easier for the attackers, and using the ecosystem improperly will weaken the whole environment. Taking care to code securely, test and review configuration with the Good Ideas in mind will make for a quality experience for your users and all users.”

Windows 8 for enterprise?

Like it or not, you can’t just stick your head in the sand and believe that you can cling to Windows XP. You may not need Microsoft’s “end of support gadget” as a reminder, but XP will be beyond dead in 379 days. Incidentally, last week, AVG anti-virus software mistakenly identified the Windows system file wintrust.dll as a Trojan. Only Windows XP systems were affected and AVG fixed the problem the same day.

If you represent an enterprise and you’ve moved to Windows 8, I’d be interested in talking to you to see how it is going and for future articles. I don’t know any enterprise, personally, that has made the move. Although some people claim to love Windows 8, there are others who believe you should kill it with fire.

When Sempf interacted with the audience, he explained that the start screen is really cool if you have a touch-enabled device. “If you are using a regular laptop/desktop, you’ll probably going to skip this start screen and go back to Windows 7 mode.” 

Paul Thurrott’s SuperSite for Windows, attacks the problem from a different angle . . . suggesting Microsoft needs to fix Windows 8. Thurrott wrote:

Dear Microsoft,

You’re moving too slow. You’re being too quiet. And your decision to force users to embrace the Metro UI on non-touch devices and traditional PCs is sound strategically-after all, no one would choose a “Metro” tablet if it wasn’t Windows-but morally bankrupt. It’s insulting to the 1.3 billion users who got you here and to the businesses who may be your only viable customers in a few years.

If interested in developed Windows Store Apps, you can read Hardening Windows 8 Apps for the Windows Store [PDF] in full.

Like this? Here’s more posts:

• Gov’t wielded security as a shield to deny the most FOIA requests yet under Obama
• Microsoft patch stops attackers from owning PC via USB flash drive hack
• Microsoft: Office 2013 can now be transferred to another PC every 90 days
• Transparency report reveals Google receives less than 1,000 NSLs yearly
• Preserving American Privacy Act would limit domestic drone spying, ban killer drones
• Microsoft admits to being hacked too
• Will future surveillance include global ‘pre-crime’ machine spying on everyone?
• Sunshine on extreme secrecy: Hear full leaked audio of Bradley Manning’s statement
• Microsoft’s Secure Boot, Red Hat request ignites Linus Torvalds’ NSFW flame war
• Insect assassin drones? Armed drones choosing targets? What could possibly go wrong?
• Microsoft may not scan your email for keywords like Google, but your boss can

Follow me on Twitter @PrivacyFanatic