Building Secure GOV-LOB Windows Phone Apps. Part II, Session I

_{YOU BUILT YOUR APP, IS READY TO PUBLISH, BUT YOU NEVER SEEN IT ON A DEVICE. CHANGE THAT NOW!}

Series Introduction (Part I)

Overview of Windows Phone Security Features

Part II covers an extensive list of topics. I will break Part II into several sessions.

So Lets’ call this Part II, Session I and it will cover:

• Application Safeguards
• Capabilities Security Model

The Windows Phone 7 Platform enables developers to create engaging consumer experiences running on a Windows Phone. It is built upon existing Microsoft tools and technologies such as Visual Studio, Expression Blend, Silverlight, and the XNA Framework.

The Windows Phone 7 Platform provides two frameworks for developing applications.   

• The Silverlight framework for event-driven, XAML-based application development that allows developers to develop creative mark-up based user experiences.
• The XNA Framework for loop-based games that enables immersive and fun gaming and entertainment experiences.

Bear in mind that this series targets 3rd party applications for WP7. These applications are different than the likes of Outlook or IE that ship natively as part of the WP7 device image. Many of the features mentioned as unavailable on WP7 in this series are, in fact, unavailable only in the managed platform (i.e., they are not exposed for 3rd party applications).

Application Safeguards

The Windows Phone Application Platform employs a variety of technologies designed to help protect Windows Phone end users from applications that exhibit certain unwanted behaviors:

Marketplace

• Applications can be deployed onto a WP7 device only through the Windows Phone Marketplace web portal. The structured Marketplace submission and provisioning process includes a suite of certification tests to identify certain behaviors that may be associated with problems and prevent those applications from being offered in the Windows Phone Marketplace.
• The Windows Phone Marketplace is the only legitimate source of application acquisition, mandatory code signing, and application licenses. This approach will help to maintain a consistent set of standards for Windows Phone applications.

Development in Managed code only

• The requirement to develop Windows Phone applications using only .NET managed code helps to improve developer productivity and the robustness of their applications. When used appropriately, the strong typing, bounds checking, and memory management features of managed code can help to eliminate or minimize many of the common programming errors that can lead to exploitation of the application by hackers, as well as excessive and unintended resource consumption.

Sandbox Environment

• Windows Phone applications run in a sandboxed process. This means that they are isolated from each other, and will interact with phone features in a structured way. If an application needs to save data or configuration information, it will do so using Isolated Storage or cloud, which is designed to be protected from access by other applications.

Isolated Storage

• Isolated Storage allows an application to create and maintain data in a sandboxed isolated virtual folder. All I/O operations are restricted to Isolated Storage and do not have direct access to the underlying OS file system. This prevents unauthorized access and data corruption by other applications.

Execution Manager

• Windows Phone applications are run under the supervision of an execution manager. The execution manager will measure whether applications behave as required by certain defined conventions.

Privileges

• The sandboxed process within which a particular application runs has a customized set of security privileges.
• The Windows Phone Application Platform is designed to minimize the attack surface area of each application by only granting it the privileges that it needs in order to run. For example, if an application does not require the use of the Media Library, the application platform will seek to execute it in a sandboxed process which does not have access to the Media Library.
• Certain privileges that an application might need have a direct impact on information access or cost. In such cases, the Windows Phone Marketplace will disclose this information to the end user before the application is purchased. Pre-installed applications are also required to disclose this information to the end user upon first use of the application.

DID YOU KNOW THAT WEBMATRIX COULD MAKE YOU A HEROE?

Capabilities Security Model

A Capability is defined as a resource on the phone to which security risks/business costs are associated (Microphone, Networking, Phonedialer, etc.). Windows Phone provides a capabilities-driven security model – in which an application is executed within a security sandbox whose limits are determined by capabilities required by the application. Also, applications that use certain capabilities are required to seek an explicit opt-in from the end-user. Some examples include using network-based services where a user could incur additional roaming costs if the use of the services were not disclosed by the application, or the use of push notifications that can also produce roaming charges.

The primary goals of the Capability Model are to:

• Ensure proper disclosure – Users must be notified if an application’s functionality has implications on their privacy, security or costs. They must opt-in to allow the functionality to be activated. For example if an application uses a microphone and a user is not aware of it, then it can be possible that application records the user’s conversation and dumps it to the attacker’s site which can pose security and privacy risk. So the capability model ensures that a user is aware of what capabilities an application supports before s/he can use it.
• Decrease the attack surface - Capabilities are used to create a security chamber in which the application will execute. This chamber is created once at install-time and used from there-on for the application. (Note: A chamber is a security and an isolation boundary for a process and puts limits on what the hosted process can do based on policies as configured for the instance of the chamber. All 3rd party applications on WP7 run in a special type of chamber called the Least Privilege Chamber or LPC whose capabilities are limited based on configuration/manifest settings.)

Developers can make use of Capability Detection Tool used to identify the exact capabilities required by the application. Developers can run this tool and remove the other capabilities not required by the application. This helps in decreasing the attack surface.

Note for WP 7.0 – This tool is not part of WP 7.0 SDK.
Note for WP 7.1 – this tool is part of WP 7.1 SDK and can be found at following location:

• Program Files\Microsoft SDKs\Windows Phone\v7.1\Tools\CapDetect
• Program Files (x86)\Microsoft SDKs\Windows Phone\v7.1\Tools\CapDetect

Usage:

CapabilityDetection.exe <rulespath> <Project Output Folder containing assemblies or assembly file path>

A MARRIAGE MADE IN HEAVEN PHONE PLUS CLOUD

In Part II, Session II we will cover:

• Managed Code Security and API Access
• Execution Model

Based on work from Manish Prabhu, Sameer Saran, Don Willits, and Dharmesh Mehta.

G E T F-R-E-E 
Phone: Tools, Devices
Cloud: Tools, Account
Client: WebMatrix
Resources: Infokit
Apps Ideas: Ideas